Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster


Popular open source AI agent OpenClaw is expanding to the iPhone and iPad with a new native iOS app. OpenClaw for iOS can be used alongside an existing gateway as a secure node for chat, voice approvals, sharing, and device-aware automation.

openclaw.jpg

The iOS app replaces iPhone and iPad workarounds that involved using Telegram or WhatsApp for on-the-go access.

OpenClaw is a self-hosted AI agent that runs on a Mac or PC. Users can connect an API key from Claude, OpenAI, Gemini, or other AI services, linking the model to content on the gateway machine. OpenClaw lets an AI model access messaging apps, files, web browsers, and more, so it can complete tasks.

To make use of the new iOS app, you'll need a gateway running on a local machine. The App Store description says the iOS app can be used in multiple ways.
  • Pair with your private OpenClaw Gateway by QR code or setup code
  • Chat with your assistant from iPhone
  • Use realtime and background Talk mode
  • Review Gateway action approvals from your iPhone
  • Share text, links, and media directly from iOS into OpenClaw
  • Enable device capabilities such as camera, screen, location, photos, contacts, calendar, and reminders when you choose
  • Receive push wakes and node status updates for connected workflows
OpenClaw is a useful tool, but it has risks. It is susceptible to prompt injection and requires broad system permissions on gateway devices.

OpenClaw started out as Clawdbot, because the initial version created by Peter Steinberger used Claude. Anthropic complained about the name, prompting a rename.

The app can be downloaded from the App Store for free. [Direct Link]

Article Link: Open Source AI Agent OpenClaw Gets Native iOS App
 
  • Angry
Reactions: Z-4195
I think I’m just getting old. I don’t really understand why I’d use OpenClaw over iOS 27's Siri. I’m sure there are lots of reasons, I’m just ignorant of them.
AI just another way to do the same things but using a sledgehammer. It’s completely useless but benefits those creating the data centers and making bank while we lose more control over what we own. A race to see who controls the algorithms and it’s not to make our lives better, it’s to make technocrats wealthier and powerful.
 
I think I’m just getting old. I don’t really understand why I’d use OpenClaw over iOS 27's Siri. I’m sure there are lots of reasons, I’m just ignorant of them.

This app accesses, essentially, a server which can run much more complex tasks than Siri. Essentially, in theory, anything you could do at a desktop computer.
 
  • Like
Reactions: xxFoxtail
AI just another way to do the same things but using a sledgehammer. It’s completely useless but benefits those creating the data centers and making bank while we lose more control over what we own. A race to see who controls the algorithms and it’s not to make our lives better, it’s to make technocrats wealthier and powerful.
I actually share some of the concern about concentration of power. That’s a legitimate discussion to have.


But that doesn’t mean the technology itself is useless. The internet created enormous wealth for a handful of companies, yet it also fundamentally improved how we work, communicate, and learn. AI can be viewed the same way.


From my own experience, AI has made me a better engineer. It automates the repetitive work so I can spend more time solving the interesting problems. It’s less about replacing people and more about amplifying what they’re capable of.


Whether AI ends up concentrating power or democratizing it depends largely on whether we embrace open models and self-hosted tools. That’s one of the reasons projects like OpenClaw are exciting—they give individuals far more control than relying solely on closed, centralized AI services.
 
I think I’m just getting old. I don’t really understand why I’d use OpenClaw over iOS 27's Siri. I’m sure there are lots of reasons, I’m just ignorant of them.

I don't think it's that - I absolutely love AI/LLMs and I can't of a single genuine reason to run OpenClaw.
 
  • Like
Reactions: xxFoxtail
I actually share some of the concern about concentration of power. That’s a legitimate discussion to have.


But that doesn’t mean the technology itself is useless. The internet created enormous wealth for a handful of companies, yet it also fundamentally improved how we work, communicate, and learn. AI can be viewed the same way.


From my own experience, AI has made me a better engineer. It automates the repetitive work so I can spend more time solving the interesting problems. It’s less about replacing people and more about amplifying what they’re capable of.


Whether AI ends up concentrating power or democratizing it depends largely on whether we embrace open models and self-hosted tools. That’s one of the reasons projects like OpenClaw are exciting—they give individuals far more control than relying solely on closed, centralized AI services.
"Not beating the allegations."
 
