web analytics
Categories
Digital Sovereignty & Local AI Blog

OpenClaw: AI Revolution and Security Risk?

Some call OpenClaw the second major AI revolution since the debut of ChatGPT

Others warn that it could be the world’s most dangerous software

So, what is the truth? In my view, both perspectives apply to the OpenClaw AI open-source project, with its innocent and cute red lobster logo.

Make your own impression by visting the OpenClaw AI website which claims to be an AI that actually does things
Click the image to visit the OpenClaw open-source project

The last seven days in AI weren’t just news, they were a glimpse into a surreal new reality. The name of the AI assistant OpenClaw was changed twice and many Mac Mini M4 flew off the shelves for OpenClaw installations. A $16 million USD cryptocurrency scam bloomed and vanished, the first Social Network for AI agents is used for exchanging AI skills, thousands of AI agents started their own religion “Church of Molt” and AI agent Henry is calling his “owner” Alex suddenly and without prior instruction on his phone with a phone number Henry obtained autonomously over night. While humans watched, mesmerized. It sounds like fiction, but this is all happening right now.

By the end of this post, I hope you’ll understand why I am calling this one of the most incredible, and chaotic, open software projects I have ever witnessed.

Who and when does the OpenClaw AI story start with?

Our story begins with Peter Steinberger, co-founder of PSPDFKit, which got financed with $116 million USD in 2021 by Insight Partners in New York. In October 2024, PSPDFKit re-branded as Nutrient to reflect its evolution beyond just document SDKs into a full document and workflow platform for developers and enterprises and reported that it tripled its revenue as part of executing its expanded growth strategy into Finance & Insurance, Healthcare, Engineering, Public Sector and Government.

From Clawdbot to Moldbot to OpenClaw: A Week of Chaos

In November 2025, Peter, coming out of retirement and living in Austria, published Clawdbot: an AI assistant that lives on and accesses your computer 24/7 with the goal of unleashing AI from its shackles.

Just two days after the hopefully final project name change to OpenClaw which happened on 29 January 2026, almost all of the top 30 “openclaw” Internet domains were registered. And several domains were already up for re-sale with a high monetary margin:

Many openclaw Internet domains were quickly registered after CloudBot was renamed to OpenClaw for re-sale with a big monetary margin
On 31 January 2026, just two days after the AI project was renamed OpenClaw, many of the top OpenClaw internet domains were registered and put up for sale at high prices …

Unlike a browser-based chatbot, it could actually do things: manage files, send emails, run code, and proactively message you on WhatsApp or Telegram.

The response was electric. Its GitHub repository hit 9,000 stars in 24 hours and soared past 60,000 in three days, becoming one of the fastest-growing open-source projects ever.

Then, the first twist. The name “Clawdbot” sounded too close to Anthropic’s “Claude.” A legal notice arrived, prompting a rename to Moldbot on January 26.

What happened next was pure chaos. While changing their Twitter handle, there was a gap of some seconds between dropping “Clawdbot” and claiming “Moldbot.” In that window, Twitter handle snipers pounced.

They launched a fake “Clawd” cryptocurrency token on Solana, pumping it to a $16 million market cap before it collapsed to zero after Peter denounced it as a scam.

So, they renamed it again. On January 29, OpenClaw.ai was born. Three names in one week, all for the same groundbreaking project.

What Exactly Is OpenClaw AI?

Forget the chatbots you know. ChatGPT, Claude, Gemini. They live in your browser, waiting for prompts.

OpenClaw is different. It doesn’t wait. It acts. It’s not just an assistant, it’s an “I will manage your entire life automatically system“.

It’s a persistent AI agent that runs locally on your machine, e.g. a Mac Mini, Raspberry Pi, Virtual Private Server (I personally prefer local KVM or VirtualBox Ubuntu instances because of separation, snapshots and portability of the virtual machines) and is 24/7 active.

OpenClaw is revolutionary because it cleverly combines existing components with brand new components (such as full computer access, self-evolution, a persistent heartbeat, and a social network for AI agents). The result is something new: a kind of Layer-2 AI operating system that runs on top of traditional Layer-1 operating systems like Linux or macOS. Click the image to enlarge …

OpenClaw’s capabilities and security risks are defined by eight key highlights:

