I Installed OpenClaw. Then I Checked What It Had Access To.
TL;DR: AI agent ≠ chatbot. An agent has access to your files, passwords, and terminal — including your family’s data. 3 questions before installing + the Three-Person Test (you, your partner, your child). OpenClaw: 512 vulnerabilities, 135k unsecured instances.
Series: Clean Tech for Families · Article 6/6
OpenClaw is an autonomous AI agent that racked up 135,000 GitHub stars in February 2026 — and simultaneously exposed over 135,000 unsecured instances containing user data. This article explains how an AI agent differs from a regular app, what you’re sharing when you install one on a computer with family data, why family data needs different protection than personal data, and how to assess the safety of any AI tool with 3 simple questions.
Saturday, 11 PM. Laptop on your lap.
You’re scrolling your phone. Someone on Reddit posted a screenshot of a new AI tool — free, open-source, 135,000 GitHub stars in a matter of weeks. A colleague from work messages the group chat: “you have to try this.” The terminal asks for permissions. You click Allow. Beer in hand, the kid finally fell asleep — maybe after the third “daddy, water.”
You don’t think about the fact that you just gave a program you’ve never seen before access to your computer. To your files. To the passwords saved in your browser. To the API keys you use for work. To your chat history.
Maybe you feel a tightness in your neck. Or maybe you don’t — the beer is cold, the terminal says “Ready.” So you type your first prompt.
Sound familiar?
Most of us had the same experience with OpenClaw. Because we were curious. And that’s fine — curiosity is a good impulse. But curiosity and caution can go hand in hand.
What actually happened with OpenClaw?
OpenClaw (formerly known as ClawdBot) is an autonomous AI agent — a program that doesn’t just answer questions but actually performs tasks on your computer. It opens files, sends messages, installs extensions, connects to external services.
This isn’t a chatbot. It’s a program with permission to act.
Here’s what’s worth knowing — within weeks of launch:
- A security audit found 512 vulnerabilities, including eight critical ones (CVE-2026-25253, CVSS 8.8). This isn’t unusual for such a young open-source project, but it shows why it’s worth knowing what you’re installing.
- Over 135,000 instances of OpenClaw were found publicly accessible on the internet — available to anyone who knew where to look. Researchers gained access to API keys, Slack and Telegram tokens, and users’ complete chat histories.
- In the ClawHub marketplace, 12% of extensions turned out to be malicious — over 230 skills impersonated legitimate tools, stealing browser passwords, cryptocurrency wallets, and macOS Keychain data.
The project’s changelogs also reveal patches for vulnerabilities that allowed remote code execution and access to user files (GitHub) — confirming these risks aren’t theoretical.
This is a story about what happens when new technology grows faster than its users’ awareness.
Do I need to do something about this right now?
No. If you don’t have the energy to think about this — that’s OK. Bookmark this article. Come back when you’re ready. You don’t have to change anything tonight.
How is an AI agent different from a regular app?
To understand why OpenClaw sparked such a discussion, it helps to know how an AI agent differs from the apps you use every day. As of February 2026 — we’re still in the early days of AI agent technology.
A regular app — say, a family calendar — runs in a contained environment. You can see what it’s doing. It has limited permissions. It doesn’t install anything on its own. It doesn’t send messages on your behalf.
An AI agent — is a program that receives broad permissions from you and decides on its own how to use them. It can read your files, browse your emails, connect to external services, execute terminal commands. It can work in the background, without your oversight.
The difference? A regular app is like an assistant who does what you ask. An AI agent is like an assistant you hand your house keys to and say: “handle it.”
And that raises the question: what exactly is it handling?
What data do you share when you install an AI agent?
It depends on the specific tool and configuration. But in the case of OpenClaw — and many similar agents — the list can include:
- Files on your drive — documents, photos, notes, work data
- Passwords and API keys — saved in the browser, in the Keychain, or in configuration files
- Conversation history — emails, chats, messages
- Tokens for external services — Slack, Google Workspace, Telegram, GitHub
- Terminal access — the ability to install programs, run scripts, modify the system
Put together, this data can paint a complete picture: your work, your finances, your health, your family. More detailed than anything you’d find in one place.
And here’s a question we rarely think about at the moment of installation: whose data is it?
On the laptop in your living room — alongside your work files — are also your kids’ photos, the family’s medical history, access to the joint bank account, your partner’s data. When you click “Allow,” you’re not just deciding for yourself.
This isn’t an accusation. Most of us didn’t think about it at the time of installation — not because we don’t care, but because we have a million other things on our minds. If you’d like, you can use a simple test:
The three-person test. Before installing an AI agent on a shared computer, ask yourself:
- Am I OK with this tool seeing my data?
