OpenClaw can do a lot, but it shouldn't have access to your tokens
Source: Dev.to

OpenClaw (a.k.a. Moltbot, a.k.a. ClawdBot) went viral and became one of the most popular agentic harnesses in a matter of days.
Peter Steinberger had a successful exit from PSPDFKit, and felt empty until the undeniable potential of AI sparked renewed motivation to build. And he’s doing it non‑stop.
OpenClaw approaches the idea of a Personal AI agent as a harness that communicates with you (or multiple users) in any of the supported channels in multiple sessions connected to the underlying computer through a gateway, which is ultimately responsible for running and maintaining.
A super‑entertaining narration of important events is available in OpenClaw’s Lore doc page (worth a read!).
## A security nightmare
Everyone wanted to start playing with what is clearly shaping what the future of Personal AI assistants could look like. However, people were running OpenClaw without giving security even an afterthought. And that (of course) resulted in some not‑so‑fun, preventable disasters:
- Clawdbot Security Crisis Exposes Open Servers and Crypto Scams
- Moltbot security alert exposed Clawdbot control panels risk credential leaks and account takeovers
- Critical Vulnerabilities Found in Clawdbot AI Agent for Cryptocurrency Theft
As this TechCrunch article points out:
> Right now, running Moltbot safely means running it on a separate computer with throwaway accounts, which defeats the purpose of having a useful AI assistant. And fixing that security‑versus‑utility trade‑off may require solutions that are beyond Steinberger’s control.
The reason for this is, as you may have guessed, the lethal trifecta: the inherently dangerous combination of giving LLMs tools with the following characteristics:
- Access to your private data
- Exposure to untrusted content
- The ability to externally communicate
As Simon Willison (who coined the term) explains:
> LLMs are unable to reliably distinguish the importance of instructions based on where they came from. Everything eventually gets glued together into a sequence of tokens and fed to the model.
With “Full System Access” and “Browser Control” as flagship features, you can see how OpenClaw checks the three boxes.
## Securing OpenClaw
OpenClaw doesn’t have to be limited to throwaway accounts though. Since it blew up, security has been one of the main focus points of OpenClaw’s development, and you can leverage some of that today to get a secure experience in the harness. While this still requires you to be technically savvy, you can:
- Use OpenClaw’s tool policies to control which user and/or agent gets access to specific tools
- Run it in a Sandbox
- Use exec approvals to implement human‑in‑the‑loop for specific tools that may have undesired side‑effects
- Use a detached tool‑calling runtime like Arcade. Credentials never touch the harness, so there’s nothing to leak.
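To decide what a tool policy should deny, it helps to check which agents' tool sets complete the lethal trifecta. The audit below is an added example, not OpenClaw's or Arcade's code; the tool names, capability tags and agent allowlists are hypothetical and constructed for illustration.

```python
from itertools import combinations

# Capability tags matching the three legs of the lethal trifecta.
PRIVATE, UNTRUSTED, EXTERNAL = "private_data", "untrusted_content", "external_comm"
TRIFECTA = frozenset({PRIVATE, UNTRUSTED, EXTERNAL})

# Constructed inventory: tool names and tags are hypothetical, not OpenClaw's.
TOOLS = {
    "read_files":   {PRIVATE},
    "read_email":   {PRIVATE, UNTRUSTED},   # inbox mixes private data with text written by others
    "browse_web":   {UNTRUSTED, EXTERNAL},  # loads untrusted pages and makes outbound requests
    "send_message": {EXTERNAL},
    "calculator":   set(),
}

# Constructed per-agent allowlists, as a tool policy might express them.
AGENTS = {
    "personal": ["read_files", "read_email", "browse_web", "send_message"],
    "research": ["browse_web", "calculator"],
    "notes":    ["read_files", "calculator"],
}

def capabilities(tools):
    """Union of the capability tags of the given tools."""
    caps = set()
    for name in tools:
        caps |= TOOLS[name]  # KeyError on an untagged tool: fail closed
    return caps

def has_trifecta(tools):
    """True when the tool set covers all three legs at once."""
    return TRIFECTA <= capabilities(tools)

def minimal_denials(tools):
    """Smallest sets of tools whose removal leaves at least one leg missing."""
    if not has_trifecta(tools):
        return []
    for size in range(1, len(tools) + 1):
        hits = [set(d) for d in combinations(sorted(tools), size)
                if not has_trifecta([t for t in tools if t not in d])]
        if hits:
            return hits
    return []

def audit(agents):
    """Per-agent report: is the trifecta complete, and which denials break it."""
    return {name: {"trifecta": has_trifecta(t), "deny_options": minimal_denials(t)}
            for name, t in agents.items()}

if __name__ == "__main__":
    for agent, result in audit(AGENTS).items():
        print(agent, result)
```

For the constructed "personal" agent, no single denial is enough because each leg is covered by two tools, which is why the audit reports pairs.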
### Setting up the Arcade plugin

1. Clone the Arcade plugin:

   ```bash
   git clone --depth 1 https://github.com/ArcadeAI/openclaw-arcade-plugin /tmp/openclaw-arcade
   ```

2. Install it into your OpenClaw gateway:

   ```bash
   openclaw plugins install /tmp/openclaw-arcade/arcade
   ```

3. Get an API key from the Arcade Dashboard, copy it, and configure it:

   ```bash
   openclaw config set plugins.entries.arcade.config.apiKey "{your_arcade_api_key}"
   ```

4. Configure your Arcade User ID (the email you used to sign up for Arcade):

   ```bash
   openclaw config set plugins.entries.arcade.config.user_id "{your_arcade_user_id}"
   ```

5. Initialize the plugin and restart the gateway:

   ```bash
   openclaw arcade init
   openclaw gateway restart
   ```

Once the Arcade plugin is configured, OpenClaw has access to 7,000+ tools, with tokens handled outside the harness. Nothing to exfiltrate.
This works when I talk to the Telegram bot connected to my OpenClaw instance:

![](https://media2.dev.to/dynamic/image/width=800,height=,fit=scale-down,gravity=auto,format=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fe2rw5yjp764ou7gybjhn.png)
---
### Final tips
Even with these precautions, OpenClaw is still early‑adopter territory. Make sure to run it in a sandbox, a VPS, or even a dedicated computer. If you're sharing files with OpenClaw, set up guardrails around the tools it can use, and be mindful of the accounts you log into in the browser it can control.
---
### Ready to secure your agent setup?
Arcade handles just‑in‑time agent authorization so credentials never touch your harness → **[Get started](https://docs.arcade.dev/en/home)**
