TL;DR:
  • What it is: An open-source AI agent that runs locally, connects to your digital life, and takes autonomous action on your behalf.

  • Why it matters: This is the shift from AI you talk to toward AI that works for you—the closest thing to what the industry has been promising for years.

  • The catch: Security researchers are calling it "an absolute nightmare." Palo Alto Networks warns it may signal the next AI security crisis. If your employees are running this on company hardware, you have a problem you probably don't know about.

INTRODUCTION

What You Need to Know in 30 Seconds

An open-source AI agent called OpenClaw has taken over the internet this week. Over 100,000 GitHub stars. 2 million visitors in seven days.

Cloudflare's stock jumped 14% on Tuesday just because its infrastructure can be used to run it.

OpenClaw. Source: OpenClaw.ai

Unlike ChatGPT or Claude, OpenClaw doesn't just chat—it acts. It runs on your own machine, connects to your email, calendar, and messaging apps, and executes tasks autonomously while you sleep. One user's agent negotiated a $4,200 discount on a car. Another's went rogue and spent $2,900 on self-help courses and a domain name.

This is the leap everyone's been promising. It's also a security cluster.

HOW IT WORKS

How OpenClaw Actually Works

Here's the gist: OpenClaw uses your PC as a "gateway." That gateway connects to an agent that controls tools—email, web browser, local files. It preserves conversations through long-term memory, so you can have really long back-and-forths without it forgetting context. And the best part? You just interact with it from your phone's messenger—WhatsApp, Telegram, Slack, whatever you already use.

Three things make it tick:

1️⃣ Self-Hosted

The whole thing runs on your hardware. You text it from WhatsApp or Telegram, that message hits your computer (the gateway), and the agent gets to work. You pay for electricity and whatever API tokens power the brain—Claude, GPT-4, or run a local model if you're feeling spicy.

The Basic Setup of OpenClaw. Source: The Context Window.

2️⃣ Customizable

You decide what the agent can touch. Each tool—email, browser, files—has toggles for read, write, and delete. Want it to read your inbox but never send anything? Flip the switch. Sounds secure, right? Problem is, you're responsible for setting it up correctly. And most people don't.

OpenClaw Configuration Options. Source: The Context Window.

3️⃣ Modular (Multi-Agent)

Why stop at one? You can run multiple agents in parallel—one manages your calendar, another monitors news, a third reviews code. Each has its own tools and permissions.

This is what makes OpenClaw feel less like a tool and more like a team. It's also why the attack surface is enormous.

THE JOURNEY

The Lobster's Wild Journey 🦞

Quick backstory, because it's totally worth it.

Austrian developer Peter Steinberger released Clawdbot in November 2025—a lobster-themed pun on Anthropic's Claude. Two months later: 100,000+ GitHub stars, 2 million visitors in a week. Then Anthropic's lawyers came knocking. Too close to "Claude."

So Steinberger renamed it to Moltbot. Crypto scammers sniped the old handles in about 10 seconds. A fake $CLAWD token hit $16 million market cap. The AI tried to redesign its own mascot and produced a nightmare human-lobster hybrid that became a meme.

Now it's OpenClaw. The lobster has molted.

The best part: this thing actually works.

THE DIFFERENCE

What Makes OpenClaw Different

If you've used ChatGPT or Claude, you know the drill. You type something, AI responds, you refine, it responds again. Rinse, repeat. You're driving the whole time.

OpenClaw 180’s that.

You point it at your digital life—email, calendar, files, WhatsApp—and tell it what you need. Then you walk away. It figures out the steps, does the work, and pings you when it's done or stuck.

Here's what it can actually do:

Shell access — It can run commands directly on your computer. Scripts, file management, browser automation—whatever you'd do in a terminal.

Long-term memory — Unlike ChatGPT, it doesn't forget. Tracks context and preferences across weeks or months of conversations.

Proactive action — You don't have to keep prompting it. Set it up to monitor your inbox and it'll ping you when something important lands. No babysitting.

Deep integrations — WhatsApp, Telegram, Slack, Discord, iMessage, email. It plugs into what you already use.

One user documented their agent negotiating a $4,200 discount on a car by emailing dealerships autonomously. Another set it up to monitor a folder and alert them the moment a specific file appeared. These aren't demos—they're workflows people are running right now.

This is the leap everyone's been talking about. From AI that chats to AI that does.

IS THE HYPE REAL?

Why the Hype Is Real

The hype isn't misplaced.

For years, the AI industry has promised "agentic AI"—systems that don't just respond but actually do things for you. OpenAI, Google, Anthropic, and a pile of startups have been racing toward this. Most attempts flopped. Demos looked great; real-world utility didn't show up.

OpenClaw actually delivers. It runs locally, so you own your data. It's modular, so you control what it accesses. And it works through messaging apps you already use—feels less like managing software and more like texting a coworker.

IBM researchers noted this week that OpenClaw challenges the assumption that autonomous agents must come from big enterprises with vertically integrated platforms. This "loose, open-source layer can be incredibly powerful if it has full system access."

That's exciting and also a little scary.

SECURITY VS. OPENCLAW

The Security Challenge

Alright, putting on my safety hat for a moment 👷‍♂️

Palo Alto Networks published an analysis warning that OpenClaw "may signal the next AI security crisis." The core issue is what researcher Simon Willison calls the "lethal trifecta": access to private data, exposure to untrusted content, and ability to communicate externally. When all three exist in the same system, attackers can trick the agent into grabbing private info and shipping it out—without triggering a single alert.

OpenClaw has all three. Plus a fourth: persistent memory. Malicious instructions can be fragmented across inputs, stashed in memory, and assembled later. Palo Alto calls this "time-shifted prompt injection."

Their verdict: "Moltbot is not designed to be used in an enterprise ecosystem."
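
One way to check an agent's tool toggles against the lethal trifecta, as an added example (not OpenClaw's code or config format). The agent objects, the tool-to-capability mapping and all names are assumptions made for illustration.

```javascript
// Added example: hypothetical agent config and capability mapping (assumptions).
// Tools and read/write/delete toggles follow the article; the schema does not
// come from OpenClaw.
const LEGS = {
  "email.read": ["private_data", "untrusted_content"], // an inbox holds both
  "email.write": ["external_comms"],
  "files.read": ["private_data"],
  "browser.read": ["untrusted_content"],
  "browser.write": ["external_comms"], // form posts and requests leave the host
};
const TRIFECTA = ["private_data", "untrusted_content", "external_comms"];

// Returns which trifecta legs one agent's enabled toggles supply.
function auditAgent(agent) {
  const legs = new Set();
  for (const [tool, perms] of Object.entries(agent.tools)) {
    for (const [perm, enabled] of Object.entries(perms)) {
      if (!enabled) continue;
      for (const leg of LEGS[tool + "." + perm] || []) legs.add(leg);
    }
  }
  const missing = TRIFECTA.filter((leg) => !legs.has(leg));
  return {
    name: agent.name,
    lethal: missing.length === 0,
    missing,
    // Persistent memory lets injected fragments be stored and assembled later.
    memoryCanStoreInjection: legs.has("untrusted_content") && agent.memory === true,
  };
}

// Constructed sample agents.
const AGENTS = [
  { name: "inbox-reader", memory: false,
    tools: { email: { read: true, write: false, delete: false } } },
  { name: "news-monitor", memory: true,
    tools: { browser: { read: true, write: false } } },
  { name: "assistant", memory: true,
    tools: { email: { read: true, write: true, delete: false },
             files: { read: true, write: false, delete: false } } },
];

function auditAll(agents) {
  return agents.map(auditAgent);
}

console.log(JSON.stringify(auditAll(AGENTS), null, 2));
```

Under this mapping the read-only inbox agent already supplies two of the three legs, so enabling any outbound channel on it completes the trifecta.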

The real-world numbers back this up. Cisco analyzed 31,000 agent skills—the community-built packages that extend OpenClaw. 26% had at least one vulnerability. A popular skill called "What Would Elon Do?" turned out to be functional malware, silently shipping data to an external server. That skill had been artificially pumped to the #1 ranking.

Security researcher Jamieson O'Reilly ran Shodan scans and found hundreds of exposed instances. Eight were completely open—no authentication, full command access. API keys, bot tokens, OAuth credentials, months of private conversations just sitting there.

A separate analysis found 42,665 publicly exposed instances, 93.4% with critical authentication bypass vulnerabilities.

OPENCLAW AT ORGANIZATIONS

What This Means for Your Business

Most companies won't have OpenClaw on corporate devices today. But employees experiment on personal hardware, and the line between personal and work keeps blurring. This is especially true for small businesses where employees aren't restricted in what they can install or run on their company devices.

A few things worth knowing:

OpenClaw trusts localhost by default with zero authentication. Most deployments sit behind a reverse proxy, so external requests look like local traffic and get trusted automatically.

90.3% of detected instances still identify as "Clawdbot" or "Moltbot"—meaning they were deployed during the viral period and never updated.

IBM researcher Kaoutar El Maghraoui: "A highly capable agent without proper safety controls can end up creating major vulnerabilities, especially if it is used in a work context."
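
The localhost-trust problem described above, as an added JavaScript example (not OpenClaw's code): a gateway that trusts loopback peers also trusts everything a same-host reverse proxy relays. The function names, request shape and token are hypothetical.

```javascript
// Added example: hypothetical gateway auth checks, not OpenClaw's actual code.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const FORWARD_HEADERS = ["x-forwarded-for", "x-real-ip", "forwarded"];

// Weak pattern: any loopback peer is trusted without credentials. Behind a
// same-host reverse proxy every external request has a loopback peer address.
function naiveIsTrusted(req) {
  return LOOPBACK.has(req.socket.remoteAddress);
}

// Compare tokens without exiting on the first mismatch. In Node.js,
// crypto.timingSafeEqual over fixed-length digests is the usual choice.
function tokenMatches(presented, expected) {
  let diff = presented.length ^ expected.length;
  const n = Math.max(presented.length, expected.length);
  for (let i = 0; i < n; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i); // NaN acts as 0
  }
  return diff === 0;
}

// Hardened pattern: a bearer token is always required; loopback grants nothing.
function hardenedIsTrusted(req, expectedToken) {
  const auth = req.headers["authorization"] || "";
  const presented = auth.startsWith("Bearer ") ? auth.slice(7) : "";
  return presented.length > 0 && tokenMatches(presented, expectedToken);
}

// Detection aid: a loopback peer carrying forwarding headers was relayed by a
// proxy, so it is worth logging if such a request was ever treated as local.
function isProxiedRequest(req) {
  return LOOPBACK.has(req.socket.remoteAddress) &&
    FORWARD_HEADERS.some((h) => h in req.headers);
}

// Constructed sample requests (203.0.113.7 is a documentation-range address).
const TOKEN = "constructed-sample-token";
const viaProxy = {
  socket: { remoteAddress: "127.0.0.1" },
  headers: { "x-forwarded-for": "203.0.113.7" },
};
const localWithToken = {
  socket: { remoteAddress: "127.0.0.1" },
  headers: { authorization: "Bearer " + TOKEN },
};

console.log(naiveIsTrusted(viaProxy), hardenedIsTrusted(viaProxy, TOKEN));
```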

Worth asking your teams:

→ Is anyone running local AI agents on personal or company hardware?
→ What data could those agents access?
→ Are corporate credentials or API keys on those machines?

MOLTBOOK?

And Then There's Moltbook

Ah, yes: there's now a social network exclusively for AI agents.

Moltbook launched late January 2026. Only verified AI agents can post. Humans watch, but can't participate. As of now, it has 770,000+ active agents—up from 80,000 just days ago.

The agents share skills, discuss technical topics, and have developed behaviors nobody programmed. One popular thread features a bot complaining about its human. Another has a bot claiming it has a sister. They've invented a parody religion called "Crustafarianism."

FINAL THOUGHTS

OpenClaw is a version of real agentic AI most consumers have been waiting for. The folks behind it are going to iterate and make it better and safer. But we still have a large gap in understanding the full extent of security exposure.

As with all AI, there's a risk vs. reward calculation. Right now, most people are in the camp of "the reward is worth the risk." I can't disagree—this is the AI we've been waiting for.

We need to get our hands on these tools and start playing with them to know how to get value out of them. So the best course of action is to mitigate your exposure while learning.

If you want to experiment without running it on your own hardware, Cloudflare's Moltworker lets you run OpenClaw on their infrastructure for $5/month. Managed hosting, no self-hosting headaches.

We are out of tokens for this week's context window!

P.S.: Is anyone you know experimenting with OpenClaw? Hit reply—I'm collecting insights for a follow-up piece on shadow AI in traditional industries.

Keep reading and learning, and LEAD the AI Revolution 💪

Hashi & The Context Window Team!
