Core tool — Device hygiene
Is OpenClaw really gone?The free OpenClaw removal & AI agent scanner.
A free local scanner for AI-agent residue. Find installed agents and everything they leave behind — OpenClaw, Clawdbot, Moltbot directories, plaintext API keys, the port 18789 gateway, running processes — then clean it up, reversibly. Nothing is uploaded.
Aipurity’s device scan is a free AI agent scanner and OpenClaw uninstall helper — enterprise shadow-AI tools need CrowdStrike, Jamf or an IT department; this is a readable script that runs on your own laptop and shows its work.
- A readable script you can audit before running
- Nothing leaves your machine
- Cleanup quarantines — it never hard-deletes
A web page can’t read processes, ports or your whole disk (browser sandbox). The full scan is the local file in Step 1; the browser preview (Step 2) is a partial check.
The local scanner
One readable file, no install. Enumerates running AI-agent processes, checks ports, sweeps your home directory for residue, flags plaintext secrets — then prints a purity score. Read it before you run it.
node aipurity-scan.mjs
Read-only. It prints the exact cleanup command for anything it flags.
Step 2 · Browser preview (partial)
Quick check, no download
Grant a folder (e.g. your home directory) and we scan it for agent residue and plaintext secrets right here. It can’t see processes or ports.
In-page folder scanning needs Chrome or Edge on desktop. Use the full scanner in Step 1 — it works everywhere.
What the OpenClaw scanner actually checks.
Agent residue & legacy folders
OpenClaw has been renamed twice (Clawdbot → Moltbot → OpenClaw), and each era leaves different folders. We check the current and legacy install and config directories, whatever the machine actually has.
Plaintext credentials
Agent config folders often contain API keys and tokens in plain text. We flag them so you can rotate and remove them — deleting the app doesn’t revoke what leaked from it.
The port 18789 gateway
OpenClaw’s gateway listens on port 18789 by default; researchers found tens of thousands of instances exposed to the internet. We check whether yours is still accepting connections.
Your AI app footprint
Which AI apps and assistants are installed (ChatGPT, Claude, Ollama, LM Studio, Cursor…) — awareness of how much AI lives on your device.
How to remove OpenClaw completely.
- 01
Download the local scanner
One readable file (Node CLI, or .sh / .ps1). It enumerates processes, ports, residue and plaintext secrets, then prints a purity score. Read it before you run it.
- 02
Or a quick browser preview
Grant a folder and we scan it for agent residue right here (Chrome/Edge). It can’t see processes or ports — the full scanner does.
- 03
Clean, reversibly
Cleanup quarantines residue to a recoverable folder — it never hard-deletes. You stay in control of every removal.
What OpenClaw actually installs
Knowing the footprint explains why a quick delete never works. A standard install puts four things on your machine:
The CLI package
A global npm/pnpm/bun package — the part `npm uninstall` actually removes, and the only part.
A background gateway
Registered as a login service (launchd on macOS, a systemd user service on Linux, Task Scheduler on Windows) so it survives reboots. Service names vary by install era: ai.openclaw.gateway, bot.molt.gateway, or com.clawdbot.gateway.
A state directory
Chat history, skill files and session data in ~/.openclaw — plus legacy ~/.clawdbot or ~/.moltbot folders if you installed before the renames.
Credentials in plaintext
API keys and OAuth tokens the agent used, stored readable on disk. Deleting files doesn’t revoke what already leaked from them.
Why “npm uninstall -g openclaw” isn’t enough
The single most repeated mistake in every removal guide: uninstalling the package removes the CLI, not the agent’s life on your machine. What survives a global uninstall:
Data and config directories
The agent’s home folder — including chat history, skill files and credentials — stays behind, along with legacy folders from the Clawdbot and Moltbot eras.
The background gateway
If the gateway was registered as a login service, it can keep running (or restart on reboot) after the package is gone. Check with: lsof -i :18789 on macOS/Linux, or netstat -ano | findstr 18789 on Windows.
Leaked keys
Any API key or token the agent held in plaintext is still valid until you rotate it at the provider. Uninstalling revokes nothing.
Remove OpenClaw on macOS
The scanner automates the finding; these are the same steps by hand. Quarantine rather than delete where you can.
