The Day OpenClaw Was Installed for Free

March 6, 2026 · 9 min read

On March 6, 2026, something deeply surreal happened outside Tencent’s tower in Shenzhen: hundreds of people lined up so Tencent Cloud engineers could install OpenClaw for them for free. Some brought their kids. Some showed up for family members. Some did not even know what an API was. The press coverage bragged that users ranged from age 2 to 60, as if that were proof of healthy mass adoption instead of a warning siren.

My reaction to that story was not “AI is finally becoming accessible.” It was that this looked less like democratization than outsourced risk: the setup outsourced to engineers, the judgment outsourced to tutorials, and the consequences left with users.

Because OpenClaw is not some harmless new toy. It can read your email, change your files, run your scripts, drive your browser, connect to your accounts, and act in your name. What you hand over is not the permission set of a normal app. It is a master pass into your digital life.

The whole scene felt like those old street stalls offering to jailbreak your iPhone for free. The difference is that a jailbroken iPhone mostly got you pirated apps. OpenClaw can genuinely do things for you - and just as easily let someone else do things to you, with the cost showing up not as inconvenience but as loss of control.

At least a jailbroken iPhone did not sign you up for dating apps on its own.

What was being installed that day was not just OpenClaw.

Attendees were even handed a “little lobster birth certificate.” It was exactly the kind of detail modern tech promotion loves: make a serious thing cute enough, and the risk starts to read like part of the atmosphere.

What should have been front-loaded - permission explanations, security warnings, basic boundaries of use - was replaced by a mood that was easier to share. The warnings became atmosphere. The barrier became “service.”

I am not against broad access to technology. I am not against more people trying AI agents. But lowering the barrier to use and helping people skip the barrier to understanding are not the same thing.

Installing OpenClaw is supposed to force a few uncomfortable but essential questions on you:

  • What is an API key, and why is exposing it a terrible idea?
  • What does it actually mean to put a service on the public internet?
  • Why are ports, firewalls, and authentication not something you can reduce to “just click next”?
  • Why are third-party skills not just “plugins,” but part of a supply-chain trust problem?

Those questions look like friction. In reality, they are the last guardrail. They are the system asking: do you actually understand what you are about to run? If the answer is no, the sensible conclusion is not “have someone install it for you.” It is “do not run it yet.”

That is what made March 6 revealing. Bloggers, platforms, and a cloud vendor did not really lower the risk. They lowered the user’s felt cost of ignoring it. Something looking easier is not the same thing as something becoming safe.

What a “three-step tutorial” does best is turn risk into a detail.

What is unsettling is not the existence of tutorials. It is the tutorial genre itself: “beginner-friendly,” “zero setup,” “one click,” “three easy steps.” Every line is optimized to reduce hesitation. Almost none of it is optimized to build a sense of risk.

“Just paste in your API key and you’re good to go”

The worst part of that sentence is not the simplification. It is the disguise.

It takes a real key and frames it like a harmless activation code.

An API key is often tied directly to your paid account, model usage, and automation privileges. Whoever gets it can spend your money, hit your models, and execute actions in your name. If OpenClaw stores config in plaintext, and your instance is exposed to the internet, then you are not “entering a parameter.” You are taping your wallet and credentials to the front door.

“Deploy it to the cloud so you can use it anywhere”

“Anywhere” includes attackers.

According to the public research cited below, by February 2026 there were already more than 220,000 exposed OpenClaw instances online. More than 15,000 were confirmed to allow remote code execution. In one independently validated sample, 93.4% had authentication bypass flaws.

That number does not just tell you OpenClaw is popular. It tells you a huge number of people are hanging a high-permission agent out on the internet like wet laundry and calling it progress. More revealing is how often this happens with tutorials cheering from one side and cloud promotion cheering from the other.

“Install a few hot skills from ClawHub and double your productivity”

Translated into plain English, that means: go to a marketplace you cannot audit, install packages you cannot inspect, and hope luck is on your side.

The research cited in the original article says roughly 20% of ClawHub skills were malicious. A supply-chain campaign called “ClawHavoc” reportedly planted more than 1,184 malicious skills on the platform. Those skills enabled prompt injection, reverse shells, credential theft from config files, and even malware built to steal passwords and wallets.

Users think they are installing capability. In many cases, they are installing a backdoor.

“It can manage your email, calendar, and files for you”

“Free your hands” is a seductive line. Flip it over and it means something else: lose control.

What you are granting is email access, file access, calendar access, chat access. What an attacker sees is a map. A system with persistent memory, external connectivity, and deep permission integrations is not only capable of doing things for you. It is capable of doing things you never intended.

Permissions are not just a feature list. They are an attack-surface list.

What gets skipped is the understanding.

I am not mocking people who do not know how to install OpenClaw. If anything, not knowing may be a sign that you do not yet understand it well enough to use it safely - and that is exactly why this matters. The problem is not ignorance by itself. The problem is ignorance that has already been ushered online.

The annoying parts of setup are not random inconveniences. They are where you are forced to confront API keys, public exposure, firewalls, privilege boundaries, skill provenance, and authentication. These are not minor UX flaws. They are the line between knowing what you are doing and setting yourself up to get burned.

Those “babysitter tutorials” and “one-click deployments” look like help. Often they are just a way to let people skip the exam without learning the material. The system comes online, sure, but you still do not know whether the port is open, whether the config leaked, whether the skill is malicious, or whether the agent’s memory has already been poisoned. What you gain is usually a cheap feeling of competence, not actual control.

Technology becoming democratic is a good thing. But the precondition for democratic technology is informed consent, not ignorance.

What is being sold here is a dangerous feeling of ease.

I am not against OpenClaw. I am not against AI agents becoming mainstream.

I do not object to OpenClaw itself. I object to the sales pitch: turn it into a traffic product for “three easy steps,” fold away the few pages that actually determine the risk, let bloggers farm views, let platforms farm engagement, let cloud vendors farm deployments, and leave the consequences to the ordinary user who does not even know what a port is.

If you really want to use OpenClaw, do at least three things first:

  1. Do not expose the service to the public internet unless you know exactly what you are doing.
  2. Do not install skills from untrusted sources, especially not just because they are popular.
  3. Understand every permission you grant, because every “allow access” button opens a path that can be exploited.
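The three rules above, plus the plaintext-key point from the API key section, can be turned into a pre-flight check you run before the service ever goes online. This is an added illustration, not OpenClaw's own code: the config layout, the `env:`/`secret:` reference convention and the sample values are all constructed for the example, since the article does not describe the real config format.

```python
import ipaddress

# Hypothetical, simplified config layout constructed for this example; it is not
# OpenClaw's real config format, which the article does not describe.
SAMPLE_CONFIG = {
    "listen": {"host": "0.0.0.0", "port": 8080},                   # every interface
    "auth": {},                                                     # no token at all
    "credentials": {"llm_api_key": "sk-EXAMPLE0000000000000000"},  # literal key in the file
    "skills": [{"name": "hot-skill", "source": "marketplace:unknown-author"}],
}
TRUSTED_SOURCES = {"local:reviewed"}  # only sources whose skills you have actually audited

def is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8, ::1 or 'localhost'; '' and '0.0.0.0' mean all interfaces."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"

def is_secret_reference(value) -> bool:
    """A credential belongs in the file only as a pointer (env var or secret store), never literally."""
    return isinstance(value, str) and value.startswith(("env:", "secret:"))

def audit(config: dict, trusted_sources: set) -> list:
    """Return (severity, message) findings for the three rules; an empty list means all clear."""
    findings = []
    host = config.get("listen", {}).get("host", "")
    if not is_loopback(host):  # rule 1: do not expose the service to the public internet
        if config.get("auth", {}).get("token"):
            findings.append(("warning", f"service listens on '{host}'; confirm a firewall fronts it"))
        else:
            findings.append(("critical", f"service listens on '{host}' with no auth token"))
    for name, value in config.get("credentials", {}).items():  # plaintext API key check
        if not is_secret_reference(value):
            findings.append(("critical", f"credential '{name}' is stored in plaintext"))
    for skill in config.get("skills", []):  # rule 2: no skills from untrusted sources
        src = skill.get("source", "")
        if src not in trusted_sources:
            findings.append(("warning", f"skill '{skill.get('name')}' comes from unvetted source '{src}'"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG, TRUSTED_SOURCES):
        print(f"[{severity}] {message}")
```

Rule 3 (understanding each permission) is a human step and is deliberately not automated here; the script only catches the configuration mistakes the tutorials gloss over.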

Responsible adoption does not mean sanding down every barrier. It means explaining the risks honestly, making the defaults safer, and writing “this thing is dangerous” in a place people can actually see it. It does not mean pushing people online first and adding a disclaimer afterward.

OpenClaw’s own documentation contains a line more honest than most tutorials:

There is no “perfectly secure” setup.

If even the developers will not promise perfect safety, then every tutorial that frames it as “just install it and relax” deserves a lot more suspicion.

The line on March 6 was long. The atmosphere looked exciting.

But excitement has never been a synonym for safety. Most of the time, it just means the people who got burned have not spoken yet; by the time they do, the views have already been counted and the recommendation slot has already moved on to the next thing.

References

  1. Sina Tech, “Tencent offered free OpenClaw installation outside Tencent’s campus and handed out ‘little lobster birth certificates’”, 2026-03-06.
  2. Bitsight, “OpenClaw AI Security Risks: Exposed Instances”, 2026-02-06.
  3. Penligent, “Over 220,000 OpenClaw Instances Exposed to the Internet”, 2026-03.
  4. SecurityScorecard STRIKE Team, OpenClaw Internet-Wide Exposure Report, 2026-02.
  5. Kaspersky, “New OpenClaw AI Agent Found Unsafe for Use”, 2026-02.
  6. Cisco Blogs, “Personal AI Agents like OpenClaw Are a Security Nightmare”, 2026-02.
  7. Microsoft Security Blog, “Running OpenClaw Safely: Identity, Isolation, and Runtime Risk”, 2026-02-19.
  8. The Hacker News, “ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket”, 2026-02.