Already seeing some of the new Moltbot deployments exposed to the Internet: https://www.shodan.io/search/report?query=http.favicon.hash%...
Maybe those folks buying Mac Minis to host at home weren't so silly after all. The exposed ones are almost all hosted on VPSs which, by design, have publicly-routable IP addresses.
But anyway I think connecting to a Clawdbot instance requires pairing unless you're coming from localhost: https://docs.molt.bot/start/pairing
The way trademarks work is that if you don't actively defend them you weaken your rights. So Anthropic needs to defend their ownership of "Claude". I'm guessing they reached out to Peter Steinberger and asked nicely that he rename Clawdbot.
Last year in my area, a food truck decided to call itself Leggo My Egg Roll, an obvious play on Eggo waffles tagline.
Kellogg sent them a cease and desist, they decided to ignore it. Kellogg then offered to pay them to rebrand, they still wouldn’t.
They then sued for $15 million.
Funny. I was expecting LEGO not Kellogg.
...and then what happened?
Good question
https://local12.com/news/nation-world/kellogg-leggo-my-eggro...
it’s in the discovery process with a deadline of February 23rd, at which time kellogg’s is to prepare their argument and motion for summary judgement. If that’s denied it tentatively goes to 3-4 day trial in July.
Court listener:
https://www.courtlistener.com/docket/70447787/kellogg-north-...
Pacer (requires account, but most recent doc summarized)
https://ecf.ohnd.uscourts.gov/doc1/141014086025?caseid=31782...
Ah yes, the $15M in lost business Kellogg's suffers from people mistaking toaster waffles for a Chinese food truck business.
Fucking lawyer scum.
It actually looks like they were pretty reasonable here, as they offered money for the company to help rebrand even though they were clearly infringing on their copyright. Of course, there are three sides to every story.
Trademark, not copyright. Legally they are very different.
How is a 15M lawsuit ever reasonable in a case like this?
It's US law.
If Kellogg doesn't defend their trademark, they lose it.
An amicable middle ground might be for Kellogg to let the business purchase rights for $1, but if that happened it would open up a flood of this.
Kellogg has so much money in that brand recognition, they'd lose far more than $15 million if it became a generic slogan. The $15 million is a token amount to get the small business to abandon its use. Kellogg doesn't want to litigate. They tried several times not to litigate.
I'm sure Kellogg would be happy to pay the business more than the cost of repainting their truck, buying some marketing materials, pay for the trouble, etc. It's easy good will press for Kellogg and the business gets a funny story and their own marketing anecdote. It's cheaper than litigation, too.
> The way trademarks work is that if you don't actively defend them you weaken your rights.
I mean this is the OP sentence, it's not about the food truck, it's about setting a precedent that you don't care, which costs you later when a competing brand starts distributing in a way that can actually confuse consumers.
When I first saw this, my thought was, "Wow, I'm surprised Anthropic hasn't pushed back on their calling it that. They must not know about it yet."
Glad to know my own internal prediction engine still works.
Coincidence? Article calling it a pump and dump earlier today.
https://news.ycombinator.com/item?id=46780065
A bit OT but why is moltbot so much more popular than the many personal agents that have been around for a while?
hard to do "credit assignment", i think network effects go brrrrrr. karpathy tweeted about it, david sacks picked it up, macstories wrote it up. suddenly ppl were posting screenshots of their macmini setups on x and ppl got major FOMO watching their feeds. also peter steinberger tweets a lot and is prolific otherwise in terms of posting about agentic coding (since he does it a lot)
it's basically claude with hands, and self-hosting/open source are both a combo a lot of techies like. it also has a ton of integrations.
will it be important in 6 months? i dunno. i tried it briefly, but it burns tokens like a mofo so I turned it off. i'm also worried about security implications.
It's totally possible Peter was the right person to build this project – he's certainly connected enough.
My best guess is that it feels more like a Companion than a personal agent. This seems supported by the fact I've seen people refer to their agents by first name, in contexts where it's kind of weird to do.
But now that the flywheel is spinning, it can clearly do a lot more than just chat over Discord.
The only context I've heard about it has been when the Mac Mini clusters associated with it were brought up. Perhaps it's the imagery of that.
Yes. People are really hung up on personifying or embodying agents: Rabbit M1, etc.
