In the last few hours online we have heard a lot about Moltbotuntil a few days ago known as Clawdbot. This is a Open source AI agent. Unlike “classic” chatbots like ChatGPT, which simply converse or generate text based on the input provided by the user, Moltbot is designed to take concrete action. It manages the calendar, sends messages on platforms such as WhatsApp and Telegram, fills out forms and interacts with the computer’s operating system. And to think that this software created to combat the boredom of its developer, Peter Steinberger. In this study we will explain to you why, despite the enthusiasm it has generated in online communities, for the moment it is advisable to observe this new digital phenomenon from a safe distance, unless you have advanced technical skills to mitigate important dangers such as that of prompt injection.
What is Moltbot and the history of the AI agent
Moltbot presents itself with a promise that is as simple as it is ambitious: to be the artificial intelligence that gets things done Really the chores for us. A feeling, let’s face it, that so far no AI chatbot has really managed to convey to us. Its viral nature derives precisely from this ability to integrate into the applications we use every daysuch as WhatsApp, Telegram, Signal, Discord, iMessage or Slack, transforming yourself into a virtual collaborator to whom you can send messages and receive messages from on your initiative, when this may be useful. Behind this project is the mind of Peter SteinbergerAustrian developer known online as @steipete and founder of PSPDFKit.
After selling his company and going through a three-year creative void, Steinberger found his enthusiasm again by immersing himself in code development. The result was what he initially called his «encrusted assistant», a tool created to manage your digital life and explore the boundaries of collaboration between man and machine. Curiously, Steinberger initially named his creation Clawdbotin honor of Claude, the Anthropic language model of which Steinberger is a great admirer. Too bad that Anthropic didn’t like it that much, given that it then contacted the developer, highlighting the trademark violation, and thus forcing him to emergency rebranding. That’s why Clawdbot is now called Moltbot.
What followed was even more incredible: while Steinberger was trying to manage the name change, automated bots and scammers hijacked the old X handle, created fake cryptocurrency projects and even temporarily occupied the developer’s personal GitHub username, at least according to the story that Steinberger himself published on Moltbot’s blog and on his X profile. Despite a clumsy debut, the software’s popularity grew dramatically and its reception was explosive. Moltbot has accumulated beyond that 9,000 stars on GitHub in just 24 hoursattracting the attention of prominent figures such as the researcher Andrej Karpathy and the investor David Sacks. There was enough interest to generate real financial repercussions, with Cloudflare shares jumping by 14% in premarket trading on Tuesday, driven by investor enthusiasm for the infrastructure needed to run these agents locally.
How Cawdbot works and the risks: persistent memory and prompt injection
But why so much enthusiasm? What makes Moltbot technically different from ChatGPT, Gemini and Meta AI? The key lies in his persistent memory and in his proactivity. In short, Moltbot practically remembers conversations and the information it learns through them forever, learning the user’s preferences and using them to act autonomously in their favor, for example by sending autonomous notifications, such as daily summaries or reminders, without waiting for any input from the user himself. Works operating locally on the user’s device or on serversbut not in the cloud.
As useful as it can be to have a virtual assistant do things for you, many security experts are concerned about the risks involved in using such software. Among these there are Rahul Sood And Rachel Tobac. Both issued very clear warnings: If an agent has administrative access to the system, they become a critical target. The main threat is the so-called “prompt injection via content”. Imagine that a cybercriminal sends you a seemingly harmless WhatsApp message (but containing malicious instructions); if the agent reads it, that text may contain hidden instructions for manipulate AI and force it to perform malicious actions on your computerall without your knowledge of course.
Although Moltbot is open source and its code can be inspected by anyone, installing it requires good risk awareness. The developers highly recommend do not run it on your main computer where passwords and sensitive data of various kinds reside. The ideal solution is use an isolated environment or a VPS. For those unfamiliar with the term, a VPS (Virtual Private Server) is essentially a remote computer that you rent and on which you can install software; this way, if the agent were to be compromised, the damage would remain confined to that remote server and would not affect your personal device.
At the moment, the safe use of Moltbot therefore requires important precautions and it is wise to treat it more as a sort of “laboratory experiment for professionals” than to be used in everyday life. This, paradoxically, limits its immediate usefulness for the average user who would only like help managing emails, receiving messages on WhatsApp from an AI that suggests he move his Sunday morning ride to the afternoon due to fog, etc. But you can never have too much security and prudence in IT.
