If you run a business in Malaysia and nobody on your team has mentioned OpenClaw yet, give it a week. The open-source AI assistant has racked up over 247,000 stars on GitHub since January, making it one of the fastest-growing projects on the platform. The pitch sounds almost too good: a free, self-hosted AI agent that manages your email, calendar, and files through WhatsApp or Telegram. It runs on your machine, connects to models like Claude or GPT, and automates workflows while you sleep.
There's a lot to like here. There's also a lot that should make you nervous.
The problem isn't AI automation itself. Businesses that build proper access controls and security layers into their AI tools use them every day without incident. The problem is deploying an unvetted tool with deep system access and hoping for the best.
OpenClaw has serious unresolved security issues. Of public instances tested, 93% lacked authentication, over 135,000 instances are exposed on the internet, and 12% of its skill marketplace contained malware. Malaysian businesses subject to the PDPA should hold off on deploying it in production until these problems are sorted out.
What can OpenClaw actually do?
OpenClaw is a personal AI agent that lives on your computer. You talk to it through WhatsApp, Telegram, Discord, whatever messaging app you prefer. Tell it to clear your inbox, reschedule a meeting, summarise a PDF, or run a shell script. It just does it.
The difference between OpenClaw and something like ChatGPT is that OpenClaw acts. It reads your files, controls your browser, runs code, and remembers what you talked about last Tuesday. If you're a solo founder with 47 browser tabs open, that's actually useful.
It's free under an MIT license. The real costs come from infrastructure: roughly RM25-50 per month for a personal setup (cheap VPS plus a budget AI model), or RM100-200 per month if you're running business workflows with multiple models.
Is OpenClaw safe for business use?
Here's where my enthusiasm runs into a wall. Security researchers have been sounding alarms, and the findings are bad.
Early researchers found over 42,000 OpenClaw instances running on the public internet. Of those actively tested, 93% had no proper authentication. Anyone could walk in. A follow-up scan by SecurityScorecard put the total at over 135,000 internet-exposed instances, with 12,800 directly exploitable through a now-patched remote code execution (RCE) vulnerability. The numbers got worse, not better.
On ClawHub, OpenClaw's public skill marketplace, 341 out of 2,857 skills turned out to be malicious. That's 12% of the entire registry, packed with keyloggers and credential stealers dressed up in professional documentation.
Meta reportedly told employees to keep OpenClaw off their work laptops or risk their jobs. Microsoft's security blog advised against running it with primary work accounts. Cisco called it an "absolute nightmare" for security. Sophos said it should only run in disposable sandboxes. CrowdStrike's AI Red Teaming team published their own analysis warning security teams about the agent's permission model.
OpenClaw itself isn't malicious. The project is built in good faith. But it has deep system access by design, and the community marketplace grew way faster than anyone could review it. When one in eight add-ons contains malware, the casual "install and try stuff" approach most people take becomes a real problem.
| Risk area | Finding |
|---|---|
| Public instances without authentication | 93% of those actively tested |
| Total internet-exposed instances | 135,000+ (SecurityScorecard) |
| Directly exploitable via patched RCE | 12,800 instances |
| Malicious skills on ClawHub | 341 of 2,857 (12%) |
| Enterprise response | Meta (banned), Microsoft (avoid primary accounts), Cisco, Sophos, CrowdStrike |
None of this means AI automation is off the table. It means OpenClaw specifically isn't ready for production, and there are better ways to get the same results.
Why this matters more for Malaysian businesses
Under the PDPA, your business is responsible for protecting customer data. An AI agent with read-write access to your email, files, and cloud storage is a compliance problem if it's misconfigured or running a compromised skill. If you're not sure where your gaps are, a cybersecurity assessment is worth doing before adding any new tools with this level of access.
Here's a scenario that plays out too often: a developer installs OpenClaw on their work laptop, hooks it up to the company Gmail and Slack, grabs a few popular skills from ClawHub without reading the source code, and carries on with their day. If one of those skills is compromised, client data walks out the door before anyone notices.
If your company handles customer records, financial data, or anything the PDPA covers, that's not hypothetical. It's the kind of thing that ends up in a breach notification.
What should Malaysian businesses do instead?
The idea behind OpenClaw is where AI agents are heading. A local assistant that does things for you, not one that just answers questions. But "where things are heading" and "safe to deploy on Monday" are very different.
If your team wants to experiment, do it in a sandbox. Dedicated machine, no production data, no real credentials. Microsoft's security team said the same thing. This is the same principle that applies to vibe coding and AI-generated code: test in isolation before trusting it with anything real.
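An added example, not part of the original article and not OpenClaw code: a pre-flight check to run on the sandbox machine before starting any agent, to confirm the "no real credentials" rule actually holds. The environment-variable patterns are a heuristic chosen for this example, and `SANDBOX_MODEL_API_KEY` is a hypothetical name for a disposable, spend-capped model key.

```python
import os
import re
from pathlib import Path

# Variable names that usually hold secrets (heuristic list for this example).
SECRET_ENV = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|API_?KEY|CREDENTIAL)", re.I)

# Well-known credential locations, relative to the home directory.
CREDENTIAL_PATHS = [
    ".aws/credentials", ".netrc", ".git-credentials", ".docker/config.json",
    ".kube/config", ".config/gcloud", ".gnupg",
]
SSH_PRIVATE_KEY_GLOB = ".ssh/id_*"


def audit_sandbox(env, home, allowed_env=()):
    """Return a sorted list of findings; an empty list means the checks passed.

    env         -- mapping of environment variables (e.g. os.environ)
    home        -- home directory of the account the agent will run as
    allowed_env -- names of throwaway keys deliberately issued to the sandbox
    """
    findings = []
    for name, value in env.items():
        # Empty variables carry no secret; allowlisted names are intentional.
        if value and SECRET_ENV.search(name) and name not in allowed_env:
            findings.append(f"env:{name}")
    home = Path(home)
    for rel in CREDENTIAL_PATHS:
        if (home / rel).exists():
            findings.append(f"file:{rel}")
    for key in home.glob(SSH_PRIVATE_KEY_GLOB):
        if key.suffix != ".pub":  # public keys are not secrets
            findings.append(f"file:{key.relative_to(home).as_posix()}")
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical allowlist: the one disposable key the sandbox is meant to hold.
    problems = audit_sandbox(os.environ, Path.home(),
                             allowed_env={"SANDBOX_MODEL_API_KEY"})
    for p in problems:
        print("real-looking credential present:", p)
    raise SystemExit(1 if problems else 0)
```

A clean result only means the listed locations are empty; browser profiles, password managers and logged-in desktop apps still need to be absent from the sandbox machine.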
Stay away from ClawHub skills until there's a proper vetting process. 12% of the registry was compromised. Treat third-party skills like unsigned software from an unknown source, because right now, that's exactly what they are.
If your workflows don't fit neatly into off-the-shelf products, you can have something built specifically for your business. Not a wrapper around OpenClaw or any other open-source agent. A custom AI solution designed from scratch around your operations, with access controls scoped to exactly what the tool needs and nothing more.
For simpler use cases, managed tools like Claude, ChatGPT Enterprise, or Microsoft Copilot handle a lot of the same tasks with security layers already in place. They cost more than self-hosting, but self-hosting OpenClaw safely isn't free either, and the compliance overhead adds up faster than people expect.
OpenClaw vs the alternatives: a side-by-side
The question most founders ask is "if not OpenClaw, then what?" Here is how the realistic options stack up for a Malaysian business in 2026.
| Option | Upfront cost | Monthly cost | PDPA-friendly? | Best for |
|---|---|---|---|---|
| OpenClaw (self-host) | RM3K–10K to configure + harden | RM25–200 infra | Only if every skill is audited and scopes are locked down | Solo founders and sandbox experiments, not production |
| Claude Teams / ChatGPT Business | Zero | ~RM80–120 per user | Yes, with enterprise controls | Teams that want chat plus light automation out of the box |
| Microsoft Copilot (M365) | Zero | ~RM130 per user | Yes, under existing M365 DPA | Businesses already on Microsoft 365 and SharePoint |
| Custom AI agent (built for you) | RM25K–80K | Hosting + model token usage | Yes, scoped by design | Production workflows with real business logic |
If your use case is "I want to chat with something and get answers," a managed tool is cheaper and safer than self-hosting. If your use case is "I want this thing to take actions inside our systems on behalf of customers," you probably want a custom AI solution with a narrow permission model rather than a general-purpose agent that could, technically, do anything.
2026 verdict: fascinating to follow, risky to deploy
For Malaysian businesses in April 2026, the call is simple. The security picture has not materially improved since the first wave of January coverage. The 135,000 exposed instances are still out there. The ClawHub marketplace still has no mandatory review process that enterprise buyers can point to. The Foundation handover is real progress, but governance changes take months to show up in scan data.
If you want automation today, pick a managed tool or commission something custom that is scoped to exactly what it needs. If you want to learn how agents work, run OpenClaw in a disposable sandbox with no production data and no real credentials. What you should not do is install it on your work laptop, connect it to your live Gmail and Slack, and hope the community marketplace has cleaned itself up.
The OpenClaw ecosystem in Malaysia
OpenClaw has already spawned a local ecosystem. At least two Malaysian businesses (OpenClawMY and Irmaya) now offer paid setup services, charging to install and configure OpenClaw for business owners who do not want to deal with the technical side. A KL chapter of the OpenClaw Global Unhackathon ran in February 2026.
This is worth watching, but it also raises a question: if you are paying someone to set up and secure OpenClaw for you, are you actually getting the cost savings that made it attractive in the first place? At that point, you might be better off with a managed tool or a custom-built solution that does not inherit OpenClaw's security baggage.
The EU AI Act is also starting to affect how businesses deploy autonomous agents, and Malaysian companies exporting to the EU should factor that into their tooling decisions.
OpenClaw isn't ready, but AI automation is
247,000 people starred OpenClaw for a reason. The demand for AI that actually does things is real. Peter Steinberger (the creator) has joined OpenAI, and the project has moved to the OpenClaw Foundation. It could mature into something solid.
Right now, though, it's not there yet. Keep it out of production environments. But don't let that put you off AI automation entirely. The tools exist to do this safely. OpenClaw just isn't one of them yet.
We build custom AI solutions and software from the ground up for Malaysian businesses. No open-source agent underneath, no shared marketplace, no shortcuts. Talk to us if you want automation that's actually yours.
Image credit: OpenClaw. This article does not constitute professional cybersecurity or legal advice. Businesses handling personal data should consult qualified professionals regarding PDPA compliance.




