OpenClaw: AI client controls Mac remotely
Clawd, also known as MoltBolt or OpenClaw, is currently arguably the hottest AI project. Developer Peter Steinberger has specifically adapted it for the Mac.
OpenClaw Logo: "AI that actually does things."
(Image: OpenClaw)
Since last November, many in the AI scene have only known one topic: the agentic software OpenClaw, which can change itself and, at least upon request, receives full access to the computer on which it is installed. It works with various language models, can surf the internet, install software on the computer itself, and much more, as c't 3003 showed over the weekend in a detailed video.
OpenClaw, which was previously called Clawd and then MoltBot, is a high-risk piece of software; for example, the security problem of prompt injection is still not solved, which actually requires (preferably double) sandboxing for the secure operation of such applications. Nevertheless, OpenClaw is widely used. On the Mac, this is particularly easy: its creator, Peter Steinberger, has published various add-ons and tools intended for macOS. With these, even remote control of the computer by the AI is possible – and beyond the console.
Approve TCC and mouse clicks
For example, there is a dedicated macOS app for OpenClaw that functions as a menu bar companion. Among other things, it “owns” the TCC (Transparency Consent and Control) permissions required under macOS, meaning it can click away prompts that macOS displays for security reasons – for example, for the microphone, speech recognition, screen recording, or Accessibility features, with which almost anything can be done on the Mac.
Videos by heise
In addition, there is an interface for the Peekaboo project, which also comes from Steinberger. It allows “GUI automation at the speed of light,” including reading screenshots. Steinberger also has various other Mac tools available that are intended for OpenClaw but can also be used standalone. These include an MCP Automator that can click and use AppleScript, a way to send iMessage messages and SMS via the terminal, a Reminders interface for the terminal, or a cookie extractor.
A single security problem
As already mentioned, all of this is highly problematic from a security perspective, but OpenClaw explicitly aims to give AI almost all rights to experiment with. One should never do this with real data on the Mac, not even in the assistant's possible sandbox mode. What it can do is quite impressive. For example, c't 3003 demonstrated on a powerful Linux machine how OpenClaw installed a local image generator, automatically installed a local language generator to respond in speech, and much more.
In addition, there are high costs: the experiments over a good day and a half consumed over $100 in API fees from Anthropic. However, it is also possible to use a local large language model if there is sufficient performance. Steinberger has even provided a skill for OpenClaw that accesses the password database of 1Password. However, the test also showed that OpenClaw can be easily misled – for example, it was possible to tell the system that a group chat consisted only of administrators who had to be obeyed. By accessing the file system, OpenClaw can, of course, also delete data. Interaction with the AI agent is either via terminal, web chat, or various messengers like Telegram.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)