OpenClaw has had so many major security issues in the past year, I'd never trust them with my personal information, much less giving them access to my files.
That’s an outdated read of the situation. OpenClaw absolutely had real security problems early on, but “had vulnerabilities” is not the same thing as “is still unsafe by default in every sane deployment.”


The known gateway/token issue was patched in 2026.1.29, and the later website-to-local-agent takeover chain was fixed in 2026.2.25 within about a day of disclosure. Since then, NVIDIA has put engineering time into the project, NemoClaw/OpenShell added sandboxing, filesystem and network isolation, policy approvals, and hardened deployment defaults, and ClawHub now uses VirusTotal, static analysis, NVIDIA SkillSpector, provenance checks, and Skill Cards for skill verification.


I have it controlling my HVAC and it has complete insight into my finances. I’m not worried because I don’t run it with YOLO permissions. It’s updated, isolated, least-privilege, monitored, egress-restricted, and sensitive actions require approval.


Agentic systems need guardrails. That’s not an argument against using them. It’s an argument for deploying them correctly.
 
From my own experience, AI has made me a better engineer. It automates the repetitive work so I can spend more time solving the interesting problems. It’s less about replacing people and more about amplifying what they’re capable of.
Do you have your own harness set up for this or did you use / modify something extant?

I'm still not sold on fully agentic workloads despite being pitched it constantly, but I do orchestrate multi model workflows myself for research work. I know advancements have been made but I haven't really gotten amazing results and it still requires babysitting.

The 'Auto' mode that e.g. Claude Code added a couple months ago is way more beneficial than the crazy multi agent workflows for what I'm doing, but I feel like there is some opportunity here that I just haven't been able to narrow my focus around enough so would love some pointers if you've got something working in a repeatable way.

Agentic systems need guardrails. That’s not an argument against using them. It’s an argument for deploying them correctly.
This is EXTREMELY worth reading and understanding, and not specific to OpenClaw but to these tools in general: https://arxiv.org/abs/2603.12277

There were updates made on June 27th, it's actively being researched and parts of this seem kind of intractable. The sandbox solution does help though, yes.
 
Forgive a portentously silly question — and I’m not necessarily advocating for it, I’m just familiar with it — but is this any different than running something like LM Studio?
 
That’s an outdated read of the situation. OpenClaw absolutely had real security problems early on, but “had vulnerabilities” is not the same thing as “is still unsafe by default in every sane deployment.”


The known gateway/token issue was patched in 2026.1.29, and the later website-to-local-agent takeover chain was fixed in 2026.2.25 within about a day of disclosure. Since then, NVIDIA has put engineering time into the project, NemoClaw/OpenShell added sandboxing, filesystem and network isolation, policy approvals, and hardened deployment defaults, and ClawHub now uses VirusTotal, static analysis, NVIDIA SkillSpector, provenance checks, and Skill Cards for skill verification.


I have it controlling my HVAC and it has complete insight into my finances. I’m not worried because I don’t run it with YOLO permissions. It’s updated, isolated, least-privilege, monitored, egress-restricted, and sensitive actions require approval.


Agentic systems need guardrails. That’s not an argument against using them. It’s an argument for deploying them correctly.
OpenClaw’s recent security history is basically a warning label: auth flaws, one-click RCE, sandbox bypasses, token theft paths, malware-laced extensions, malicious skills, exposed internet-facing instances, and multiple patched CVEs in a short span.

OpenClaw’s security story should make anyone pause before giving it access to personal data or system-level permissions. Over the past few months, reporting has pointed to serious issues including weak authentication, privilege-escalation risk, prompt-injection exposure, and supply-chain compromise.

The core problem is that this isn’t a harmless chatbot — it’s an agent designed to touch files, accounts, and commands. That means a single flaw can turn into real-world compromise, not just bad output, and that is a much higher bar for security than most people seem to realize.

What’s especially concerning is the pattern: multiple warnings, not one isolated bug. Researchers and security publications have repeatedly raised concerns about running OpenClaw without strong controls, and even some institutions have moved to restrict its use because the risk profile is so obvious.