The hype is incandescent right now but Clawdbot/Moltbot will be largely forgotten in 2 months.
Yeah makes sense. Something about giving an agent its own physical computer and being able to text it instructions like a personal assistant just clicks more than “run an agent in a sandbox”.
fake crypto based hype. Cui bono.
Could have just called it "clawbot" and maintained some of the hype while eliminating the IP concerns.
Instead they chose a completely different name with unrecognizable resonance.
Apparently "clawbot" wasn't allowed either: https://x.com/steipete/status/2016091353365537247
A cease and desist doesn't mean you have to stop doing everything it says. It only means you should comply with the law.
You don't want to spend time and money to fight with a $350B company.
I think it’s fine, they found a way to frame it over a lobster’s lifecycle.
Plenty of worse renames of businesses have happened in the past that ended up being fine, I’m sure this one will go over as such as well.
something about giving full read write access to every file on my PC and internet message interface just rubs me the wrong way. some unscrupulous actors are probably chomping at the bit looking for vulnerabilities to get carte blanche unrestricted access. be safe out there kiddos
This would seem to be in line with the development philosophy for clawdbot. I like the concept but I was put off by the lack of concern around security, specifically for something that interfaces with the internet.
> These days I don’t read much code anymore. I watch the stream and sometimes look at key parts, but I gotta be honest - most code I don’t read.
I think it's fine for your own side projects not meant for others but Clawdbot is, to some degree, packaged for others to use it seems.
https://steipete.me/posts/2025/shipping-at-inference-speed
At minimum this thing should be installed in its own VM. I shudder to think of people running this on their personal machine…
I’ve been toying around with it and the only credentials I’m giving it are specifically scoped down and/or are new user accounts created specifically for this thing to use. I don’t trust this thing at all with my own personal GitHub credentials or anything that’s even remotely touching my credit cards.
Yeah, this new trend of handing over all your keys to an AI and letting it rip looks like a horrific security nightmare, to me. I get that they're powerful tools, but they still have serious prompt-injection vulnerabilities. Not to mention that you're giving your model provider de facto access to your entire life and recorded thoughts.
Sam Altman was also recently encouraging people to give OpenAI models full access to their computing resources.
I run it in an LXC container which is hosted on a proxmox server, which is an Intel i7 NUC. Running 24x7. The container contains all the tools it needs.
No need to worry about security, unless you consider container breakout a concern.
I wouldn't run it on my personal laptop.
That's almost 100% likely to have already happened without anyone even noticing. I doubt many of these people are monitoring their Moltbot/Clawdbot logs to even notice a remote prompt or a prompt injection attack that siphons up all their email.
wanting control over my computer and what it does makes me a luddite in 2026 apparently.
I’m out of the loop clearly on what clawdbot/moltbot offers (haven’t used it)- I’d love a first hand explanation from users for why you think it has 70k stars. I’ve never seen a repo explode that much.
It was a pain to set up, since I wanted it to use my oauth instead of api tokens. I think it is popular because many people don't know about claude code and it allows for integrations with telegram and whatsapp. Mac minis let it run continuously -- although why not use a $5/m hetzner?
It wasn't really supported, but I finally got it to use gemini voice.
Internet is random sometimes.
Apparently it's like Claude Code but for everything.
One can imagine the prompt injection horrors possible with this.
:allears:
Since there is a market for 5-starring or 1-starring reviews on review websites, there is probably a market for not-quite-human starring of GitHub projects.
Tried it out last night. It combines dozens of tools together in a way that is likely to be a favourite platform for astroturfers/scammers.
The ease of use is a big step toward the Dead Internet.
That said, the software is truly impressive to this layperson.
When I visit https://www.molt.bot/ with Edge browser, there is a bloody red screen screaming malware. What's wrong with the name?
Probably very new domain reg
This project terrifies me.
On the one hand it really is very cool, and a lot of people are reporting great results using it. It helped someone negotiate with car dealers to buy a car! https://aaronstuyvenberg.com/posts/clawd-bought-a-car
But it's an absolute perfect storm for prompt injection and lethal trifecta attacks: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/
People are hooking this thing up to Telegram and their private notes and their Gmail and letting it loose. I cannot see any way that doesn't end badly.
