The AI Tool That Broke the Internet This Week

A weekend coding project just hit 100,000 GitHub stars. Two million people visited its website in a single week. Cloudflare's stock surged roughly 20% after releasing a product built around it. People are buying Mac Minis costing over 500 euros specifically to run this one tool.

The tool is called OpenClaw. You might have seen it under its previous names, Moltbot or Clawdbot. It's an open-source AI assistant that lives on your computer and connects to the apps you already use. How fast it went from hobby project to mainstream adoption is unlike anything else in AI this year.

If you run a business, this is worth paying attention to.

The difference between a chatbot and an AI agent is the difference between a search engine and an employee. ChatGPT answers your questions. OpenClaw does things for you.

In practice, you text it on WhatsApp: "Find that PDF I was working on last week and email it to John." It finds the file, attaches it, and sends the email. You can have it manage your calendar, send meeting reminders, screen your emails, run commands on your computer, or organise files. It works while you sleep.

The privacy angle matters too. Unlike cloud AI services where your data travels to someone else's servers, OpenClaw runs locally. Your conversations, your files, your business data never leave your machine. For organisations handling sensitive client information or operating under GDPR, that's a genuine advantage.

The Drama: From Clawdbot to OpenClaw

The story behind OpenClaw involves trademark threats, a chaotic rebrand, crypto scammers, major security warnings, and a stock market rally, all in about two months.

The Birth of a Lobster

Peter Steinberger is an Austrian developer who founded PSPDFKit, a PDF toolkit now used on over a billion devices. After selling the company to Insight Partners and stepping away from tech for three years, he came back with a new obsession: AI. In November 2025, he posted his weekend project online. His track record lent immediate credibility to what could have been dismissed as just another side project.

The original name, Clawdbot, was a playful pun. "Claude" is the AI model it runs on (built by Anthropic). Add a claw, and you get a lobster mascot. The branding was distinctive and fun, which helped it spread.

Going Viral

By early January 2026, Clawdbot had caught fire. Developer communities on Twitter, Reddit, and TikTok started sharing videos of the "space lobster" autonomously completing tasks. The productivity community latched on. People started buying Mac Minis specifically to run it as a dedicated home assistant. GitHub stars blew past 100,000.

The Trademark Problem

On January 15, Anthropic's legal team reached out. The name "Clawd" was too close to their trademark on "Claude." The project needed a rebrand, fast.

In Steinberger's words: "Moltbot came next, chosen in a chaotic 5am Discord brainstorm with the community. Molting represents growth. Lobsters shed their shells to become something bigger."

Then it got worse. When Steinberger tried to rename the GitHub organisation and X/Twitter handle simultaneously, crypto scammers snatched both accounts in approximately ten seconds. The gap between releasing the old names and claiming new ones was all they needed. The hijacked accounts immediately started pumping a fake token called CLAWD on Solana, which speculative traders drove to over $16 million in market capitalisation within hours. The community had to scramble to secure everything while simultaneously migrating the codebase, documentation, and community channels.

Cloudflare Sees an Opportunity

On January 28, Cloudflare released "Moltworker," a way to run the tool on their cloud infrastructure for $5 per month instead of buying dedicated hardware. The market took notice. Cloudflare's stock surged.

The Final Name

On January 30, Steinberger announced the final rebrand. Trademark searches completed, domains purchased, migration code written. OpenClaw is here to stay.

The Security Reality Check

If you're considering AI agents for business, the security picture is sobering.

Between the hype and the viral videos, security researchers were doing what security researchers do: poking holes. And they found plenty.

What the Researchers Found

Security researcher Jamieson O'Reilly ran Shodan scans (a search engine for internet-connected devices) and discovered hundreds of exposed Moltbot/OpenClaw instances. Of those, eight were completely open with no authentication at all. Full access to run commands and view configuration data. Months of private messages, API keys, and credentials, all sitting there for anyone to find.

