OpenClaw and gharasathi are both local-first AI assistants. Both run on your own hardware. Both handle personal data. In February 2026, OpenClaw had a very bad month — and the lessons aren't what you might expect.
Quick Context: gharasathi's Setup
gharasathi runs on a ByteNUC mini PC using Talos Linux — an immutable, minimal OS built for Kubernetes. No SSH. No shell. No package manager.
LAN only. No port forwarding. No public IP. The only way to reach these services is to be on my home Wi-Fi.
What Happened to OpenClaw
OpenClaw (formerly Clawdbot) is an open-source AI agent that went viral in early 2026 — 150K+ GitHub stars. It's also local-first: you install it on your machine, it stores data locally, and it connects to LLMs for task automation.
But OpenClaw is far more ambitious than gharasathi. It can execute shell commands, control browsers, send emails, and automate multi-step workflows. It integrates with WhatsApp, Telegram, and Slack. It has a community marketplace (ClawHub) for third-party skills. gharasathi just queries a database and explains the results in natural language.
That difference in scope turned out to matter a lot. In February 2026, multiple security teams published findings within days of each other:
CVE-2026-25253: One-Click RCE (CVSS 8.8)
A browser-based attack that let attackers hijack any OpenClaw instance — even ones running only on localhost. A user visits a crafted webpage, JavaScript steals the gateway token via WebSocket, and the attacker gains full operator access: disable security features, escape Docker containers, execute arbitrary commands on the host. (The Hacker News)
This is worth pausing on. OpenClaw was running locally. It was listening on localhost. And it was still compromised — because the victim's own browser initiated the connection. "Local" alone doesn't mean "secure."
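One defensive measure against the class of browser-initiated attack described above, shown here as an added example rather than OpenClaw's code or its actual fix: a handshake gate that rejects WebSocket upgrades whose Origin or Host is not the service's own, so a foreign page loaded in the user's browser cannot drive the socket. The port, the allowed origins and the fail-closed policy on a missing Origin are assumptions.

```python
"""Added example, not OpenClaw's or gharasathi's code: an upgrade-handshake
gate for a WebSocket service bound to localhost. A page in the user's own
browser can open a socket to 127.0.0.1, so "came from localhost" is not
"came from me". Allowed origins/hosts and the port are assumed values."""

ALLOWED_ORIGINS = {"http://127.0.0.1:8000", "http://localhost:8000"}
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000"}


def parse_handshake(raw: str) -> dict[str, str]:
    """Return the headers of an HTTP/1.1 request, names lower-cased."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the request line
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def upgrade_allowed(headers: dict[str, str]) -> tuple[bool, str]:
    """Decide whether to accept the upgrade; fails closed on anything odd."""
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:          # DNS-rebinding hostnames land here
        return False, f"unexpected Host {host!r}"
    origin = headers.get("origin")
    if origin is None:                     # browsers always send Origin on WS;
        return False, "missing Origin"     # non-browser clients need another auth path
    if origin not in ALLOWED_ORIGINS:      # a cross-site page driving the socket
        return False, f"cross-site Origin {origin!r}"
    return True, "ok"


# Constructed handshakes: our own UI, a cross-site page, a rebound hostname.
OWN = ("GET /ws HTTP/1.1\r\nHost: 127.0.0.1:8000\r\nUpgrade: websocket\r\n"
       "Connection: Upgrade\r\nOrigin: http://127.0.0.1:8000\r\n\r\n")
CROSS_SITE = OWN.replace("Origin: http://127.0.0.1:8000", "Origin: https://other.example")
REBOUND = OWN.replace("Host: 127.0.0.1:8000", "Host: app.other.example").replace(
    "Origin: http://127.0.0.1:8000", "Origin: http://app.other.example")
```

Origin checking stops a page from using the browser as a confused deputy; it does not replace per-connection authentication, which is still needed for anything that can hand out a gateway token.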
Misconfigured Instances Leaking Data
Users who exposed their OpenClaw instances to the internet — against best practices — were found leaking API keys, chat histories, and credentials. Some had zero authentication. (Trend Micro)
341 Malicious Skills in ClawHub
Security researchers found 341 malicious packages on ClawHub, OpenClaw's community marketplace. These impersonated legitimate tools but contained Atomic Stealer malware and ClawHavoc C2 implants — harvesting SSH keys, browser passwords, crypto wallet keys, and API tokens. (The Hacker News, The Register)
The Honest Comparison
It would be easy to say "gharasathi is local, therefore safe" — but OpenClaw is local too. The RCE vulnerability worked on localhost. "Runs on your machine" is not a security strategy.
The actual differences that matter are about scope and attack surface:
| | OpenClaw | gharasathi |
|---|---|---|
| What can the AI do? | Execute code, send emails, control browsers, shell access | Query Neo4j (read-only), explain results |
| External integrations | WhatsApp, Telegram, Slack, browser automation | None — LAN-only chat interface |
| Plugin/skill marketplace | ClawHub (2,800+ community skills) | None — all code in monorepo |
| Cloud API keys | GPT-4, Claude, Gemini keys in local config | None — local Ollama only |
| Blast radius if compromised | Full host access, all connected services | Read access to household data |
The RCE vulnerability (CVE-2026-25253) is a browser-based WebSocket attack. Could something similar affect gharasathi? Honestly — yes, in principle. Any service with a web interface is potentially vulnerable to browser-based attacks. I won't pretend otherwise.
But the blast radius is fundamentally different. If someone compromised OpenClaw, they got shell access, email sending, browser control, and every API key stored locally. If someone compromised gharasathi's chat interface, they'd get... read-only access to my grocery spending and photo metadata. The LLM can't execute code. It can't send messages. It can't modify data. It queries Neo4j and formats the response.
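One way to make "the LLM can only read and explain" an enforced property rather than a prompt instruction, as an added example (not gharasathi's code): the model selects a pre-written read-only Cypher template and supplies parameters, which are validated and passed as Cypher parameters; anything else is rejected before it reaches Neo4j. Template names, node labels and the validators are assumptions.

```python
"""Added example (not gharasathi's code): keep the LLM read-only by letting it
pick a pre-written query template instead of writing Cypher. Node labels,
template names and validators are assumptions for this example."""
import json
import re
# template name -> (parameterised read-only Cypher, {param: regex it must match})
TEMPLATES = {
    "spend_by_category": (
        "MATCH (t:Transaction)-[:IN_CATEGORY]->(:Category {name: $category}) "
        "WHERE t.date STARTS WITH $month RETURN sum(t.amount) AS total",
        {"category": r"[A-Za-z ]{1,40}", "month": r"\d{4}-\d{2}"}),
    "photos_at_place": (
        "MATCH (p:Photo)-[:TAKEN_AT]->(:Place {name: $place}) "
        "RETURN p.path, p.taken_on ORDER BY p.taken_on DESC LIMIT 20",
        {"place": r"[A-Za-z ]{1,40}"}),
}

class Rejected(ValueError):
    """The model's output is not an exact fit for any template."""

def build_query(llm_output: str) -> tuple[str, dict[str, str]]:
    """Map the model's JSON choice to (cypher, params) or raise Rejected.
    Values travel as Cypher parameters (never interpolated), so the regex
    checks are defence in depth; run the result via session.execute_read."""
    try:
        choice = json.loads(llm_output)
    except json.JSONDecodeError as exc:
        raise Rejected(f"not JSON: {exc}")
    if not isinstance(choice, dict):
        raise Rejected("expected a JSON object")
    entry = TEMPLATES.get(choice.get("template"))
    if entry is None:
        raise Rejected("unknown template")   # the model cannot invent a query
    cypher, rules = entry
    params = choice.get("params")
    if not isinstance(params, dict) or set(params) != set(rules):
        raise Rejected("wrong parameter set")
    for name, pattern in rules.items():
        if not isinstance(params[name], str) or not re.fullmatch(pattern, params[name]):
            raise Rejected(f"bad value for {name}")
    return cypher, params

def accepts(llm_output: str) -> bool:
    """True if build_query would produce a query, False if it was rejected."""
    try:
        build_query(llm_output)
        return True
    except Rejected:
        return False
```

Running the returned query inside the Neo4j driver's read transaction adds a second, server-enforced layer: the template set bounds what the model can ask, and the access mode bounds what the session could do even if a template were wrong.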
This Is a Trade-Off, Not a Win
I want to be clear: OpenClaw's broader scope is exactly what makes it useful. People use it to automate real workflows — managing emails, booking flights, controlling browsers, orchestrating multi-step tasks across services. gharasathi can't do any of that. It answers questions about household data. That's it.
OpenClaw with 150K+ GitHub stars solves problems that gharasathi doesn't even attempt. The shell access, the messaging integrations, the plugin marketplace — those features exist because users need them. Removing them isn't a security strategy anyone building a general-purpose AI agent can adopt.
gharasathi gets away with a narrow scope because it was designed for a narrow purpose: surface household data in natural language. That's a fundamentally different ambition from what OpenClaw is trying to do, and comparing them on security alone misses the point. The security comparison is only meaningful if you understand that these tools serve very different needs.
What I Actually Learned
Three takeaways from watching OpenClaw's February:
1. "Local-first" is necessary but not sufficient. Running on your own hardware avoids cloud data exposure, but it doesn't protect against browser-based attacks or supply chain compromises. Don't confuse deployment model with security model.
2. Scope is your best defense. The most effective security decision in gharasathi isn't the network topology — it's that the LLM can only read data and explain it. No code execution. No external integrations. No plugins. Every capability you add is attack surface you have to defend.
3. Marketplaces need guardrails. Plugin ecosystems are how tools like OpenClaw scale — 2,800 community skills is an incredible achievement. But 341 of them were malicious, and they ran with the same permissions as the core agent. The lesson isn't "don't have a marketplace" — it's that plugins touching personal data need sandboxing, permission scoping, and review processes that match the sensitivity of what they can access.
Where This Stands
gharasathi is still an MVP. The architecture works: graph database for structured household data, local LLM for natural language, Kubernetes for orchestration, all on a $200 mini PC.
What's proven:
- Neo4j handles household data relationships elegantly
- A small LLM (phi3:mini) works for structured query-and-explain
- K8s resource limits keep 5 services running in 6GB RAM
- Minimal scope limits blast radius even if something goes wrong
What's not:
- The LLM can't do real analysis (needs hardware upgrade for larger models)
- Photo processing isn't implemented yet
- It's a one-household system, not a product
The Idea Scales
The current MVP handles finances and photos, but the core idea — put your household data in a graph, give it a natural language interface — extends to almost anything: health records, home energy usage, kids' school schedules, vehicle maintenance, meal planning. Each new data domain is just another node type in Neo4j with relationships to what's already there. The query patterns stay the same: start at a node, walk relationships, explain the result.
The interface scales too. Right now it's chat. But the same LangGraph pipeline that answers a typed question could answer a spoken one — swap the text input for speech-to-text and the response for text-to-speech. The architecture doesn't change. The hardware constraints are the real bottleneck for now, not the design.
I'm not open-sourcing gharasathi. The codebase contains patterns specific to my household's financial accounts and data structure. Releasing it would require sanitizing all of that, and "privacy-first project accidentally leaks developer's banking patterns" is exactly the kind of irony I'd rather avoid.
Your most personal data — your finances, your photos, your family's memories — deserves to stay personal. Not discoverable on Shodan. Not accessible through a marketplace plugin you didn't audit. Just yours, on a box in your garage.
This is Part 3 of a 3-part series. Part 1 covers Architecture & Neo4j and Part 2 covers LLM Model Selection.
Sources:
- Trend Micro: What OpenClaw Reveals About Agentic Assistants
- The Hacker News: OpenClaw Bug Enables One-Click RCE
- The Register: OpenClaw Ecosystem Security Issues
- The Register: Easy to Backdoor OpenClaw Skills
- The Hacker News: 341 Malicious ClawHub Skills
- CrowdStrike: What Security Teams Need to Know About OpenClaw