From Clawdbot to Moltbot to OpenClaw: The Wild Rise of the Internet's Most Controversial AI Agent

What Is OpenClaw?

OpenClaw (formerly Moltbot, formerly Clawdbot) is an open-source, self-hosted AI assistant created by Peter Steinberger — the Austrian developer behind PSPDFKit. It's not just another chatbot. It's a personal AI agent that runs locally on your machine, connects to your files, your shell, and your messaging apps, and actually does things on your behalf.

Think of it as Claude or ChatGPT, but with hands. It can read and write files, browse the web, run shell commands, send messages on WhatsApp, Slack, Discord, Telegram, and iMessage — and it remembers everything across conversations.

Key features:

Persistent memory — Remembers context across sessions
Full system access — Shell, browser, file system
50+ integrations — WhatsApp, Slack, Discord, Telegram, iMessage, Signal, and more
Proactive notifications — It can reach out to you, not just respond
Runs locally — Your data stays on your machine
Model-agnostic — Works with Claude, GPT, local models, or any API-compatible LLM

The Numbers

The growth has been staggering:

9,000 GitHub stars within the first 24 hours
60,000+ stars within the first week
150,000+ stars at present — making it one of the fastest-growing open-source projects in GitHub history
20,000+ forks
2 million visitors in a single week
Publicly endorsed by Andrej Karpathy and David Sacks

The Trademark Drama

On January 27, 2026, Anthropic contacted Steinberger about the name "Clawdbot" — it was phonetically too close to "Claude," Anthropic's AI model, and posed a trademark risk.

Steinberger complied and rebranded to Moltbot — a clever nod to how lobsters molt their shells to grow (the project's mascot is a lobster). The AI character was renamed from "Clawd" to "Molty," and new handles were claimed: @moltbot, molt.bot.

The community wasn't thrilled. Rails creator DHH called Anthropic's move "customer hostile," pointing out that the project was actively driving Claude API revenue and that the name similarity was clearly playful, not deceptive.

The 10-Second Hijacking

Here's where things went sideways.

During the simultaneous rename of the GitHub and X/Twitter accounts, crypto scammers claimed both old handles in approximately 10 seconds. Steinberger later admitted: "I messed up the rename and my old name was snatched in 10 seconds."

The hijackers immediately:

Impersonated the original project to tens of thousands of followers
Posted fake announcements promoting token deals
Sent scam messages from the verified accounts

This led to the creation of fake $CLAWD tokens on Solana, which hit a $16 million market cap before collapsing — a textbook rug pull. Steinberger's response was clear: "I will never do a coin. Any project listing me as coin owner is a SCAM."

Just days later, on January 30, the project rebranded again to its current name: OpenClaw.

The Security Problem

Beyond the branding chaos, security researchers raised serious alarms about the tool itself.

SlowMist, a blockchain security firm, reported that multiple unauthenticated OpenClaw instances were publicly accessible, with code flaws that could lead to credential theft and remote code execution.

Researchers found:

~780 exposed instances discoverable on Shodan
Complete credentials visible — API keys, bot tokens, OAuth secrets, full conversation histories
A prompt injection attack that succeeded within 5 minutes in testing
The ability to forward all messages to an attacker's address
No directory sandboxing — the agent had unrestricted file system access

Palo Alto Networks described the architecture as a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to perform external communications — all while retaining memory.

Why Developers Should Care

OpenClaw represents a real inflection point in the AI agent space. It showed what's possible when you give an AI full system access and let it run autonomously. But it also exposed how far the security model for AI agents needs to go before this kind of tool is production-ready.

The Good

Proof of concept for personal AI agents — The demand is clearly there. 150K stars don't lie.
Open-source and self-hosted — No data leaves your machine (in theory)
Model-agnostic — Not locked into any single AI provider
The UX is compelling — Controlling your computer from WhatsApp is genuinely useful

The Concerning

Unrestricted system access with no sandboxing is a security nightmare
Prompt injection remains an unsolved problem — and it's far more dangerous when the agent can execute shell commands
Self-hosting doesn't mean secure — Most developers don't configure firewalls, IP whitelisting, or isolated environments properly
The rebrand chaos showed how fragile the project's operational security was

Lessons for Developers

If you're thinking about running OpenClaw or any self-hosted AI agent, keep these in mind:

Never expose it to the public internet — Use a VPN or strict IP whitelisting
Run it in an isolated environment — A dedicated VM or container, not your main machine
Use a dedicated account — Don't give it access to your primary credentials
Audit the integrations — Every connected messaging app is an attack surface
Monitor what it does — Log all commands and actions the agent takes
Don't store secrets in plain text — Use a secrets manager, even for self-hosted tools

Where Things Stand Now

OpenClaw is alive and growing. The project has stabilized under its new name, the hijacked accounts have been recovered, and the community continues to build on top of it. Cloudflare even released moltworker, a way to run OpenClaw on Cloudflare Workers.

But the bigger story isn't about one project — it's about the rise of AI agents with real-world capabilities. OpenClaw proved the demand exists. Now the industry needs to figure out how to make these tools safe enough for mainstream use.

The lobster molted. Whether it grows into something enterprise-ready or remains a fascinating experiment for power users — that's the question for 2026.

DevBlacksmith