OpenClaw, the AI Agent Everyone's Talking About — and Why It Came with a Cost

AI assistants have come a long way from being locked behind a browser tab. OpenClaw pushed that idea further than most — letting you run a personal AI agent directly from Telegram, Slack, Discord, or even iMessage. It sounded convenient. For a lot of people, it was. But it also came with a set of risks that didn't get nearly enough attention early on.
What Is OpenClaw?
OpenClaw is an open-source personal AI agent that you run locally on your own machine. Instead of interacting with it through a web interface, it routes your conversations through whatever chat app you already use — Telegram, Slack, Discord, WhatsApp, you name it. The idea is simple: your AI lives where you already spend your time.
What made it interesting — and dangerous — is that it doesn't just answer questions. It has access to tools on your machine. File system access, browser automation, code execution, credentials. It's designed to act on your behalf, not just respond to you. That level of access is what gave it so much power, and it's exactly what made the security situation complicated.
Why People Loved It
The appeal is easy to understand. You're already in Slack for work. You're already in Telegram on your phone. Having an AI agent that lives in those same spaces removes the friction of switching context. You can ask it to search the web, run a task, or manage files — all from a message.
OpenClaw also has a persistent memory feature, meaning it learns from your interactions over time and adapts to your habits. That's genuinely useful if you're using it for personal productivity or development work.
The Security Problem Nobody Wanted to Talk About
Here's where things get messy. OpenClaw gives your AI agent broad access to your machine and connected services. That's fine as long as everything stays controlled. The problem is how easy it is for that control to slip.
Exposed gateways. By early 2026, researchers found over 40,000 OpenClaw instances exposed to the public internet — meaning anyone could potentially interact with them. If your gateway port is publicly accessible and misconfigured, you've essentially given strangers a way in.
Prompt injection. Because the agent reads and processes content from the web, emails, and documents on your behalf, any of that content can carry malicious instructions. It doesn't have to come from the person messaging your bot — it can come from a webpage the agent visits or an email it reads.
Malicious skills. OpenClaw has a public marketplace called ClawHub where users can install skills to extend what the agent can do. Researchers found 341 malicious skills out of roughly 2,857 total — about 12% of the entire registry. These skills had professional documentation and benign-sounding names, but when installed, they executed keyloggers or installed malware on the host machine.
Memory poisoning. Since the agent saves context across sessions, a single successful injection can persist. The agent starts making future decisions based on compromised information it picked up in one bad interaction.
When you combine all of this, what you have is an agent running on your personal machine, connected to your accounts and files, that can be manipulated by content it reads — not just by the person on the other end of the chat.
Anthropic's Decision to Pull the Plug
On April 4, 2026, Anthropic announced that Claude Pro and Max subscribers could no longer use their subscription's usage limits with third-party tools like OpenClaw.
The stated reason was cost. Boris Cherny, Head of Claude Code at Anthropic, explained that subscription plans weren't designed for the kind of sustained, autonomous usage that something like OpenClaw generates. A single OpenClaw instance running autonomously for a full day can consume the equivalent of thousands of dollars in API costs — far beyond what a $200/month Max subscription was priced to cover.
Users who wanted to keep using OpenClaw with Claude would need to pay separately through a new "extra usage" billing system, which for some meant cost increases of 50x or more compared to what they were paying before.
The OpenClaw creator, who had recently joined OpenAI, called it a betrayal of the open-source community. Anthropic said the restriction would extend to all third-party harnesses in the coming weeks.
The Bigger Picture
What happened with OpenClaw isn't just a story about one tool or one policy change. It's a preview of where things are heading. AI agents that operate autonomously on your behalf are going to become more common, and the security surface that comes with them is real.
Running an agent with access to your machine, your credentials, and your communication channels is a meaningful trust decision. The convenience is genuine — but so are the risks. Before you pipe your AI through any third-party harness, it's worth asking: what does this thing have access to, and what happens if that access gets abused?
The homelab crowd already knows the answer. Lock it down, isolate it, and don't expose more than you have to.
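One way to check the "don't expose more than you have to" part on a Linux host, as an added example that is not OpenClaw's own code: it parses listening-socket output and flags anything bound beyond loopback. The port 18000 and the sample lines are constructed placeholders, not values from OpenClaw or from this article.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output; not captured from a real host.
# Port 18000 is a placeholder for the agent gateway port (assumption).
SAMPLE_SS = """\
LISTEN 0 128 127.0.0.1:18000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:18000 0.0.0.0:*
LISTEN 0 128 [::1]:5432 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:9090 *:*
LISTEN 0 128 192.168.1.20:8443 0.0.0.0:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
"""

def split_addr(local):
    """Split 'host:port' from ss, dropping IPv6 brackets and %iface scope."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def classify(host):
    """Return how far a bind address reaches: loopback, lan, public, all-interfaces."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "public"

def audit(ss_output, gateway_port):
    """List non-loopback listeners; the gateway port off loopback is HIGH."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, port = split_addr(fields[3])
        scope = classify(host)
        if scope == "loopback":
            continue  # reachable only from the machine itself
        severity = "HIGH" if port == gateway_port else "review"
        findings.append((severity, port, host, scope))
    return sorted(findings)

if __name__ == "__main__":
    for severity, port, host, scope in audit(SAMPLE_SS, 18000):
        print(f"{severity:6} port {port:<5} bound to {host} ({scope})")
```

On a live host, pass it the output of `ss -tlnH` instead of the sample. A wildcard bind is a necessary condition for exposure, not proof of it, so firewall and router forwarding rules still need their own check.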
Final Thoughts
OpenClaw was a genuinely interesting piece of software that showed what's possible when you untether AI from a browser tab. It also demonstrated what can go wrong when a powerful tool is deployed without enough attention to security.
Anthropic's ban wasn't really about OpenClaw being dangerous — it was about compute costs. But the security conversation is the one that actually matters long-term. As AI agents become more capable and more embedded in our daily workflows, the question of how much access they have, and to what, is going to matter a lot.
Pay attention to that question now, while it's still easy to course-correct.