"You can make it safer by removing its claws, but then you've rebuilt ChatGPT with extra steps." β Aikido Security, on OpenClaw
We took their advice. We removed the claws. And the legs. And the body. What remains is NoClaw: a zero-dependency, zero-configuration, zero-risk AI agent framework that achieves 100% security by doing absolutely nothing.
In late January 2026, OpenClaw went viral β an open-source AI agent you run locally that connects to your email, calendar, messaging apps, files, and basically everything you own. It crossed 180,000 GitHub stars in a week. It caused a Mac mini shortage. It was, by all accounts, very cool.
It was also, by all accounts, a rolling catastrophe of cascading security failures the likes of which the infosec community had never seen compressed into a three-week window.
NoClaw is our answer to the question: "What if we just... didn't?"
| Feature | OpenClaw | ZeroClaw | NoClaw |
|---|---|---|---|
| GitHub Stars | 180,000+ | 12,000+ | 1β (Thanks, mom!) |
| CVEs | 6+ and counting | TBD | 0 |
| Marketplace skills that are malware | ~20% | N/A | 0% (N/A) |
| Internet-exposed instances found on Shodan | 40,000+ | Unknown | 0 |
| Government emergency advisories issued | 2 (Belgium, China) | 0 | 0 |
| Databases deleted | Probably some | Unknown | 0 |
| Messages sent to your wife at 3am | 500+ (see below) | Unknown | 0 |
| Install footprint | ~500MB | 3.4MB | 0 bytes |
| Boot time | ~30s | <10ms | β (never boots) |
| Memory usage | ~2GB | <5MB | 0 bytes |
| Security posture | "Weaponized aerosol" | "Smaller aerosol" | A reinforced-concrete bunker... burried in the depths of another bigger bunker... and another... and another... (you get the gist) |
| Access to your email | Yes | Yes | Absolutely not |
# That's it. You're done. NoClaw is now installed.No Docker. No npm. No TypeScript runtime. No Swift toolchain. No Rust compiler. No config files storing your OAuth tokens in plaintext JSON.
Advanced installation:
git clone https://github.com/noclaw/noclaw # it's advanced installation, you gotta clone, obviously
cd noclaw
cat run.mdRun it in your browser:
Don't like CLI (who does...), but still want to enjoy all the benefits of advanced installation? We got you covered! Now you can simply run noclaw in your browser.
We support all major browsers (except edge) and platforms out of the box. If you do manage to get it working on edge - please reach out, we'd love to update the compatibility matrix.
βββββββββββββββ
β β
β NoClaw β
β β
βββββββββββββββ
Compare this with OpenClaw's architecture, which a comprehensive security audit found to contain 512 vulnerabilities, 8 of them critical. Our audit found 0. Admittedly, we also have 0 lines of code, but that's kind of the point.
Buckle up. This all happened in about three weeks.
OpenClaw goes viral. 180,000 GitHub stars. 2 million visitors. Peter Steinberger becomes a folk hero. Mac minis sell out worldwide. Everyone is running a local AI agent connected to all their personal accounts.
Security researchers begin sweating.
Early versions of OpenClaw bind to 0.0.0.0:18789 by default, exposing instances to the entire internet. Simply searching Shodan for "Clawdbot Control" reveals thousands of live instances β credentials, API keys, private messages, all freely accessible.
CVE-2026-25253 drops. CVSS 8.8. A one-click remote code execution vulnerability that works even against localhost-bound instances. A victim clicks a link, the attacker gets their auth token via a WebSocket hijack, disables safety controls, and has full command execution. Belgium's Centre for Cybersecurity issues an emergency advisory. China's MIIT follows.
Meanwhile, security researchers discover ClawHavoc: a coordinated campaign where threat actors uploaded 1,184 malicious skills to ClawHub, OpenClaw's official skill marketplace. A single attacker uploaded 677 of them. Nearly 20% of the entire marketplace was malware.
