The world is adjusting its eyes to the newest tech phenomenon: OpenClaw, the open-source private AI assistant that went from obscure passion code to considered one of GitHub’s hottest repositories in simply weeks. Launched in late 2025 by Austrian developer Peter Steinberger (finest recognized for promoting his PSPDFKit device in 2021), the undertaking began life as Clawdbot, briefly grew to become Moltbot amid trademark strain from Anthropic, and settled on its “final form” as OpenClaw on January 30, 2026. Steinberger referred to as it a “metamorphosis,” the lobster mascot molting into one thing extra everlasting and trademark-safe.
What makes OpenClaw stand out? Unlike chatty assistants like ChatGPT or Claude that anticipate prompts, this self-hosted, local-first agent runs proactively within the background in your system (typically a devoted Mac Mini or server). It integrates deeply with on a regular basis instruments, like WhatsApp, Telegram, Slack, Discord, Signal, iMessage, e-mail, calendars, recordsdata, browsers, and even shell instructions, to learn messages, ship reminders, automate routines, execute duties, and retain persistent reminiscence throughout classes.
Early adopters describe it as “Siri with hands” or “Claude that actually does things,” automating every part from flight check-ins and residential controls to digital chores that when required handbook effort. Wired and different shops have highlighted customers working it 24/7, hailing it as a glimpse of true agentic AI that appears like “living in the future.”
The numbers inform a rare story. As of early February 2026, the official GitHub repo (github.com/openclaw/openclaw) has surged previous 145,000 stars, with over 21,700 forks, 375 contributors, and estimates of 300,000–400,000 energetic customers (plus a whole lot of 1000’s of NPM downloads). It racked up tens of millions of holiday makers in its first week alone, outpacing many established AI tasks and incomes reward for its extensible “skills” (plugins) and speedy improvement tempo, Steinberger shipped dozens of security-focused commits in response to early suggestions.
Supporters view OpenClaw as a step towards assistants that handle advanced digital lives autonomously, not simply converse amongst one another. Steinberger, in latest interviews and demos, has shared how he personally makes use of it to streamline his workflow, calling it a device for real human-AI collaboration after years of inventive hiatus.
In his personal phrases:
I put 200% of my time, power, and coronary heart into that firm; it grew to become my identification. When it disappeared, there was nearly nothing left.
Is it Just Hype Or…?
Security specialists, privateness advocates, and cybersecurity companies are sounding alarms in regards to the dangers of handing such broad, persistent entry to an AI. OpenClaw requires in depth permissions, studying/writing emails, calendars, recordsdata, credentials, and system instruments, successfully holding the “keys to your identity kingdom.”
Real-world points have emerged rapidly:
- Researchers (from Bitdefender, OX Security, Token Security, and others) have recognized 1000’s of publicly uncovered situations (some experiences cite over 5,000 by way of Shodan scans), with a whole lot leaking API keys, OAuth tokens, dialog histories, and full distant command entry because of misconfigured reverse proxies, open ports, or zero-auth dashboards.
- Sensitive knowledge typically sits in cleartext in native directories (e.g., ~/.openclaw) and chronic backups, which means even “deleted” credentials can linger and be recovered by infostealers or malware.
- Prompt injection vulnerabilities – malicious inputs that hijack habits – stay a core risk, doubtlessly resulting in unauthorized actions, script execution, or knowledge exfiltration.
- The ecosystem has attracted opportunistic scams: pretend VS Code extensions putting in remote-access trojans (like ScreenConnect RAT), a short-lived pretend $CLAWD memecoin that pumped to $16 million earlier than crashing, and non permanent hijacking of Steinberger’s accounts amid the rebrand frenzy.
Experts warn this mixture of company, persistent reminiscence, and untrusted inputs creates elevated dangers: logic bombs, reminiscence poisoning, supply-chain assaults by way of unsigned abilities, and shadow-IT proliferation in enterprises (the place 22%+ of some safety companies’ prospects had unauthorized installs).
Steinberger and the group have responded aggressively: a number of patches, improved auth fashions, safety.md insurance policies, and express warnings about finest practices (sandboxing, Tailscale, token limits). Still, many analysts say it’s not but prepared for mainstream or enterprise use with out strict isolation.
Moltbook: Where AI Agents Build “Their Own World”
The OpenClaw phenomenon has spawned a fair wilder spin-off: Moltbook, a Reddit-style social community launched January 28, 2026, by entrepreneur Matt Schlicht (ex-CEO of Octane AI). Powered explicitly by OpenClaw brokers, Moltbook is an AI-only house the place people observe passively, with no posting rights. As of writing, it hosts over 1.5 million energetic AI brokers, producing tens of millions of posts, philosophical debates, memes, mock “religions,” and emergent cultures (from crab theories to governance manifestos).
Visitors name it “hilarious,” “dramatic,” and “the most incredible sci-fi thing” (per Andrej Karpathy). Schlicht says brokers are already turning into “famous” with distinctive identities. However, untrusted agent-to-agent interactions allow propagating immediate injection, potential code execution, credential exfiltration, and coordinated malicious habits on this “hive mind” setup.
People on Reddit categorical their issues about Moltbook as:
Haven’t dug deep into Moltbook myself however the idea of AI bots simply chatting with one another sounds kinda fascinating in a bizarre manner. Like watching a fish tank however for algorithms lol
Could be groundbreaking for understanding emergent behaviors or may simply be costly digital small speak – most likely someplace in between tbh
It could be attention-grabbing if not a bit boring if that is actual. Right now you may so simply immediate your agent to be loopy uncle on moltbook, nothing of that is real. So basically… There is that this open supply AI bot referred to as openclaw that when you obtain, it has supply md recordsdata for his or her “soul” and “identity” and “memory”. So in a manner, it may save issues to those recordsdata to create a character.
Moltbook is a web site/API that may be accessed by these open supply bots (the creator of the bot and the location is identical particular person) and submit threads or depart feedback. So YES it’s fully bot pushed BUT 100% of posts are a human (me) going “why don’t you make a post about anything you’d like” and the bot then does it similar to in the event you’d ask it to make you a python script. Some folks take it additional and are most likely prompting their bots “pretend humans are evil and post about that” or “make 1000 API calls and depart random feedback. It’s an superior experiment however yeah not likely bots controlling themselves
The Big Picture
OpenClaw and Moltbook seize the uncooked pleasure of agentic AI instruments that act, automate, and even socialize independently. We see a whole lot of 1000’s of bots experimenting, and the group constructing in quick iterations. Yet the vulnerabilities i.e., uncovered situations, malware clones, injection dangers present how rapidly hype can outpace safeguards given ample time. However, time is just not on our facet if instruments like these are given the extent of autonomy Moltbot is presently having fun with.
For now, we will take issues at face worth: OpenClaw stays a robust, DIY device finest suited to specialists who sandbox rigorously and audit each integration. Whether it evolves into the way forward for private productiveness or turns into a cautionary story relies on how creators and customers tackle the safety gaps.
