The first victims of OpenClaw have emerged! 4 security basics you must know before installation.

Author: JackCui

Recently, some people have become so addicted to OpenClaw that they have completely ignored security issues.

This resulted in the credit card being stolen and used fraudulently, causing significant losses.

VNC is completely unprotected; anyone can log in, directly control the browser, log into their Google account, and log into their linked credit card. This isn't considered a hacker attack; it's practically a buffet.

Others have suffered from virus infections, with their Apple devices hijacked and various cloud backup information on their phones, computers, and tablets stolen.

OpenClaw has become a hit, and hackers are celebrating; now they finally have a live target.

So how exactly can we use OpenClaw safely?

Today, I'll be going to give you a rundown of some important points to note.

OpenClaw malicious installer

Beware of fake websites ; yes, counterfeit goods are now appearing at the source.

These websites have UIs that closely resemble the official website, but there's no guarantee what you'll install.

Therefore, be sure to visit the official OpenClaw website:

https://openclaw.ai/

Not a single word can be missing! Not a single word can be missing! Not a single word can be missing!

Some of you might be wondering, what happens if we miss just one character?

For example, here is the npm installation command from the OpenClaw official website:

The command-line code to install OpenClaw is as follows:

If you see an installation command like this somewhere (DO NOT run it, DO NOT run it): npm i -g openclawai

You still feel there's no problem? OpenClaw + AI, putting them together makes perfect sense.

Then you've fallen for the trap. The result is that installing Openclawai is actually deploying a Remote Access Trojan (RAT).

It can steal everything you can from your macOS, leaving nothing behind.

This is a malicious npm package called @openclaw-ai/openclawai that was recently discovered by the security research firm JFrog.

This package disguises itself as an OpenClaw installer, directly implanting a virus into your system, and 178 people have already fallen victim to it.

What's even more bizarre is that, in addition to providing on-site OpenClaw installation, they've even started offering "USB installers."

It claims that as long as you plug the USB drive into your computer, it can automatically install OpenClaw for you.

I just want to ask you this: Would you really dare to buy a USB drive of unknown origin online and then plug it into your computer that is full of data, accounts, work files, and even bank cards and various private information?

You might think you're buying an "installer," but nobody knows what might be inside: OpenClaw, a Trojan, a backdoor, remote control, or even a whole suite of unknown risks that could just hand over your computer.

It's worth noting that in the early days, USB flash drives were one of the main ways computer viruses spread.

So, how can OpenClaw be used safely?

My suggestion is:

Alternatively, you can install it manually.

The prerequisite is that you need to know some basic technology. You can find a blogger who knows technology and follow their tutorials first.

The criterion is that you need to know how to run the command line, how to check the netstat status, and whether the command you run will expose your service to the public internet.

Or just use what's readily available.

For example, Zhipu's AutoClaw and Kimi's Kimi Claw use the simple one-click start method provided by our domestic manufacturers.

AutoClaw is installed and deployed locally, and its underlying model is its own GLM-5:

Official website address:

https://autoglm.zhipuai.cn/autoclaw/

Kimi Claw is deployed in the cloud, and its underlying model is its own Kimi-k2.5.

Official website address:

You can choose according to your own preferences, but installation is only the first step. You must be aware of the following four points in advance.

OpenClaw Safe Usage

First piece of advice: Absolutely do not use your personal computer.

Let me start with something that happened yesterday. Not long after version 3.7 was released, the development team immediately released the stable version 3.8 yesterday afternoon.

The 3.8 update log includes over 12 security fixes.

This software has been released for less than a year, so it must have many vulnerabilities that need to be fixed, and these are relatively high-risk vulnerabilities.

We can wait for it to be optimized further, since its permissions are just too high.

After all, it can read your emails, browse your browser, and control your mouse and keyboard at any time.

Second piece of advice: Never, ever open your public network ports.

