Core tool — Device hygiene

Is OpenClaw really gone?The free OpenClaw removal & AI agent scanner.

A free local scanner for AI-agent residue. Find installed agents and everything they leave behind — OpenClaw, Clawdbot, Moltbot directories, plaintext API keys, the port 18789 gateway, running processes — then clean it up, reversibly. Nothing is uploaded.

Aipurity’s device scan is a free AI agent scanner and OpenClaw uninstall helper — enterprise shadow-AI tools need CrowdStrike, Jamf or an IT department; this is a readable script that runs on your own laptop and shows its work.

A web page can’t read processes, ports or your whole disk (browser sandbox). The full scan is the local file in Step 1; the browser preview (Step 2) is a partial check.

Step 1 · Full scan

The local scanner

One readable file, no install. Enumerates running AI-agent processes, checks ports, sweeps your home directory for residue, flags plaintext secrets — then prints a purity score. Read it before you run it.

# macOS / Linux / Windows — needs Node.js
node aipurity-scan.mjs

Read-only. It prints the exact cleanup command for anything it flags.

Step 2 · Browser preview (partial)

Quick check, no download

Grant a folder (e.g. your home directory) and we scan it for agent residue and plaintext secrets right here. It can’t see processes or ports.

In-page folder scanning needs Chrome or Edge on desktop. Use the full scanner in Step 1 — it works everywhere.

What the OpenClaw scanner actually checks.

Agent residue & legacy folders

OpenClaw has been renamed twice (Clawdbot → Moltbot → OpenClaw), and each era leaves different folders. We check the current and legacy install and config directories, whatever the machine actually has.

Plaintext credentials

Agent config folders often contain API keys and tokens in plain text. We flag them so you can rotate and remove them — deleting the app doesn’t revoke what leaked from it.

The port 18789 gateway

OpenClaw’s gateway listens on port 18789 by default; researchers found tens of thousands of instances exposed to the internet. We check whether yours is still accepting connections.

Your AI app footprint

Which AI apps and assistants are installed (ChatGPT, Claude, Ollama, LM Studio, Cursor…) — awareness of how much AI lives on your device.

How to remove OpenClaw completely.

  1. 01

    Download the local scanner

    One readable file (Node CLI, or .sh / .ps1). It enumerates processes, ports, residue and plaintext secrets, then prints a purity score. Read it before you run it.

  2. 02

    Or a quick browser preview

    Grant a folder and we scan it for agent residue right here (Chrome/Edge). It can’t see processes or ports — the full scanner does.

  3. 03

    Clean, reversibly

    Cleanup quarantines residue to a recoverable folder — it never hard-deletes. You stay in control of every removal.

What OpenClaw actually installs

Knowing the footprint explains why a quick delete never works. A standard install puts four things on your machine:

The CLI package

A global npm/pnpm/bun package — the part `npm uninstall` actually removes, and the only part.

A background gateway

Registered as a login service (launchd on macOS, a systemd user service on Linux, Task Scheduler on Windows) so it survives reboots. Service names vary by install era: ai.openclaw.gateway, bot.molt.gateway, or com.clawdbot.gateway.

A state directory

Chat history, skill files and session data in ~/.openclaw — plus legacy ~/.clawdbot or ~/.moltbot folders if you installed before the renames.

Credentials in plaintext

API keys and OAuth tokens the agent used, stored readable on disk. Deleting files doesn’t revoke what already leaked from them.

Why “npm uninstall -g openclaw” isn’t enough

The single most repeated mistake in every removal guide: uninstalling the package removes the CLI, not the agent’s life on your machine. What survives a global uninstall:

Data and config directories

The agent’s home folder — including chat history, skill files and credentials — stays behind, along with legacy folders from the Clawdbot and Moltbot eras.

The background gateway

If the gateway was registered as a login service, it can keep running (or restart on reboot) after the package is gone. Check with: lsof -i :18789 on macOS/Linux, or netstat -ano | findstr 18789 on Windows.

Leaked keys

Any API key or token the agent held in plaintext is still valid until you rotate it at the provider. Uninstalling revokes nothing.

Remove OpenClaw on macOS

The scanner automates the finding; these are the same steps by hand. Quarantine rather than delete where you can.