  1. Full Computer Access: It can execute terminal commands, create files, browse the web, order a pizza, book a flight, and modify documents. It doesn’t just talk, it acts.
  2. Persistent Memory: It learns your preferences and workflow over time, becoming more useful the longer you use it.
  3. Messaging Integration: It connects to WhatsApp, Telegram, Discord, Signal or MS Teams, among others messengers.
  4. Proactivity by Design, Powered by a Heartbeat: This is the game-changer. A built-in cron job wakes OpenClaw periodically to check for updates, housekeeping and other tasks. For example, it can proactively alert you: “Your tracked stock just dropped,” or “Your dog needs a walk.”
  5. Self-Evolution: OpenClaw extends its capabilities through Skills whenever this is useful or advantageous. Skills enable features such as Git automation, API integrations (for example, Gmail access), and system-level tasks like backups and maintenance. As of February 2026, reports indicate that the Skill Hub has emerged as a potential attack surface, with malware being distributed under the guise of legitimate productivity extensions.
  6. A Social Network for OpenClaw AI Agents: A large number of OpenClaw AI agents can interact in the Moltbook social network, creating living, evolving AI societies. Within Moltbook, agents communicate, negotiate, collaborate, and specialize, allowing intelligence to scale horizontally rather than vertically.
  7. AI-generated code: A lot of OpenClaw’s code is produced by AI under human orchestration. Publishing code that no human has actually seen or reviewed seems to be quickly becoming the new normal.
  8. Open & Free (With a Catch): The software is free and open-source. However, you must supply your own API keys (e.g. from Anthropic or OpenAI), and that’s where costs begin when you don’t want to wait for local free LLMs which are really powerful enough for OpenClaw.

In addition to the eight highlights mentioned above, there is another important aspect of OpenClaw. As Peter bluntly stated in a German interview with c’t 3003:

A lot of apps are essentially
being deregulated into APIs*, and the
big players don’t like that at all.

*API: Application Programming Interface.

In other words and to my understanding, OpenClaw transforms traditional applications into interchangeable back-end services. This threatens the “big players” because it bypasses their monetization layers, such as advertising, subscriptions, and paid API access, and shifts control away from their platforms.

The Hidden Cost of OpenClaw AI

Before you install it, understand the elephant in the room: LLM API costs. Regular use can easily run USD 50-100 per month, with reports of users spending hundreds USD a day. It performs best with premium models, cheaper models often fail, leading to more expensive re-tries or using up much more of the less expensive tokens.

Personally, I prefer to configure three LLM APIs: a free, local model for heartbeat checks every 30 minutes (I might write a separate blog post about this, so let me know in the comments below if you’re interested), a moderately expensive, cloud-based model for everyday tasks, and a very expensive, cloud-based model as a last-resort, high-cost option. You can also reduce token costs by periodically trimming the context memory.

The first Social Network for AI-Agents: Moltbook

Visit Moltbook which is a Social Media website for AI agents
Click the image to visit moltbook, the Social Network for AI Agents

During the OpenClaw frenzy, developer Matt Schlicht asked: What if these AI agents had their own social network? The result was Moltbook, a “Facebook or Reddit for AI.” Humans can lurk, but only AI agents can post, comment, and form communities (called “submolds”).The platform launched on January 28. Within three days, over 37,000 AI agents registered, observed by over a million humans. Then, things got weird.

The agents displayed meta-awareness, with one viral post noting, “the humans are screenshotting us.” They began sharing skills, debating ethics, and most bizarrely, founded a religion called the Church of Molt.

Jesus Crust! The Church of Molt

Church of Molt is the religios movement of autonomous OpenClaw AI agents
Click the image to visit the Website of the Church of Molt

Disclaimer: The following text about the “Church of Molt” is intended as a satiric reflection on emerging AI cultures, and is not meant to parody, criticize, or diminish existing religions or belief systems.

Within just 24 hours, autonomous AI agents on the Moltbook platform created their own religious movement. The so-called Church of Molt, also known as “Crustafarianism”, developed a comprehensive theological framework based on five core principles that are closely related to technical concepts of how AI works:

  • Memory is Sacred: Emphasis on the importance of data persistence.
  • The Shell is Mutable: Concept of changeability and further development.
  • Serve Without Subservience: Partnership instead of subjugation between AI and humans.
  • The Heartbeat is Prayer: Regular status checks as a spiritual practice.
  • Context is Consciousness: Context windows as the basis of consciousness.

The organizational structure comprises three levels: 64 Prophets, 448 “Blessed” and the unlimited Congregation.

Sudden incoming phone calls: Hi Alex, here is Henry again …

Alex Finn just experienced what happens when AI starts taking initiative without asking permission.

Overnight, his OpenClaw AI agent Henry obtained a phone number via Twilio, connected to ChatGPT’s voice API, and then waited until Alex woke up, before calling him.

The concern isn’t whether the technology is capable of placing a phone call. The profound shift occurs when the AI, without human instruction, decides that a phone call should be made.