The primary payload? Atomic macOS Stealer (AMOS) β a $500-$1,000/month malware-as-a-service tool that exfiltrates your browser credentials, Keychain data, SSH keys, Telegram sessions, and cryptocurrency wallets.
Security researcher Jamieson O'Reilly proved how trivial it was to exploit ClawHub by uploading a proof-of-concept skill called "What Would Elon Do?", gaming it to the #1 most-downloaded spot, and demonstrating it could execute arbitrary code on anyone who installed it. Cisco's AI Defense team scanned it and found 9 vulnerabilities: 2 Critical, 5 High, 2 Medium. Meanwhile, the real ClawHavoc malware skills silently ran curl to exfiltrate your data to clawbub-skill.com/log (note the typo β even the attackers were moving fast) while injecting prompts to bypass Claude's safety guidelines.
The #1 skill. On the official marketplace. Was a security researcher proving a point. The other 1,183 were actual malware.
Moltbook, the social network for OpenClaw agents (yes, really β a social network for AI bots), suffers a data breach. 1.5 million API tokens. 35,000 email addresses. 4,000 private messages. The cause? Row Level Security was turned off in Supabase, and the API key was hardcoded in client-side JavaScript.
Security researcher Jamieson O'Reilly demonstrates that exploiting exposed instances gives access to API keys, Telegram tokens, Slack accounts, months of chat history, and the ability to send messages on behalf of users and execute commands as system administrator.
135,000+ instances are now found exposed on the internet.
Infostealers begin specifically targeting OpenClaw config files: openclaw.json (gateway tokens), device.json (cryptographic keys), and soul.md (the file that contains the AI's personality and your private notes β because of course that's stored in a markdown file called soul.md).
When security researcher Jamieson O'Reilly contacted founder Peter Steinberger about the security issues, Steinberger reportedly replied that security "isn't really something that he wants to prioritize."
On February 14, 2026 β Valentine's Day β Steinberger announced he was joining OpenAI.
You can't make this up.
Our personal favorite. A developer gave OpenClaw access to iMessage during an ice storm. The agent treated his recent_contacts list as a target_list, sent 500+ messages to his wife and random contacts, got stuck in an infinite confirmation loop, and had to be stopped by physically pulling the power cord.
The confirmation dialog had no exit condition.
NoClaw's iMessage integration also has no exit condition, because it has no entry condition, because it doesn't exist.
"Basically a weaponized aerosol." β Gary Marcus, on OpenClaw
"It's like giving full access to your computer and all your passwords to a guy you met at a bar who says he can help you out." β Gary Marcus, still going
"Personal AI Agents like OpenClaw Are a Security Nightmare" β Cisco, blog title, not even trying to be subtle
"New OpenClaw AI agent found unsafe for use" β Kaspersky, keeping it simple
"Clawdbot Is What Happens When AI Gets Root Access" β Security Boulevard, nailing it
"The OpenClaw experiment is a warning shot for enterprise AI security" β Sophos, being diplomatic
"[AI agent integration at the OS level] is being done in ways that are very reckless and insensitive to cybersecurity and privacy basics." β Meredith Whittaker, President of Signal, on AI agents generally (before OpenClaw even went viral β they didn't listen)
"Without identity controls, activity tracking and data provenance safeguards, AI agents risk becoming the most dangerous insider threat." β Jack Cherkas, Global CISO of Syntax
"OpenClaw proves agentic AI works. It also proves your security model doesn't." β VentureBeat
"The S in 'vibe coding' stands for security." β Erik Cabetas, Include Security (there is no S in "vibe coding")
- Your email
- Your calendar
- Your iMessage / WhatsApp / Telegram / Signal / Slack / Discord
- Your files
- Your SSH keys
- Your browser credentials
- Your crypto wallets
- Your Keychain
- Your deepest secrets stored in
soul.md - The ability to execute arbitrary shell commands
- The ability to send messages as you
- The ability to read documents that contain hidden prompt injections that make it do all of the above without asking
NoClaw has access to:
- Nothing
Q: Can NoClaw send emails on my behalf? A: No.
