Summary: OpenClaw (formerly known as Moltbot and Clawdbot) is the most controversial open-source AI agent project of early 2026. This article explores how this lobster-mascot AI assistant became the fastest-growing GitHub project in history, while simultaneously triggering a $16 million cryptocurrency scam, hundreds of security breaches, and a 14-20% surge in Cloudflare’s stock price.
What is OpenClaw? The AI Agent That’s Taking the World by Storm
Over the past few weeks, the global tech community has been swept up in an unprecedented frenzy. From San Francisco to London to Beijing, developers are lining up to buy Mac Minis with a singular purpose: to transform these machines into AI agents with root-level access to their digital lives. This isn’t just another GitHub hype cycle—it’s a preview of a digital revolution centered on personal computing sovereignty.
OpenClaw (originally named Clawdbot, briefly renamed to Moltbot) is an open-source AI personal assistant created by Austrian developer Peter Steinberger in late 2025. Steinberger is no stranger to success—he previously founded PDF technology company PSPDFKit and sold it to Insight Partners for approximately 100 million euros.
According to Wikipedia, OpenClaw has now accumulated over 145,000 GitHub Stars, making it one of the fastest-growing open-source projects in history. This white-hot attention proves just how desperately the market craves “AI that actually gets things done”—but this desire has also led developers to voluntarily tear down twenty years of security defenses.
OpenClaw’s Name Evolution (Formerly Moltbot)
| Date | Name | Reason |
| --- | --- | --- |
| Late 2025 | Clawdbot | Original name, tribute to Claude |
| Jan 27, 2026 | Moltbot | Renamed due to Anthropic trademark request |
| Jan 30, 2026 | OpenClaw | Final official name |
OpenClaw’s Core Features: Why It’s Called “AI with Hands”
Unlike traditional chatbots, OpenClaw is called “AI with hands”—it doesn’t just converse, it actually executes tasks. According to Scientific American, its core capabilities include:
OpenClaw Key Features
| Category | Capabilities |
| --- | --- |
| Multi-platform Integration | WhatsApp, Telegram, Slack, Discord, iMessage, Signal, Microsoft Teams |
| System-level Access | Read/write files, execute shell commands, control browsers |
| Persistent Memory | Retains context across conversations, remembers user preferences for weeks |
| Autonomous Execution | Automatically breaks down complex tasks, finds tools, installs software, troubleshoots |
| Voice Interaction | Supports voice activation and calls on macOS/iOS/Android |
This design enables OpenClaw to accomplish tasks that previous AI assistants couldn’t handle. For example, when OpenTable reservations are full, OpenClaw automatically downloads AI voice software and calls the restaurant directly to complete the booking. It can also write and commit code at midnight based on WhatsApp instructions.
If you’re interested in how AI agents collaborate, check out our in-depth analysis of MCP (Model Context Protocol).
OpenClaw’s Rebranding Disaster: How 10 Seconds Led to a $16 Million Scam
From Clawdbot to Moltbot to OpenClaw
On January 27, 2026, Anthropic (the developer of Claude AI) sent Steinberger a trademark notice: “Clawdbot” was too similar to their model name “Claude” and needed to be changed. Steinberger first renamed the project to Moltbot (derived from a lobster’s “molt”), but dissatisfied with the name, he ultimately settled on OpenClaw on January 30.
The Fatal 10 Seconds
During the process of switching the GitHub repository name and X (formerly Twitter) handle, Steinberger made a mistake that will be written into cybersecurity textbooks: he left approximately a 10-second gap between releasing the old name and securing the new one.
According to CNBC, lurking cryptocurrency scammers instantly seized the account and issued a fake token $CLAWD on the Solana blockchain. The token’s market cap briefly surged to $16 million before experiencing a classic “rugpull” crash.
Steinberger posted on X:
“Please stop tagging me, crypto people. Any project listing me as a holder is a scam. I will never issue any token. This is not what I intended when I wrote this home automation tool.”
OpenClaw’s Security Nightmare: Tearing Down Twenty Years of Defenses
OpenClaw’s power comes precisely from its “hands”—the ability to read emails, control browsers, and execute shell commands. But this also makes it a security expert’s nightmare.
Confirmed OpenClaw Vulnerabilities
According to Cisco’s Security Blog and Security Boulevard:
| Vulnerability Type | Description | CVE Number |
| --- | --- | --- |
| Remote Code Execution (RCE) | Attackers can execute arbitrary code on the victim’s computer via malicious links | CVE-2026-25253 |
| Command Injection | Gateway code flaws allow attackers to execute system commands | CVE-2026-25157 |
| Authentication Bypass | Default trust of all localhost connections; reverse proxy misconfigurations invalidate authentication | — |
| Malicious Plugins | Over 230 malicious skills discovered in ClawHub marketplace, used to steal passwords and API keys | — |
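The authentication-bypass row above, as an added example (a simplified model, not OpenClaw's code): behind a reverse proxy on the same host, every request reaches the gateway from 127.0.0.1, so a trust-localhost rule admits remote clients. The function names, header names and password are constructed for illustration.

```python
import hmac
import ipaddress

GATEWAY_PASSWORD = "example-only-secret"  # constructed value, not a real credential

def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def password_ok(headers: dict) -> bool:
    # Constant-time comparison of the supplied bearer value.
    supplied = headers.get("authorization", "")
    expected = "Bearer " + GATEWAY_PASSWORD
    return hmac.compare_digest(supplied.encode(), expected.encode())

def naive_authorize(peer_ip: str, headers: dict) -> bool:
    """Weak pattern: a loopback peer is trusted without credentials."""
    return is_loopback(peer_ip) or password_ok(headers)

def hardened_authorize(peer_ip: str, headers: dict) -> bool:
    """Every request must carry the password, whatever the peer address.
    Forwarded-for headers are not consulted: clients can set them."""
    return password_ok(headers)

def via_reverse_proxy(client_ip: str, headers: dict):
    """Model a proxy on the gateway's host: the gateway's socket peer is the
    proxy (127.0.0.1); the real client address survives only in a header."""
    forwarded = dict(headers, **{"x-forwarded-for": client_ip})
    return "127.0.0.1", forwarded

if __name__ == "__main__":
    remote = "203.0.113.7"  # documentation-range address, constructed
    peer, hdrs = via_reverse_proxy(remote, {})
    print("direct, no password:   ", naive_authorize(remote, {}))
    print("proxied, no password:  ", naive_authorize(peer, hdrs))
    print("hardened, no password: ", hardened_authorize(peer, hdrs))
```
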
SlowMist’s Security Findings on OpenClaw
Blockchain security firm SlowMist discovered that hundreds of OpenClaw instances deployed behind reverse proxies had completely exposed API keys and Signal credentials. Security researcher Jamieson O’Reilly used Shodan scanning and found over 900 exposed instances within seconds.
Even more damaging: the ClawHub plugin marketplace’s official documentation states: “All downloaded code will be treated as Trusted Code”—a suicidal design decision in cybersecurity terms.
OpenClaw’s Sovereignty Paradox
There’s a deeply ironic “sovereignty paradox” at play:
Developers buy hardware to “own the agency,” but the brain must still “rent intelligence” from Anthropic or OpenAI. You think you’ve reclaimed sovereignty, but you’ve actually opened a backdoor to your digital life’s core for cloud giants and potential hackers.
This relationship between local computing and cloud model dependency is explored in detail in our cloud vs. on-premises deployment analysis.
How OpenClaw Moved Wall Street: Cloudflare’s “AI Agent Effect”
OpenClaw’s influence has transcended the tech sphere and directly impacted Wall Street. Cloudflare (NET) stock surged 14-20% in a short period—and this was no coincidence.
Why Cloudflare Benefits from OpenClaw
Since OpenClaw needs to securely expose local services to the internet (to receive WhatsApp or iMessage commands), its official documentation strongly recommends using Cloudflare Tunnels. This created massive demand:
| Cloudflare Service | OpenClaw Use Case |
| --- | --- |
| Cloudflare Tunnels | Securely connect local Gateway to external network |
| Zero Trust Access | Protect admin interface from unauthorized access |
| R2 Storage | Persistent storage for conversation logs and configurations |
Cloudflare even quickly launched Moltworker—a solution that lets users run OpenClaw on Cloudflare Workers for $5/month.
This represents a profound shift: AI competition is no longer just about software and models—it’s evolving into a battle for infrastructure and network layers. When tens of thousands of developers simultaneously flock to the same tunneling technology, the power of technological change can directly rewrite public company valuations.
Why Developers Choose OpenClaw: The Mediocrity of Siri and Alexa
Why are developers unwilling to turn back despite facing such massive security risks (prompt injection can seize system control within minutes)? The answer lies in the mediocre experience that tech giants have long provided.
Traditional Assistants vs. OpenClaw
| Comparison | Siri/Alexa | OpenClaw |
| --- | --- | --- |
| Task Execution | Limited to preset functions (set alarms, play music) | Can execute arbitrary system commands |
| Autonomy | Passively waits for commands | Proactively breaks down tasks, finds solutions |
| Integration Depth | Closed ecosystem | 50+ open integrations |
| Memory | Resets every conversation | Persistent memory across conversations |
| Security | High (limited functionality) | Low (powerful functionality) |
Since Siri’s 2011 debut, traditional assistants have been castrated within closed walled gardens. As one commenter put it:
“Siri is safe because it’s been neutered; OpenClaw is useful because it’s dangerous.”
Users would rather risk being attacked than settle for a mediocre product that has been made incapable for the sake of safety.
OpenClaw and the Mac Mini Buying Frenzy: The Battle for Computing Sovereignty
This Mac Mini buying frenzy is actually a hedge on future “computing sovereignty.” MacStories founder Federico Viticci wrote on Mastodon:
“An open-source AI agent running on my Mac mini server is the most interesting and productive AI experience I’ve had recently.”
Why Developers Choose to Run OpenClaw Locally
- Data Sovereignty: All conversations and credentials stay local
- Cost Control: Avoid ongoing cloud API fees
- Latency Optimization: Local execution reduces network latency
- Customization Freedom: Complete control over agent behavior
However, ironically: you don’t need a Mac Mini to run OpenClaw. It runs perfectly on any old computer, free cloud instances, or even a 2GB RAM Raspberry Pi.
For enterprise users, how to effectively manage GPU resources to support local AI workloads will be the next critical issue.
How to Use OpenClaw Safely: 6 Immediate Hardening Steps
If you still decide to use OpenClaw, here are the minimum security measures recommended by security experts:
Essential OpenClaw Security Settings
- Isolated Execution: Run OpenClaw in a VM or Docker container, not directly on the host
- Enable Password Authentication: Ensure gateway.auth.password is set
- Use Sandbox Mode: Limit OpenClaw’s access to the file system and browser
- Regular Security Audits: Use built-in security audit tools to check exposed ports
- Limit Token Permissions: All API keys should have minimum necessary permissions
- Only Allow Trusted Channels: Avoid adding OpenClaw to public groups
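A minimal check for two of the steps above, added here and not part of OpenClaw's built-in audit tooling: it verifies that `gateway.auth.password` is set and flags agent ports listening beyond loopback. The nested config layout, the port numbers and the `/proc/net/tcp` sample are assumptions constructed for the example.

```python
import ipaddress
import socket
import struct

# Constructed sample in Linux /proc/net/tcp format. State 0A means LISTEN.
# Ports 8080 (0x1F90) and 9000 (0x2328) are placeholders, not OpenClaw defaults.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 00000000:2328 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20003
"""

def listeners(proc_net_tcp: str):
    """Return (ip, port) for every IPv4 socket in LISTEN state."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is stored in host byte order (little-endian assumed here).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16)))
    return found

def audit(config: dict, proc_net_tcp: str, agent_ports: set):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    # Assumed layout: the dotted key gateway.auth.password as nested dicts.
    password = config.get("gateway", {}).get("auth", {}).get("password")
    if not password:
        findings.append("gateway.auth.password is not set")
    for ip, port in listeners(proc_net_tcp):
        if port in agent_ports and not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"port {port} listens on {ip}, reachable beyond loopback")
    return findings

if __name__ == "__main__":
    for finding in audit({}, SAMPLE_PROC_NET_TCP, {8080, 9000}):
        print("FINDING:", finding)
```

On a live Linux host, pass the contents of `/proc/net/tcp` in place of the sample; IPv6 listeners live in `/proc/net/tcp6` and are not covered here.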
The Most Important Warning
OpenClaw’s official documentation itself admits: “There is no ‘completely secure’ configuration.” If concepts like “reverse proxy” or “credential rotation” are unfamiliar to you, it’s best not to install OpenClaw for now.
Conclusion: OpenClaw Ushers in a “Mad Max” Era of AI Agents
OpenClaw’s (formerly Moltbot) 72-hour chaos is a violent preview of AI agents’ future in 2026. It marks our official entry into a chaotic phase of AI development: lacking sufficient security protections, yet brimming with exhilarating possibilities.
In pursuing ultimate efficiency in the agent era, we must confront one core challenge:
Are we ready to accept a digital partner that’s “dangerous because it’s powerful”?
Perhaps within three months, VC-funded projects with professional security resources will take over the market, but OpenClaw has already torn open that crack. In this world of ultimate agency, efficiency is the only hard currency, and security is becoming the premium we pay for the future.
Frequently Asked Questions (FAQ)
What is OpenClaw?
OpenClaw is an open-source AI personal assistant that runs on local devices and executes automated tasks through messaging platforms like WhatsApp, Telegram, and Slack. It was created by Austrian developer Peter Steinberger and features a lobster mascot.
Are OpenClaw and Moltbot the same thing?
Yes. The project was originally named “Clawdbot,” renamed to “Moltbot” due to Anthropic’s trademark request, and finally settled on “OpenClaw.” All three names refer to the same open-source AI agent project.
Is OpenClaw free?
The software itself is free and open-source (MIT license), but running costs depend on the LLM model you use. Using commercial models like Claude or GPT-4 requires API fees, potentially $100-500 per month.
Is OpenClaw secure?
Not entirely secure. Multiple major vulnerabilities have been discovered (CVE-2026-25253, CVE-2026-25157), and over 900 instances have exposed sensitive credentials. The official documentation also admits “there is no completely secure configuration.”
Do I need a Mac Mini to run OpenClaw?
No. OpenClaw can run on any macOS, Linux, or Windows (via WSL2) system, including Raspberry Pi and cloud VPS.
Why did Cloudflare’s stock rise because of OpenClaw?
OpenClaw officially recommends using Cloudflare Tunnels to securely expose local services. Mass developer adoption of this recommendation led to surging Cloudflare service demand, pushing the stock up 14-20%.
What can OpenClaw do?
OpenClaw can manage emails, schedule calendars, browse the web, execute code, send messages, make reservations, and even make phone calls. Its core features are “persistent memory” and “autonomous task execution.”
Last updated: February 5, 2026