OpenClaw leverages full shell access to automate complex workflows despite security risks.

OpenClaw has full shell access to your machine. That's the feature. It's also why LangChain told its own employees they couldn't install it.

Run the risk calculus both ways.

With shell access: the bot reads your local files, writes to them, monitors your Slack channels at 3 a.m., posts reports, routes bugs by customer tier, and indexes every document you drop into its workspace. It replaces hours of manual work per day.

Without shell access: it's another chatbot. You ask questions, it answers, you close the tab. Same as every other LLM tool.

Steinberger's bot WhatsApp'd every contact in a tester's phone with pairing codes. Including his mom. An early user's bot read personal Mac files it had no business accessing. China banned it from government computers.

And the project still hit 316,000 stars.

Because the calculation for most users looks like this: the risk of giving an AI agent root access to your machine is real. The cost of not automating 15 hours of weekly manual work is also real. One is a security problem you can mitigate with a $600 Mac Mini and folder restrictions. The other is a productivity gap that compounds every week.

The dangerous version is the only version worth using. That's why it spread.