In the last few hours online we have been hearing a lot about Moltbot, known until a few days ago as Clawdbot. It is an open source AI agent. Unlike “classic” chatbots like ChatGPT, which simply converse or generate text based on the input provided by the user, Moltbot is designed to take concrete action. It manages the calendar, sends messages on platforms such as WhatsApp and Telegram, fills out forms and interacts with the computer’s operating system. And to think that this software was created to combat the boredom of its developer, Peter Steinberger. In this in-depth analysis we will explain why, despite the enthusiasm it has generated in online communities, for the moment it is advisable to observe this new digital phenomenon from a safe distance, unless you have advanced technical skills to mitigate important dangers such as prompt injection.
What is Moltbot and the history of the AI agent
Moltbot presents itself with a promise that is as simple as it is ambitious: to be the artificial intelligence that gets things done Really the chores for us. A feeling, let’s face it, that so far no AI chatbot has really managed to convey to us. Its viral nature derives precisely from this ability to integrate into the applications we use every day, such as WhatsApp, Telegram, Signal, Discord, iMessage or Slack, transforming itself into a virtual collaborator to whom we can send messages and from whom we receive messages on its initiative, when this may be useful. Behind this project is the mind of Peter Steinberger, an Austrian developer known online as @steipete and founder of PSPDFKit.
After selling his company and going through a three-year creative void, Steinberger found his enthusiasm again by immersing himself in code development. The result was what he initially called his «encrusted assistant», a tool created to manage your digital life and explore the boundaries of collaboration between man and machine. Curiously, Steinberger initially called his creation Clawdbot, in honor of Claude, the Anthropic language model of which Steinberger is a great admirer. Too bad that Anthropic didn’t like it that much, given that it then contacted the developer, highlighting the trademark violation, and thus forcing it into an emergency rebranding. That’s why Clawdbot is now called Moltbot.
What followed was even more incredible: while Steinberger was trying to manage the name change, automated bots and scammers hijacked the old X handle, created fake cryptocurrency projects and even temporarily occupied the developer’s personal GitHub username, at least according to the story that Steinberger himself published on Moltbot’s blog and on his X profile. Despite a clumsy debut, the popularity of the software grew dramatically and its reception was explosive. Moltbot amassed over 9,000 stars on GitHub in just 24 hours, attracting the attention of prominent figures such as researcher Andrej Karpathy and investor David Sacks. There was enough interest to generate real financial repercussions, with Cloudflare shares jumping 14% in premarket trading on Tuesday, driven by investor enthusiasm for the infrastructure needed to run these agents locally.
How Cawdbot works and the risks: persistent memory and prompt injection
But why so much enthusiasm? What makes Moltbot technically different from ChatGPT, Gemini and Meta AI? The key lies in its persistent memory and proactivity. In short, Moltbot practically remembers conversations and the information it learns through them forever, learning the user’s preferences and using them to act autonomously in their favor, for example by sending autonomous notifications, such as daily summaries or reminders, without waiting for any input from the user himself. It works by operating locally on the user’s device or on servers, but not in the cloud.
As useful as it can be to have a virtual assistant do things for you, many security experts are concerned about the risks involved in using such software. Among them are Rahul Sood and Rachel Tobac. Both issued very clear warnings: If an agent has administrative access to the system, they become a critical target. The main threat is the so-called “prompt injection via content”. Imagine that a cybercriminal sends you a seemingly harmless WhatsApp message (but containing malicious instructions); if the agent reads it, that text could contain hidden instructions to manipulate the AI and force it to perform malicious actions on your computer, all without your knowledge.
Although Moltbot is open source and its code can be inspected by anyone, installing it requires good risk awareness. The developers strongly recommend not running it on the main computer where passwords and sensitive data of various kinds reside. The ideal solution is to use an isolated environment or a VPS. For those unfamiliar with the term, a VPS (Virtual Private Server) is essentially a remote computer that you rent and on which you can install software; this way, if the agent were to be compromised, the damage would remain confined to that remote server and would not affect your personal device.
At the moment, the safe use of Moltbot therefore requires important precautions and it is wise to treat it more as a sort of “laboratory experiment for professionals” than to be used in everyday life. This, paradoxically, limits its immediate usefulness for the average user who would only like help managing emails, receiving messages on WhatsApp from an AI that suggests he move his Sunday morning ride to the afternoon due to fog, etc. But you can never have too much security and prudence in IT.
