
Avoid OpenClaw Scams

Learn how to identify fake OpenClaw websites, malicious downloads, and social engineering attacks. Protect yourself from scammers.

Updated 2026-02-03

Why Scams Exist

OpenClaw is popular software that handles AI interactions. This makes it a target for scammers who want to:

  • Steal your API keys (to use your AI credits)
  • Install malware on your computer
  • Phish for personal information
  • Charge you for something that is free

OpenClaw is Free

OpenClaw is free, open-source software. Anyone asking you to pay for OpenClaw itself (not AI API credits) is likely a scammer.

Common Scam Types

1. Fake Download Sites

What they do: Create websites that look like the official OpenClaw site but distribute malware.

Warning signs:

  • URL is not openclaw.ai
  • Site asks for payment to download
  • Download file has unusual extension (.exe.zip, .scr, .bat)
  • Site has spelling errors or broken images

How to protect yourself:

  • Only download from openclaw.ai
  • Verify the URL before downloading
  • Check file hashes if provided

2. Fake "Premium" Versions

What they do: Claim to offer a "Pro" or "Premium" version with extra features.

Warning signs:

  • Promises features not mentioned in official docs
  • Requires payment or cryptocurrency
  • Asks for your API keys during purchase
  • Distributed through unofficial channels

Truth: OpenClaw is open-source. All features are available in the official version. There is no paid "premium" tier.

3. Phishing for API Keys

What they do: Trick you into sharing your AI provider API keys.

Warning signs:

  • "Support" emails asking for your API key
  • Websites asking you to "verify" your API key
  • Discord/Telegram messages from "developers" requesting keys
  • Forms that ask for API key to "activate" features

How to protect yourself:

  • Never share API keys with anyone
  • OpenClaw developers will never ask for your keys
  • API keys go in local config files only

4. Malicious Bot Tokens

What they do: Send you "pre-configured" bot tokens that are actually controlled by attackers.

Warning signs:

  • Someone offers to "set up" your Telegram/Discord bot for you
  • Free bot token provided by strangers
  • Instructions to use someone else's bot token

How to protect yourself:

  • Always create your own bots through official channels
  • Never use bot tokens from strangers
  • Follow our official Telegram and Discord guides

5. Fake Support Channels

What they do: Create fake "official" support groups to steal information.

Warning signs:

  • Support channel not linked from official website
  • Moderators asking for sensitive information
  • Pressure to act quickly or lose access
  • Requests for remote access to your computer

Official channels:

How to Verify Authenticity

Check the Download Source

Official installation command:

```bash
curl -fsSL https://openclaw.ai/install.sh | bash
```

Verify the URL is exactly: https://openclaw.ai/install.sh
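The "verify the URL" and "check file hashes if provided" advice above can be scripted. The following is an added example, not part of the original page or of OpenClaw's tooling: the function names are hypothetical, and the expected hash is assumed to be a value the project publishes.

```bash
# Added example, not OpenClaw's own tooling. The host and installer URL come
# from the page; the expected hash is an assumption (a value the project
# publishes), and the function names are hypothetical.
OFFICIAL_HOST="openclaw.ai"

# Accept only https URLs whose authority is exactly the official host.
# Rejects http, lookalike hosts (openclaw.ai.example.net), userinfo tricks
# (https://openclaw.ai@example.net/) and unexpected ports.
is_official_url() {
  local url rest authority
  url="$1"
  case "$url" in
    https://*) rest="${url#https://}" ;;
    *) return 1 ;;
  esac
  authority="${rest%%[/?#]*}"   # everything before the first /, ? or #
  authority="$(printf '%s' "$authority" | tr 'A-Z' 'a-z')"
  [ "$authority" = "$OFFICIAL_HOST" ]
}

# Compare a file's SHA-256 with a published hex digest (case-insensitive).
verify_sha256() {
  local file expected actual
  file="$1"
  expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
  [ -f "$file" ] || return 2
  if command -v sha256sum >/dev/null 2>&1; then
    actual="$(sha256sum "$file" | cut -d' ' -f1)"
  else
    actual="$(shasum -a 256 "$file" | cut -d' ' -f1)"
  fi
  [ "${#expected}" -eq 64 ] && [ "$actual" = "$expected" ]
}

# Download to a file instead of piping into bash, so the script can be hashed
# and read before anything executes. Deletes the file on a hash mismatch.
fetch_installer() {
  local url dest expected
  url="$1"; dest="$2"; expected="$3"
  is_official_url "$url" || { echo "refusing: host is not $OFFICIAL_HOST" >&2; return 1; }
  curl --proto '=https' --tlsv1.2 -fsSL "$url" -o "$dest" || return 3
  verify_sha256 "$dest" "$expected" || { rm -f "$dest"; echo "hash mismatch" >&2; return 4; }
  echo "verified: $dest (read it, then run: bash $dest)"
}
```

The comparison is against the whole authority rather than a substring, which is why a lookalike host that merely begins with `openclaw.ai` fails the check.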

Verify Package Integrity

After installation, verify the package:

```bash
openclaw --version
npm view openclaw
```

The version should match what is shown on the official website and npm registry.

Check Digital Signatures

Official releases are signed. Verify signatures when available:

```bash
openclaw security verify
```

Expected Result

```
Package signature: VALID
Source: npm registry (npmjs.com)
Publisher: openclaw-team (verified)
```

Red Flags Checklist

Use this checklist when evaluating any OpenClaw-related resource:

  • Asks for payment - Scam (OpenClaw is free)
  • Requires API key in form - Phishing attempt
  • Download from non-official site - Potential malware
  • "Premium" version offers - Does not exist
  • Urgency ("act now or lose access") - Social engineering
  • Requests remote access - Never legitimate
  • Bot tokens provided by strangers - Security risk
  • Support via unofficial channels - Impersonation

What To Do If You Were Scammed

If you shared your API key:

  1. Immediately regenerate your API key at your AI provider's dashboard
  2. Update OpenClaw with the new key:

```bash
openclaw auth reset
openclaw onboard
```

  3. Monitor your AI provider account for unusual usage

If you shared your bot token:

  1. Regenerate the token in Telegram BotFather or Discord Developer Portal
  2. Update OpenClaw:

```bash
openclaw channels remove --channel telegram
openclaw channels add --channel telegram
```

  3. Check if the bot was used to send spam

If you installed malware:

  1. Disconnect from the internet immediately
  2. Run antivirus/antimalware scan
  3. Remove OpenClaw completely:

```bash
npm uninstall -g openclaw
rm -rf ~/.openclaw
```

  4. Reinstall from official source after cleaning your system
  5. Change all passwords used on that computer

If you paid money:

  1. Contact your bank or payment provider
  2. Report the fraud
  3. Document everything (screenshots, URLs, communications)

Reporting Scams

Help protect others by reporting scams:

Report to OpenClaw Team

Email: security@openclaw.ai

Include:

  • URL of fake site
  • Screenshots
  • How you found it
  • Any communications from scammers

Report to Platforms

  • Fake websites: Report to hosting provider and Google Safe Browsing
  • Fake npm packages: Report to npm security team
  • Fake social accounts: Report on the platform (Discord, Telegram, etc.)
  • Phishing emails: Forward to your email provider's abuse team

Staying Safe

Best Practices

  1. Bookmark official sites instead of searching each time
  2. Verify URLs before entering any information
  3. Never share API keys with anyone
  4. Create your own bots using official platform guides
  5. Be skeptical of unsolicited help or offers
  6. Keep software updated to patch security vulnerabilities

Regular Security Checks

Run this periodically:

```bash
openclaw security audit --deep
```

This checks for:

  • Tampered files
  • Unauthorized changes
  • Exposed credentials
  • Known vulnerabilities

Summary

Safe Practices:

  • Download from openclaw.ai
  • Create your own bot tokens
  • Keep API keys in local config
  • Use official documentation
  • Report suspicious activity

Unsafe Practices:

  • Download from random sites
  • Use tokens from strangers
  • Share API keys online
  • Trust random tutorials
  • Ignore red flags

Stay Vigilant

Most scams rely on urgency, fear, or greed. Take your time, verify sources, and when in doubt, check with official channels.

What To Do Next

  1. Is OpenClaw Safe? - Understand the security model
  2. Keep OpenClaw Local Only - Maximum security setup
  3. Start Here - Review your installation

Need Help?

If you run into problems not covered here, check our Troubleshooting guide or visit the official OpenClaw documentation.