- 01
Remove the package
Whichever package manager installed it:
npm uninstall -g openclaw # or: pnpm remove -g openclaw / bun remove -g openclaw - 02
Find the login service
Names vary across the Clawdbot/Moltbot/OpenClaw eras, so match broadly:
launchctl list | grep -iE "openclaw|molt|clawd" - 03
Unload it
Use the label the previous step printed:
launchctl bootout gui/$(id -u)/ai.openclaw.gateway - 04
Deal with the data folders
List them, then quarantine (the scanner does this reversibly) or remove once you’re sure:
ls -d ~/.openclaw ~/.clawdbot ~/.moltbot 2>/dev/null - 05
Verify the port is closed
No output means nothing is listening any more:
lsof -i :18789
Remove OpenClaw on Windows
Same idea in PowerShell — package, scheduled task, folders, port.
- 01
Remove the package
npm uninstall -g openclaw - 02
Find the scheduled task
Get-ScheduledTask | Where-Object { $_.TaskName -match "openclaw|molt|clawd" } - 03
Unregister it
Use the task name the previous step printed:
Unregister-ScheduledTask -TaskName "OpenClaw Gateway" -Confirm:$false - 04
Check the data folders
Get-ChildItem "$env:USERPROFILE\.openclaw","$env:APPDATA\openclaw" -ErrorAction SilentlyContinue - 05
Verify the port
An empty result means the gateway is gone:
netstat -ano | findstr 18789
Remove OpenClaw on Linux
Package, user service, folders, port — plus one check the other platforms don’t need: your shell profile.
- 01
Remove the package
npm uninstall -g openclaw - 02
Find and stop the user service
systemctl --user list-units | grep -iE "openclaw|molt|clawd" systemctl --user disable --now openclaw-gateway.service - 03
Check the data folders
ls -d ~/.openclaw ~/.clawdbot ~/.moltbot 2>/dev/null - 04
Check your shell profile
Some installers append PATH or env lines:
grep -iE "openclaw|molt" ~/.bashrc ~/.zshrc 2>/dev/null - 05
Verify the port
ss -ltnp | grep 18789
Installed with Docker?
Containers, images and volumes live outside the filesystem paths a scanner reads — remove them with Docker itself.
- 01
Find and remove containers
docker ps -a | grep -iE "openclaw|molt|clawd" docker rm -f <container-id> - 02
Remove the image
docker images | grep -iE "openclaw|molt" docker rmi <image-id> - 03
Remove volumes (this is where the state lives)
docker volume ls | grep -iE "openclaw|molt" docker volume rm <volume-name> - 04
Compose installs
From the folder that holds the compose file:
docker compose down --volumes
Revoke what the agent could reach
Removal cleans your disk; it does nothing about the accounts the agent was authorized into. If you ever connected a service, revoke the grant at that service — this is the step every quick guide skips:
myaccount.google.com → Security → Third-party apps with account access → remove the agent.
GitHub
Settings → Applications → Authorized OAuth Apps → revoke.
Slack
Workspace settings → Manage apps → remove the integration.
Discord
User Settings → Authorized Apps → deauthorize.
Microsoft
account.live.com/consent/Manage → remove access.
WhatsApp & Telegram
WhatsApp: Settings → Linked devices → log out the agent. Telegram: Settings → Devices → terminate the session.
Then rotate any API keys the scan flagged (OpenAI, Anthropic, and any others in the agent’s config) at the provider’s dashboard — a leaked key stays valid until you revoke it, not until you delete the file it sat in.
What the scanner checks — and what to review by hand
We’re precise about the split, because a web page that claims to see everything is lying to you.
| The scanner checks automatically | Review by hand afterwards |
|---|---|
| Current + legacy install & config folders (OpenClaw, Clawdbot, Moltbot) | Autostart entries: launchd agents (macOS), systemd user services (Linux), Task Scheduler (Windows) |
| Plaintext API keys and tokens in agent config folders | Rotate any flagged key at its provider (OpenAI, Anthropic, etc.) |
| Port 18789 accepting connections + running agent processes | OAuth grants: revoke the agent in Google, Slack, Discord and GitHub security settings |
| Installed AI app footprint (ChatGPT, Claude, Ollama, LM Studio, Cursor…) | Messaging links: WhatsApp Settings → Linked Devices, Telegram → Active Sessions; Docker containers and volumes if you installed that way |
The sections above walk through every manual step; your scan report tells you which ones actually apply to this machine.
When removal fights back
The recurring failure modes, and what each one means:
The gateway is back after a reboot
An autostart entry survived — launchd, systemd or Task Scheduler is relaunching it. The “find the service” step for your OS above locates the entry; remove that, not just the process.
