Why the ‘Lobster’ AI Craze Is a Security Nightmare: Easy Hacks and Data Leaks
The OpenClaw AI agent, nicknamed “lobster,” has sparked a nationwide frenzy across all ages, but security monitoring reveals over 40,000 public instances, 63% vulnerable and 12,000 fully controllable, making it a prime target for network attacks and data leakage.
The OpenClaw AI agent, affectionately called “lobster,” has gone viral, with participants ranging from a 70‑year‑old heritage expert and a retired aerospace engineer to a 9‑year‑old student; at Tencent’s free‑install event, people aged 2 to 60 lined up to “adopt” the tool.
OpenClaw (formerly Clawdbot/Moltbot) is an open‑source, local‑first AI‑agent framework that controls the keyboard, mouse and system APIs. Its features include automatic email triage, multi‑platform calendar syncing, rapid conversion of PDF/Word/PPT files to Markdown with summarisation, and one‑sentence archiving/tagging in tools like Obsidian and Notion.
Despite enthusiastic endorsements from OpenClaw founder Peter and Cheetah Mobile CEO Fu Sheng, the tool’s popularity has brought a surge in security exposure: monitoring data shows more than 40,000 OpenClaw instances exposed to the Internet, 63% of which contain exploitable vulnerabilities, and over 12,000 flagged as potentially fully controllable by attackers.
The Ministry of Industry and Information Technology’s NVDB warns that OpenClaw’s “blurred trust boundary” and high‑privilege operations can be abused through command‑injection, misconfiguration, or AI‑induced hallucinations, leading to unauthorized actions, data leakage, and complete system takeover.
NVDB’s mitigation advice includes auditing public exposure, tightening permission and credential settings, disabling unnecessary Internet access, and implementing robust authentication, access‑control, data‑encryption and security‑audit mechanisms while staying updated with official security bulletins.
For users eager to try the tool, the article recommends deploying OpenClaw on a brand‑new computer or an isolated cloud VM rather than a daily workstation, noting frequent functional failures in web search, browser control and email sending, high operational cost, and severe security hazards.
In summary, while AI assistants like OpenClaw can boost productivity, security must remain the non‑negotiable baseline; blind adoption risks exposing personal data and devices to uncontrolled attacks.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
