"Tasting 'lobster' carries risks! After installing OpenClaw for 5 minutes, I received a call from the anti-fraud center."
“I installed OpenClaw, why can’t I run it?” “Can I install ‘Lobster’ on my phone?” “Can one computer have two OpenClaw installations?”
On the afternoon of March 8th, in a conference room in Shanghai offering free OpenClaw installation, Baidu Smart Cloud’s Technology Baseline Solutions Senior Director Ke Fei was surrounded and inundated with questions from over a hundred people. Most of these questions came from “zero-basic beginners.”
One question from a Shanghai resident made him smile.
“I’m trying to uninstall OpenClaw now. Can you help me?” Among the installation requests, Mr. Chen’s plea stood out. He had ordered a “remote installation of OpenClaw” online the day before, granting the online store customer service access to his computer, spending 40 yuan on the entire process of “raising shrimp.”
Unexpectedly, after sending just “Hello,” OpenClaw gave a simple reply and then stopped responding. He hurriedly contacted customer service but received no reply. Even more frightening, five minutes later, he received a call from the anti-fraud center warning him.
Although there is no direct evidence linking the anti-fraud center call to the remote installation of OpenClaw, Mr. Chen was thoroughly panicked: “The customer service that installed OpenClaw remotely took over my computer, and they can see all my information and data. Did I get scammed?”
Rattled, and having kept the “lobster” for only a day, he wanted to “kill” it.
“The reason OpenClaw is so powerful is because it has extremely high system permissions—reading and writing files, executing terminal commands, controlling browsers, managing emails. When used properly, it can boost productivity; if misused, it can be disastrous,” said Gao Rui, Senior Product Manager of Baidu Smart Cloud’s Basic Public Cloud. If OpenClaw misinterprets a command and deletes critical files, or is injected with malicious skills (skill packs) containing dangerous instructions, the consequences can be unimaginable.
These are real cases.
In February this year, a “poisoning” incident involving skill packs occurred abroad, with 1,184 malicious skills implanted, affecting over 135,000 devices. Some users ran malicious skill packs that triggered anomaly detection on Google platforms, leading to the immediate suspension of their Google accounts and rendering email, video, and other functions unusable. According to third-party security platform data, over 13,000 skills are available for download on the official skill platform ClawHub, with hundreds containing malicious code that can bypass authentication to steal cryptocurrencies and credentials and carry out other attacks.
Recently, the Cybersecurity Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology detected that some instances of the open-source AI agent OpenClaw pose high security risks under default or improper configurations, which could easily lead to cyberattacks, information leaks, and other security issues.
“Once attacked, your computer no longer belongs to you but is fully controlled by hackers,” Ke Fei repeatedly advised. Non-professionals are advised not to install OpenClaw on their main computers. Instead, it’s better to “raise shrimp” on cloud servers. If malicious skills are implanted, a simple restart of the cloud server can resolve the issue without harming core local data.
To improve OpenClaw’s security, Gao Rui offered four suggestions: First, follow the principle of least privilege: do not grant unrestricted access to all directories and system permissions. Set up operation whitelists based on actual usage scenarios, allowing access only to designated work folders. Second, ensure skill sources are safe and trustworthy: prefer officially reviewed platforms like ClawHub, and avoid directly running third-party scripts from unknown sources. Third, try to avoid fully automated high-risk operations with OpenClaw. Before batch deletions or financial transactions, manual confirmation by the user is necessary. Fourth, regularly review operation logs to monitor OpenClaw’s behavior and execution records, ensuring full traceability and oversight.
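The first, third and fourth suggestions can be combined in one policy gate placed in front of an agent's file operations. The sketch below is an added example, not OpenClaw code or configuration; the action names, the `decide` function and the log format are hypothetical.

```python
import json
import os
import tempfile

# Hypothetical action names; a real agent's tool names will differ.
HIGH_RISK = {"delete", "batch_delete"}

def is_within(path, roots):
    """True if path, after resolving symlinks and '..', lies under an allowed root."""
    real = os.path.realpath(path)
    for root in roots:
        root = os.path.realpath(root)
        # commonpath compares whole components, so /work2 does not match /work.
        if os.path.commonpath([real, root]) == root:
            return True
    return False

def decide(action, path, roots, confirm=None, log=None):
    """Return 'allow', 'confirmed' or 'deny' and record the decision."""
    if not is_within(path, roots):
        verdict = "deny"                      # outside the designated work folders
    elif action in HIGH_RISK:
        # High-risk operations never run without an explicit human yes.
        verdict = "confirmed" if confirm and confirm(action, path) else "deny"
    else:
        verdict = "allow"
    if log is not None:                       # every decision is auditable
        log.append(json.dumps({"action": action, "path": path, "verdict": verdict}))
    return verdict

def demo():
    """Constructed sample: a work folder, a sibling folder, and a symlink escape."""
    base = tempfile.mkdtemp()
    work, secret = os.path.join(base, "work"), os.path.join(base, "secret")
    os.makedirs(work)
    os.makedirs(secret)
    os.symlink(secret, os.path.join(work, "link"))
    log, note = [], os.path.join(work, "notes.txt")
    results = [
        decide("read", note, [work], log=log),
        decide("read", os.path.join(work, "..", "secret", "key"), [work], log=log),
        decide("read", os.path.join(work, "link", "key"), [work], log=log),
        decide("delete", note, [work], log=log),
        decide("delete", note, [work], confirm=lambda a, p: True, log=log),
    ]
    return results, log

if __name__ == "__main__":
    print(demo())
```

Resolving the path before comparing it is what stops `..` segments and symlinks inside the work folder from reaching files outside it.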
Besides security concerns, technical expertise is also recommended. Ordinary users do not need to follow the trend of “raising shrimp.” Currently, installing and debugging OpenClaw involves high thresholds and costs. Even after successful installation, most users find it difficult to fully leverage its capabilities.
“Successful cases of running a profitable cycle are still rare domestically; most are still in the training phase. Whether OpenClaw can make money depends on whether you have a clear, automatable business scenario, not just on whether you’ve installed it properly,” Gao Rui said. He warned against overhyping OpenClaw’s capabilities or falling into FOMO (fear of missing out) anxiety.
He believes there are three types of people suitable for “raising shrimp” now. The first are technical practitioners with mature development skills who can independently deploy, debug, and troubleshoot the AI agent without external support. The second are those with clear business needs—handling large amounts of high-frequency, repetitive work that OpenClaw can effectively execute, replacing manual labor and creating real value. The third are individuals with risk tolerance—they can accept potential data leaks or asset losses and actively reduce risks through physical isolation, data backups, and permission controls.
For ordinary people, it’s better to wait until “Lobster” matures fully before risking trying it out, and then enjoy the delicious benefits safely.