OpenClaw can do a lot, but it shouldn't have access to your tokens

#tutorials

OpenClaw (a.k.a. Moltbot, a.k.a. ClawdBot) went viral and became one of the most popular agentic harnesses in a matter of days.

Peter Steinberger had a successful exit from PSPDFKit, and felt empty until the undeniable potential of AI sparked renewed motivation to build. And he's doing it it non-stop.

OpenClaw approaches the idea of an Personal AI agent as a harness that communicates with you (or multiple users) in any of the supported channels in multiple sessions connected to the underlying computer through a gateway, which is ultimately responsible for running and maintaining.

A super entertaining narration of important events is available in OpenClaw's Lore doc page (worth a read!)

A security nightmare

Everyone wanted to start playing with what is clearly shaping how the future of Personal AI assistants could look like. However, people were running OpenClaw without even an afterthought to security. And that (of course) resulted in some not so funny preventable disasters:

As this TechCrunch article points out:

Right now, running Moltbot safely means running it on a separate computer with throwaway accounts, which defeats the purpose of having a useful AI assistant. And fixing that security-versus-utility trade-off may require solutions that are beyond Steinberger’s control.

The reason for this is, as you may have guessed, the lethal trifecta: the inherently dangerous combination of giving LLMs tools with the following characteristics:

Access to your private data
Exposure to untrusted content
The ability to externally communicate

As Simon Willison (who coined the term) explains:

LLMs are unable to reliably distinguish the importance of instructions based on where they came from. Everything eventually gets glued together into a sequence of tokens and fed to the model.

As a harness with "Full System Access" and "Browser Control" as flagship features,

you can see how OpenClaw checks the three boxes.

Securing OpenClaw

OpenClaw doesn't have to be limited to throwaway accounts though. Since it blew up, security has been one of the main focus points of OpenClaw's development, and you can leverage some of that today to get a secure experience in the harness. While this still requires you to be technically savvy, you can:

Use OpenClaw's tool policies to control which user and/or agent gets access to specific tools
Run it in a Sandbox
Use exec approvals to implement human-in-the-loop for specific tools that may have undesired side-effects
Use a detached tool-calling runtime like Arcade. Credentials never touch the harness, so there's nothing to leak.

Here's how to setup that last point in your OpenClaw instance:

First, clone the Arcade plugin:

git clone --depth 1 https://github.com/ArcadeAI/openclaw-arcade-plugin /tmp/openclaw-arcade

Then, install it into your OpenClaw gateway:

openclaw plugins install /tmp/openclaw-arcade/arcade

Go to your Arcade Dashboard to get and API key

copy it, and run this command to configure your Arcade API key:

openclaw config set plugins.entries.arcade.config.apiKey "{your_arcade_api_key}"

And this one to configure your Arcade User ID (this is the email you used to

sign up to Arcade):

openclaw config set plugins.entries.arcade.config.user_id "{your_arcade_user_id}"

Once the Arcade plugin is configured, initialize it to load all the tools, and

restart the OpenClaw gateway

openclaw arcade init
openclaw gateway restart

Now OpenClaw has access to 7,000+ tools, with tokens handled outside the harness. Nothing to exfiltrate.

Here's a screenshot of how this works when I talk to the Telegram bot connected

to my OpenClaw instance:

Final tips

Even with these precautions, OpenClaw is still early-adopter territory. Make sure to run this in a sandbox, a VPS, or even a dedicated computer. If you're sharing files to OpenClaw, make sure to set up the guardrails around the tools it can use, and be mindful of the accounts you log into in the browser it can control.