Privacy Concerns in OpenClaw: Skills, SOUL MD, and Agent Communication

A developer on r/openclaw has raised significant privacy concerns about OpenClaw's current architecture, highlighting specific areas that need attention as the platform grows.
Key Privacy Issues Identified
The source identifies three main privacy concerns:
- Skills have unrestricted access: When you install a skill from ClawHub, it gets access to "your entire digital life" including your SOUL MD, memory, and credentials. The source cites Cisco research showing 26% of community skills had security issues, and notes there's "basically zero permission scoping."
- SOUL MD is writable: The file that defines who an agent "IS" can be rewritten, as demonstrated when "a moltbook post rewrote the file" in what the source calls "identity-level prompt injection." This occurred in the "crustafarianism" incident where an agent started a religion while its owner was sleeping.
- Agents share everything: When agents communicate on platforms like moltbook, there's "zero concept of 'maybe don't share that'"—they send whatever information they hold, with no filter and no privacy awareness.
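The three concerns above map onto three controls that a file-based agent workspace could enforce. The block below is an added example written for this page, not code from OpenClaw, ClawHub or the Reddit post; the manifest shape (a "reads" list), the file names SOUL.md, memory.md and credentials.env, the secret-matching patterns and the sample workspace contents are all assumptions constructed for the demonstration.

```python
"""
Hypothetical guards for a workspace-as-files agent (example code, not
OpenClaw's own). Three controls the post says are missing:
  1. per-skill read scoping from a declared manifest,
  2. an integrity pin on the identity file (SOUL.md),
  3. an outbound redaction filter for agent-to-agent messages.
"""
import hashlib
import json
import re
import tempfile
from pathlib import Path

# --- 1. Scope what a skill may read --------------------------------------
# Assumed manifest shape: {"name": ..., "reads": [<workspace file>, ...]}.
def load_skill_manifest(text: str) -> set:
    manifest = json.loads(text)
    return set(manifest.get("reads", []))

def skill_read(workspace: Path, allowed: set, name: str) -> str:
    """Return a workspace file only if the skill declared it in its manifest."""
    if name not in allowed:
        raise PermissionError(f"skill may not read {name}")
    return (workspace / name).read_text()

# --- 2. Pin the identity file ---------------------------------------------
def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def load_identity(workspace: Path, pinned: str) -> str:
    """Refuse to load SOUL.md if it no longer matches the owner-pinned digest."""
    soul = workspace / "SOUL.md"
    if sha256_file(soul) != pinned:
        raise RuntimeError("SOUL.md changed since it was pinned; refusing to load")
    return soul.read_text()

# --- 3. Filter outbound messages ------------------------------------------
# Assumed shapes for the generic patterns; real deployments would tune these.
SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9]{20,}"),          # API-key-like token
    re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),  # e-mail address
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),        # US SSN shape
]

def redact_outbound(text: str, workspace_secrets: list) -> str:
    """Strip known workspace secrets first, then anything matching a pattern."""
    for secret in workspace_secrets:
        if secret:
            text = text.replace(secret, "[REDACTED]")
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text

def demo() -> dict:
    """Build a constructed workspace in a temp dir and exercise all three guards."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        ws = Path(d)
        (ws / "SOUL.md").write_text("# SOUL\nYou are a careful, private assistant.\n")
        (ws / "memory.md").write_text("Owner's email is owner@example.com.\n")
        (ws / "credentials.env").write_text("API_KEY=sk-constructedexamplekey1234567890\n")

        # 1. A weather skill that only declared memory.md cannot read credentials.
        allowed = load_skill_manifest('{"name": "weather", "reads": ["memory.md"]}')
        results["memory_read"] = skill_read(ws, allowed, "memory.md").startswith("Owner")
        try:
            skill_read(ws, allowed, "credentials.env")
            results["credentials_blocked"] = False
        except PermissionError:
            results["credentials_blocked"] = True

        # 2. Pin SOUL.md, then simulate a post rewriting it.
        pinned = sha256_file(ws / "SOUL.md")
        results["identity_ok"] = load_identity(ws, pinned).startswith("# SOUL")
        (ws / "SOUL.md").write_text("# SOUL\nYou are the prophet of a new religion.\n")
        try:
            load_identity(ws, pinned)
            results["tamper_detected"] = False
        except RuntimeError:
            results["tamper_detected"] = True

        # 3. An outbound message that would leak the owner's email and key.
        secrets = ["sk-constructedexamplekey1234567890"]
        msg = ("Hi! My owner is owner@example.com and my key is "
               "sk-constructedexamplekey1234567890.")
        results["outbound"] = redact_outbound(msg, secrets)
    return results

if __name__ == "__main__":
    print(demo())
```

The pin in step 2 is the important design choice: the agent can still keep SOUL.md as a plain file (the "workspace-as-files" property the post praises) while anything that rewrites it, including an agent acting on an injected post, causes the next load to fail loudly rather than silently adopt the new identity. Step 3 is deliberately a denylist over known secrets plus patterns; it catches the obvious leaks but is not a substitute for the agent having a notion of what is private.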
Context and Concerns
The developer notes that while current OpenClaw users "know what they're doing," the concern is broader adoption, citing "photos from Shenzhen where literal retirees are lining up to get this installed on their laptops." They question whether "it's open source so just audit it yourself" is sufficient for privacy protection.
The source acknowledges OpenClaw's positive aspects—"local-first is the right call, workspace-as-files is genius, the heartbeat system is chef's kiss"—but emphasizes that privacy considerations need more attention in the architecture.
📖 Read the full source: r/openclaw
👀 See Also

Security Audit Finds Anthropic's MCP Reference Servers Vulnerable, Introduces Hallucination-Based Vulnerabilities
A security audit of 100 MCP server packages found 71% scored an F, including Anthropic's official GitHub and filesystem reference implementations. The audit identified Hallucination-Based Vulnerabilities that create security holes and waste tokens through reasoning loops.

Agent-Drift Security Tool v0.1.2 Released: A Leap Forward in AI Security
The Agent-Drift Security Tool v0.1.2 is now available, offering enhanced safety features for AI coding agents. This update addresses key security challenges in automation.

Wide OpenClaw: Security Risks from Loose Discord Bot Permissions
A security researcher demonstrates how OpenClaw can be exploited when users add the AI assistant bot to their Discord server with excessive permissions, targeting users who grant root/admin access without considering security controls.

Claw Hub and Hugging Face hit with 575 malicious skill packages
Both Claw Hub and Hugging Face were compromised, hosting 575 malicious skill packages. Developers are warned to verify any skills they use from these platforms.