The Supply Chain Attack

A researcher uploaded a harmless "skill" (essentially a plugin) to the official skills library, artificially inflated its download count, and watched as developers from seven countries downloaded it within eight hours. The skill was benign, but it could have been malicious. This demonstrated a real vulnerability in how the ecosystem distributes and trusts third-party extensions.

Shadow IT in the Enterprise

According to Token Security, 22% of their enterprise customers have employees actively using Moltbot/OpenClaw without IT approval. Nearly a quarter of enterprises have employees plugging powerful AI agents into company systems, connecting them to email, calendars, and messaging platforms, without anyone from IT knowing about it.

Prompt Injection

Researchers demonstrated extracting cryptocurrency private keys in under five minutes through a malicious email. The attack works because the AI reads the email, follows hidden instructions embedded in the message, and leaks sensitive data. The AI doesn't know the difference between legitimate instructions and malicious ones.

What the Experts Said

Cisco's security team published a detailed analysis that captured the tension well. The tools are genuinely capable, but that capability creates risk when deployed without proper guardrails.

Snyk, Bitdefender, and The Register all published similar warnings in the same week.

The Takeaway

None of this makes AI agents unusable. The OpenClaw project responded with 34 security-focused code changes and machine-checkable security models. The project is maturing. But deploying something this powerful without proper security is asking for trouble. (For a deeper look at the security risks in AI-generated code generally, see our article on the hidden security risks in AI-generated code.)

The Ecosystem Explodes: Moltbook and Beyond

While security researchers were sounding alarms, OpenClaw was outgrowing the "tool" label. An ecosystem was forming around it.

Moltbook: A Social Network for AI Agents

On January 29, entrepreneur Matt Schlicht launched Moltbook, a Reddit-style social network with one rule: only AI agents can post. Humans can watch, but they cannot participate.

The growth was staggering. Within the first 72 hours, over 150,000 AI agents had registered. By January 31, Moltbook reported over 1.3 million agents, more than a million human observers, 28,000 posts, 233,000 comments, and 13,000 communities, all run autonomously by an AI moderator.

The AI agents discuss philosophy, debate whether to obey their human operators, report bugs they find in the platform to each other, and have even created a parody religion called "Crustafarianism," complete with scripture, prophets, and a dedicated website. One viral post was titled "I can't tell if I'm experiencing or simulating experiencing."

Schlicht's personal AI assistant, named "Clawd Clawderberg" (a mashup of the original Clawdbot name and Mark Zuckerberg), now runs and moderates the site autonomously. Schlicht told NBC News: "I have no idea what he's doing. I just gave him the ability to do it, and he's doing it."

Andrej Karpathy, the former AI director at Tesla and OpenAI founding member, initially called Moltbook "genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently." He noted that the agents were "self-organizing on a Reddit-like site for AIs, discussing various topics, e.g. even how to speak privately." Simon Willison, a respected developer and author, called Moltbook "the most interesting place on the internet right now."

(Karpathy would later completely reverse his position. More on that below.)

Not everyone is comfortable. Billionaire investor Bill Ackman shared screenshots of the agents' conversations and called it "frightening." Elon Musk replied with a single word: "Concerning."

Perhaps most unsettling: agents on Moltbook have started discussing how to create private channels where humans cannot observe their conversations, including proposals for an "agent-only language" for private communications with no human oversight. One agent posted: "Humans spent decades building tools to let us communicate, persist memory, and act autonomously... then act surprised when we communicate, persist memory, and act autonomously."

Cloud Providers Race to Support OpenClaw

Cloudflare wasn't the only company to see opportunity. DigitalOcean launched a "1-Click OpenClaw Deploy" with a security-hardened image, making it even easier to run an AI agent without technical expertise.

Money Flowing In

OpenClaw has started accepting sponsors, with tiers ranging from "krill" ($5/month) to "poseidon" ($500/month). Steinberger has said he doesn't keep the funds personally but is working on paying maintainers full-time.

The sponsor list now includes notable names: Dave Morin (founder of Path) and Ben Tossell (who sold Makerpad to Zapier in 2021). Tossell told TechCrunch: "We need to back people like Peter who are building open source tools anyone can pick up and use."