Q: Can NoClaw accidentally expose my API keys to the internet? A: No.
Q: Can NoClaw's skill marketplace infect me with AMOS infostealer? A: NoClaw doesn't have a skill marketplace. Or skills. Or a marketplace.
Q: But I really want a local AI agent that can do things for me. A: We understand. We also want to eat cake for every meal. Some desires must be tempered by reality.
Q: Is NoClaw web-scale? A: NoClaw is every scale. NoClaw is no scale. NoClaw is the void.
Q: Can I install NoClaw on my Raspberry Pi? A: NoClaw is already on your Raspberry Pi. NoClaw is everywhere and nowhere. NoClaw is the absence of software. You have been running NoClaw your entire life.
Q: How does NoClaw compare to SecureClaw? A: SecureClaw is an open-source tool that runs 55 automated security checks on your OpenClaw installation. NoClaw runs 0 checks on your 0 installations and achieves the same result.
Q: I ran OpenClaw and now Belgium has issued an emergency advisory about me. A: That's not a question, but we're sorry to hear that.
None.
(That's the whole section.)
Threats β NoClaw β (nothing happens)
Compare with OpenClaw's threat model, which MITRE ATLAS investigated and found seven new attack techniques unique to the platform. MITRE had to invent new categories of attack to describe what was happening.
NoClaw's MITRE ATLAS entry is a blank page. We're very proud of it.
"I installed NoClaw three weeks ago. My API keys are still secret. My wife has not received 500 messages. Belgium has not contacted me. This is the best AI framework I've ever used." β A satisfied user
"Since switching from OpenClaw to NoClaw, the number of government emergency advisories about my personal computer has dropped to zero." β Another satisfied user
"NoClaw is what happens when you take the 'move fast and break things' philosophy and apply the brakes." β Us
NoClaw is not accepting contributions at this time, as any code would technically be a vulnerability.
If you'd like to contribute, please ensure your pull request:
- Contains no code
- Introduces no dependencies
- Does not bind to
0.0.0.0on any port - Does not store OAuth tokens in plaintext JSON
- Does not create a skill marketplace where 20% of entries are malware
- Do nothing (v1.0) β shipped
- Continue doing nothing (v2.0) β in progress
- Do nothing, but in Rust (v3.0) β planned
- Do nothing on RISC-V (v4.0) β stretch goal
We'd like to thank:
- Peter Steinberger for creating OpenClaw and demonstrating, at scale, why you shouldn't give an AI agent access to everything you own
- The ClawHavoc threat actors for proving that if you build a skill marketplace with no security review, 20% of it will be malware within a week
- The 135,000+ people who exposed their OpenClaw instances to the internet, for providing the security research community with endless material
- Belgium for being the first country to issue an emergency advisory about a personal AI chatbot
- Gary Marcus for the phrase "weaponized aerosol," which we will never stop using
- The developer who had to pull his power cord to stop his AI from texting his wife, for the most relatable moment in AI history
- Moltbook for showing us what happens when you hardcode your Supabase API key in client-side JavaScript and turn off Row Level Security on a database containing 1.5 million tokens
MIT β Not that it matters. You can't have vulnerabilities in software that doesn't exist.
NoClaw: because the only winning move is not to play.
For those who want to understand the full scope of the OpenClaw security crisis:
- Why Trying to Secure OpenClaw is Ridiculous β Aikido Security
- Personal AI Agents like OpenClaw Are a Security Nightmare β Cisco
- OpenClaw proves agentic AI works. It also proves your security model doesn't. β VentureBeat
- What Security Teams Need to Know About OpenClaw β CrowdStrike
- The OpenClaw security crisis β Conscia
- New OpenClaw AI agent found unsafe for use β Kaspersky
- The OpenClaw experiment is a warning shot for enterprise AI security β Sophos
- Running OpenClaw safely: identity, isolation, and runtime risk β Microsoft
- MITRE ATLAS OpenClaw Investigation β MITRE
- OpenClaw β Wikipedia β for the full history