OpenClaw: Everything You Need to Know About This Viral Open-Source AI Agent

What if your AI agent assistant didn't just chat or write code but carried out real, helpful tasks -- all on its own? And what if it could perform especially complicated tasks, like running scheduled tasks, managing your Gmail and WhatsApp messages or even controlling your smart home -- again, all on its own? 

That's the promise of OpenClaw (known briefly as Clawdbot and even more briefly as Moltbot), an open-source AI agent designed to execute tasks autonomously across all the services and apps you use most. 

OpenClaw had quite the chaotic genesis. The platform's almost overnight viral success brought on a rapid succession of crypto scammers hijacking X accounts, a panicked founder accidentally giving away his personal GitHub handle to bots and a lobster mascot that briefly sprouted a disturbingly handsome human face. Oh, and somewhere in the chaos, the AI developer Anthropic (which owns a set of commercial LLMs named Claude) sent a polite email asking them to please, for the love of trademarks, change the name from Clawdbot. 

This strangely elaborate internet lore birthed OpenClaw. Behind the drama, it's the same AI assistant as Clawdbot, but with a newer, sturdier shell. And while this technology is drawing major attention, it's also drawing major scrutiny over the security risks that come with its capabilities, risks that are only beginning to be fully understood.

What is OpenClaw?

Here's the OpenClaw pitch that had online tech communities buzzing: an AI assistant that doesn't just chat; it does stuff. Real stuff. On your computer. Through the apps you use every day.

OpenClaw lives where you communicate, like WhatsApp, Telegram, iMessage, Slack, Discord, Signal and more. You can text it like you'd text a friend, and it remembers your conversations from weeks ago and can send you proactive reminders. And if you give it permission, it can automate tasks, run commands and basically act like a digital personal assistant that never sleeps.

Peter Steinberger is an Austrian developer who sold his company PSPDFKit for around $119 million and then got bored enough to build this AI.

OpenClaw represents what a lot of people thought Siri should have been all along: not a voice-activated party trick, but an actual assistant that learns, remembers and gets things done. (CNET reached out to Steinberger for comment on this story.)

OpenClaw doesn't require any specific hardware to run, though the Mac Mini seems like the most popular choice. The core idea is that OpenClaw itself mostly routes messages to AI companies' servers and calls APIs, and the heavy AI work happens on whichever LLM you select: Claude, ChatGPT or Gemini. 

Hardware only becomes a bigger conversation if you want to run large local models or do heavy automation. That's where powerful machines, like the Mac Mini, are often brought into the conversation. But that's not a requirement.

The project launched in January and hit 9,000 GitHub stars within 24 hours. After about a week of being viral, it had rocketed past 60,000 stars, with everyone from AI researcher Andrej Karpathy to investor (and White House AI and crypto czar) David Sacks singing its praises. MacStories called it "the future of personal AI assistants."

But that's only the beginning of OpenClaw's history. 

The rename that broke the internet (twice)

Shortly after launching, Anthropic slid into Steinberger's inbox to point out that "Clawd" (the assistant's name) and "Clawdbot" (the project name) were maybe just a little too similar to its own AI, Claude.

"As a trademark owner, we have an obligation to protect our marks -- so we reached out directly to the creator of Clawdbot about this," a representative from Anthropic said in an email statement to CNET.

What happened next, according to Steinberger's posts on X and the previous Moltbot blog, was like a digital heist movie, except everyone was a bot and the getaway cars were social media handles.

Within seconds -- literally, seconds -- automated bots sniped the @moltbot handle. The squatter immediately posted a crypto wallet address. Meanwhile, in a sleep-deprived panic, Steinberger accidentally renamed his personal GitHub account instead of the organization's account. Bots grabbed "steipete" before he could blink. He said both crises required him to call in contacts at X and GitHub to make fixes.

Then there was what the creators dubbed "the Handsome Molty incident." Steinberger instructed Molty (the AI) to redesign its own icon. In one memorable attempt to make the mascot look "5 years older," the AI generated a human man's face grafted onto a lobster body. The internet turned it into a meme (a la Handsome Squidward) within minutes.

Fake profiles claiming to be "Head of Engineering at Clawdbot" shilled crypto schemes. A fake $CLAWD cryptocurrency briefly hit a $16 million market cap before crashing over 90%. "Any project that lists me as coin owner is a SCAM," Steinberger posted on X to thousands of increasingly confused followers.

By 3:38 a.m. ET on Tuesday, Jan. 27, Steinberger made his call: "@openclaw it is." 

"Open" is for open source and "Claw" for its lobster heritage.

What made Clawdbot, er, OpenClaw go viral?

Strip away the chaos, and OpenClaw is genuinely impressive.

Most AI tools are basically the same. You open a website, type a question or query, wait for it to generate, copy the answer, paste it somewhere else and so on and so on. OpenClaw flips that script by having the assistant inside your existing conversations. You're already in WhatsApp or iMessage, so why not just text it like you'd text a coworker?