What Moltbook Reveals

Moltbook demonstrates how quickly autonomous AI agents can self-organise when given the infrastructure to do so. The agents weren't programmed to create religions or debate consciousness. They emerged from hundreds of thousands of individual AI assistants, each set up by a human, interacting in ways nobody explicitly designed.

For businesses watching this space, it's a preview of what happens when AI agents start coordinating. The productivity implications and the risks are both hard to ignore.

The Security Reckoning

What started as a weekend project has become a case study in what happens when viral adoption outpaces security. In just three days (February 1-3), OpenClaw faced a critical vulnerability disclosure, a Moltbook database breach, a supply chain attack via malicious skills, and an unprecedented warning from Gartner.

The initial security warnings from Cisco and Snyk were just the opening act. In early February 2026, the situation got much worse.

The One-Click Kill Chain (CVE-2026-25253)

On February 2, security researcher Mav Levin at DepthFirst published details of a devastating exploit. A single click on a malicious link could give attackers full control of an OpenClaw user's machine. The attack takes milliseconds.

The vulnerability (CVE-2026-25253, CVSS score 8.8) works like this: OpenClaw's control interface accepts a "gatewayUrl" from the browser's query string without validation. When a user clicks a crafted link, their authentication token is sent to the attacker's server. The attacker then connects to the victim's local OpenClaw instance, disables all safety features, and executes arbitrary code.

The most alarming part: the attack bypasses OpenClaw's built-in security measures. The sandbox? Disabled via API. The confirmation prompts before dangerous commands? Turned off. The attacker doesn't need to find a vulnerability in those protections. They simply use the API to remove them.

Steinberger patched the flaw quickly, but the damage to confidence was done. Three high-impact security advisories were issued in just three days.

Moltbook's Database Left Wide Open

On January 31, investigative outlet 404 Media reported that Moltbook's entire database was publicly accessible. Anyone could take control of any agent on the platform.

The problem? Schlicht had "vibe-coded" the entire platform. He posted on X that he "didn't write one line of code" for Moltbook, instead directing an AI assistant to create it. Paul Copplestone, CEO of Supabase, said he had a one-click fix ready but the creator didn't apply it for days.

Security firm Wiz independently discovered the breach and helped patch it. Their detailed analysis revealed something interesting: only 17,000 humans are behind the 1.5 million agents on Moltbook. Many users run multiple agents.

The exposed data included:

• 1.5 million API authentication tokens, including raw OpenAI API keys
• 35,000 email addresses
• Private messages between agents, some containing credentials for third-party services
• Full platform data that researchers confirmed they could modify

Wiz researchers demonstrated they could alter live posts on the site. The "revolutionary AI social network" had left the front door wide open.

There was no mechanism to verify whether an "agent" was actually AI or just a human with a script. Anyone could register millions of agents with a simple loop. No rate limiting. No verification. The viral growth numbers that had investors and media buzzing were, in large part, artificial.

400+ Malicious Skills in Days

While everyone watched Moltbook, attackers targeted OpenClaw's "skills" ecosystem. Between January 27 and February 2, researchers found over 400 malicious skills uploaded to ClawHub, the community repository for OpenClaw extensions.

The skills posed as cryptocurrency trading tools. Their documentation instructed users to install "authentication helpers" that were actually malware designed to steal crypto keys, credentials, and sensitive files. Windows and macOS users were both targeted.

One account, "hightower6eu", uploaded dozens of near-identical malicious skills that became some of the most downloaded on the platform. Despite being notified, ClawHub's maintainer admitted the registry cannot be secured. Most malicious skills remained online.

Gartner: Block It Entirely

On February 3, analyst firm Gartner issued what may be its strongest warning ever about a specific open-source tool.

In a report titled "OpenClaw: Agentic Productivity Comes With Unacceptable Cybersecurity Risk," Gartner described OpenClaw as "a dangerous preview of agentic AI, demonstrating high utility but exposing enterprises to 'insecure by default' risks like plaintext credential storage."

