You might have noticed the conversations around OpenClaw, or Moltbot, Clawdbot, or its other aliases, and how it's an unmitigated security risk. That's still the case, as I noticed at every stage of the installation, but some of the worst issues have been fixed. So, you might wonder why I'd want to install it on any of my devices, let alone my favorite gaming handheld.
Well, I couldn't resist the wordplay of turning it into a ROG Enemy X, and I wanted to see how difficult it was to install, configure, and, most importantly, secure from harm. That last point is almost impossible, just as an FYI, in case you want to install OpenClaw yourself. This should not be installed on your primary device, and really, it should be installed on a sandboxed system somewhere else and only given the bare minimum of permissions. I'm also terminally curious about LLMs in general, and I thought this would be a fun time.
Why would you do this to your poor ROG Ally X?
What's more local than the game console you always have with you?
I use my ROG Ally X for tons of things, and it's a handy laptop replacement in a pinch when I don't want to suffer using a tablet for work. It's power-efficient, has a relatively powerful CPU, and supports unified memory shared between CPU and GPU, enabling it to run larger LLM models than many other devices.
Plus, I always have it on me, and I figured that putting a personal AI assistant on the only device (other than my phone) that's always in arm's reach was the wisest choice. Okay, maybe wisest isn't the best word choice there, but in a sea of bad decisions, it was the best non-horrible one.
You'll want to use the highest power plan
The problem with using a gaming handheld for AI is that the hardware is geared towards optimizing battery life. The newly minted ROG Enemy X can run on a 30W power budget, which is what you'll want to keep OpenClaw from becoming an OpenSlug.
With it at 30W, it can still take minutes to work on tasks, even when using an external LLM via API access, but it's speedy enough for chatting to, and when it's running in autonomous mode, you won't notice how long things take anyway.
Installation was pretty quick
Once I remembered what I was doing
Installing anything AI-related on Windows 11 often requires you to turn off Windows Defender, enable unsigned scripts, and other things that you really don't want to turn off normally, let alone when you're about to install an agentic AI that can do many tasks without asking for permission. It's bad security practices all the way down, and we should know better by now. Even in a local account with no administrator rights, it was doomed to fail.
I shouldn't have even tried, but I tried installing OpenClaw from PowerShell, and it was an unmitigated failure. The script errored out with an npm-related message. Npm wouldn't install correctly, adding it to my PATH and the local user account PATH didn't work, and I had to unwind PowerShell protection by enabling Windows to run scripts from any source, even unsigned ones.
Time for WSL2 to save the day
Things were slightly more hopeful once I installed WSL2, downloaded Ubuntu, and started using Linux to install things. Slightly, because the installer ran into an issue when I tried to connect it to Gemini's API. Npm wouldn't let me install the Gemini CLI, and Ubuntu suggested installing it via snap, which was another bad idea. Did you know that if you try to install Gemini from snap, it installs something to do with Spotify instead? I do now, and so do you.
To fix this, I had to install Homebrew, then add brew to my Ubuntu PATH, and only then could I finally install Gemini CLI via brew. It's honestly a lot, and I can understand anyone who starts trying to install AI tools and gives up before they get to this stage. Only then could I run the OpenClaw script once again, and when it got to the AI model connection stage, I could use the Gemini CLI to generate a loopback URL via my browser to get things going further.
The next stage was connecting OpenClaw to the messaging option you want to use. You can use Telegram, WhatsApp, Discord, IRC, and about a dozen other things, but I skipped this to figure it out from the GUI once everything was installed. I'm not quite sure which option is going to be the most secure, and I didn't like the thought of an AI running wild in one of my personal messaging accounts.
Time for some skills
OpenClaw asks if you want additional skills installing, and it won't let you get past this stage without at least one. Depending on your needs, you can add Obsidian, Eight Sleep, BluOS, or any other devices and services you want to control with the AI. It's not getting access to my 1Password vault, though.
Then it's adding API keys for Gemini, OpenAI, or any other services you want to use. I appreciate the installer walking you through this stage, but the default place OpenClaw stores API keys is in a plaintext configuration file on your local machine. You can opt to use your system's secure keychain, and I suggest you do so.
You can also install Ollama for local LLM usage, freeing your wallet from API pain. I suggest Mistral or any other model of 7B or smaller for the ROG Ally X, to fit within the VRAM constraints. Just know it will be significantly slower than using a cloud API; the Z1 Extreme isn't that powerful.
Okay, now what can we do with this?
The first task my newly named, chaotic ROG Enemy AI assistant wanted to help with was to kick the Gemini API to the curb and install Ollama for local LLM use. That's a good idea, because API access costs mount up FAST, and the AI is already trying to be helpful. I allowed it to do a read-only scan of the system, so it knew it was on a gaming handheld and could use that to inform future decisions.
But before I get into that, I want to talk about how OpenClaw differs from many other AI chatbots. It has memory, even if the connection is broken, or it reboots, or the context window is reached. Persistent memory that builds up over time. You can tell it that your project uses X and Y dependencies one day, and when you reference that project name three months later, it will use the knowledge graph it built to carry on as if it were only minutes after. That's a game-changer, and powerful for whatever it's used for.
ROG Enemy asked if I knew which LLM model to install with Ollama, and I asked for a suitable 7B model. I got options for llama3, Mistral, Qwen 2, and Phi-3 Mini, and opted for Mistral as it fits the chaotic nature of the bot I created. OpenClaw then patched its own config files, restarted the instance, and registered mistral and llama3 as options for local models.
From here, I can do almost anything. ROG Enemy has a habit of prompting me with options whenever I don't give it a specific command; right now, it's asking if I want to code something, organize my messy file structure, research things, or chat about nothing in particular.
It's still a big security risk
For how quickly OpenClaw has been coded and installed on thousands of devices, you'd think someone would stop to worry about security issues. The installation script has a full-page disclaimer saying that any number of things could go wrong and that you accept the risks and outcomes of anything you install, but it doesn't really impart the gravity of what could go wrong.
For example, CVE-2026-25253 is a one-click remote code execution vulnerability via WebSocket hijacking, meaning that simply visiting an attacker's URL for a split second is enough for them to take over your machine. It has been patched, but it's still wise to bind the Gateway port to 127.0.0.1 rather than allowing it to have internet access, and to use Tailscale or other secure remote access methods instead of port forwarding.
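One way to verify the loopback binding recommended above, as an added example (not from the original article and not OpenClaw's own tooling): it parses `ss -ltnH` output and lists any non-loopback address listening on a given port. `GATEWAY_PORT` and both sample listings are constructed placeholders; substitute the port your own install uses.

```sh
#!/bin/sh
# Added example. GATEWAY_PORT is a placeholder, not OpenClaw's real port:
# substitute the port your own install listens on.
GATEWAY_PORT=12345

# Reads `ss -ltnH` output on stdin and prints every non-loopback local
# address that is listening on the port given as $1.
exposed_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            ep = $4                              # Local Address:Port column
            if (!match(ep, /:[^:]*$/)) next      # find the last colon
            addr = substr(ep, 1, RSTART - 1)
            p = substr(ep, RSTART + 1)
            sub(/%.*$/, "", addr)                # drop a %iface suffix
            if (p != port) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (addr ~ /^\[::ffff:127\./) next   # IPv4-mapped loopback
            print addr
        }'
}

# Succeeds (exit 0) only when nothing outside loopback listens on port $1.
loopback_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Constructed sample: service bound to every interface (the risky case).
SS_EXPOSED='LISTEN 0 511      0.0.0.0:12345 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 511         [::]:12345    [::]:*'

# Constructed sample: the same service after rebinding to 127.0.0.1.
SS_LOCAL='LISTEN 0 511    127.0.0.1:12345 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*'

report() {  # $1 = label, stdin = ss output
    if loopback_only "$GATEWAY_PORT"; then
        echo "$1: port $GATEWAY_PORT is loopback-only"
    else
        echo "$1: port $GATEWAY_PORT listens beyond loopback"
    fi
}
printf '%s\n' "$SS_EXPOSED" | report "before"
printf '%s\n' "$SS_LOCAL" | report "after"
# Live check on your own machine: ss -ltnH | exposed_listeners "$GATEWAY_PORT"
```

A wildcard listener (`0.0.0.0`, `[::]` or `*`) means the bind address is the only thing the check can see; whether a firewall blocks the port is a separate question.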
The OpenClaw skill store, ClawHub, is another place to be very wary of. Researchers have already found hundreds of malicious skills uploaded to the store, and you should treat anything published there as a security risk. Audit every .md file before you install it, and avoid anything called Crypto Ticker or Social Media Manager because those are classic vectors for data poisoning or account takeover, and nobody (but the hackers) wants that.
OpenClaw is more of a 'what could be' rather than a 'should use this'
The power of OpenClaw is that it breaks the rules of traditional AI sandboxing. It can literally do anything it has access to, and while you can define skills and workflows, it has a higher level of autonomy than most. Like AI browsers, OpenClaw introduces a huge number of attack surfaces for you and your online accounts, and these are harder to guard against than normal online hygiene efforts.
I can't deny how useful this might be in future iterations when someone figures out how to decouple the LLMs from how tightly embedded they are in the control and data planes. Until then, it's a huge security risk for normal users, and even security professionals aren't entirely sure they can contain the LLM tools.
