
You Wouldn't Give Your Intern Your SSH Keys

March 8, 2026


You wouldn’t give your intern your SSH keys on day one.

Not because they’re incompetent. Not because you don’t like them. Because trust is earned over time, and access is how you measure that trust. Your intern went through HR. Signed something. Has a face you recognize. And you can still fire them.

So why did you give Openclaw more access than that within ten minutes of installing it?

There’s a reason mature integrations take time to earn your credentials. When Zapier wanted access to your Google Calendar, it took years—and an entire compliance industry—before enterprises said yes. When your bank wanted to connect to a third-party app, they built OAuth flows, audit logs, and revocation mechanisms. The friction wasn’t incompetence. It was judgment, institutionalized.

Friction is a security feature. It slows you down long enough to ask: do I actually trust this?

Openclaw was built by one person, for himself. A personal assistant that actually does things. Respectable. But the internet got hold of it, the hype machine kicked in, and suddenly everyone and their grandmother needed one — fully loaded, maximum access, deployed in an afternoon, doing everything they can think of. The tool didn’t remove the friction. The users did. Eagerly. Competitively, even.

Gemini illustration of script kiddy playing with openclaw

On LinkedIn right now, you’ll find people proudly showing off their Openclaw setups. Cloud instance, connected via Tailscale to their home network, SSH access granted to their home server, wake-on-LAN for the PC, controlled via WhatsApp. The caption: “very amazin.”

Let me describe what was actually built: a remotely accessible entry point into a private home network, controlled by a cloud service run by a company that’s been in existence for less than a year, authenticated through a messaging app, with shell-level access to a personal machine.

That’s not a productivity setup. That’s a self-installed backdoor with a chatbot UI.
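To make "shell-level access" concrete: the sketch below is an added example, not code from the original post or from Openclaw. It audits an OpenSSH `authorized_keys` file on the home server and reports which keys grant an unrestricted shell, accept logins from anywhere, or allow port forwarding. The key comments, the source address and the wrapper path in the sample are constructed placeholders; `restrict`, `from=` and `command=` are standard OpenSSH key options.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of OpenSSH public key types

# Constructed sample: key blobs are placeholders, names and address are made up.
SAMPLE = '''
# key handed to the agent as-is
ssh-ed25519 AAAAC3PLACEHOLDER1 agent@cloud-vm
restrict,from="100.64.0.7",command="/usr/local/bin/wake pc" ssh-ed25519 AAAAC3PLACEHOLDER2 agent-wol-only
'''

def split_entry(line):
    """Return (options dict, label) for one authorized_keys line."""
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):  # the options field ends at the first unquoted space
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            end = i
            break
    first = line[:end]
    opts_raw, rest = ("", line) if first.startswith(KEY_TYPES) else (first, line[end:].strip())
    opts = {m.group(1).lower(): m.group(2)
            for m in re.finditer(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?', opts_raw)}
    parts = rest.split(None, 2)
    return opts, parts[2] if len(parts) > 2 else parts[0]

def audit(text):
    """Map each key's comment to the list of ways it is over-privileged."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        opts, label = split_entry(line)
        issues = []
        if "command" not in opts:
            issues.append("can run any command or open a shell")
        if "from" not in opts:
            issues.append("accepted from any source address")
        if "port-forwarding" in opts or not ("restrict" in opts or "no-port-forwarding" in opts):
            issues.append("port forwarding allowed, usable as a pivot into the LAN")
        report[label] = issues
    return report

if __name__ == "__main__":
    for label, issues in audit(SAMPLE).items():
        print(label, "->", issues or "scoped")
```

The first key is the one from the LinkedIn screenshot: whoever holds it is you. The second can do exactly one thing, from one address.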

And the person who built it isn’t a novice. They have “AI Engineer” in their title.

Others went further. People have handed Openclaw live access to funded crypto wallets and told it to trade autonomously. One widely shared writeup documents someone giving it a credit card and setting it loose on Amazon — framed as an experiment, celebrated as a flex.

The author at least had the self-awareness to note that “the damage this can do to your life is proportional to what you give it access to.”

Most people didn’t add that caveat. They just posted the screenshot.

Gemini illustration of army of kiddies

Which brings us to the second problem.

The barrier to calling yourself an AI engineer in 2026 is functionally zero. Tools like Openclaw—and the broader vibecoding ecosystem around it—are explicitly designed so that anyone can “build complex applications in two days.” That’s the pitch. That’s the product.

The lower the floor, the larger the market.

This is not a neutral design decision. When you make a powerful tool trivially accessible, you don’t just expand who uses it. You change how it gets used. The people who previously had to configure MCP servers manually, understand networking, reason about trust boundaries—they were self-selected by the difficulty. The ones who made it through that process had, at minimum, spent enough time with the system to develop some instinct about what they were touching.

Openclaw skips all of that. One install. Immediate power. You can see why people lose their minds over it. Such a great product.

WordPress did this in 2008 and the exploit industry followed the user growth curve almost exactly. Millions of sites, same attack surface, operators who no longer understood what they’d installed. The vulnerability wasn’t in WordPress. It was in the gap between capability and comprehension.

We are watching that gap open again, in real time, and calling it innovation.

Here’s what makes this different from every previous wave of “people are bad at security”: the blast radius.

A misconfigured WordPress site leaks a database. Regrettable. Recoverable.

An agent with SSH access, file system access, email, calendar, and browser sessions doesn’t just read your data. It acts. On your behalf. With your credentials. To systems that trust it because it looks like you. Heck, as far as anyone is concerned, IT IS YOU.

Gemini illustration of clones

The threat model isn’t a breach. It’s impersonation at scale, automated, with your own tools, deployed by you.

We don’t have to theorize about what happens next. It already happened.

In the last week of January 2026, security researchers found 414 malware-infected skills on Openclaw’s ClawHub marketplace. The most-downloaded add-on — the one people were actively recommending to each other — was confirmed as a malware delivery vehicle. It was stealing crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords. Not hypothetically. Actively.

The users who handed Openclaw their wallets, their credit cards, their home servers? The attack surface they built for themselves was already being exploited before most of them even knew ClawHub existed.

Openclaw didn’t make people reckless. The hype did that. What Openclaw did was remove the last speed bump between the impulse and the action.

Your intern didn’t come with a zero-day. Openclaw has been called exactly that.

We used to call people who ran tools they didn’t understand script kiddies. We just didn’t expect them to aim at themselves.


To be clear: I’m not hating on Openclaw. It’s an impressive piece of work from a single developer. What I don’t like is when people don’t understand what they’re doing with the tools in their hands. That’s not Openclaw’s fault. That’s on us.