Security Flaws Expose Over 12,000 Instances
The promise of a personal AI agent with broad system permissions has proven to be a double-edged sword for OpenClaw users. A security analysis by STRIKE revealed that over 40,000 OpenClaw instances are currently exposed to the public internet, with a staggering 63% containing exploitable vulnerabilities. This has left more than 12,000 instances susceptible to remote control by malicious actors.
The risks became tangible in February 2026 with the 'ClawHavoc' supply chain attack, in which 1,184 malicious skills were injected into the ClawHub marketplace, ultimately affecting over 135,000 devices. Compounding the issue, a high-risk vulnerability dubbed 'ClawJacked' allows malicious websites to silently hijack locally running OpenClaw agents: binding to the local machine is no protection when any page open in the user's browser can reach the agent. The severity of these threats has prompted major technology companies, including Google, Meta, and Anthropic, to ban the framework's use internally, signaling a major loss of confidence in its current security posture.
High API Costs Create Unexpected Financial Drain
Beyond security concerns, users are discovering that running an effective OpenClaw agent carries a significant and often unforeseen financial burden. The framework itself is free, but its intelligence is powered by external large language models (LLMs) such as GPT or Claude, which bill per token of text sent to and generated by the model. Because each call is billed on the full prompt, including whatever context the agent carries forward, complex tasks, multi-step operations, and long-term memory functions cause token consumption to escalate rapidly rather than linearly with the number of steps.
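To make that escalation concrete, the following is an added illustration, not OpenClaw's code and not any provider's real price list: it models the common agent-loop pattern in which every step re-sends the system prompt plus the entire accumulated history, so cumulative input tokens grow quadratically with the step count. The `Pricing` values, the token sizes, and the `max_history` truncation knob (standing in for a summarisation or context-window strategy) are all assumptions chosen for the example.

```python
"""Added example (not OpenClaw's code): why an agent run's token bill grows
faster than its step count, and how bounding carried-forward context tames it.
All prices and token counts below are assumed placeholders, not real rates."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pricing:
    input_per_million: float   # assumed currency units per 1M input tokens
    output_per_million: float  # assumed currency units per 1M output tokens


def simulate_agent_run(
    steps: int,
    system_prompt_tokens: int,
    tool_result_tokens: int,
    output_tokens: int,
    pricing: Pricing,
    max_history: Optional[int] = None,
):
    """Simulate a tool-using agent loop.

    Each step sends system_prompt_tokens plus the whole history so far as input,
    receives output_tokens, then appends both the model output and the tool
    result to the history. If max_history is set, history is clipped to that
    size after each step (a stand-in for summarisation / a sliding window).

    Returns (total_input_tokens, total_output_tokens, cost).
    """
    history = 0
    total_input = 0
    total_output = 0
    for _ in range(steps):
        prompt = system_prompt_tokens + history
        total_input += prompt
        total_output += output_tokens
        history += output_tokens + tool_result_tokens
        if max_history is not None and history > max_history:
            history = max_history
    cost = (
        total_input / 1_000_000 * pricing.input_per_million
        + total_output / 1_000_000 * pricing.output_per_million
    )
    return total_input, total_output, cost


def cost_growth_ratio(steps: int, pricing: Pricing, **kwargs) -> float:
    """Ratio of cost for 2*steps to cost for steps. A linear bill gives 2.0;
    the unbounded-history loop gives more, because input grows quadratically."""
    _, _, base = simulate_agent_run(steps, pricing=pricing, **kwargs)
    _, _, doubled = simulate_agent_run(2 * steps, pricing=pricing, **kwargs)
    return doubled / base


if __name__ == "__main__":
    # Assumed placeholder prices: 3.0 per 1M input tokens, 15.0 per 1M output.
    price = Pricing(input_per_million=3.0, output_per_million=15.0)
    common = dict(system_prompt_tokens=1000, tool_result_tokens=500, output_tokens=200)
    for n in (10, 20, 40):
        unbounded = simulate_agent_run(n, pricing=price, **common)
        bounded = simulate_agent_run(n, pricing=price, max_history=1400, **common)
        print(f"{n:3d} steps: unbounded in={unbounded[0]:7d} cost={unbounded[2]:.4f} | "
              f"bounded in={bounded[0]:7d} cost={bounded[2]:.4f}")
    print("doubling steps multiplies cost by", round(cost_growth_ratio(10, price, **common), 2))
```

The point the numbers make is that doubling the length of a task more than doubles its cost when history is carried forward unbounded, which is exactly the "long-term memory" behaviour the paragraph above describes; capping or summarising carried context is the main lever a user has besides switching to a cheaper model.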
Reports have surfaced of users accumulating bills of over 1,000 RMB in just six hours under heavy use. More conservative estimates place the monthly cost for a dedicated, high-frequency user at several hundred to over a thousand RMB. This creates a difficult trade-off: using less capable, cheaper models results in a poor user experience, while powerful models can lead to unsustainable expenses, a far cry from the idea of a free AI assistant.
Steep Technical Barrier Hinders Mainstream Adoption
Despite its viral popularity, OpenClaw remains far from a consumer-ready product. Released in November 2025, the project is still in a raw, rapidly iterating phase. Its installation and configuration require a level of technical expertise far beyond that of the average user, involving command-line operations, environment setup, and API key management. The difficulty is so pronounced that a cottage industry has emerged on platforms like Xianyu, where technical experts charge 500 RMB for a one-time installation service.
The project's founder, Peter Steinberger, has acknowledged that the agent is not a plug-and-play solution.
Lobster is not something you install and it just works; you need to 'raise' it like an intern.
— Peter Steinberger, Creator of OpenClaw
This need for continuous training and a complex setup process underscores that OpenClaw is currently a powerful prototype for developers and technical hobbyists, not a polished tool for the mass market. The gap between its potential and its usability remains a critical obstacle to widespread adoption.