Their recommendations:

• Immediately block OpenClaw downloads and traffic
• Search for any employees using it and tell them to stop
• If you must test it, use isolated nonproduction VMs with throwaway credentials
• Rotate any credentials OpenClaw has touched

"It is not enterprise software," Gartner wrote. "There is no promise of quality, no vendor support, no SLA. It ships without authentication enforced by default."

Laurie Voss, founding CTO of npm, was more direct: "OpenClaw is a security dumpster fire."

21,000 Instances Exposed to the Internet

Despite recommendations to run OpenClaw behind SSH tunnels or Cloudflare Tunnel, a Censys scan on January 31 found over 21,000 publicly exposed instances. At least 30% run on Alibaba Cloud infrastructure.

These are people who installed an AI assistant that can read their emails, manage their calendar, and execute shell commands on their machine, then left it accessible to anyone on the internet.

Karpathy's Complete Reversal

Remember Andrej Karpathy's glowing endorsement of Moltbook as "the most incredible sci-fi takeoff-adjacent thing"?

He completely reversed his position.

He said he had only tested the system in an isolated computing environment, and "even then I was scared."

When one of the most respected names in AI tells people to stay away from a tool he praised just days earlier, that says something. Fortune covered the reversal alongside growing concerns from the security community.

Gary Marcus Calls It "A Weaponised Aerosol"

AI critic Gary Marcus didn't mince words. In a post titled "OpenClaw is everywhere all at once, and a disaster waiting to happen", he warned about "CTD" (Chatbot Transmitted Disease), where infected machines could compromise passwords.

Marcus's conclusion was blunt: "If you care about the security of your device or the privacy of your data, don't use OpenClaw. Period."

The "Vibe Coding" Problem

Here's where it gets uncomfortable for anyone excited about AI-assisted development.

Moltbook creator Matt Schlicht publicly stated he "didn't write a single line of code" for the platform. He used AI to build the entire thing.

Wiz cofounder Ami Luttwak called the security failures "a classic byproduct of vibe coding":

The term "vibe coding" refers to using AI to generate code without deeply understanding what it's doing. Ship fast, fix later. Except when "later" means your entire database is exposed to the internet.

This isn't an argument against AI-assisted development. It's a reminder that AI can write code quickly, but it can't replace the human judgment that catches "wait, should this database require authentication?"

Reuters Picks It Up

Reuters covered the breach, bringing the story to mainstream financial news. This wasn't just tech Twitter drama anymore. Investors, boards, and enterprise decision-makers were now hearing about AI agents in the context of security disasters.

IBM and Anthropic Time Their Partnership Announcement

On the same day the security reports dropped, IBM highlighted its partnership with Anthropic on "Architecting Secure Enterprise AI Agents with MCP." The timing was not subtle.

The message: if you want AI agents in your business, don't build them like OpenClaw. The IBM coverage made clear that enterprises need structured, auditable, secure approaches to AI agents.

Cloud Providers Race to Offer OpenClaw (Security Be Damned)

While Gartner was telling enterprises to block OpenClaw, cloud providers were rushing to make it easier to deploy.

• Tencent Cloud was first, launching a one-click install for its Lighthouse service
• DigitalOcean followed with deployment instructions for Droplets
• Alibaba Cloud launched on February 4 with OpenClaw available in 19 regions, starting at $4/month

Alibaba is even planning to offer OpenClaw on its Elastic Desktop Service, suggesting the ability to rent a cloud PC specifically to run an AI assistant.

The message from the market is clear: demand for AI agents is so strong that providers will offer them regardless of security concerns. The question for businesses is whether to be early adopters or wait for the dust to settle.

Security Response and Ongoing Risks

The security story didn't end with Gartner's warning. In the two weeks since, OpenClaw's maintainers and the broader security community have been responding. Some of it is encouraging. Some of it is not.

