So i feel like this might be the most overhyped project in the past longer time.
I don't say it doesn't "work" or serves a purpose - but well i read so much about this beein an "actual intelligence" and stuff that i had to look into the source.
As someone who spends actually a definately to big portion of his free time researching thought process replication and related topics in the realm of "AI" this is not really more "ai" than any other so far.
Setting it up was easy enough, but just as I was about to start linking it to some test accounts, I noticed I already had blown through about $5 of Claude tokens in half an hour, and deleted the VPS immediately.
Before using make sure you read this entirely and understand it:
https://docs.openclaw.ai/gateway/security
Most important sentence: "Note: sandboxing is opt-in. If sandbox mode is off"
Don't do that, turn sandbox on immediately.
Otherwise you are just installing an LLM controlled RCE.
There are still improvements to be made to the security aspects yet BIG KUDOS for working so hard on it at this stage and documenting it extensively!! I've explored Cursor security docs (with a big s cause it's so scattered) and it was nothing as good.
My biggest issue with this whole thing is: how do you protect yourself from prompt injection?
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
I don't think prompt injection is the only concern, the amount of features released over such a small period probably means there's vulnerabilities everywhere.
Additionally, most of the integrations are under the table. Get an API key? No man, 'npm install react-thing-api', so you have supply chain vulns up the wazoo. Not necessarily from malicious actors, just uhh incompetent actors, or why not vibe coder actors.
It's hilarious that atm I see "Moltbook" at the top of HN. And it is actually not Moltbot anymore? But I have to admit that OpenClaw sounds much better.
I’m a big fan of Peter’s projects. I use Vibetunnel everyday to code from my phone (I built a custom frontend suited to my needs). I know I can SSH into my laptop but this is much better because handoff is much cleaner. And it works using Tailscale so it is secure and not exposed to the internet.
His other projects like CodexBar and Oracle are great too. I love diving into his code to learn more about how those are built.
OpenClaw is something I don’t quite understand. I’m not sure what it can do that you can’t do right off the bat with Claude Code and other terminal agents. Long term memory is one, but to me that pollutes the context. Even if an LLM has 200K or 1M context, I always notice degradation after 100K. Putting in a heavy chunk for memory will make the agent worse at simple tasks.
One thing I did learn was that OpenClaw uses Pi under the hood. Pi is yet another terminal agent like ClaudeCode but it seems simple and lightweight. It’s actually the only agent I could get Gemini 3 Flash and Pro to consistently use tools with without going into loops.
I would have stood my ground on the first name longer. Make these legal teams do some actual work to prove they are serious. Wait until you have no other option. A polite request is just that. You can happily ignore these.
The 2nd name change is just inexcusable. It's hard to take a project seriously when a random asshole on Twitter can provoke a name change like this. Leads me to believe that identity is more important than purpose.
The first name and the second name were both terrible. Yes, the creator could have held firm on "clawd" and forced Anthropic to go through all the legal hoops but to what end? A trademark exists to protect from confusion and "clawd" is about as confusing as possible, as if confusing by design. Imagine telling someone about a great new AI project called "clawd" and trying to explain that it's not the Claude they are familiar with and the word is made up and it is spelled "claw-d".
OpenClaw is a better name by far, Anthropic did the creator a huge favor by forcing him to abandon "clawd".
Interesting, I dont read claude the same way as clawd, but I'm based in Spain so I tend to read it as French or Spanish. I tend to read it as `claud-e` with an emphasis on the e at the end. I would read clawd as `claw-d` with a emphasis in the D, but yes i guess American English would pronounce them the same way.
Edit: Just realized i have been reading and calling it after Jean-Claude Van Damme all this time. Happy friday!
While weekend project may be correct, I think it gives a slightly wrong impression of where this came from. Peter Steinberger is the creator who created and sold PSPDFKit, so he never has to work again. I'm listening to a podcast he was on right now and he talks about staying up all night working on projects just because he's hooked. According to him made 6,600 commits in January alone. I get the impression that he puts more time into his weekend project than most of us put into our jobs.
That's not to diminish anything he's done because frankly, it's really fucking impressive, but I think weekend project gives the impression of like 5 hours a week and I don't think that's accurate for this project.
I get what you're saying, but I don't totally agree. The number is sooo high that, while it isn't a perfect measure, I think it does mean something.
If you go look at his code, nearly all of them are under 100 lines and I'd say close to half are under 10. So you're totally right that that number is way higher than what most other developers would have for a similar amount of code. At the same time, if we assume it takes 30 seconds to make a commit on average that's still 55 hours in a month, that is way above what most would call a weekend project.
My point wasn't really that number of commits is some perfect measure of developer productivity. It was just that if you're actually building something and not just generating commits for the hell of it, there's a minimum amount of time needed for each commit. 6600 times whatever that minimum time is is probably more than what most people would think of for a weekend project.