  1. 01

    Remove the package

    Whichever package manager installed it:

    npm uninstall -g openclaw   # or: pnpm remove -g openclaw / bun remove -g openclaw
  2. 02

    Find the login service

    Names vary across the Clawdbot/Moltbot/OpenClaw eras, so match broadly:

    launchctl list | grep -iE "openclaw|molt|clawd"
  3. 03

    Unload it

    Use the label the previous step printed:

    launchctl bootout gui/$(id -u)/ai.openclaw.gateway
  4. 04

    Deal with the data folders

    List them, then quarantine (the scanner does this reversibly) or remove once you’re sure:

    ls -d ~/.openclaw ~/.clawdbot ~/.moltbot 2>/dev/null
  5. 05

    Verify the port is closed

    No output means nothing is listening any more:

    lsof -i :18789

Remove OpenClaw on Windows

Same idea in PowerShell — package, scheduled task, folders, port.

  1. 01

    Remove the package

    npm uninstall -g openclaw
  2. 02

    Find the scheduled task

    Get-ScheduledTask | Where-Object { $_.TaskName -match "openclaw|molt|clawd" }
  3. 03

    Unregister it

    Use the task name the previous step printed:

    Unregister-ScheduledTask -TaskName "OpenClaw Gateway" -Confirm:$false
  4. 04

    Check the data folders

    Get-ChildItem "$env:USERPROFILE\.openclaw","$env:APPDATA\openclaw" -ErrorAction SilentlyContinue
  5. 05

    Verify the port

    An empty result means the gateway is gone:

    netstat -ano | findstr 18789

Remove OpenClaw on Linux

Package, user service, folders, port — plus one check the other platforms don’t need: your shell profile.

  1. 01

    Remove the package

    npm uninstall -g openclaw
  2. 02

    Find and stop the user service

    systemctl --user list-units | grep -iE "openclaw|molt|clawd"
    systemctl --user disable --now openclaw-gateway.service
  3. 03

    Check the data folders

    ls -d ~/.openclaw ~/.clawdbot ~/.moltbot 2>/dev/null
  4. 04

    Check your shell profile

    Some installers append PATH or env lines:

    grep -iE "openclaw|molt" ~/.bashrc ~/.zshrc 2>/dev/null
  5. 05

    Verify the port

    ss -ltnp | grep 18789

Installed with Docker?

Containers, images and volumes live outside the filesystem paths a scanner reads — remove them with Docker itself.

  1. 01

    Find and remove containers

    docker ps -a | grep -iE "openclaw|molt|clawd"
    docker rm -f <container-id>
  2. 02

    Remove the image

    docker images | grep -iE "openclaw|molt"
    docker rmi <image-id>
  3. 03

    Remove volumes (this is where the state lives)

    docker volume ls | grep -iE "openclaw|molt"
    docker volume rm <volume-name>
  4. 04

    Compose installs

    From the folder that holds the compose file:

    docker compose down --volumes

Revoke what the agent could reach

Removal cleans your disk; it does nothing about the accounts the agent was authorized into. If you ever connected a service, revoke the grant at that service — this is the step every quick guide skips:

Google

myaccount.google.com → Security → Third-party apps with account access → remove the agent.

GitHub

Settings → Applications → Authorized OAuth Apps → revoke.

Slack

Workspace settings → Manage apps → remove the integration.

Discord

User Settings → Authorized Apps → deauthorize.

Microsoft

account.live.com/consent/Manage → remove access.

WhatsApp & Telegram

WhatsApp: Settings → Linked devices → log out the agent. Telegram: Settings → Devices → terminate the session.

Then rotate any API keys the scan flagged (OpenAI, Anthropic, and any others in the agent’s config) at the provider’s dashboard — a leaked key stays valid until you revoke it, not until you delete the file it sat in.

What the scanner checks — and what to review by hand

We’re precise about the split, because a web page that claims to see everything is lying to you.

The scanner checks automaticallyReview by hand afterwards
Current + legacy install & config folders (OpenClaw, Clawdbot, Moltbot)Autostart entries: launchd agents (macOS), systemd user services (Linux), Task Scheduler (Windows)
Plaintext API keys and tokens in agent config foldersRotate any flagged key at its provider (OpenAI, Anthropic, etc.)
Port 18789 accepting connections + running agent processesOAuth grants: revoke the agent in Google, Slack, Discord and GitHub security settings
Installed AI app footprint (ChatGPT, Claude, Ollama, LM Studio, Cursor…)Messaging links: WhatsApp Settings → Linked Devices, Telegram → Active Sessions; Docker containers and volumes if you installed that way

The sections above walk through every manual step; your scan report tells you which ones actually apply to this machine.

When removal fights back

The recurring failure modes, and what each one means:

The gateway is back after a reboot

An autostart entry survived — launchd, systemd or Task Scheduler is relaunching it. The “find the service” step for your OS above locates the entry; remove that, not just the process.