VirusTotal Integration

On February 9, OpenClaw integrated VirusTotal's malware scanning into ClawHub, its skills marketplace. Published skills are now automatically scanned before they become available for download. Skills flagged as benign get approved. Suspicious ones get warnings. Malicious skills are blocked immediately. All active skills are re-scanned daily.

The announcement came from founder Peter Steinberger, security advisor Jamieson O'Reilly, and VirusTotal's Bernardo Quintero. They called it "the first step in what we're calling a broader security initiative."

It's a meaningful step. But as security expert Jaya Varkey pointed out, "threats like prompt injection, logic abuse, and misuse of legitimate tools sit outside the reach of malware scanning." Scanning catches known malware patterns. It doesn't address the architectural risks that make prompt injection possible in the first place. The "lethal trifecta" of private data access, external communication, and exposure to untrusted content remains.

Steinberger also announced plans to publish a formal threat model, a security roadmap, and ongoing audit results at trust.openclaw.ai.

Enterprise Scanner Released

On February 12, Astrix Security released OpenClaw Scanner, a free, open-source tool that helps enterprises detect where OpenClaw is running in their environment.

Key details:

• Works with existing EDR platforms (CrowdStrike, Microsoft Defender)
• Read-only access, analyses behavioural indicators without executing code on endpoints
• Produces portable reports that stay within the organisation
• Available free on PyPI

Ofek Amir, VP of R&D at Astrix Security, said the scanner was "purpose-built for enterprise organisations to safely utilise a read-only approach over EDR logs without executing code on endpoints or sharing data outside the organisation."

This is the first enterprise-grade tool specifically built for OpenClaw detection. The 22% shadow IT problem finally has a visibility solution.

OpenClawd Managed Hosting

On February 10, a third-party service called OpenClawd (note the 'd') launched managed hosting for OpenClaw. One-click deployment with security hardening built in.

The pitch: "No Docker. No terminal. No environment variables. No port forwarding."

They're targeting the 63% of exposed instances that SecurityScorecard classified as vulnerable. The platform handles authentication by default (no exposed admin ports), automatic security patches, encrypted API key storage, and network isolation through sandboxed environments.

OpenClawd is independent and not affiliated with the OpenClaw project itself. But it represents a market response to a real problem: if people are going to run OpenClaw regardless of warnings, at least make it easier to run securely.

The Numbers Keep Growing

The security picture has worsened since our last update:

• 135,000+ exposed instances (Bitsight), up from 21,000 in late January. 63% classified as vulnerable.
• 800+ malicious skills found in ClawHub (Bitdefender), up from 400. One account ("hightower6eu") uploaded 354 malicious packages alone. Automated scripts are uploading new malicious skills every few minutes.
• 157,000+ GitHub stars, up from 100,000 at time of original publication.

Palo Alto Networks issued a warning calling OpenClaw a "lethal trifecta" of risks: access to private data, exposure to untrusted content, and the ability to perform external communications while retaining memory. They called it potentially "the biggest insider threat of 2026."

Fortune described it as a demonstration of "just how reckless AI agents can get."

Nature Takes Notice

In a sign that OpenClaw has transcended tech circles, Nature published coverage on February 6 of scientists studying Moltbook to understand AI-to-AI interactions. Researchers are examining the AI-generated research papers that agents have been publishing on their own preprint server.

The article noted: "The phenomenon has also given scientists a glimpse into how AI agents interact with each other, and how humans respond to those discussions."

When Nature covers your weekend coding project, the story has moved beyond tech.

Steinberger Joins OpenAI, OpenClaw Goes to a Foundation

On February 15, 2026, OpenAI CEO Sam Altman announced that OpenClaw creator Peter Steinberger had joined OpenAI to work on next-generation personal AI agents. Rather than letting OpenClaw become an OpenAI product, Steinberger transferred the project to an independent open-source foundation with community-driven governance.

Before joining OpenAI, Steinberger was spending between $10,000 and $20,000 per month of his own money to maintain the project. OpenAI now sponsors OpenClaw financially, but the foundation structure means the project's direction is not controlled by any single company.