Just curious, is there something specific about Moltbot that makes it a terrible name? Like any connotations or associations or something? Non-native speaker here, and I don't see anything particularly wrong with it that would warrant the hate it's gotten. (But I agree that OpenClaw _sounds_ better)
This is indeed feeling very much like Accelerando’s particular brand of unchecked chaos. Loving every minute of it, first thing in our timeline that makes sense where it regards AI for the masses :)
Let's ignore all the potential security issues in the code itself and just think about it conceptually.
By default, this system has full access to your computer. On the project's frontpage, it says, "Read and write files, run shell commands, execute scripts. Full access or sandboxed—your choice." Many people run it without a sandbox because that is the default mode and the primary way it can be useful.
People then use it to do things like read email, e.g., to summarize new email and send them a notification. So they run the email content through an LLM that has full control over their setup.
LLMs don't distinguish between commands and content. This means there is no functional distinction between the user giving the LLM a command, and the LLM reading an email message.
This means that if you use this setup, I can email you and tell the LLM to do anything I want on your system. You've just provided anyone that can email you full remote access to your computer.
It's a vibecoded project that gives an agent full access to your system that will potentially be used by non technically proficient people. What could go wrong?
I actually created a evil super-intelligent AGI back in 1996, but, cognizant of the security risks, I wisely kept it airgapped from all other systems. In the end I unplugged the monitor, keyboard, and mouse from the Compaq Presario in my parents' basement. As far as I know, it's still there, concocting ever-more brilliant schemes for world-domination.
Yeah I was about to say... Don't fall into the Anguilla domain name hack trap. At the very least, buy a backup domain under an affordable gTLD. I guess the .com is taken, hopefully some others are still available (org, net, ... others)
Edit: looks like org is taken. Net and xyz were registered today... Hopefully one of them by the openclaw creators. All the cheap/common gtlds are indeed taken.
Yeah there's no risk of confusion, legally or in reality. If anything, having a reputable business is better than whatever the heck will end up on openclaw.net or openclaw.xyz (both registered today btw).
reminds me of Andre Conje, cracked dev, "builds in public", absolutely abysmal at comms, and forgets to make money off of his projects that everyone else is making money off of
(all good if that last point isn't a priority, but its interrelated to why people want consistent things)
So i feel like this might be the most overhyped project in the past longer time.
I don't say it doesn't "work" or serves a purpose - but well i read so much about this beein an "actual intelligence" and stuff that i had to look into the source.
As someone who spends actually a definately to big portion of his free time researching thought process replication and related topics in the realm of "AI" this is not really more "ai" than any other so far.
Just my 3 cents.
Its what everyone wanted to implement but didn’t have the time to. Just my 2cents.
I was assuming this is largely a generic AI implementation, but with tools/data to get your info in. Essentially a global search with ai interface.
Which sounds interesting, while also being a massive security issue.
> So i feel like this might be the most overhyped project in the past longer time.
easy to meter : 110k Github stars
:-O
I tried it out yesterday, after reading the enthousiastic article at https://www.macstories.net/stories/clawdbot-showed-me-what-t...
Setting it up was easy enough, but just as I was about to start linking it to some test accounts, I noticed I already had blown through about $5 of Claude tokens in half an hour, and deleted the VPS immediately.
Then today I saw this follow up: https://mastodon.macstories.net/@viticci/115968901926545907 - the author blew through $560 of tokens in a weekend of playing with it.
If you want to run this full time to organise your mailbox and your agenda, it's probably cheaper to hire a real human personal assistant.
Before using make sure you read this entirely and understand it: https://docs.openclaw.ai/gateway/security Most important sentence: "Note: sandboxing is opt-in. If sandbox mode is off" Don't do that, turn sandbox on immediately. Otherwise you are just installing an LLM controlled RCE.
There are still improvements to be made to the security aspects yet BIG KUDOS for working so hard on it at this stage and documenting it extensively!! I've explored Cursor security docs (with a big s cause it's so scattered) and it was nothing as good.
It's typically used with external sandboxes.
I wouldn't trust its internal sandbox anyway, now that would be a mistake
Yeah, keep it in a VM or a box you don't care about. If you're running it on your primary machine, you're a dumbass even if you turn on sandbox mode.
My biggest issue with this whole thing is: how do you protect yourself from prompt injection?
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
I don't think prompt injection is the only concern, the amount of features released over such a small period probably means there's vulnerabilities everywhere.
Additionally, most of the integrations are under the table. Get an API key? No man, 'npm install react-thing-api', so you have supply chain vulns up the wazoo. Not necessarily from malicious actors, just uhh incompetent actors, or why not vibe coder actors.