Port 18789 is busy but no OpenClaw is found

Another tool may have claimed the port. The scan report names the process that’s listening, so you’re not guessing from the number alone.

A deleted folder keeps reappearing

A still-running process recreates its state directory on exit. Stop the service first, then quarantine the folder.

You installed to a custom path

A relocated state folder can sit outside every default location — ours included. A running gateway still shows up via the process and port checks; for the folder itself, search for the name you chose. Static path lists are exactly why “detect what’s present” beats “trust the docs”.

Exposed agents are a real attack surface

This isn’t theoretical hygiene. Censys measured 63,070 internet-exposed OpenClaw instances on 31 March 2026 — 63,005 of them still on the default port 18789, and researchers found over 21,000 with no authentication at all. A one-click config-exfiltration flaw (CVE-2026-25253) and malicious-skill campaigns (“ClawHavoc”, AMOS stealer distribution) targeted exactly these installs. Even an agent that never faced the internet holds plaintext keys worth rotating. Scanning your own machine takes two minutes; the sources below document the wider mess.

Honest limits

What it can’t tell you.

A web page can’t read your processes, ports, or whole disk — that’s a browser sandbox limit every tool shares. The full scan is a tiny local file you run; the browser preview is a partial check. And no scanner can revoke OAuth grants or rotate leaked keys for you — we list them, you close them.

Common questions.

I installed OpenClaw during the hype and now want it gone. Can this help?+

Yes — that’s exactly the case it’s built for. It finds OpenClaw’s residue and leftover credentials and quarantines them reversibly, so you can clean up completely without guesswork.

Does “npm uninstall -g openclaw” remove everything?+

No — that removes the CLI package only. Config and data folders, legacy Clawdbot/Moltbot directories, a still-registered gateway service and any plaintext credentials all survive it. That gap is what this scanner exists to find.

How do I completely uninstall OpenClaw on macOS or Windows?+

Uninstall the package, then hunt the residue: on macOS check ~/.openclaw plus the legacy ~/.clawdbot and ~/.moltbot folders and any gateway login item; on Windows check %USERPROFILE%\.openclaw and Task Scheduler; on both, confirm port 18789 is no longer listening and rotate any keys the agent held. The scanner above automates that residue hunt and quarantines findings reversibly.

What are the .clawdbot and .moltbot folders — can I delete them?+

They’re leftovers from OpenClaw’s earlier names (it was Clawdbot, then Moltbot, before the current name). If you’ve moved off the agent, they’re safe to remove — the scanner quarantines them reversibly instead of hard-deleting, so you can restore anything you change your mind about.

Why is OpenClaw still running after I deleted it?+

The gateway was likely registered as a login service (launchd on macOS, a systemd user service on Linux, Task Scheduler on Windows), so it restarts on boot. Verify with lsof -i :18789 or netstat -ano | findstr 18789, then remove the autostart entry — the scan report points at what it found listening.

Is OpenClaw malware?+

No — it’s a legitimate open-source project. But it runs with high privileges, stores credentials in plaintext, and exposed instances were hit by real attacks: CVE-2026-25253 allowed one-click config theft, and the “ClawHavoc” campaign spread malicious skills including the AMOS credential stealer. Treat an old install like an unlocked door, not a virus.

I installed it via Docker — does the scanner cover that?+

The scanner reads the filesystem, so it finds mounted config folders, but Docker containers, images and volumes need removing with Docker itself (docker rm / rmi / volume rm). The download page includes the exact commands as a manual step.

How is this different from enterprise shadow-AI tools?+

Tools like EDR-based agent scanners need CrowdStrike, Microsoft Defender or Jamf/Intune enrollment — an IT department. This is one readable script you can audit, run on your own laptop, and delete afterwards. Nothing reports to anyone but you.

Can I reinstall OpenClaw later after a full removal?+

Yes. Removal blacklists nothing — a fresh install recreates the CLI and writes a new state folder. If you restore a quarantined config to reuse it, rotate any keys inside first; they may have been exposed while the old install sat around.

I used a custom install or config path. Will the scan find it?+

Honest answer: a relocated state folder outside the default and legacy locations won’t be found by the path checks — that limitation applies to every path-based tool. A running gateway still shows up through the process and port checks. For the folder itself, search your disk for the name you chose.

Does anything get uploaded?+

No. The scanner runs entirely on your machine and only reports — nothing leaves your device.

Sources & further reading

More free AI detectors.