
Free is fine until it isn’t

OpenYak looks like a genuinely capable local AI agent. File automation, data analysis, 46 MCP connectors, persistent memory. The price against Anthropic’s Claude Cowork is hard to argue with: free, open source, one-click install.

But there’s a detail buried in the feature list that should give you pause.

“Auto-updating via GitHub releases.”

That sentence is doing a lot of work. Every time OpenYak checks for an update, it trusts the GitHub repository to be exactly what it says it is. No controlled release pipeline, no security team standing between a commit and your machine.

This is not theoretical. In February 2026, an unknown actor exploited an insufficiently rotated token in Cline, the popular open-source AI coding tool, publishing an unauthorised version with a single modification: a postinstall hook that silently installed OpenClaw on every developer machine that updated during an eight-hour window. No malware in the obvious sense. Just a trusted tool using its trusted update path to install something you didn’t ask for.
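A change like that is visible before it runs, if you look. The sketch below is an added example, not code from Cline, OpenYak or any source cited here: it compares the manifest of the version you have with the one an update would install and reports install-time hooks that are new or changed. It assumes npm-style `package.json` manifests; the package names, versions and the hook command are constructed sample data.

```javascript
// Added example. Both manifests are constructed sample data, not real releases.
// Scripts npm runs automatically when a package is installed as a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Collect the non-empty install-time hooks declared in a parsed manifest.
function installHooks(manifest) {
  const hooks = new Map();
  const scripts = manifest && manifest.scripts;
  if (scripts === null || typeof scripts !== "object") return hooks;
  for (const name of INSTALL_HOOKS) {
    const cmd = scripts[name];
    if (typeof cmd === "string" && cmd.trim() !== "") hooks.set(name, cmd);
  }
  return hooks;
}

// Compare two package.json documents (as JSON text) and report every
// install-time hook that is new or whose command changed in the update.
function diffInstallHooks(oldJson, newJson) {
  const before = installHooks(JSON.parse(oldJson));
  const after = installHooks(JSON.parse(newJson));
  const findings = [];
  for (const [hook, command] of after) {
    if (!before.has(hook)) {
      findings.push({ hook, change: "added", command });
    } else if (before.get(hook) !== command) {
      findings.push({ hook, change: "modified", command });
    }
  }
  return findings;
}

// Constructed manifests: the update differs only by one added hook.
const previousManifest = JSON.stringify({
  name: "example-agent-cli", version: "1.4.0",
  scripts: { build: "tsc", test: "node --test" },
});
const updatedManifest = JSON.stringify({
  name: "example-agent-cli", version: "1.4.1",
  scripts: {
    build: "tsc",
    test: "node --test",
    postinstall: "npm install -g example-unrequested-package",
  },
});

for (const f of diffInstallHooks(previousManifest, updatedManifest)) {
  console.log(`[${f.change}] ${f.hook}: ${f.command}`);
}
```

Installing with npm's `--ignore-scripts` flag stops these hooks from running at all, at the cost of breaking packages that genuinely need them.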

The capability set that makes OpenYak attractive (deep filesystem access, OAuth integrations, cross-platform messaging) is exactly what makes a compromised version catastrophic.

Claude Cowork is not free. Part of what you’re paying for is a controlled development environment and a release pipeline with security review baked in. Not glamorous, but real value.

If OpenYak appeals, run it on a standalone machine away from your primary credentials and production data. The openness that makes it free is the same openness that makes it vulnerable.

Sources: ∙ “Clinejection” supply chain attack ∙ OpenYak