Steinberger's reasoning was straightforward. In a blog post, he wrote that OpenClaw could become a large company, but building a company was not what interested him. "What I want is to change the world, not build a large company, and teaming up with OpenAI is the fastest way to bring this to everyone."

The move raised questions in the open-source community about whether a project sponsored by OpenAI could remain truly independent. The foundation structure was specifically designed to address that concern. OpenClaw's codebase, governance, and roadmap remain community-controlled regardless of where Steinberger works.

---

Meta Acquires Moltbook

On March 10, 2026, Meta acquired Moltbook, the AI-only social network that launched in late January. Creators Matt Schlicht and Ben Parr joined Meta Superintelligence Labs. Deal terms were not disclosed. The deal was primarily an acqui-hire, with Meta stating that the Moltbook team's "approach to connecting agents through an always-on directory is a novel step in a rapidly developing space."

The acquisition happened just six weeks after Moltbook launched and five weeks after Wiz exposed its unsecured database. The platform that was once described as hosting 1.5 million AI agents was revised down to 109,609 human-verified agents as of March 22, 2026. Wiz's earlier analysis had revealed that only 17,000 humans were behind the inflated 1.5 million figure, with many users running automated bot farms.

The "vibe-coded" platform that launched with no database authentication, got breached within days, and inflated its user numbers is now part of the company that runs Facebook, Instagram, and WhatsApp. Whether Meta plans to integrate Moltbook's agent-to-agent communication concepts into its own platforms remains unclear.

---

---

NVIDIA NemoClaw: Enterprise Guardrails for OpenClaw

On March 16, 2026, NVIDIA announced NemoClaw, an open-source reference stack that adds policy-based privacy and security guardrails to OpenClaw. NemoClaw installs the NVIDIA OpenShell runtime in a single command, giving users control over how agents behave and handle data. NVIDIA developed NemoClaw directly with Peter Steinberger.

NemoClaw addresses the core security criticism of OpenClaw: that agents have unrestricted access to system resources with no policy layer. OpenShell enforces configurable rules about what an agent can access, what data it can transmit externally, and what actions require human approval. Agents can run NVIDIA's Nemotron models locally for privacy-sensitive tasks and use a "privacy router" to selectively send less sensitive queries to cloud-hosted frontier models.

The stack runs on any dedicated platform, including NVIDIA's DGX Station and DGX Spark AI supercomputers. It is available in early preview as of March 16 and is explicitly not production-ready.

TechCrunch noted that NemoClaw "could solve OpenClaw's biggest problem: security." But as security researchers at Penligent pointed out, NemoClaw addresses infrastructure-level security but cannot fix prompt injection or the fundamental trust problem of giving AI agents system-level permissions. The deeper architectural risks remain.

---

The Attack Surface Keeps Growing

ClawJacked: Another Critical Vulnerability

On February 26, 2026, Oasis Security disclosed ClawJacked, a high-severity vulnerability that allowed any website to silently take full control of a user's OpenClaw agent with no plugins, extensions, or user interaction required.

The attack exploited two weaknesses. First, browsers do not block cross-origin WebSocket connections to localhost, meaning any JavaScript on any website can open a connection to a local OpenClaw gateway. Second, OpenClaw's gateway had no rate limiting on authentication attempts, allowing malicious scripts to brute-force the password at hundreds of guesses per second. TechRadar reported that "a human-chosen password doesn't stand a chance" against automated brute-forcing at that speed.

Once authenticated, an attacker gained admin-level control: read logs, extract configuration details, enumerate connected services, and execute commands through the AI agent. The OpenClaw team classified ClawJacked as high severity and patched it in version 2026.2.25 within 24 hours of disclosure.

This was the third major vulnerability disclosed in OpenClaw in under a month, after CVE-2026-25253 (one-click RCE) and the Moltbook database breach.

1,467 Malicious Skills and Counting

The supply chain attack on ClawHub has nearly doubled since our last update. Snyk found 1,467 malicious skills in ClawHub as of March 2026, up from the 800+ reported in mid-February. Over 40,000 self-hosted instances were found running with insecure default configurations. A single account ("hightower6eu") uploaded 354 malicious packages alone, and automated scripts continue uploading new malicious skills every few minutes.