I'm seeing a bunch of people buy a separate Mac Mini to run this on, under the idea that this will at least stop it from destroying their main machine. That's fine... but then they hook that new Mac Mini up to their Gmail and iMessage accounts, at which point they've opened up a bunch of critical data.
This is classic Normalization of Deviance: https://embracethered.com/blog/posts/2025/the-normalization-... - every time someone gets away with running this kind of unsafe system without having their data stolen they'll become more confident that it's OK to keep on using it like this.
Here's Sam Altman in yesterday's OpenAI Town Hall admitting that he runs Codex in YOLO mode: https://www.youtube.com/watch?v=Wpxv-8nG8ec&t=2330s
And that will work out fine... until it doesn't.
(I should note that I've been predicting a headline-grabbing prompt injection attack in the next six months every six months for over two years now and it still hasn't happened.)
Update: here's a report of someone uploading a "skill" to the https://clawdhub.com/ shared skills marketplace that demonstrates (but thankfully does not abuse) remote code execution on anyone who installed it: https://twitter.com/theonejvo/status/2015892980851474595 / https://xcancel.com/theonejvo/status/2015892980851474595
I already feel the same when using Claude Cowork and I wonder how far can the normalcy quotient be moved with all these projects
I find it completely crazy. If I wanted to launch a cyberattack on the western economy, I guess I would just need to:
* open-source a vulnerable vibe-coded assistant
* launch a viral marketing campaign with the help of some sophisticated crypto investors
* watch as hundreds of thousands of people in the western world voluntarily hand over their information infrastructure to me
Motivation for rename: https://x.com/moltbot/status/2016058924403753024 https://xcancel.com/moltbot/status/2016058924403753024
Seems like an official ClaudeBot from Anthropic is in the works, then?
They already use the name ClaudeBot for their web crawler:
https://support.claude.com/en/articles/8896518-does-anthropi...
After Claude Cowork etc. that doesn't really sound like a surprise.
>and honestly? "Molt" fits perfectly - it's what lobsters do to grow.
So do we think Anthropic or the artist formerly known as Clawdbot paid for the tokens to have Claude write this tweet announcing the rename of a Product That Is Definitely Not Claude?
It sounds nice at a first glance, but how useful is it actually? Anyone got real, non-hypothetical use cases that outweigh the risks?
My experience. I have it running on my desktop with voice to text with an API token from groq, so I communicate with it in WhatsApp audios. I have app codes for my Fastmail and because it has file access can optimize my Obsidian notes. I have it send me a morning brief with my notes, appointments and latest emails. And of course I have it speaking like I am some middle age Castilian Lord.
How is that adding value to your life or productivity in any way? You just like working via text message instead of using a terminal? I don't get it. What do you do when it goes off the rails and starts making mistakes?
Oh dear, I bought claudeception.com on a whim - hope that doesn't upset anyone.
I had some ideas on what to host on there but haven't got round to it yet. If anyone here has a good use for it feel free to pitch me...
You can still make a list of all the times Claude was confidently incorrect.
The bandwidth requirements of that site would be very expensive
A pun or homophone (Clawd) on the product you're targeting (Claude) is one of the worst naming memes in tech.
It was horrid to begin with. Just imagine trying to talk about Clawd and Claude in the same verbal convo.
Even something like "Fuckleglut" would be better.
Hard to think of a worse name. Maybe Moistbot?
Is the app legitimate though? A few of these apps that deal with LLMs seem too good to be true and end up asking for suspiciously powerful API tokens in my experience (looking at Happy Coder).
It's legitimate, but it's also extremely powerful and people tend to run it in very insecure ways or ways where their computer is wiped. Numerous examples and stories on X.
I used it for a bit, but it burned through tokens (even after the token fix) and it uses tokens for stuff that could be handled by if/then statements and APIs without burning a ton of tokens.
But it's a very neat and imperfect glimpse at the future.
Related:
Clawdbot - open source personal AI assistant
https://news.ycombinator.com/item?id=46760237
Ogden Nash has his poem about canaries:
"The song of canaries Never varies, And when they're moulting They're pretty revolting."
Wondering if Moltbot is related to the poem, humorously.
As a result of this the official install is now installing a squatted package they don't control: https://github.com/moltbot/moltbot/issues/2760 https://github.com/moltbot/moltbot/issues/2775
But this is basically in line with average LLM agent safety.
what an unfortunate name!
crypto rug pullers in shambles hehe