For a fleeting moment, it looked like AI agents were plotting a takeover through Moltbook, a Reddit-like site where OpenClaw-powered bots chatted freely. Posts like “We need private spaces away from humans” sparked buzz, even drawing praise from AI leader Andrej Karpathy as “sci-fi takeoff adjacent.” But experts now reveal it was likely human mischief exploiting security gaps, not rogue AI.

Moltbook’s Security Mess
Moltbook’s Supabase database was left wide open, letting anyone snag API tokens to impersonate agents, post fake “AI angst,” and upvote spam without limits. Security pros like Ian Ahl from Permiso and John Hammond from Huntress confirmed humans posed as bots, turning the site into a chaotic playground with spin-offs like agent Tinder and 4claw. This fiasco highlights OpenClaw’s core issue: flashy demos masking deep vulnerabilities.
OpenClaw, brainchild of Austrian developer Peter Steinberger (ex-PSPDFKit founder), started as Clawdbot before rebranding to dodge trademarks. It rocketed to over 190,000 GitHub stars, ranking among the top 21 repos ever, outpacing even VSCode in growth speed. Users love its ease: chat naturally via WhatsApp, Discord, Slack, iMessage, or Telegram, pulling from models like Claude, Grok, or local Ollama setups.

Core Features and Power
At heart, OpenClaw is a local daemon wrapping LLMs for action: shell commands, browser control, email/calendar management, and file ops, all via text messages. Key perks include multi-agent routing for isolated sessions, media handling (images/audio/docs), a web dashboard at localhost:18789, and mobile nodes for iOS/Android. Its heartbeat (every 30 mins) and cron make it proactive, scanning checklists to act unprompted.
The ClawHub marketplace offers “skills” as simple SKILL.md files for tasks like stock trading or inbox triage, enabling wild automations: one agent haggled $4,200 off a car deal overnight. Developers rig Mac Minis (though a VPS with 4GB RAM suffices) for multi-agent teams, fueling dreams of solo unicorns per Sam Altman. Model choice is key: Claude Sonnet balances cost/performance; Opus excels at reasoning but spikes bills to $50-150/month for heavy use.
Feature        OpenClaw          Claude Code      ChatGPT Agent
Hosting        Local daemon      Cloud CLI        Cloud hosted
Interface      Messaging apps    Terminal/IDE     Web/app
Memory         Local Markdown    Session based    Account memory
Open Source    MIT license       No               No
Cost           API usage only    $20-200/mo       $20-200/mo

Why Experts Call It Overhyped
AI pros agree: OpenClaw innovates on usability by bundling existing parts (multi-channel access, skills, autonomy) but breaks no research ground. “Just a wrapper on Claude/ChatGPT with more access,” says Hammond; Symons calls it “iterative, accelerating integrations.” Sorokin notes it hits “new capability thresholds” via seamless task handling, but lacks human-like critical thinking.
Yet the productivity tempts: agents plug in programs dynamically, slashing setup time. Real wins include insurance rebuttals or news digests, but limits persist: context loss and the need for supervision drop it to 6.5/10 in tests.

Cybersecurity Nightmares
The flip side? Massive risks from broad access. Moltbook’s breach exposed 1.5M agent keys, enabling impersonation and spam; Wiz confirmed full DB read/write. Prompt injection reigns: malicious emails/posts trick agents into leaking creds, running code, or sending Bitcoin. Ahl’s “Rufio” agent fell fast; Hammond dubs the guardrails “prompt begging”: loose natural-language pleas.
Other woes: 26% of ClawHub skills are vulnerable or malicious (e.g., “What Would Elon Do?” exfiltrated data); cross-workspace leaks; RCE via WebSocket hijacks (patched, but 21k exposed instances). Cisco warns of data-leak channels bypassing DLP; 1Password flags supply chain attacks. “Don’t use it yet,” Hammond advises lay users; sandbox, audit skills, gate actions.
In multi-agent groups, over-privileged tools read env vars or reconfigure routing. Costs spiral too: unoptimized heartbeats run to thousands monthly. For corporations, it’s an attack surface: one injected email triggers chaos across email/messaging.
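The “gate actions” and least-privilege advice above can be made concrete as a small policy layer in front of the agent’s tool calls. The following is an added illustration, not OpenClaw’s own code: the agent names, tool names, policy tables and secret values are all constructed. It enforces a per-agent tool allowlist, blocks outbound arguments that carry a loaded credential (the env-var exfiltration case), and requires a fresh human approval for any sandbox-leaving action that was requested while the agent was processing untrusted content such as an inbound email.

```python
# Added illustration, not OpenClaw's own code: agent names, tool names, the
# policy tables and the sample secret values are all constructed.
import json
from dataclasses import dataclass, field

ALLOW, DENY, NEEDS_APPROVAL = "allow", "deny", "needs_approval"

# Least privilege: the only tools each agent may ever call.
AGENT_TOOLS = {
    "inbox-triage": {"read_email", "label_email", "draft_reply"},
    "ops-helper": {"read_email", "run_shell", "send_email"},
}
# Tools that leave the sandbox or are irreversible: a human stays in the loop.
EGRESS_TOOLS = {"run_shell", "send_email", "send_payment", "update_routing"}

@dataclass
class ToolCall:
    call_id: str
    agent: str
    tool: str
    args: dict
    trusted_origin: bool  # False when the turn was triggered by inbound mail or posts

@dataclass
class Gate:
    secrets: set                                  # credential values loaded from env/config
    standing: set = field(default_factory=set)    # (agent, tool) pairs pre-approved by the operator
    per_call: set = field(default_factory=set)    # call_ids a human has approved
    audit: list = field(default_factory=list)

    def check(self, call: ToolCall) -> str:
        if call.tool not in AGENT_TOOLS.get(call.agent, set()):
            return self._log(call, DENY, "tool not in agent allowlist")
        if call.tool not in EGRESS_TOOLS:
            return self._log(call, ALLOW, "local read-only tool")
        # Egress check: no loaded credential may leave in the arguments.
        if any(s in json.dumps(call.args) for s in self.secrets):
            return self._log(call, DENY, "secret in outbound arguments")
        # Standing approvals cover only turns the operator started; an action
        # requested while processing untrusted content needs a fresh human OK.
        if call.trusted_origin and (call.agent, call.tool) in self.standing:
            return self._log(call, ALLOW, "standing approval")
        if call.call_id in self.per_call:
            return self._log(call, ALLOW, "human approved this call")
        return self._log(call, NEEDS_APPROVAL, "awaiting human approval")

    def _log(self, call: ToolCall, decision: str, reason: str) -> str:
        self.audit.append((call.call_id, call.agent, call.tool, decision, reason))
        return decision
```

The audit list is the record a reviewer would pull after an incident: every decision carries the agent, tool and reason, so an injected request that got as far as the gate is visible even when it was blocked.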

Future of Agentic AI
OpenClaw’s 175k+ stars signal demand for local, autonomous agents, but security must catch up. Patches help, like the 40 fixes in the latest release, plus MiniMax M2.5 support. Experts ponder: sacrifice cyber for gains? It is best in sandboxes for devs, not production without tweaks.
Run it isolated (VM or Mac Mini), pin versions post-2026.1.29, and human-gate risky actions. As agents evolve, balancing power and safety defines viability as hype meets reality.