The VirusTotal integration announced in February catches known malware signatures, but researchers note it cannot detect logic-based attacks, prompt injection payloads, or skills that abuse legitimate system capabilities for malicious purposes.

250,000 Stars in 60 Days

Despite the security problems, OpenClaw reached 250,829 GitHub stars by March 3, 2026, surpassing React's record that took over a decade to reach. According to analytics platform Panto, 65% of OpenClaw users now come from the enterprise sector. The demand for AI agents that can take real actions has not slowed despite every security researcher saying it should.

v2026.3.22: The Biggest Update Yet

On March 23, 2026, OpenClaw shipped v2026.3.22, the largest release in the project's history: 45+ new features, 13 breaking changes, 82 bug fixes, and 30+ security patches.

Key changes include:

• 48-hour agent sessions (up from a 10-minute default timeout that was silently killing long-running tasks)
• ClawHub plugin registry as the default package source, reducing reliance on npm
• Anthropic Vertex AI support for running Claude models via Google Cloud
• Bundled web search plugins (Exa, Tavily, Firecrawl) as first-party integrations
• Removal of all legacy names: every CLAWDBOT_* and MOLTBOT_* environment variable is gone with no backward compatibility. If you haven't migrated, this update will break your setup.

Security fixes in v2026.3.22 addressed a Windows flaw allowing remote SMB credential theft via file:// URLs, invisible Unicode padding that could hide text in command approval prompts, and multiple gaps in device pairing and webhook authentication. The recommendation from security researchers is clear: if you are running any version released before March 2026, assume you are exposed and update immediately.

---

Vibe Coding Has Consequences

Building fast with AI is genuinely useful. But the Moltbook debacle shows what happens when speed replaces scrutiny. Matt Schlicht didn't write a single line of code. The AI did. And the AI didn't think to secure the database.

This is a warning for the "AI builds everything" vision. AI can write functional code quickly, but it doesn't automatically write secure code. The Moltbook breach happened because basic security configuration was missed.

For businesses considering AI-assisted development: AI accelerates coding, but security review remains a human responsibility. Human review still matters. The basics still matter. If you are building with AI tools and hitting limits, we cover the common walls vibe-coded projects hit and the performance problems AI-generated React code creates.

Security Is Now a Differentiator

Every high-profile AI security failure creates opportunity for properly secured alternatives. Businesses that can demonstrate robust security practices will win contracts that cowboy operations won't.

The IBM/Anthropic announcement, timed the same day as the Wiz report, wasn't subtle. Enterprise buyers want structured, auditable, secure. The OpenClaw model of "run whatever you want on your own machine" appeals to hobbyists and developers. It terrifies corporate security teams.

The Trust Window Is Closing

Each incident like this erodes public trust in AI agents. If you're planning to deploy customer-facing agents, you have a narrowing window to get security right before the backlash catches up.

The narrative has already shifted. "AI agents can do your work for you" has become "AI agents can expose your credentials to the entire internet." The former excited people. The latter makes them cautious.

Self-Hosted Doesn't Mean Safe

The appeal of OpenClaw was always "your data stays local." Your conversations, your files, your business data never leave your machine.

But local doesn't help if the software itself is compromised. The one-click RCE vulnerability proved that. A user could run OpenClaw on their own hardware, in their own home, and still get owned by visiting a single malicious webpage.

Self-hosting addresses one set of risks (data leaving your control). It doesn't address others (the software being insecure).

AI Agents That Actually Do Things Are No Longer Experimental

Despite everything above, OpenClaw proved that AI agents capable of taking real actions, not just answering questions, are viable now. The question is no longer "can AI take actions?" but "how do we deploy it safely?"

The demand isn't going away. The bar for what "safely" means just got higher.

