
Who is "possessing" your Mac?

科技不许冷 · 2026-02-02 16:08
One week after launch, 60,000 stars, two name changes: Uncovering the security black hole behind the OpenClaw craze.

If you find your computer or phone in a "semi-automatic" state, stay vigilant.

Recently, thousands of geeks have handed over the highest administrative privileges of their computers to an AI that has been online for less than 168 hours and doesn't even have a stable name yet. This project called OpenClaw has amassed 60,000 stars in just one week, and even got a public endorsement from Silicon Valley big shot Andrej Karpathy.

But this is by no means an ordinary efficiency tool. It's a cyber adventure about "power usurpation."

For most ordinary people who don't use GitHub, you just need to know that this so-called "digital employee" is bypassing your firewall and exposing your privacy, layer by layer, to hackers around the world. This is not only the disillusionment of the AI myth but also the most dangerous "running naked" moment at the beginning of 2026. From its sudden popularity to two name changes, OpenClaw has torn apart the "efficiency" emperor's new clothes of the AI agent industry in the most radical way.

The Vanishing Trust Boundary: Your "Butler" Is Letting the Wolves In

OpenClaw claims to be a so-called "orchestration layer." It can book tickets, manage finances, and reply to emails for you through communication tools like WhatsApp, iMessage, or even Slack. To achieve this all-round functionality, it needs to reside on your Mac mini or private server and gain deep-seated system control.

What does this mean? It means you're not installing a piece of software but hiring an orchestrator at home who has no ID and leaves the back door open to everyone at all times.

The background of founder Peter Steinberger adds an elite touch to this project: he sold PSPDFKit for about $119 million and developed this tool out of "boredom" after achieving financial freedom. However, there is a natural mismatch between this "geek experiment after wealth freedom" and strict corporate security. According to the latest data from security agency Token Security, within a week of OpenClaw's popularity, 22% of corporate employees have privately given access to this "digital assistant" without any IT audit. Researchers found that hundreds of OpenClaw control panels on the public network are completely "unprotected," and the default-open port 18789 doesn't even have basic authentication.

Imagine hiring a private butler who not only doesn't lock the door but also posts a sign at the door saying: I'm your butler, and I know where all the bank cards and safe keys in this house are. Feel free to come in and ask.

The Deadly MCP Protocol: "Usurpation" Can Be Achieved with One Email

At the technical bottom layer, OpenClaw uses the currently popular MCP (Model Context Protocol) to achieve cross-application execution. However, there is a serious "trust collapse" in its implementation logic: it trusts all local connections by default without considering that modern network traffic is generally forwarded through reverse proxies.
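To make that trust collapse concrete, here is an added illustration written for this article (not OpenClaw's code, and not O'Reilly's test): a "trust anything from loopback" policy beside a token-based one, run against constructed requests that arrive through a same-host reverse proxy. The `Request` shape, header names and bearer token are assumptions of the example.

```python
"""Added illustration (not OpenClaw's code): why "trust every local connection"
breaks behind a reverse proxy. All names and sample requests are constructed."""
from dataclasses import dataclass, field
import ipaddress
import hmac


@dataclass
class Request:
    peer_ip: str                      # TCP peer as seen by the agent process
    headers: dict = field(default_factory=dict)


def loopback_trust(req: Request) -> bool:
    """Weak policy described in the article: any connection arriving from the
    loopback interface is treated as the owner and needs no credentials."""
    return ipaddress.ip_address(req.peer_ip).is_loopback


def token_trust(req: Request, expected_token: str) -> bool:
    """Hardened policy: the peer address is never a credential. Every request,
    local or not, must carry a bearer token compared in constant time."""
    auth = req.headers.get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(token, expected_token)


def requests_behind_proxy(client_ips):
    """A reverse proxy on the same host terminates the client's connection and
    re-connects to the agent from 127.0.0.1, so the real client address
    survives only as an untrusted header (assumed X-Forwarded-For here)."""
    return [Request("127.0.0.1", {"X-Forwarded-For": ip}) for ip in client_ips]


def count_granted(policy, reqs) -> int:
    """How many requests a policy lets through without further checks."""
    return sum(1 for r in reqs if policy(r))


if __name__ == "__main__":
    # Constructed sample: two arbitrary internet clients plus the actual owner.
    internet = requests_behind_proxy(["203.0.113.7", "198.51.100.9"])
    owner = Request("127.0.0.1", {"Authorization": "Bearer s3cret-example"})
    everyone = internet + [owner]
    print(count_granted(loopback_trust, everyone))                              # 3
    print(count_granted(lambda r: token_trust(r, "s3cret-example"), everyone))  # 1
```

Behind the proxy every request looks "local", so the loopback policy admits all three callers while the token policy admits only the owner.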

What does this mean? It means you receive an ordinary spam email. You don't open any attachments or click on any phishing links.

Just because your AI assistant scans the email content in the background, the instructions buried in the text by hackers will instantly "take over" the AI's brain. Security expert Jamieson O'Reilly found in actual tests that the collapse of this "internal trust model" allows attackers to induce the AI to obediently hand over the SSH private key of the server through prompt injection. In the eyes of experts, this "cognitive context theft" is more terrifying than traditional viruses: it takes advantage of your trust in the tool and strikes through the tool's own legitimate permissions, at a moment that looks entirely legitimate.

Even more absurd is its fragile supply-chain ecosystem. O'Reilly demonstrated a textbook-level attack: he uploaded an unaudited plugin to the skill library and tricked 16 developers from 7 countries just by inflating the download volume. In this ecosystem, the code is neither audited nor signed, and users' blind trust in plugins is based only on false download data.

The Truth of the Computing Power Tax: This "Assistant" Is More Expensive Than a Real Person

Many people try OpenClaw because of its "open-source and free" nature, but they don't know it's a "super money-shredder" in an AI shell.

Different from the $20 monthly subscription system, OpenClaw connects to the developer APIs of big companies, and each instruction is charged by usage. Since the agent needs to repeatedly read your previous conversation records, local files, and personal preferences, this "context memory" will cause the Token consumption to get out of control like a snowball.

Let's do a painful calculation. Just to get it up and running, the API fees for repeatedly debugging the environment can cost $10. If you let it summarize news and clean up to-do lists for you every day, the average monthly cost will easily exceed $30, not including the electricity cost of the additional hardware you bought to run it. If you pursue the highest efficiency and use the top-level model recommended by developers, even just asking "why this news was excluded" will cost 64 cents per query.

This high cost directly punctures the false bubble of "AI efficiency improvement." You spend thousands of dollars on a Mac mini and pay hundreds of dollars in "computing power tax" every month, only to get a digital assistant that replies to emails for you and may leak your bank card number at any time. Is this really productivity or just a "geek IQ tax" paid to computing power giants?

Vulnerability Under the Shadow of Giants: The Power Struggle of a Lobster Shedding Its Shell

During this week's frenzy, the two suffocating name-change incidents were the climax of this commercial farce.

It was originally named Clawdbot. Because the name was too similar to Claude, it was scared into changing its name overnight by a "politely worded" legal email from Anthropic. Then it was renamed Moltbot, and as a result, its GitHub account and social media handles were instantly hijacked by malicious bots. Immediately afterwards, the fake coin $CLAWD was launched in the chaos, and it crashed after instantly harvesting a market value of $16 million.

This scene is extremely ironic: a project dedicated to achieving full automation through AI and claiming to change the future is actually so vulnerable in the face of real-world power struggles. This proves that in the current AI ecosystem, the so-called "open-source freedom" is still just a floating weed parasitic on the interfaces of big companies. Giants don't need to use technical blockades; they just need to send a lawyer's letter to make a popular project "socially dead" in the real world.

From a logical attribution perspective, this vulnerability is inevitable. According to Gartner's prediction, by the end of 2026, 40% of enterprise applications will integrate AI agents. This wild growth caused by "efficiency anxiety" leads developers to rush to grant external authorization before the security foundation is solid. The trouble Peter Steinberger encountered is actually the irreconcilable pain between the rapid expansion period of the entire industry and traditional intellectual property rights and traditional security models.

Finally

The rise and fall of OpenClaw is a powerful wake-up call for the AI agent industry in 2026.

It reveals a cruel fact: a real "digital assistant" is not just stuffing a large-scale model into a script with the highest privileges. This development logic, which lacks identity governance and encryption isolation and trusts all internal traffic by default, is putting tens of thousands of sensitive assets within the reach of hackers.

The AI agent is trying to evolve from a simple dialog box to a form of "operating system," which is exciting but also means that the security boundary must be upgraded from "preventing the generation of spam" to "preventing system identity usurpation."

Don't let your digital butler become the one who leads the wolves into the house. In the Agent era, the biggest security vulnerability has never been the code but trust itself.

This article is from the WeChat public account "Technology Can't Be Cold," author: Technology Can't Be Cold, published by 36Kr with authorization.