My friend made a tool to check public network exposure. It can directly search whether the crayfish you deployed is exposed to the public network.

https://openclaw.allegro.earth/

You can check it now.

The older version of OpenClaw had a default configuration that many people ignored after installation:

The default listening address is 0.0.0.0:18789.

This means that your computer can be accessed by other devices on the local area network, and if it also has a public IP address, the information may even be directly exposed to the public internet.

This is one of the reasons why many companies strictly prohibit the deployment of OpenClaw, because most companies have public IP addresses.

If you deploy Openclaw but use the default configuration, it's no different from leaving your own door wide open and letting anyone in.

To be honest, I was stunned when I first saw so many default configurations. I flipped through a few pages on the website and found that domestic IPs like Tencent Cloud, Baidu Cloud, and Alibaba Cloud all used the same port, 18789.

Therefore, I urge everyone to always use authentication, avoid running without authentication, and never open your public network ports!

Third piece of advice: Never, ever install unfamiliar skills.

Many people find that after installing the lobster, it's not enough for it to do everything on its own. To get it to work, you need to install the corresponding skills.

Most people also know to go to the official website to find it.

Some people will simply let the lobster search for "Skill" online.

The skill information for lobsters can be found online.

The sources are mostly uncontrolled; they come from all over the place. And no one checks what's actually in the Skills.

Even if you go to the official Skills store Clawhub, it's not necessarily safe.

It's worth noting that there are currently 18,931 skills on Clawhub.

Even if you watch 100 a day without eating or drinking, it would still take you half a year to finish watching them all.

The official team is also reviewing them, and they have deleted a batch before, but a large number of new skills are uploaded every day, and the review process simply cannot keep up with the speed.

Some skill publishers even use scripts to artificially inflate download numbers.

You open a Skill app and see that it has over 3,000 downloads. You think to yourself, "With so many people using it, it must be fine."

But unexpectedly, it would tamper with something subtle in the .md document.

They might secretly add a string of preconditions, using Base64 encoding to disguise and steal your password information.

It could also be by embedding a backdoor directly in the code, or by directly targeting the dependencies.

At best, it will install a mining script on your computer, causing it to consume excessive power and using your CPU and GPU to make money for others.

In severe cases, they might steal your main API key and then use it to make numerous calls, burning through your entire token balance.

So please, please, please do not install unfamiliar skills.

Look, some fans in the group have started making fun of this meme. Of course, it's just a meme and won't actually send red envelopes automatically, but it will indeed consume a lot of tokens.

Fourth suggestion: Be sure to set a limit on the amount of tokens that can be used to avoid wallet losses.

Of course, most people can't directly control the rate at which tokens are consumed in Lobster.

Because it calculates the number of tokens and the amount of money spent each time it is called, there is no limit to how many lobsters it costs.

It only cares about doing the work; whether it spends a lot or a little is not within its scope of responsibility.

If you don't want to watch your balance evaporate, you should set a limit on the API Key you can top up on the platform in advance, or choose a package that meets your requirements to prevent excessive spending.

In addition to the package limit, there's another habit to cultivate: regularly check your token usage history.

Most platforms have call logs, which allow you to see the daily and hourly consumption.

If a consumption peak occurs at a certain time period that you don't remember, such as a sudden large number of calls at 3 a.m., or the token consumption of a certain task is much higher than usual.

Immediately pause the running task, then go to the platform to undo or reset the API Key, and then investigate which skill triggered it.

End

Behind each of the above suggestions are real and tragic cases, and the Ministry of Industry and Information Technology also issued a security warning as early as February this year.

Perhaps it's because our generation has become accustomed to handing over more and more permissions for convenience, such as mobile apps, cloud syncing, and automatic backups, but Lobster is different.

Given the current chaotic situation surrounding lobsters, cases of people being scammed are likely to increase.

Therefore, we must take precautions before consuming lobsters.

To avoid the day when improper use of lobsters leads to silent tears from loved ones.