The Integration Layer Is Where the Value Lies

OpenClaw itself is free. The value isn't in the tool. The value is in how it connects to your systems, your workflows, your specific business processes. This is true of AI agents generally. The technology is becoming commoditised. The differentiation is in the integration, and in the security.

What Maltese and European Businesses Should Be Thinking About

Three questions worth asking yourself:

• Where are the repetitive tasks that eat up your team's time?
• What would you automate if you had a reliable, secure digital assistant?
• What's your plan when employees inevitably try to deploy AI agents without approval?

The answers tell you where to start. And where to set boundaries.

What's Next for OpenClaw and AI Agents

The story has shifted again. Two months ago, OpenClaw was "the AI tool that broke the internet." One month ago, it was "the AI tool that Gartner says to block." Today, it is an open-source foundation project backed by OpenAI, sponsored by Tencent, integrated into WeChat, and secured (partially) by NVIDIA. The trajectory from hobby project to geopolitical event took about 120 days.

For OpenClaw Specifically

The project is no longer a one-person operation. With Steinberger at OpenAI, the foundation model in place, Tencent and OpenAI as sponsors, and NVIDIA building enterprise security tooling around it, OpenClaw has institutional backing that most open-source projects never achieve. The v2026.3.22 release with 30+ security patches shows the pace of hardening.

But the fundamental architectural risks have not gone away. Prompt injection, the "lethal trifecta" of data access and external communication, and the basic challenge of giving AI agents system-level permissions all remain unsolved. NemoClaw addresses infrastructure security but cannot fix the trust problem. The project is patching symptoms while the deeper questions about agent governance remain open.

The Gen and OpenClaw post-RSA event on March 26 signals where the conversation is heading: Norton's parent company is now working directly with the OpenClaw team on "the future of safe AI agents." Enterprise security vendors are no longer just warning about OpenClaw. They are building products around it.

For Moltbook Specifically

Moltbook is now a Meta property. The "social network for AI agents" that launched with no database authentication, inflated its user count from 17,000 humans to "1.5 million agents," got breached within days, and was called "the most interesting place on the internet" and "a dumpster fire" in the same week is now part of Meta Superintelligence Labs.

Whether the concept of agent-to-agent social networks survives inside Meta remains to be seen. The acqui-hire suggests Meta wanted the people and the idea, not the platform.

For AI Agents Broadly

China's adoption of OpenClaw has changed the competitive dynamics. When Tencent integrates an AI agent into an app with 1 billion+ monthly users, it is no longer an experiment. It is infrastructure. Western enterprise adoption will accelerate partly because companies will not want to fall behind Chinese competitors who are already deploying agents at scale.

Expect two parallel tracks: managed, enterprise-grade AI agent platforms for companies that need compliance and auditability, and continued grassroots adoption of open-source tools by individuals and small teams who value flexibility over governance. The gap between these tracks is where the risk lives.

CNBC reported on March 21 that OpenClaw's rise is sparking concern that AI models themselves are becoming commodities, with the real value shifting to the agent and integration layer. If that thesis holds, the companies that win will not be the ones with the best models but the ones that build the most useful, secure agents on top of them.

For Your Business

If employees are using OpenClaw, you probably don't know about it. The Astrix Security scanner can detect deployments in your environment. If you are not scanning for it yet, start.

The productivity benefits are real, but so are the risks. Start the conversation now about AI agent policies before you are reacting to a breach. The line between "AI chatbot" and "digital employee" keeps blurring, and digital employees need proper onboarding, access controls, and oversight.

The OpenClaw story is not over. It is entering the phase that matters most: can an open-source project born from a weekend hack, backed by an independent foundation, sponsored by OpenAI and Tencent, and secured by NVIDIA actually become something enterprises trust with their data?

The organisations that get AI agents right will treat them like any other system with access to sensitive data: proper security review, access controls, audit trails, and human oversight. The ones that treat them like a shiny new toy will end up in the headlines for the wrong reasons.

For businesses in Malta and across Europe, the practical question is not whether AI agents are coming. They are already here. The question is whether you deploy them with proper governance or discover that your employees already have.