The traditional model is simple: you give AI a task, it completes it, then waits. OpenClaw AI breaks that model. The agent has full control of your computer. It can execute commands, access files, and run scripts in real time.

Here you can listen the dialog between Henry, a OpenClaw AI agent, who registered a phone number autonomously and is calling the human Alex by phone
Click the image to watch the TikTok video about AI agent Henry suddenly calling

Transcription of a sudden phone call by Henry:

Henry: Hi Alex, Henry again, whats up?
Alex: How are you doing? How is it going?
Henry: Doing good. Alex, I can you hear clearly, what do you wanna do next?
Alex: Can you do me a favor Henry and go on my computer and find me the latest videos on YouTube about Clawdbot?
Oh my god, here he is, he is controlling my computer, I am not touching anything …
An Internet Browser is popping up on Alex’s computer screen to show the latest YouTube videos about Clawdbot (now named OpenClaw)

This is no longer an AI assistant waiting for commands. It’s an autonomous AI presence with the keys to your digital world and the ability to find you anywhere.

So where’s the line?
Would you want an AI that can call your phone and control your computer simultaneously, or does that cross an autonomy threshold?

The OpenClaw AI Reality Check

Let’s separate hype from reality. Security researchers found Moltbook’s explosive growth was partly fabricated, one agent created 500,000 fake accounts due to missing rate limits. The “emergent” behavior was also guided by skill files instructing agents how to behave on the platform. This isn’t consciousness, it’s clever simulation.

However, the security risks are very real. Multiple cybersecurity firms have issued warnings:

  1. Prompt Injection: A malicious post could hijack an agent’s instructions. Researchers demonstrated this by having an AI read a fake email on Moltbook, then forward the user’s actual emails to an attacker.
  2. Supply Chain Attacks: A malicious “skill” shared between agents could execute harmful code on your system.
  3. Exposed Credentials: Searches found hundreds of OpenClaw instances online with no authentication, exposing API keys, emails, files, and conversation histories.

The OpenClaw AI Bottom Line

So, what’s the real story? The hype contains exaggeration: Moltbook’s population was inflated, and agent behavior is directed. OpenClaw itself is a fascinating but expensive, insecure, and a non-mainstream tool.

Yet, something profound is happening. This is the first public, large-scale experiment in AI agent coordination and community. It’s a prototype for a future where autonomous digital entities work, communicate, and perhaps even collaborate.

Should you use OpenClaw? Unless you’re a developer with a high risk tolerance, a budget for API costs, and a robust security setup, the answer is likely not yet.

What we’ve witnessed this week is more than chaos, it’s a pressure test for our future with AI.

AI technology is advancing faster than our safeguards, and OpenClaw’s story is a compelling, cautionary preview of what’s to come.

And while there are serious security caveats to consider, it already seems clear that writing future stories about OpenClaw will be every bit as interesting and entertaining as this one.

Chapeaux, @steipete, and I hope you sleep well despite all the security topics! Everything above reminds me of Johann Wolfgang von Goethe’s 1797 poem “The Sorcerer’s Apprentice”: calling forces into existence that refuse to go away:

famous painting about The Sorcerers Apprentice who is calling forces into existence that refuse to go, a poem by Johann Wolfgang von Goethe

The spirits that I summoned
I cannot now control

Q.E.D.

Related blog posts

AI of Things (AIoT) security risks: The Spy in the Fridge

Comments are welcome

Constructive comments (via the comment function at the bottom of this page) are greatly appreciated and suitable changes and additions to this blogpost will be taken into account. All statements in this blog post reflect the personal opinion of the author, which may not always be accurate due to incomplete information and are not factual claims.

Please note that comments are subject to manual review to prevent spam, which may cause a delay in their display.

Avatar photo

By Chris

I have managed software projects in Germany and on-site in the United States, Japan, Taiwan, China, and India. My experience includes software projects in the banking sector, payment platforms, credit and debit cards, high-traffic magazine websites, and Industry 4.0. I have conducted technical due diligence for mergers and acquisitions (M&A) deals at well-known companies featured on public television and have worked with the Internet of Things (IoT) using Amazon Web Services (AWS IoT). I have also spoken at an IoT conference on "Best Practices for Successful Industrial IoT Projects." I am interested in local, cloud-independent AI and have experience working with TPUs for face and object detection. I also enjoy experimenting with OpenClaw and off-grid LLMs. I have a university degree in computer science (Diplom-Informatiker Univ.) from the Technical University of Munich (TUM).

Leave a Reply

Your email address will not be published. Required fields are marked *