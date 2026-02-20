Why OpenClaw has taken off

OpenClaw started as a WhatsApp integration — connecting a coding agent to what's essentially a more accessible channel. From there, it grew an open plugin architecture for everything from email to calendar to web browsing. What it's doing is exposing the powerful agentic loop of a coding agent to a much broader range of use cases.

Credit to the creator: OpenClaw is a sophisticated technology delivered in a way that’s appealing, flexible and relatively easy to get started with. However, as with many technologies that access a lot of data and can perform risky functions, there’s a security trade-off.

The trade-off you can’t sandbox away

This is nothing new. There has always been a direct trade-off between accessibility and security. By providing more access to data and sensitive actions to an agent, you create novel security risks. That's not a bug to be fixed; it's the fundamental tension. You have to acknowledge this trade-off before you can make informed decisions about where to draw the line.

A frequent question I hear is: can I simply put it in a sandbox? The honest answer is that there’s no magic sandbox where this trade-off disappears. Sandboxing is merely a choice of where to draw the line between what you’re happy for an agent to access and what you are happy for an agent to lose.

This vulnerability is best understood through the lens of what Simon Willison calls the "lethal trifecta" for AI agents: untrusted input, sensitive data and external communication. If an agent has all three, prompt injection and data exfiltration aren't edge cases, but instead a likely outcome.

As Martin recently wrote this week (February 17), email is the canonical example: it contains untrusted content from strangers, sensitive information and is itself a channel for external communication. Grant an agent read/write access to your inbox and you have satisfied the trifecta completely. (For a deeper treatment of this model and practical mitigations, see Korny Sietsma's Agentic AI and Security on Martin Fowler’s website).