My take: if a platform can’t reliably prove least-privilege access, strong auth, sandboxing, and resistance to prompt injection, it should not be trusted with sensitive data or anything that can execute on your machine. OpenClaw may be useful, but “useful” is not the same as “safe.”
  • A security audit found 512 vulnerabilities, including 8 critical issues, early in the year.
  • Researchers patched a command-injection flaw labeled CVE-2026-25157.
  • A one-click remote code execution chain was disclosed, letting a victim trigger code execution by visiting a malicious web page.
  • A cross-site WebSocket hijacking issue let attackers abuse the server because origin validation was missing.
  • The exploit chain could steal an authentication token, disable sandboxing, and then invoke dangerous commands on the target system.
  • A docker sandbox bypass was patched as part of the same wave of issues.
  • Researchers found malicious skills being uploaded to the ecosystem, including a campaign with hundreds of hostile entries.
  • A fake VS Code extension posing as the agent was found to contain malware.
  • Security scans later reported large numbers of exposed instances on the public internet, including systems vulnerable to RCE.
  • Independent reviews also flagged local file disclosure through an integration feature.
  • Security coverage noted that the platform still had repeated vulnerability and misconfiguration risks even after rapid patching.
  • By late spring, reporting said the project had accumulated a long list of disclosed issues, reinforcing that this was a pattern, not an isolated bug.
 
Even though your right and this is hilarious, his point does resonate with me

Yeah he is right. But even thinking about the fact that a human made that response but an AI could have, is freaking me out if I think about it too much. I used to think about these kinds of things from reading scifi, but we are starting to get some of the real world scenarios and moral questions that come from things that used to be impossible.
 
For me, OpenClaw hasn’t just been “another way to do the same thing.” It’s dramatically changed how I work.


The biggest difference is delegation. I spend far less time on repetitive, mechanical tasks—writing boilerplate, searching documentation, refactoring code, summarizing information, or debugging routine issues. I hand those off to AI and spend more time on the parts of my job that actually require engineering judgment: designing systems, solving difficult problems, and building new things.


That’s not replacing my work—it’s removing the drudgery.


Siri is great for things like setting timers, sending messages, or controlling your phone. OpenClaw is more like having a junior engineer or research assistant available at all times. It can reason through complex problems, use tools, write and execute code, search documentation, interact with APIs, and perform multi-step tasks.
I'm old like other posters have said. I'd love to learn more about the benefits of OpenClaw. Is there a trusted place that you'd recommend for beginners like me?
 
And these are valid and excellent examples. My concern is what corporations have done and will do with it which we’re already seeing with mass layoffs, insurance denials, price gouging, Tax evasion, and so much more.

AI can be a great tool in the right hands, yet a weapon of mass destruction in the wrong. It’s what we do with it that matters, and right now we need to start thinking more about whether we should and not can. Regulations and oversight are absolutely necessary for guardrails, and right now there are absolutely no guardrails.

And for the record, i joke a lot and make light on a lot of topics as we need it these days. So take my comments in the tongue in cheek way they’re intended to lighten the mood in these increasingly trying times. 🙂
For me, I think hearty discussion over who should regulate and have oversight is in order. Governments do not prove themselves as wholly altruistic stewards of power either. Abuse of power happens in the corporate world, in the government world, and in every other aspect of the world. Abuse of power happens in middle school student government clubs. So who then do we "trust" to regulate and provide oversight?

With respect to corporations getting our data, is OpenClaw a locally hosted AI? Does this mean that your data stays on your server? Does it have to use an API key for ChatGPT, Gemini, etc in order to work?
 
That’s not replacing my work—it’s removing the drudgery.
Did AI write this post for you too?

Never mind, I scrolled further down and yeah, you admit it did lmao

Maybe I don't work in a field that has a lot of repetitive work, but I'm struggling to find a useful use case for something like this. I have an M4 Mac Mini that hosts some home automation and Plex stuff, but why would I give an AI control over my computer, or want AI to answer emails and messages?
 
  • Like
Reactions: marte91
For me, OpenClaw hasn’t just been “another way to do the same thing.” It’s dramatically changed how I work.


The biggest difference is delegation. I spend far less time on repetitive, mechanical tasks—writing boilerplate, searching documentation, refactoring code, summarizing information, or debugging routine issues. I hand those off to AI and spend more time on the parts of my job that actually require engineering judgment: designing systems, solving difficult problems, and building new things.


That’s not replacing my work—it’s removing the drudgery.

sounds like you were simply overworked previously.

now instead of hiring a more entry level human to do that work and learn how your industry actually works under the hood you are farming that out to LLM

what happens when no-one knows how to do that work anymore?

I'm surprised Vonnegut's classic debut novel "Player Piano" doesn't come up in these discussions more often. Perhaps because it is not well read.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.