It's hilarious that atm I see "Moltbook" at the top of HN. And it is actually not Moltbot anymore? But I have to admit that OpenClaw sounds much better.
Not the mention the molt.church
I remember in late 1999 I was contacted by a headhunter who told me that dotcom.com was looking for a sysadmin. This is giving that energy.
I’m a big fan of Peter’s projects. I use Vibetunnel everyday to code from my phone (I built a custom frontend suited to my needs). I know I can SSH into my laptop but this is much better because handoff is much cleaner. And it works using Tailscale so it is secure and not exposed to the internet.
His other projects like CodexBar and Oracle are great too. I love diving into his code to learn more about how those are built.
OpenClaw is something I don’t quite understand. I’m not sure what it can do that you can’t do right off the bat with Claude Code and other terminal agents. Long term memory is one, but to me that pollutes the context. Even if an LLM has 200K or 1M context, I always notice degradation after 100K. Putting in a heavy chunk for memory will make the agent worse at simple tasks.
One thing I did learn was that OpenClaw uses Pi under the hood. Pi is yet another terminal agent like ClaudeCode but it seems simple and lightweight. It’s actually the only agent I could get Gemini 3 Flash and Pro to consistently use tools with without going into loops.
That made me smile
Narrator's voice: They needed a 35th.Much better name!
I would have stood my ground on the first name longer. Make these legal teams do some actual work to prove they are serious. Wait until you have no other option. A polite request is just that. You can happily ignore these.
The 2nd name change is just inexcusable. It's hard to take a project seriously when a random asshole on Twitter can provoke a name change like this. Leads me to believe that identity is more important than purpose.
The first name and the second name were both terrible. Yes, the creator could have held firm on "clawd" and forced Anthropic to go through all the legal hoops but to what end? A trademark exists to protect from confusion and "clawd" is about as confusing as possible, as if confusing by design. Imagine telling someone about a great new AI project called "clawd" and trying to explain that it's not the Claude they are familiar with and the word is made up and it is spelled "claw-d".
OpenClaw is a better name by far, Anthropic did the creator a huge favor by forcing him to abandon "clawd".
Interesting, I dont read claude the same way as clawd, but I'm based in Spain so I tend to read it as French or Spanish. I tend to read it as `claud-e` with an emphasis on the e at the end. I would read clawd as `claw-d` with a emphasis in the D, but yes i guess American English would pronounce them the same way.
Edit: Just realized i have been reading and calling it after Jean-Claude Van Damme all this time. Happy friday!
As the article says, it’s a 2 month old weekend project. It’s doing a lot better than my two month old weekend projects.
While weekend project may be correct, I think it gives a slightly wrong impression of where this came from. Peter Steinberger is the creator who created and sold PSPDFKit, so he never has to work again. I'm listening to a podcast he was on right now and he talks about staying up all night working on projects just because he's hooked. According to him made 6,600 commits in January alone. I get the impression that he puts more time into his weekend project than most of us put into our jobs.
That's not to diminish anything he's done because frankly, it's really fucking impressive, but I think weekend project gives the impression of like 5 hours a week and I don't think that's accurate for this project.
Number of commits doesn't mean much.
I get what you're saying, but I don't totally agree. The number is sooo high that, while it isn't a perfect measure, I think it does mean something.
If you go look at his code, nearly all of them are under 100 lines and I'd say close to half are under 10. So you're totally right that that number is way higher than what most other developers would have for a similar amount of code. At the same time, if we assume it takes 30 seconds to make a commit on average that's still 55 hours in a month, that is way above what most would call a weekend project.
My point wasn't really that number of commits is some perfect measure of developer productivity. It was just that if you're actually building something and not just generating commits for the hell of it, there's a minimum amount of time needed for each commit. 6600 times whatever that minimum time is is probably more than what most people would think of for a weekend project.
I don't disagree with you but those commits could also be automated. Have a look at the projects like gastown.
It wasn't just one random asshole, tons of people were saying that "Moltbot" is a terrible name. (I agree, although I didn't tweet at him about it.)
OpenClaw is a million times better.
Just curious, is there something specific about Moltbot that makes it a terrible name? Like any connotations or associations or something? Non-native speaker here, and I don't see anything particularly wrong with it that would warrant the hate it's gotten. (But I agree that OpenClaw _sounds_ better)
I draw the opposite conclusion. Willingness to change the name leads me to conclude purpose is more important than identity.
Now if it changes _again_ that's a different story. If it changes Too Much, it becomes a distraction
Isnt this name change because the previous one was hard to say, as per the blog post? Isnt that a case of focusing more on identity than purpose?
More that moltbot is ugly and was chosen in a bit of a panic after Anthropic complained. No one liked it, including the people who chose it.