Port 18789 is busy but no OpenClaw is found
Another tool may have claimed the port. The scan report names the process that’s listening, so you’re not guessing from the number alone.
A deleted folder keeps reappearing
A still-running process recreates its state directory on exit. Stop the service first, then quarantine the folder.
You installed to a custom path
A relocated state folder can sit outside every default location — ours included. A running gateway still shows up via the process and port checks; for the folder itself, search for the name you chose. Static path lists are exactly why “detect what’s present” beats “trust the docs”.
Exposed agents are a real attack surface
This isn’t theoretical hygiene. Censys measured 63,070 internet-exposed OpenClaw instances on 31 March 2026 — 63,005 of them still on the default port 18789, and researchers found over 21,000 with no authentication at all. A one-click config-exfiltration flaw (CVE-2026-25253) and malicious-skill campaigns (“ClawHavoc”, AMOS stealer distribution) targeted exactly these installs. Even an agent that never faced the internet holds plaintext keys worth rotating. Scanning your own machine takes two minutes; the sources below document the wider mess.
Honest limits
What it can’t tell you.
A web page can’t read your processes, ports, or whole disk — that’s a browser sandbox limit every tool shares. The full scan is a tiny local file you run; the browser preview is a partial check. And no scanner can revoke OAuth grants or rotate leaked keys for you — we list them, you close them.
Common questions.
I installed OpenClaw during the hype and now want it gone. Can this help?+
Yes — that’s exactly the case it’s built for. It finds OpenClaw’s residue and leftover credentials and quarantines them reversibly, so you can clean up completely without guesswork.
Does “npm uninstall -g openclaw” remove everything?+
No — that removes the CLI package only. Config and data folders, legacy Clawdbot/Moltbot directories, a still-registered gateway service and any plaintext credentials all survive it. That gap is what this scanner exists to find.
How do I completely uninstall OpenClaw on macOS or Windows?+
Uninstall the package, then hunt the residue: on macOS check ~/.openclaw plus the legacy ~/.clawdbot and ~/.moltbot folders and any gateway login item; on Windows check %USERPROFILE%\.openclaw and Task Scheduler; on both, confirm port 18789 is no longer listening and rotate any keys the agent held. The scanner above automates that residue hunt and quarantines findings reversibly.
What are the .clawdbot and .moltbot folders — can I delete them?+
They’re leftovers from OpenClaw’s earlier names (it was Clawdbot, then Moltbot, before the current name). If you’ve moved off the agent, they’re safe to remove — the scanner quarantines them reversibly instead of hard-deleting, so you can restore anything you change your mind about.
Why is OpenClaw still running after I deleted it?+
The gateway was likely registered as a login service (launchd on macOS, a systemd user service on Linux, Task Scheduler on Windows), so it restarts on boot. Verify with lsof -i :18789 or netstat -ano | findstr 18789, then remove the autostart entry — the scan report points at what it found listening.
Is OpenClaw malware?+
No — it’s a legitimate open-source project. But it runs with high privileges, stores credentials in plaintext, and exposed instances were hit by real attacks: CVE-2026-25253 allowed one-click config theft, and the “ClawHavoc” campaign spread malicious skills including the AMOS credential stealer. Treat an old install like an unlocked door, not a virus.
I installed it via Docker — does the scanner cover that?+
The scanner reads the filesystem, so it finds mounted config folders, but Docker containers, images and volumes need removing with Docker itself (docker rm / rmi / volume rm). The download page includes the exact commands as a manual step.
How is this different from enterprise shadow-AI tools?+
Tools like EDR-based agent scanners need CrowdStrike, Microsoft Defender or Jamf/Intune enrollment — an IT department. This is one readable script you can audit, run on your own laptop, and delete afterwards. Nothing reports to anyone but you.
Can I reinstall OpenClaw later after a full removal?+
Yes. Removal blacklists nothing — a fresh install recreates the CLI and writes a new state folder. If you restore a quarantined config to reuse it, rotate any keys inside first; they may have been exposed while the old install sat around.
I used a custom install or config path. Will the scan find it?+
Honest answer: a relocated state folder outside the default and legacy locations won’t be found by the path checks — that limitation applies to every path-based tool. A running gateway still shows up through the process and port checks. For the folder itself, search your disk for the name you chose.
Does anything get uploaded?+
No. The scanner runs entirely on your machine and only reports — nothing leaves your device.
Sources & further reading