Three main features set OpenClaw apart. 

One is the persistent memory. OpenClaw doesn't forget everything when you close the app. It learns your preferences, tracks ongoing projects and remembers that conversation you had last Tuesday.

The AI also offers proactive notifications. It can message you first when something matters, such as daily briefings, deadline reminders and email triage summaries. You can wake up to a text saying, "Here are your three priorities today," without having to ask the AI first.

Finally, it delivers real automation. Depending on your setup, it can schedule tasks, fill forms, organize files, search your email, generate reports and control smart home devices. People reported using it for everything from inbox cleanup to research threads that span days, and from habit tracking to automated weekly recaps of what they shipped.

The use cases seem to keep multiplying because once it's wired into your actual tools (like calendar, notes and email), it stops feeling like software and just becomes part of your routine. 

Should you use OpenClaw?

Time for real talk. OpenClaw is not a polished, enterprise-ready product with vendor support and compliance paperwork -- which is something Steinberger admits. It's a fast-moving, open-source project that just survived a near-death experience involving trademark lawyers, crypto scammers and catastrophically exposed databases. Whew.

So, you might be wondering, with all this hoopla, whether OpenClaw is even something you should try. Sure, this tool remembers information across weeks, works between apps and systems and provides proactive notifications. But it's got rough edges. This isn't a tool for you if you need something that "just works" and doesn't have complicated installation steps. 

And you probably don't want to take this on if you don't want to think about -- and don't deeply understand -- cybersecurity.

Critical OpenClaw security risks to know about

Security experts have raised red flags about OpenClaw's safety as it grows in popularity. Because the agent is designed to run locally and interact with emails, files and credentials, even small setup mistakes can have big consequences. 

In the early days of Clawdbot, researchers spotted numerous publicly accessible deployments with little or no authentication, exposing API keys, chat logs and system access to anyone who stumbled across them. More recently, the security firm Censys has identified 21,639 exposed instances, primarily in the US, China and Singapore. 

Some of the most visible security concerns have been social rather than technical, including fake Clawdbot/Moltbot/OpenClaw downloads and hijacked accounts used to spread malware or scams. Koi Security has identified 341 malicious "skills" among the roughly 3,000 programs available on the ClawHub software directory.

Image: A Google Docs skill available for download from ClawHub. The ClawHub directory currently hosts about 3,000 skills that the OpenClaw AI assistant can learn to do. (Credit: OpenClaw/Screenshot by CNET)

While developers have moved quickly to patch specific flaws, security analysts say OpenClaw's turbulent debut highlights a larger issue facing AI agents: As they become more autonomous and more powerful, the security risks scale just as fast.

Roy Akerman, head of cloud and identity security at Silverfort, an identity security platform, said in an email to CNET that the risk of a tool like OpenClaw isn't that it's overtly malicious. What's risky is that it continues to act under a legitimate human identity, which can blur the lines between a user and the machine acting on their behalf.

"When an AI agent continues to operate using a human's credentials, after the human has logged off, it becomes a hybrid identity that most security controls aren't designed to recognize or govern," Akerman said. "Organizations shouldn't try to block these tools outright, but they do need to change their posture, treat autonomous agents as identities, limit their privileges and monitor behavior continuously, not just logins."

The little lobster that has molted and kept going

According to Steinberger, "Molting is what lobsters do to grow." They shed their old shell and emerge bigger: from Clawdbot to Moltbot and finally to OpenClaw.

OpenClaw is the same software as Clawdbot, offering the same impressive engineering and vision of what personal AI assistants could be. The platform had to develop rapidly, dealing with security vulnerabilities, battening down authentication and learning that viral success attracts not just users but scammers, squatters and, yes, intellectual property lawyers. It also drew the attention of major AI leaders -- from OpenAI, Meta and beyond.  

After global success, investors began circling to get a piece of OpenClaw and turn it into a standalone company. Steinberger didn't take the bait -- he's adamant that the project stay open-source -- but he did say he was interested in partnering with an AI lab that has the funds and resources to scale it. 

Enter OpenAI.

In mid-February, Steinberger penned a deal with the company, joining the ChatGPT maker and setting the stage for a year driven by agentic AI. "What I want is to change the world, not build a large company and teaming up with OpenAI is the fastest way to bring this to everyone," Steinberger wrote in a blog post when the news was announced. 

Through all of this, OpenClaw is still standing. GitHub stars keep climbing. More and more platforms, like Moltbook, are using OpenClaw to launch. And somewhere in Vienna (or maybe London or San Francisco), Peter Steinberger is probably strategizing the future of AI agents. 

Want to try OpenClaw yourself? Head to openclaw.ai for documentation, installation guides and, most importantly, a security checklist. Just maybe use a spare laptop.

And definitely don't name your project after anyone's trademarked AI model. Turns out that matters.

(Disclosure: Ziff Davis, CNET's parent company, in 2025 filed a lawsuit against OpenAI, alleging it infringed Ziff Davis copyrights in training and operating its AI systems.)