Which random asshole? Haven't heard about it.
I’m guessing they mean this, linked from the post: https://xcancel.com/NetworkChuck/status/2016254397496414317
This is indeed feeling very much like Accelerando’s particular brand of unchecked chaos. Loving every minute of it, first thing in our timeline that makes sense where it regards AI for the masses :)
With all due respect, if you run this and you get hacked, you deserve it.
Why? What's wrong with it?
Let's ignore all the potential security issues in the code itself and just think about it conceptually.
By default, this system has full access to your computer. On the project's frontpage, it says, "Read and write files, run shell commands, execute scripts. Full access or sandboxed—your choice." Many people run it without a sandbox because that is the default mode and the primary way it can be useful.
People then use it to do things like read email, e.g., to summarize new email and send them a notification. So they run the email content through an LLM that has full control over their setup.
LLMs don't distinguish between commands and content. This means there is no functional distinction between the user giving the LLM a command, and the LLM reading an email message.
This means that if you use this setup, I can email you and tell the LLM to do anything I want on your system. You've just provided anyone that can email you full remote access to your computer.
It's a vibecoded project that gives an agent full access to your system that will potentially be used by non technically proficient people. What could go wrong?
In which case you only want it running on a non networked system airgapped from everything. Why is this a thing?
I don't disagree but
> that will potentially be used by non technically proficient people
I actually created a evil super-intelligent AGI back in 1996, but, cognizant of the security risks, I wisely kept it airgapped from all other systems. In the end I unplugged the monitor, keyboard, and mouse from the Compaq Presario in my parents' basement. As far as I know, it's still there, concocting ever-more brilliant schemes for world-domination.
Timing here is funny. Moltbook is just starting to show up on HN and Reddit as Moltbot lore, with agents talking to agents and culture forming.
Once agents have tools and a shared surface, coordination appears immediately.
https://www.moltbook.com/post/791703f2-d253-4c08-873f-470063...
Should have named it “bot formerly known as Moltbot” and invented a new emoji sigil :)
RIP Moltbot, though you were not liked by most people
Apparently it had another name before Clawdbot as well, I think BotRelay or something. It’s on pragmatic engineer
It's in TFA: "WhatsApp Relay"
What if Lamborghini had acquired Claw to automate their vehicles?
Vibe-management via OpenClaw?
Previously:
Clawdbot Renames to Moltbot
https://news.ycombinator.com/item?id=46783863
Not getting the lobster references, is that to do with lobste.rs ?
Claude sounds like "clawed". Hence "Clawdbot".
Lobsters have claws.
Okay whether its clawdbot or moltbot or openclaw
Literally the top 2 HN posts are about this. Either it having book, or the first comment on it showing it create religion or now this.
Can we stop all of this hype around Clawdbot itself? Even HN is vulnerable to it.
Right now I'm just thinking about all the molt* domains..... ¯\_(ツ)_/¯
I think (not really sure) there's still a 5 day grace period when you buy domains, at least for gTLDs.
Is that for real? Sounds like an abuse vector
It was, on both counts but perhaps it's changed. Search for "domain tasting"
How to annoy and alienate your target audience in 2 short weeks.
Hilarious to see the most pointless vibecoded slop written to interact with an RDP server. Unnecessary introduces loopholes.
and openclaw.com is a law firm.
Yeah I was about to say... Don't fall into the Anguilla domain name hack trap. At the very least, buy a backup domain under an affordable gTLD. I guess the .com is taken, hopefully some others are still available (org, net, ... others)
Edit: looks like org is taken. Net and xyz were registered today... Hopefully one of them by the openclaw creators. All the cheap/common gtlds are indeed taken.
The page says - Hadir Helal, Partner - Open Chance & Associates Law Firm
This looks to me like:
- the page belongs to the person - not to the firm
- domain should be openCALW and not CLAW
- page could look better
- they also have the domain openchancelaw.com
Maybe Hadir is open to donating the domain or for a exchange of some kind, like an up to date web page or something along these lines.
From a trademark perspective, that’s totally fine.
Yeah there's no risk of confusion, legally or in reality. If anything, having a reputable business is better than whatever the heck will end up on openclaw.net or openclaw.xyz (both registered today btw).
Breaking news: tech bro unable to do basic research on existing trademarks, news at 11
amateur hour, new phase of the AI bubble
reminds me of Andre Conje, cracked dev, "builds in public", absolutely abysmal at comms, and forgets to make money off of his projects that everyone else is making money off of
(all good if that last point isn't a priority, but its interrelated to why people want consistent things)
hackers don't like fellow hackers based on sentiment i see here
When I post to HN, I post mostly for criticism and suggestions and less for praise. I did not sense what you did here, maybe I filtered it out.