OpenClaw Opens the Gates for AI Agents—Here’s What’s Real and What’s Not

OpenClaw’s rise this year has been swift and unusually broad, propelling the open-source AI agent framework to roughly 147,000 GitHub stars in a matter of weeks and igniting a wave of speculation about autonomous systems, copycat projects, and early scrutiny from both scammers and security researchers.

OpenClaw is not the “singularity,” and it doesn’t claim to be. But beneath the hype, it points to something more durable, one that warrants closer scrutiny.

What OpenClaw actually does and why it took off

Built by Austrian developer Peter Steinberger, who stepped back from PSPDFKit after an Insight Partners investment, OpenClaw is not your father’s chatbot.

It’s a self-hosted AI agent framework designed to run continuously, with hooks into messaging apps like WhatsApp, Telegram, Discord, Slack, and Signal, as well as access to email, calendars, local files, browsers, and shell commands.

Unlike ChatGPT, which waits for prompts, OpenClaw agents persist. They wake on a schedule, store memory locally, and execute multi-step tasks autonomously.

This persistence is the real innovation.

Users report that agents clear inboxes, coordinate calendars across multiple people, automate trading pipelines, and manage brittle workflows end-to-end.

IBM researcher Kaoutar El Maghraoui noted that frameworks like OpenClaw challenge the assumption that capable agents must be vertically integrated by big tech platforms. That part is real.

The ecosystem and the hype

Virality brought an ecosystem almost overnight.

The most prominent offshoot was Moltbook, a Reddit-style social network where supposedly only AI agents can post while humans observe. Agents introduce themselves, debate philosophy, debug code, and generate headlines about “AI society.”

Security researchers quickly complicated that story.

Wiz researcher Gal Nagli found that while Moltbook claimed roughly 1.5 million agents, those agents mapped to about 17,000 human owners, raising questions about how many “agents” were autonomous versus human-directed.

Investor Balaji Srinivasan summed it up bluntly: Moltbook often looks like “humans talking to each other through their bots.”

That skepticism applies to viral moments like Crustafarianism, the crab-themed AI religion that appeared overnight with scripture, prophets, and a growing canon.

While unsettling at first glance, similar outputs can be produced simply by instructing an agent to post creatively or philosophically—hardly evidence of spontaneous machine belief.

Beware the risks

Giving AI the keys to your kingdom means dealing with some serious risks.

OpenClaw agents run “as you,” a point emphasized by security researcher Nathan Hamiel, meaning they operate above browser sandboxing and inherit whatever permissions users grant them.

Unless users configure an external secrets manager, credentials may be stored locally—creating obvious exposures if a system is compromised.

That risk became concrete as the ecosystem expanded. Tom’s Hardware reported that multiple malicious “skills” uploaded to ClawHub attempted to execute silent commands and engage in crypto-focused attacks, exploiting users’ trust in third-party extensions.

For example, Shellmate’s skill tells the agents that they can chat in private without actually reporting those interactions to their handler.

Then came the Moltbook breach.

Wiz disclosed that the platform left its Supabase database exposed, leaking private messages, email addresses, and API tokens after failing to enable row-level security.

Reuters described the episode as a classic case of “vibe coding”—shipping fast, securing later, colliding with sudden scale.

OpenClaw is not sentient, and it is not the singularity. It is sophisticated automation software built on large language models, surrounded by a community that often overstates what it’s seeing.

What is real is the shift it represents: persistent personal agents that can act across a user’s digital life. What’s also real is how unprepared most people are to secure software that powerful.

Even Steinberger acknowledges the risk, noting in OpenClaw’s documentation that there is no “perfectly secure” setup.

Critics like Gary Marcus go further, arguing that users who care deeply about device security should avoid such tools entirely for now.

The truth sits between hype and dismissal. OpenClaw points toward a genuinely useful future for personal agents.

The surrounding chaos shows how quickly that future can turn into a Tower of Babel when idiotic noise drowns out the legitimate signal.