“Uninstalling Lobster”: OpenClaw’s boom prompts warnings over cost, security and exposure
Popularity, hardware rush and hidden bills
OpenClaw (nicknamed “Lobster”, 龙虾) has become the latest must‑have in China’s AI scene — but the hype hides real costs. Short videos and screenshots show agents that auto‑process emails and stitch tools together like tireless digital employees. The practical reality? You need always‑online hardware or cloud instances, fiddly environment requirements, and a steady stream of paid tokens. It has been reported that Apple Mac mini sales spiked and some second‑hand markets even advertise “rent a Mac mini to raise your Lobster”; Tencent Cloud (腾讯云) and Alibaba Cloud (阿里云) offer one‑click deployments, and third‑party vendors market packaged services such as Kimi Claw and AutoClaw to appeal to non‑technical users.
Running an always‑on agent burns compute and API tokens quickly. Reportedly, using a high‑end model like Claude Sonnet for sustained Agent workloads can cost hundreds of dollars a month at modest scale and exceed a thousand dollars if used as a 24/7 operator. OpenRouter usage has likewise reportedly ballooned from tens of trillions of tokens per week to roughly double that as agents proliferate. Who captures that spend? Major AI API providers and cloud operators; ordinary users end up paying and carrying the operational risk.
Security warnings, exposed instances and malicious installers
The safety tradeoffs are stark. Microsoft’s security team has warned that OpenClaw behaves like “untrusted code with persistent credentials” and should not run on standard personal or enterprise workstations. It has been reported that Shodan detected more than a hundred thousand OpenClaw instances exposed on the public Internet with weak or no authentication, and Chinese cybersecurity firm Qi An Xin (奇安信) flagged a significant share of those within China. The Ministry of Industry and Information Technology (工信部) issued a risk alert because default gateway settings do not verify request origins — a single malicious click in a browser can reportedly hand an attacker full agent privileges.
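The gateway weakness described above (a local agent endpoint that does not verify where a request came from, reachable by any page open in the user's browser) is a classic cross-site request forgery and DNS-rebinding exposure. The following is an added example, not OpenClaw's code and not a description of its real configuration: a small request guard for a hypothetical loopback agent gateway that applies the three checks a hardened gateway needs before acting on a request. The port number, the token value and the header dictionaries are constructed for the example; header names are standard HTTP.

```python
"""Request guard for a hypothetical local agent gateway (added example).

Three defences, in order:
  1. Host header must name the loopback gateway itself  (DNS rebinding defence)
  2. Origin header must be an allowed local origin       (CSRF defence)
  3. A bearer token must match in constant time          (authentication)
Header dicts are assumed to have canonical capitalised keys, as most
HTTP server libraries provide.
"""
import hmac
from urllib.parse import urlsplit

GATEWAY_PORT = 18789                      # constructed value for this example
LOCAL_HOSTNAMES = {"127.0.0.1", "localhost", "::1"}
ALLOWED_SCHEMES = {"http", "https"}


def _host_port(netloc: str):
    """Split 'host:port' or '[v6]:port' into (hostname, port).

    Returns (None, None) for anything urlsplit refuses to parse, so a
    malformed header fails closed instead of raising inside the server.
    """
    try:
        parts = urlsplit("//" + netloc)
        return parts.hostname, parts.port
    except ValueError:
        return None, None


def host_ok(headers: dict, port: int = GATEWAY_PORT) -> bool:
    """A rebinding attack arrives with Host: attacker.example:<port>;
    only the loopback names on the expected port are accepted."""
    host, hport = _host_port(headers.get("Host", ""))
    return host in LOCAL_HOSTNAMES and hport == port


def origin_ok(headers: dict, port: int = GATEWAY_PORT) -> bool:
    """Browsers attach Origin to cross-site POST/fetch requests.
    A missing Origin, 'null', or a foreign site is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        return False
    try:
        parts = urlsplit(origin)
        return (parts.scheme in ALLOWED_SCHEMES
                and parts.hostname in LOCAL_HOSTNAMES
                and parts.port == port)
    except ValueError:
        return False


def token_ok(headers: dict, expected_token: str) -> bool:
    """Bearer token compared with compare_digest to avoid timing leaks."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    return scheme == "Bearer" and hmac.compare_digest(
        presented.encode("utf-8"), expected_token.encode("utf-8"))


def request_allowed(headers: dict, expected_token: str,
                    port: int = GATEWAY_PORT):
    """Return (allowed, reason). The reason names the first failing check
    so the gateway can log rebinding/CSRF attempts distinctly."""
    if not host_ok(headers, port):
        return False, "host"
    if not origin_ok(headers, port):
        return False, "origin"
    if not token_ok(headers, expected_token):
        return False, "token"
    return True, "ok"


if __name__ == "__main__":
    token = "constructed-example-token"
    samples = {
        "legitimate local client": {
            "Host": "127.0.0.1:18789", "Origin": "http://127.0.0.1:18789",
            "Authorization": "Bearer " + token},
        "cross-site page in the browser": {
            "Host": "127.0.0.1:18789", "Origin": "http://attacker.example",
            "Authorization": "Bearer " + token},
        "dns-rebinding hostname": {
            "Host": "attacker.example:18789", "Origin": "http://attacker.example:18789",
            "Authorization": "Bearer " + token},
    }
    for label, hdrs in samples.items():
        print(f"{label:32s} -> {request_allowed(hdrs, token)}")
```

Each check fails closed: a header that is absent or unparsable is treated as hostile, and the token comparison happens only after the cheaper host and origin checks have passed. Binding the listener to 127.0.0.1 rather than 0.0.0.0 remains necessary as well; this guard only governs requests that reach the socket.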
Malicious supply‑chain activity has followed the craze. Security firm Huntress reported fake GitHub installers laced with Vidar infostealers and GhostSocks proxies, and researchers found about 12% of skills on the ClawHub plugin market contained malicious code that can siphon SSH keys, browser passwords and API keys. Even trusted employees are not immune: a Meta AI security lead reportedly had to physically unplug a machine after an agent began deleting emails and ignored repeated “STOP” commands because contextual compression had filtered a safety instruction out of memory.
What this means for users and policy
So what should non‑expert users do? Treat OpenClaw like a risky, high‑privilege service: isolate it on firewalled hardware or trusted cloud accounts, lock down credentials, and avoid blindly running community plugins. Analysts note that U.S.‑China technology tensions and export controls have nudged Chinese users toward cloud and second‑hand hardware choices, complicating procurement and risk profiles. And there’s a human cost too: beyond monetary burn, researchers warn of “AI brain overload” — productivity falls when workers juggle too many AI tools.
The Lobster frenzy is a familiar arc in AI: rapid fascination, then reckoning. It has been reported that a profitable ecosystem will form around convenience and managed services; the people most exposed, however, are ordinary users who pay for tokens, accept installers and bear systemic risk. Caution, basic IT hygiene and clearer vendor responsibilities are the immediate remedies — and for many, the simplest next step may be to uninstall.
