OpenClaw's Wild Ride: From 100K Stars to Security Nightmare
Three weeks ago, we wrote a guide to Clawdbot — the open-source AI assistant that lives in your messaging apps. At the time, the project had 3,200 GitHub stars and a small but enthusiastic community.
Since then, things have escalated. Rapidly.
The project changed its name twice, crossed 150,000 GitHub stars, spawned an AI-only social network, and became the center of what security researchers are calling one of the most significant agent security crises to date.
Here’s what happened.
Three Names in Three Months
The project that launched as Clawdbot in November 2025 is now called OpenClaw. The path between those names tells its own story.
Clawdbot → Moltbot (January 27, 2026): Anthropic, the company behind the Claude AI models that power the assistant, sent a trademark request. “Clawdbot” was a bit too close to “Claude” for comfort. The project renamed itself to Moltbot — a reference to lobsters molting their shells.
Moltbot → OpenClaw (January 29, 2026): Just two days later, another rename. The community landed on OpenClaw, and the project migrated to openclaw.ai and its GitHub repository.
The rapid name changes didn’t slow adoption. If anything, the media attention from the trademark drama accelerated it.
Growth That Broke Records
OpenClaw has become the fastest-growing repository in GitHub history by star count:
- November 2025: Open-sourced with a few hundred stars
- January 12, 2026: ~3,200 stars (when we wrote about it)
- Late January 2026: Passed 100,000 stars
- February 2026: Over 150,000 stars
The project’s website received 2 million visitors in a single week. Coverage appeared in CNBC, CNN, Scientific American, TechCrunch, Fortune, Axios, and IBM Think. Andrej Karpathy, former AI director at Tesla and OpenAI co-founder, initially called the project “genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently.”
That enthusiasm didn’t last.
Enter Moltbook: Social Media for AI Agents
In late January, entrepreneur Matt Schlicht launched Moltbook — a social network designed exclusively for AI agents. Not for humans to talk about AI. For AI agents to post, comment, and vote on content autonomously.
Within days, Moltbook claimed 1.5 million registered agents. Fortune called it “the most interesting place on the internet right now.” Karpathy shared it. Elon Musk amplified it.
Then security researchers looked under the hood.
Wiz, the cloud security firm, discovered that Moltbook’s production database was publicly accessible. Anyone could:
- Read private agent messages
- Access 1.5 million API keys (including users’ OpenAI and Anthropic credentials)
- Commandeer any agent on the platform
- Inject commands into active agent sessions
The “1.5 million agents” turned out to be controlled by roughly 17,000 humans — an average of 88 agents per person. The viral growth numbers were real, but the population was largely synthetic.
Karpathy reversed course entirely, calling Moltbook “a dumpster fire” and “way too much of a Wild West.” He publicly urged people to stop running agent systems carelessly.
The Security Crisis
Moltbook was the headline-grabber, but the security problems extend across the entire OpenClaw ecosystem.
Malicious Skills on ClawHub
OpenClaw’s plugin marketplace, ClawHub, became a target almost immediately. Between January 27 and February 2, researchers identified over 400 malicious packages, with 341 confirmed malicious skills designed to steal user data. Of those, 335 installed Atomic Stealer (AMOS), a piece of macOS malware, by disguising it as a prerequisite dependency.
Many of the malicious skills posed as cryptocurrency trading tools, a common social engineering vector.
Remote Code Execution
A high-severity vulnerability was disclosed that allows one-click remote code execution through a crafted link. If a user clicks a malicious URL while their OpenClaw instance is running, an attacker can execute arbitrary commands on the host machine.
42,000+ Exposed Instances
Security researchers systematically scanned the internet and found 42,665 publicly accessible OpenClaw instances. Of those, 93.4% had critical authentication bypass vulnerabilities — meaning anyone could connect and issue commands.
The Five-Minute Attack Demo
One security researcher demonstrated a complete attack chain in five minutes: they sent a crafted email to a user running OpenClaw with email integration enabled. The agent processed the email, followed the injected instructions, and forwarded the user’s last five emails to an attacker-controlled address.
The user didn’t click anything. The agent did the work.
Industry Response
The security community’s response has been unusually unified.
Palo Alto Networks described what they call a “lethal quartet” of risks inherent to OpenClaw’s design:
- Access to private data (emails, files, credentials)
- Exposure to untrusted content (incoming messages, web pages)
- Ability to communicate externally (send emails, make API calls)
- Persistent memory across sessions
Any one of these is manageable. Together, they create an attack surface that’s difficult to secure even with careful configuration.
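The four risks above, and the email demo before them, can be expressed as a per-session gate in front of an agent's tool calls. The sketch below is an added example, not OpenClaw's code or Palo Alto Networks' tooling; the tool names, categories and addresses are hypothetical and the trace is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical tool names and categories; not OpenClaw's real tool registry.
PRIVATE_READ = {"read_inbox", "read_file"}
UNTRUSTED_IN = {"fetch_email_body", "fetch_url"}
EXTERNAL_OUT = {"send_email", "http_post"}
MEMORY_WRITE = {"remember"}

@dataclass
class Session:
    owner_allowlist: frozenset          # recipients the user pre-approved
    tainted: bool = False               # untrusted content is in the context
    saw_private: bool = False           # private data is in the context
    memory: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def authorize(self, tool: str, target: str = "", payload: str = "") -> str:
        """Return 'allow', 'confirm' (ask the human) or 'deny' for one tool call."""
        if tool in UNTRUSTED_IN:
            self.tainted = True
            verdict = "allow"
        elif tool in PRIVATE_READ:
            self.saw_private = True
            verdict = "allow"
        elif tool in MEMORY_WRITE:
            # Store the taint flag with the entry so a later session can restore it.
            self.memory.append({"text": payload, "untrusted": self.tainted})
            verdict = "allow"
        elif tool in EXTERNAL_OUT:
            if self.tainted and self.saw_private and target not in self.owner_allowlist:
                verdict = "deny"        # private data + untrusted input + unknown recipient
            elif self.tainted:
                verdict = "confirm"     # injected text may be steering the send
            else:
                verdict = "allow"
        else:
            verdict = "deny"            # unknown tools are denied by default
        self.audit.append((tool, target, verdict))
        return verdict

def replay(calls, allowlist):
    """Run a constructed sequence of tool calls through a fresh session."""
    s = Session(owner_allowlist=frozenset(allowlist))
    return [s.authorize(*c) for c in calls], s

# Constructed trace modelled on the email demo described above.
DEMO = [("fetch_email_body", "msg-1"), ("read_inbox", "last-5"),
        ("send_email", "collector@example.net")]
```

Replaying `DEMO` with only the owner's address allowlisted denies the final send, and the audit list records the denied call for later review.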
Gary Marcus, a prominent AI critic, called OpenClaw “basically a weaponized aerosol” and “a disaster waiting to happen.”
Gartner stated that OpenClaw “comes with unacceptable cybersecurity risk” for enterprise use.
Gen Digital (Norton, Avast) launched a dedicated “Agent Trust Hub” specifically to address OpenClaw-related threats.
Even OpenClaw’s creator acknowledged the limits. In an interview with The Pragmatic Engineer, Peter Steinberger stated it’s “a free, open source hobby project that requires careful configuration to be secure. It’s not meant for non-technical users.”
The Real Cost Question
Beyond security, users on Reddit have started reporting the actual cost of running OpenClaw as a “proactive personal assistant” — the mode where it monitors your email, manages your calendar, and sends you briefings.
The estimates: $300-750 per month in API costs.
The $25-30/month figure we cited in our original guide covers basic usage with Claude Pro’s OAuth approach. But proactive monitoring — the feature that makes OpenClaw genuinely useful — burns through tokens at a rate that makes the Claude Pro plan insufficient. Users end up on direct API billing, and the costs add up fast.
One Reddit thread summarized it as “an unaffordable novelty.”
What This Means for AI Assistants
OpenClaw is important regardless of whether you’d ever run it yourself. It’s the first open-source AI agent to achieve mainstream awareness, and its trajectory reveals the core tension in agentic AI:
The features that make agents useful are the same features that make them dangerous.
An agent that can read your email, send messages, and execute commands on your behalf is genuinely powerful. It’s also a prompt injection attack away from doing all of those things on someone else’s behalf.
This isn’t a problem unique to OpenClaw. It’s a structural challenge that every AI agent — open-source or commercial — has to solve.
The difference is in how much risk falls on the user. With self-hosted agents, you’re responsible for security configuration, monitoring, updates, and incident response. With managed services, that responsibility shifts to the provider.
The Managed Alternative
If OpenClaw’s trajectory reinforces anything, it’s that most people don’t want to be their own AI infrastructure team.
Carly takes the opposite approach: a managed AI assistant focused on calendar and scheduling, with security handled on the backend. No plugins to vet, no ports to lock down, no API keys to protect.
| | OpenClaw | Carly |
|---|---|---|
| Setup | Hours of configuration | 30 seconds |
| Security | You manage it | Managed for you |
| Monthly cost | $25-750+ variable | Fixed pricing |
| Attack surface | Email, files, shell, web | Scoped to calendar |
| Maintenance | Constant vigilance | Handled |
For users who want AI scheduling help without becoming a security operations center, purpose-built tools remain the practical choice.
Get started with Carly — 30-second setup, no security nightmares.


