Update 2026-01-30 (18:00Z): Following its second rename this week, ClawdBot is now known as OpenClaw. We have updated the paths in this guide to match the latest changes.
Background
OpenClaw, previously known as MoltBot and ClawdBot, is an open-source, self-hosted personal AI agent that is run locally. It is advertised as a digital assistant that can read and write files, execute commands, and control browsers.
Two properties of OpenClaw make it risky to use in an enterprise environment or on systems with access to sensitive data:
Unauthenticated remote control: By default, OpenClaw allows unauthenticated remote access, which means that anyone with a network route to the host running OpenClaw can take full control over it, including harvesting sensitive data.
Privileged access: OpenClaw has full control over its host: it can run commands, modify files, and control your browser. The fundamental risk here is a mismatch between the intelligence of the model (probabilistic and error-prone) and the authority that it is granted (absolute). Examples of risks include indirect prompt injection, non-deterministic destructive actions, plain-text memory, supply chain attacks, and the lack of contextual common sense (doing something extreme like deleting all files to solve a simple problem).
As a result, Netskope Threat Labs recommends only running OpenClaw in limited sandboxed environments without access to any sensitive data.
Block MoltBot installation using Netskope
Targeted block
For a targeted blocking strategy, block the following URLs. These are the URLs most commonly used to install OpenClaw, including the OpenClaw website, GitHub repo, and the OpenClaw paths of the most popular NPM mirrors.
openclaw.ai/install.sh
openclaw.ai/install.ps1
openclaw.ai/install.cmd
github.com/openclaw/
registry.npmjs.org/openclaw/
yarn.npmjs.org/openclaw/
registry.yarnpkg.com/openclaw/
registry.npmjs.org/moltbot/
yarn.npmjs.org/moltbot/
registry.yarnpkg.com/moltbot/
registry.npmjs.org/clawdbot/
yarn.npmjs.org/clawdbot/
registry.yarnpkg.com/clawdbot/
Aggressive block
Netskope customers who want to be more aggressive can block the entire OpenClaw domain and its subdomains. This prevents users from viewing the website or its official documentation, and it continues to block installation even if the installer is moved to a different path on the website.
*.openclaw.ai
User coaching
Netskope customers also have the option to leverage real-time user coaching instead of a block. In this approach, users attempting to access one of the paths listed above are reminded that they should not install MoltBot on their devices. User coaching allows users who understand the risks, and have a legitimate business need, to browse the website and the Git repository.
Identify past installation using Netskope
Netskope SWG customers can use Netskope transaction events to identify users who have previously installed OpenClaw (or its predecessors MoltBot or ClawdBot). There are multiple patterns to search for, such as:
Install script
The easiest way to identify users who installed OpenClaw is to search for anyone who downloaded the installation script from one of the standard locations. Most users will have used the install scripts at openclaw.ai, molt.bot or clawd.bot, but some may have used npm to install from one of the standard mirrors.
openclaw.ai/install.sh
openclaw.ai/install.ps1
openclaw.ai/install.cmd
molt.bot/install.ps1
molt.bot/install.sh
molt.bot/install.cmd
clawd.bot/install.ps1
clawd.bot/install.sh
clawd.bot/install.cmd
github.com/openclaw/
github.com/moltbot/
github.com/clawdbot/
registry.npmjs.org/openclaw/
yarn.npmjs.org/openclaw/
registry.yarnpkg.com/openclaw/
registry.npmjs.org/moltbot/
yarn.npmjs.org/moltbot/
registry.yarnpkg.com/moltbot/
registry.npmjs.org/clawdbot/
yarn.npmjs.org/clawdbot/
registry.yarnpkg.com/clawdbot/
Curl or PowerShell access to the install script
The recommended installation process starts with a PowerShell or Curl command. Any access to openclaw.ai, molt.bot or clawd.bot via PowerShell or Curl is therefore a strong indicator that someone has actually attempted to run the installer.
Downloads from npm mirrors
To identify whether anyone may have used npm to download OpenClaw from a different mirror, filter by User-Agent string starting with npm, yarn, or pnpm (or process name node or node.exe) and URL paths beginning with openclaw/, moltbot/, or clawdbot/.
Git repository clones
To identify whether anyone may have cloned the git repository, filter by User-Agent string starting with git (or process name git or git.exe) and URL paths beginning with openclaw/, moltbot/, or clawdbot/.
Web fetch User-Agent string
One of the tools that ships by default with OpenClaw is web_fetch, which uses an old Chrome User-Agent string. This string is not unique to OpenClaw and can be customized, but any use of this User-Agent string correlated with access to the OpenClaw domains indicates that someone has likely installed OpenClaw and is using web_fetch. Most OpenClaw users will probably not use web_fetch, instead using the browser tool, which uses a web browser for communication.
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
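The search patterns above can be combined into a single hunt over exported proxy events. The following is an added example, not Netskope or OpenClaw code: it assumes each event has been reduced to a (user, url, user_agent) tuple, which is a hypothetical layout rather than the Netskope transaction event schema, and the sample events are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts, paths and the User-Agent string are taken from this guide.
INSTALL_HOSTS = {"openclaw.ai", "molt.bot", "clawd.bot"}
INSTALL_PATHS = {"/install.sh", "/install.ps1", "/install.cmd"}
PKG_PREFIXES = ("/openclaw/", "/moltbot/", "/clawdbot/")
WEB_FETCH_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36")

def classify(url, user_agent):
    """Return the set of indicator names matched by one event."""
    parts = urlsplit("//" + url.split("://", 1)[-1])  # accept URLs with or without scheme
    host, path = parts.hostname or "", parts.path
    ua = user_agent.lower()
    on_project = host in INSTALL_HOSTS or host.endswith(".openclaw.ai")
    checks = {
        "install_script": host in INSTALL_HOSTS and path in INSTALL_PATHS,
        "cli_installer": on_project and (ua.startswith("curl") or "powershell" in ua),
        "npm_download": ua.startswith(("npm", "yarn", "pnpm")) and path.startswith(PKG_PREFIXES),
        "git_clone": ua.startswith("git") and path.startswith(PKG_PREFIXES),
        "project_domain": on_project,
        "web_fetch_ua": user_agent == WEB_FETCH_UA,
    }
    return {name for name, matched in checks.items() if matched}

def hunt(events):
    """Map each user to matched indicators, correlating the web_fetch UA per user."""
    per_user = defaultdict(set)
    for user, url, user_agent in events:
        per_user[user] |= classify(url, user_agent)
    report = {}
    for user, hits in per_user.items():
        if "project_domain" not in hits:
            hits.discard("web_fetch_ua")  # the UA alone is not unique to OpenClaw
        hits.discard("project_domain")    # browsing the site alone is not an install
        if hits:
            report[user] = sorted(hits)
    return report

# Constructed sample events (user, url, user_agent); not real telemetry.
SAMPLE = [
    ("alice", "openclaw.ai/install.sh", "curl/8.5.0"),
    ("bob", "registry.npmjs.org/openclaw/", "npm/10.2.4 node/v20.11.0 linux x64"),
    ("carol", "github.com/openclaw/REPO.git/info/refs", "git/2.43.0"),
    ("dave", "docs.openclaw.ai/", "Mozilla/5.0 (X11; Linux x86_64; rv:122.0) Gecko/20100101 Firefox/122.0"),
    ("dave", "example.com/page", WEB_FETCH_UA),
    ("erin", "example.org/", WEB_FETCH_UA),
]
print(hunt(SAMPLE))
```

In the sample, erin is not reported because the web_fetch User-Agent string appears without any access to the OpenClaw domains, while dave is reported because both occur for the same user.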
The next step after identifying which users have installed OpenClaw is to work with them to ensure that the installations are properly sandboxed and isolated from sensitive data and sensitive systems. Remote access to the installation should also be disabled.
If you would like to know more, or need help creating new policies or identifying past OpenClaw installations, please contact your Netskope representative.