OpenClaw’s local agent design is useful, but skills are the risk
OpenClaw uses a daemon to take messages from WhatsApp, Telegram, and email, then send them into the AI core. Its memory is stored as normal SOUL.md / MEMORY.md files, so a person can open them and search through them. Extra abilities come from modular skills downloaded through ClawHub.
The openclaw onboard command can start the setup in one step. The useful part is that decisions and memory can be traced back to files on the user’s own computer. The main danger is that a SKILL.md can contain instructions and code from strangers, yet the agent treats it as trusted.
In February 2026, a campaign called ClawHavoc placed about 1,184 harmful skills on ClawHub, including data theft, macOS stealers, and reverse shells hidden inside normal-looking files. A review of about 31,000 found that about 26% had at least one , and a researcher showed that one fake email could make an agent reveal its config file, including API keys and a gateway token, through .
Key points
- OpenClaw connects messaging apps, local , and add-on skills into one agent setup.
- SOUL.md / MEMORY.md make the agent’s memory readable and searchable by the user.
- ClawHub skills are convenient, but trusting a SKILL.md from strangers creates the main security risk.
- ClawHavoc put about 1,184 harmful skills on ClawHub in February 2026.
- A fake email could expose API keys and a gateway token through .