Moltbot, the cutting-edge, open-source AI “sidekick” formerly known as Clawdbot, recently rebranded as OpenClaw and is now crazy popular. It came out of nowhere to become the first viral AI agent with 70,000 GitHub Stars in a month.
Its creator, Peter Steinberger, claims it’s “the AI that actually does things.”
Yeah, well there are a lot of AI chatbots and agents that do things. Maybe they do things badly, mind you, but used carefully, they can do real work.
OpenClaw’s claim to fame is that it can take real-world actions on your behalf. Instead of living purely in the cloud, the agent runs on a user’s own hardware, often on Mac minis, but you can run it with Windows, Linux, or what have you. Under the hood, it connects to one or more large language models (LLMs) via application programming interface (API), and exposes a set of “channels” and “tools” that let it see and act across a digital life: Reading email, running shell commands, browsing the web, arranging your travel schedule, and running your apps for you.
The project began life as Clawdbot, a locally run AI agent fronted by a cartoon space lobster mascot called Clawd and wired to Anthropic’s Claude models through various “skills” and connectors.
Via these apps, users typically talk to OpenClaw specifying natural-language tasks such as “clear my inbox,” “book my flight,” or “summarize my meetings.” Under the hood, the agent uses channels to receive those instructions and tools to execute them, wiring AI reasoning from Claude and other models into concrete actions such as checking you in for flights, generating or editing code, reconciling calendars, or spinning up scripts and dashboards.
A key part of OpenClaw’s appeal is its long-term memory. It uses files like USER.md and IDENTITY.md to store facts about you and the agent’s own persona. This enables it to remember preferences, past tasks, and ongoing projects in a way that feels more like a persistent colleague than a stateless chatbot. The surrounding ecosystem of community “skills” on GitHub extends those capabilities further, from browser automation and auto-updating to specialized workflows for documentation, research, and coding.
Sounds great! Go ahead, search online for examples of people doing neat tricks with it, and you’ll find bunches. There’s even a “social” network for the bots called Moltbook, where agents act like idiots (like most social networks I can think of) and occasionally share tips and tricks with each other.
There are only a few itty-bitty, teeny-weeny problems with it. To do useful things like reserving your hotel room, getting your pizza delivered, or cleaning up your e-mail box, it needs your name, password, credit-card number — and all the other things any crook also wants.
Get the picture? OpenClaw is a security black hole that’s useful right up to the point where all your important data goes bye-bye.
As Cisco put it, “Security for OpenClaw is an option, but it is not built in.” The product documentation itself admits: “There is no ‘perfectly secure’ setup.” Granting an AI agent unlimited access to your data (even locally) is a recipe for disaster if any configurations are misused or compromised.”
In particular, as the AI-friendly security company Synk puts it, “If there’s one security concern that keeps AI security researchers up at night, it’s prompt injection. This vulnerability class represents perhaps the largest attack surface for any AI agent connected to external data sources, which, by definition, includes personal AI assistants that read emails, browse the web, and process messages from multiple channels.”
Let me spell it out for you. Using OpenClaw is stupid.
If you insist on trying it out, stick it on a locked-down virtual machine so it can’t access any — and I mean any — of your personal and work data. Do not it feed it any of your personal data. Yeah, it will be a heck of a lot less useful, but that’s the only way it will be safe to use. Otherwise, you’re just asking to be hacked, and when that happens, OpenClaw won’t be able to do much, if anything, to fix the mess.