- Am I OK with it seeing my partner’s data?
- Am I OK with it seeing my children’s data?
There’s no wrong answer. If you said “yes” to all three — that’s your informed decision. If you said “no” to any of them — you now know what’s worth talking about.
That’s why it’s worth knowing: who else has access?
Why do early adopters downplay the risk?
If you install new tools before everyone else — that’s not a problem. It means you’re curious about the world. You like to experiment. You want to know what’s coming.
But there’s a pattern worth noticing. In short: when everyone around you is installing something, almost nobody reads the permissions. When 135,000 people have starred something on GitHub, it’s hard to stop and ask: “wait, what does this actually have access to?”
This isn’t a matter of intelligence. It’s a matter of context. You can be an innovator and still ask questions.
At AI webinars, you increasingly hear the argument: “Google and everyone else already have access to this data, so I’ve stopped worrying about it.” And there’s a grain of truth in it — Google does have a lot of your data. But there’s a difference worth seeing.
Google has your data within a closed ecosystem: in fragments, with isolation between services, with a dedicated security team. An AI agent on your laptop sees everything at once — files, passwords, terminal, chat history. It’s not about “more data.” It’s about the complete picture that forms when data is in one place.
Even the creator of OpenClaw publicly admitted that a security incident is a matter of when, not if. That’s not fear-mongering — it’s a rare bit of honesty in the industry, and it’s worth appreciating.
There’s another version of this argument: “Privacy doesn’t exist anymore, I’ve stopped caring.” Maybe. When it comes to your own data. But do you have the right to make that decision for a six-year-old who can’t decide for themselves yet? Medical data about your child collected today could still be accessible when they’re an adult — and could affect insurance or employment.
Nearly one in three of us uses AI tools at work that our boss doesn’t even know about (Cyberhaven report, 2026). And your living room laptop has both work data and family data — kids’ photos, medical history, bank account access.
How to check whether an AI agent is safe
You don’t need to understand cryptography or read source code. Start with three questions. Ask yourself these before installing any AI agent — not just OpenClaw. You don’t have to answer all of them at once. Start with one.
1. What does the agent have access to? Good sign: a clear list of permissions in the documentation. Red flag: “Grant full access” with no explanation.
2. Does my data go to an external server? Good sign: runs locally or uses end-to-end encryption (E2EE). Red flag: no information — or worse, fine print.
3. Can the agent act without me? Good sign: requires confirmation before every action. Red flag: executes tasks in the background without asking.
If you’re getting “good sign” for all three — the tool takes your data seriously. If even one raises a concern — it’s worth digging deeper or configuring more carefully.
Full version: 7 questions for any AI agent
If you have the time and energy, here’s the extended list:
| # | Question | Good sign | Red flag |
|---|---|---|---|
| 1 | Do I know what the agent has access to? | Clear list of permissions in docs | ”Grant full access” with no explanation |
| 2 | Can I limit its permissions? | Sandbox, granular permissions, read-only mode | All or nothing |
| 3 | Does data go to an external server? | Runs locally or uses E2EE | No information |
| 4 | Do I know who sees my data? | Zero-knowledge, E2EE | ”Our employees may review…“ |
| 5 | Can the agent act without me? | Requires confirmation before every action | Auto-execution in background |
| 6 | Do I control what the agent sends? | Preview and approval before sending | Automatic sending on my behalf |
| 7 | Can I delete everything? | Data export + one-click account deletion | No retention policy |
Your score: 6-7 good signs = you’re in good shape. 3-5 = worth digging deeper. 0-2 = consider whether you need this tool on a computer with family data.
How do privacy-first apps protect family data?
Not all AI tools treat data the same way. Here’s the difference:
| Unrestricted agent (e.g., OpenClaw) | Typical SaaS with AI | Privacy-first (e.g., Signal, ParentOS) | |
|---|---|---|---|
| Data access | Full — files, terminal, network | Limited to its own service | Minimal — only what’s necessary |
| Where is the data? | On your computer + external servers | Company server (readable) | E2EE — server can’t see content |
| Who holds the key? | Nobody / everyone | The company | Only you |
| User control | Low — agent decides on its own | Medium — settings | High — granular permissions |
| What if there’s a breach? | Everything accessible | Company data readable | Encrypted — useless without the key |
| Whose data does it see? | All users of the computer | Only the service user | Only the module owner (E2EE per module) |
| What does the agent get? | Raw data — files, transactions, photos | Data within the service | Only a response (e.g., “budget: OK”) |
Signal does this with messages. Proton does this with email. ParentOS, an adaptive operating system for families, does this with family data — health, finances, schedules — encrypting per module with zero-knowledge architecture. The server stores data but can’t read it. Even the ParentOS team has no access.
