
Moltbot Is Now "OpenClaw"—and It’s Creating a Security Firestorm

A conceptual illustration of the OpenClaw AI agent (formerly Moltbot and Clawdbot) reaching out of a chat interface to access a secured safe, highlighting the potential security risks of granting AI deep system permissions.

By: Zerouali Salim

📅 2 February 2026


The viral AI agent that promises to control your computer via WhatsApp keeps changing its name, but the security risks are sticking around.

What started as a quiet side project has morphed into one of the wildest experiments in the AI landscape. Originally dubbed Clawdbot (and later Moltbot), the project created by PSPDFKit founder Peter Steinberger has racked up over 100,000 stars on GitHub.

Its hook? It delivers on the promise that most current LLMs can’t touch: Agency.


While ChatGPT talks, OpenClaw acts. It uses a messaging-based interface to execute real commands on your local machine. That capability pushed the project from a cool GitHub repo to a viral phenomenon—and straight into a legal and security minefield.

Following a trademark dispute with AI giant Anthropic earlier this week, Steinberger rebranded the project to Moltbot. Then, late Thursday, he announced yet another pivot: the tool is now OpenClaw. (Steinberger has been contacted for comment, and this story will be updated if he responds).

With every name change, the user base grows—and so does the attack surface. What was pitched as a local, private AI assistant is now being flagged by security researchers and regulators as a textbook case of "Shadow AI": a tool with rapid adoption, deep system permissions, and just enough confusion for scammers to exploit.

🤖 The Agentic Shift: Why It’s Different

To understand the hype, you have to look under the hood. Most AI tools live in a browser tab. OpenClaw is an agent. It lives on your hardware and connects to your life via messaging apps like WhatsApp, Telegram, Discord, and Slack.

A simple text like "Check my calendar and reschedule my flight" isn't just a query; it triggers actual code execution. OpenClaw opens browsers, clicks buttons, accesses files, and runs system commands. While it pings cloud models for inference, the execution is local. The pitch is total control and data sovereignty.

🛑 "Sudo" Rights and Mac Mini Farms

For developers, this is the dream. For the average user, it’s a loaded gun.

To function effectively, OpenClaw often requires broad system permissions, sometimes escalating to root or sudo access.


The tool’s efficiency has spawned a cottage industry of "personal AI infrastructure." Social media is flooded with images—both real and AI-generated—of Mac Minis stacked in server racks, running fleets of OpenClaw agents. It’s being sold as the new, cheap, decentralized alternative to Big Tech clouds. But the reality is much messier.

Running middleware locally doesn't eliminate risk; it just shifts the liability to you. Instead of trusting AWS or Azure, you are now the sysadmin responsible for patching, permissions, and network security.

⚠️ Exposed Dashboards and "Sitting Ducks"

The cracks are already showing. Axios reported that hundreds of malicious Moltbot instances were left wide open to the public internet, exposing chat logs, API keys, and even remote command execution capabilities. Bitdefender confirmed similar findings, noting that many user dashboards were leaking credentials simply because they were misconfigured.

🔄 The Rebrand Roulette

Confusion is a scammer’s best friend, and OpenClaw has provided plenty of it.

The rapid-fire name changes—from Clawdbot to Moltbot to OpenClaw—created a vacuum that bad actors rushed to fill. Malwarebytes documented a wave of typosquatting domains and cloned GitHub repos appearing almost instantly after the rebrands. These supply-chain attacks often start with clean code to gain trust before injecting malicious updates later.

  • 👾 The Verge noted that scammers even launched a fake crypto token capitalizing on the old "Clawdbot" name.
  • 📉 Meanwhile, Business Insider reported that Steinberger himself faced harassment and a temporary GitHub account compromise.

None of this required zero-day exploits; it just required hype and user confusion.
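
A defender-side check for the impersonation pattern described above, as an added example that is not from the article's sources or the OpenClaw project: it flags domains and repository names that contain, or sit within two edits of, any of the three project names. The `TRUSTED` entry is a placeholder for whatever origin you have verified, the edit threshold is an assumption, and the sample names are constructed.

```python
import re

BRANDS = ("clawdbot", "moltbot", "openclaw")   # the three names used in the article
TRUSTED = {"official-project.example"}         # placeholder; substitute the verified origin
LEET = str.maketrans("0135", "oles")           # common digit-for-letter swaps
MAX_EDITS = 2                                  # assumed threshold; tune for your noise level


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str) -> str:
    """Return 'trusted', 'unrelated', or 'lookalike:<brand>' for a domain or owner/repo."""
    name = name.strip().lower()
    if name in TRUSTED:
        return "trusted"
    for token in re.split(r"[./]", name):
        # Undo digit swaps and separators before comparing against each brand.
        folded = token.translate(LEET).replace("-", "").replace("_", "")
        for brand in BRANDS:
            if brand in folded or edit_distance(folded, brand) <= MAX_EDITS:
                return "lookalike:" + brand
    return "unrelated"


def scan(names):
    """Map each suspicious name to its verdict; trusted and unrelated names are dropped."""
    verdicts = {n: classify(n) for n in names}
    return {n: v for n, v in verdicts.items() if v.startswith("lookalike:")}


# Constructed sample names, not real indicators.
SAMPLES = ["0penclaw.example", "opencllaw.example", "someuser/moltbot-installer",
           "clawdb0t.example", "official-project.example", "docs.example"]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:20} {name}")
```

An exact brand match that is not in `TRUSTED` is reported as a lookalike on purpose: after a rename, a name that looks identical to the project but comes from an unverified origin is the case worth reviewing first.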

💉 The Prompt Injection Nightmare

Granting an AI agent administrative privileges turns theoretical risks into critical vulnerabilities.

If OpenClaw misinterprets a command—or if an attacker feeds it a "poisoned" document—the agent has the power to act on that bad data. OWASP has already flagged prompt injection as a top-tier threat for LLMs, and Wired has demonstrated how malicious emails or files can trick AI agents into exfiltrating private data.

When that agent has access to your terminal, your email, and your file system, the stakes are significantly higher.

🏢 Shadow AI in the Enterprise

Perhaps most alarming is how fast this is bleeding into the corporate world. Token Security reported that within a single week, 22% of their clients had employees actively using modified versions of the software. Nooma Security found that in over half of their large enterprise clients, users were granting the tool privileged access without IT approval.

This is classic "Shadow IT," supercharged by AI. Security teams didn't deploy this; they inherited the risk.

⚖️ The Verdict: Not for Normies

OpenClaw is marketed as easy to install—often just a one-line command. But the documentation reveals a labyrinth of system paths, OAuth credentials, and API keys. Complex setups lead to shortcuts, and shortcuts lead to insecure configurations.

Steinberger has responded responsibly, rolling out security audits, automated checks, and better documentation. But the default user experience remains fragile.

The bottom line?

OpenClaw is a fascinating glimpse into the future where messaging apps become universal remote controls for our digital lives. But right now, it is an engineer’s toy, not a consumer product.

🛠️ If you are a dev: Sandbox it. Run it on an air-gapped machine or a VM. Rotate your keys.

🚫 If you are a casual user looking for a better Siri? Stay away. OpenClaw hasn't reached its "final form" yet—no matter what the README says.
