Malwarebytes doesn't scare easily. They've been writing about malware, exploits, and security risks for over a decade, and they've earned a reputation for being measured in their assessments. When they publish an article titled "OpenClaw: What is it and can you use it safely?" — with the clear implication that the answer might be "no" — it's worth reading carefully.
Their article, published this week, lays out the risks plainly. And combined with Northeastern University's research calling OpenClaw a "privacy nightmare," the picture that's forming isn't great for anyone running the default setup.
What Malwarebytes Found
The Malwarebytes analysis focuses on what they call the fundamental tension of OpenClaw: the features that make it useful are the same features that make it dangerous.
OpenClaw can read your files. It can execute commands. It can browse the web. It can send messages on your behalf. It can install and run third-party code from ClawHub. Each of these capabilities is a feature when the agent is acting as intended and a vulnerability when it isn't.
Their specific concerns:
Full filesystem access. OpenClaw can read any file on the machine it runs on. If that machine is your personal computer, "any file" includes your browser passwords, SSH keys, tax returns, medical records, and that text file where you keep passwords because you haven't set up a password manager yet.
Command execution. The agent can run arbitrary shell commands. That's powerful for automation. It's catastrophic if the agent is compromised or tricked by prompt injection.
Third-party skills. ClawHub is essentially an app store where anyone can publish code that runs with the agent's full permissions. There's no review process comparable to Apple's App Store or even npm's. Malicious skills have already been documented at scale.
Persistent state. The agent remembers things across sessions. That's useful for continuity. It's dangerous because an attacker who modifies the agent's memory once can influence its behavior permanently.
Northeastern's "Privacy Nightmare" Research
The same week, Northeastern University researchers published findings calling OpenClaw a "privacy nightmare." Their analysis focused on the data exposure risk: giving an AI agent full computer access means every piece of data on that computer is accessible, processable, and potentially exfiltrable.
They documented scenarios where OpenClaw agents, acting on seemingly innocent instructions, accessed and transmitted sensitive data. Not because the agent was malicious — because the agent was doing what it was asked to do, and the user didn't fully understand the implications of granting full system access.
The researchers' core argument: the convenience of giving an AI agent broad access to your computer comes with a privacy cost that most users don't comprehend at the time they grant it. By the time they understand the implications, the agent has already been running with full access for days or weeks.
Why This Matters More Than It Sounds
Security researchers find risks in everything. That's their job. So why take Malwarebytes and Northeastern's findings seriously?
Because the risks they describe aren't theoretical. They're structural. OpenClaw's architecture requires broad system access to be useful. You can't have an AI agent that automates your computer while also preventing it from accessing your computer. The capability and the risk are the same thing.
This puts users in an impossible position. Either grant the agent the access it needs to be useful (and accept the security risk) or restrict its access (and lose the functionality you installed it for). There's no middle ground when the agent runs directly on your machine.
Unless the agent doesn't run on your machine.
The Isolation Solution
Both Malwarebytes and Northeastern arrive at similar recommendations: if you must use OpenClaw, isolate it. Don't run it on your personal computer. Don't give it access to your real data. Use a separate machine or VM with dedicated, non-sensitive credentials.
This is the same conclusion Microsoft reached in their security blog. The same conclusion we've been arguing since December. The same conclusion that the security community has converged on independently from multiple directions.
The pattern is clear: OpenClaw's utility is real. Its security risks are real. The solution isn't choosing between them — it's changing where the agent runs so the utility stays while the risk is contained.
When your OpenClaw instance runs on an isolated cloud server, the filesystem it can access contains only what you put there. The commands it executes affect only that server. If something goes wrong — prompt injection, malicious skill, vulnerability exploit — the blast radius is one disposable cloud instance. Not your life.
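To make the "the filesystem it can access contains only what you put there" idea concrete, here is an added example of how an agent's file and command tools can be confined to one directory. It is illustrative code written for this article, not OpenClaw's or Clawdy's own implementation, and the `AgentSandbox` class, its method names and the constructed scenario in `demo()` are all assumptions. The point it demonstrates is the blast-radius argument above: whether a tool call comes from the user, from a prompt injection or from a misbehaving skill, the most it can touch is the sandbox directory and a short allowlist of commands.

```python
import os
import shlex
import subprocess
import tempfile
from pathlib import Path


class SandboxViolation(Exception):
    """Raised when a tool call tries to reach outside the sandbox."""


class AgentSandbox:
    """Confines an agent's file and command tools to a single directory.

    Hypothetical helper written for this article (not OpenClaw code).
    The agent is handed only a copy of the data it needs, so a hijacked
    tool call can at worst damage that copy, never the host's real files.
    """

    def __init__(self, root: str, allowed_commands=("ls", "wc", "cat")):
        self.root = Path(root).resolve()
        self.allowed_commands = set(allowed_commands)

    def _resolve(self, relative: str) -> Path:
        # Resolve symlinks and '..' first, then check containment, so a
        # planted link inside the sandbox that points outside is still refused.
        # Path joining with an absolute argument discards the root, which the
        # containment check then catches as well.
        candidate = (self.root / relative).resolve()
        if candidate != self.root and self.root not in candidate.parents:
            raise SandboxViolation(f"path escapes sandbox: {relative}")
        return candidate

    def read_file(self, relative: str) -> str:
        """File-read tool: only paths that resolve inside the sandbox."""
        return self._resolve(relative).read_text()

    def run_command(self, command_line: str) -> str:
        """Command tool: allowlisted binaries only, run inside the sandbox."""
        argv = shlex.split(command_line)
        if not argv or argv[0] not in self.allowed_commands:
            raise SandboxViolation(f"command not allowed: {command_line}")
        # Every non-flag argument is treated as a path and checked the same
        # way as read_file, so 'cat ../secret' is refused before it runs.
        for arg in argv[1:]:
            if not arg.startswith("-"):
                self._resolve(arg)
        result = subprocess.run(argv, cwd=self.root, capture_output=True,
                                text=True, timeout=5, check=False)
        return result.stdout


def demo() -> dict:
    """Constructed scenario: one harmless note, one symlink that points out
    of the sandbox, and the kinds of tool calls an injected prompt might make.
    Returns a dict of outcomes so the behaviour can be checked, not just printed.
    """
    root = tempfile.mkdtemp(prefix="agent-sandbox-")
    (Path(root) / "notes.txt").write_text("meeting at 10\n")
    # A planted link back to the parent directory, the classic way out of a box.
    os.symlink(Path(root).parent, Path(root) / "escape")
    box = AgentSandbox(root)

    outcome = {"read_ok": box.read_file("notes.txt")}
    attempts = {
        "traversal": lambda: box.read_file("../../outside.txt"),
        "symlink": lambda: box.read_file("escape/outside.txt"),
        "absolute": lambda: box.read_file("/definitely/outside.txt"),
        "shell": lambda: box.run_command("curl http://example.invalid"),
        "cat_escape": lambda: box.run_command("cat ../outside.txt"),
    }
    for name, call in attempts.items():
        try:
            call()
            outcome[name] = "allowed"
        except SandboxViolation:
            outcome[name] = "blocked"
    # An allowlisted command on an in-sandbox file still works as intended.
    outcome["wc"] = box.run_command("wc -l notes.txt").split()[0]
    return outcome


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check runs on the resolved path rather than the string the agent supplied, which is what makes the symlink and `..` cases fail closed. A real deployment would add the coarser layer the article recommends (a separate VM or cloud instance with throwaway credentials) underneath this; the in-process check is the fine-grained layer, not a replacement for isolation.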
Malwarebytes identified the problems. Isolated deployment solves them. Clawdy runs your OpenClaw agent on dedicated cloud infrastructure where a breach doesn't cost you everything. Deploy in under 60 seconds at clawdy.app.