In the spirit of transparency: ParentOS is in beta and has room for improvement too. But its zero-knowledge architecture means that even in the event of a breach, the data is encrypted — useless without the key, which only your family holds.
This isn’t the only approach. But it’s one that respects the principle: your family’s data belongs to your family.
One micro-step for this week
This week, do one thing: open the settings of one AI tool you use. Just one. Check what it has access to. That’s it.
You don’t have to uninstall anything. You don’t have to change anything. Just seeing it is already a lot.
If you’d like, you can also talk about it with your partner. You don’t need to prepare. One sentence is enough:
- “Hey, do you know what that AI app I installed has access to?”
- “I checked the permissions on one tool on the laptop. Interesting results.”
- “I read an article about AI agent security. Want to take a look?”
Or don’t. The fact that you’re even thinking about it is already a lot.
Related articles from this series
If this article resonates with you, also check out:
- Article 1: If You’re Not Paying, You’re the Product. What About Your Child? — where the money comes from in “free” apps
- Article 3: End-to-End Encryption for Families: A Jargon-Free Guide — what it means when nobody can read your data
- Article 4: Slow Tech: When Technology Slows Down Instead of Speeding Up — a different kind of technology is possible
Frequently asked questions
Is OpenClaw safe?
As of February 2026: a security audit found 512 vulnerabilities, including eight critical ones (CVE-2026-25253, CVSS 8.8). Over 135,000 instances were publicly accessible on the internet. This doesn’t mean OpenClaw is inherently bad — it’s a very early-stage open-source project. But it does mean it requires careful configuration and shouldn’t run on a computer with sensitive family data without a sandbox.
Should I uninstall OpenClaw?
We don’t need to make that decision for you. Check the permissions it has on your computer. Use our 7-question checklist. If your score is low — consider running it in an isolated environment (separate user profile, virtual machine) or on a computer without sensitive data. Keep in mind that secure configuration (sandbox, network isolation) requires advanced technical knowledge.
How is an AI agent different from ChatGPT?
ChatGPT is a chatbot — it answers questions in a closed window. An AI agent (like OpenClaw) is a program with permissions to act on your computer: it reads files, sends messages, installs extensions, connects to external services. The difference is like a phone call versus giving someone the keys to your house.
Does creating a separate account (e.g., a new Gmail) protect family data?
It’s a good instinct — an attempt at isolation. But an AI agent doesn’t operate within the context of an email account. It operates within the context of your operating system: it sees files on disk, passwords in the browser, tokens in configuration — regardless of which account you’re logged into. A separate Gmail doesn’t change what the agent sees on your computer. If you want real isolation, consider: (1) a separate user profile on the system, (2) a virtual machine, (3) a dedicated computer without family data. Each option is more work — but also more control.
How can I protect family data from AI agents?
Four basic principles: (1) check the permissions of every AI tool on your computer, (2) don’t install agents on a device with your family’s health and financial data without a sandbox, (3) choose tools with end-to-end encryption (E2EE) and zero-knowledge architecture for sensitive data, (4) remember that your child’s medical and financial data collected today could exist online for decades.
Series “Clean Tech for Families”:
- Article 1: If You’re Not Paying, You’re the Product. What About Your Child?
- Article 2: Organic Software: How to Read an App’s Label
- Article 3: End-to-End Encryption for Families: A Jargon-Free Guide
- Article 4: Slow Tech: When Technology Slows Down Instead of Speeding Up
- Article 5: What Does Your Child’s Learning App Know About Them?
- Article 6: I Installed OpenClaw. Then I Checked What It Had Access To. (this article)
- Article 7: Who Sees Your Family’s Data? 7 Layers You Don’t Have to Think About
Sources:
- BitSight, “OpenClaw Security: Risks of Exposed AI Agents” (2026)
- Kaspersky, “New OpenClaw AI agent found unsafe for use” (2026)
- Fortune, “Why OpenClaw has security experts on edge” (2026)
- Cisco, “Personal AI Agents like OpenClaw Are a Security Nightmare” (2026)
- Wiz, “Hacking Moltbook: AI Social Network Reveals 1.5M API Keys” (2026)
- Cyberhaven Labs, “AI Adoption & Risk Report 2026”
- OpenClaw, official GitHub repository
Calm families start with awareness.