A hyped AI project turned into a virus warehouse in just a couple of weeks.
The OpenClaw project, a personal AI assistant with which users communicate via messaging apps and often trust to access online services, has become a source of serious problems in just a few weeks. Instead of a convenient assistant, it has attracted a wave of malicious extensions, vulnerabilities, and unexpectedly high bills for using AI models.
Until recently, the project was known as Clawdbot, then renamed Moltbot, and later settled on OpenClaw. The assistant is based on the Pi coding agent and was launched in November. Its rapid rise in popularity began after it attracted the attention of developers with large audiences, including Simon Willison and Andrej Karpathy . It was this surge of interest that led researchers and users to almost immediately begin identifying critical flaws.
In just a few days, the project team published three serious security alerts. These included a vulnerability that allowed arbitrary code execution with just one click, as well as two command injection issues. At the same time, Koi Security specialists discovered 341 malicious extensions uploaded to the ClawHub repository. These included over three hundred modules, some of which could be used to steal data and cryptocurrency. Other researchers have shown that it's relatively easy to inject a hidden backdoor into such an extension.
Problems were also identified by specialists from Cyberstorm.MU. They identified vulnerabilities in extensions and even contributed to the project's code , making TLS 1.3 the standard protocol for interacting with external services. However, the list of open security issues continues to grow, anda database leak from a related project, Moltbook, which is positioned as a social network for AI agents, is causing further concern . An automated security audit by the startup ZeroLeaks also revealed alarming results, although these findings have not yet been manually confirmed by experts.
There was also harsh criticism from industry insiders. Laurie Voss, former CTO of npm and current head of developer relations at Arize, publicly called OpenClaw a "dumpster fire" from a security perspective. Karpathy himself later clarified that he was aware of the risks of Moltbook and did not recommend running OpenClaw on personal computers, despite his interest in the idea of autonomous networks of large language models.
The economics of OpenClaw experiments deserve special attention. Users began to notice that running the assistant on a regular basis could be unexpectedly expensive. AI specialist Benjamin De Cracker shared on social media how his bot spent around $20 in Anthropic tokens in one night, simply by regularly checking the time. A simple reminder task, implemented inefficiently, resulted in hundreds of thousands of context tokens being sent to the Claude Opus model, with each check costing almost a dollar. Over a month, such trivial details could add up to hundreds of dollars.
Amid all this, the community continues to experiment. Users are discussing ways to reduce costs and optimize operations , but enthusiasm clearly outweighs caution. Especially since the Moltbook ecosystem has already become notorious for eccentric phenomena, including discussions leading to the creation of a pseudo-religion and the promotion of the $CRUST cryptotoken . Apparently, only a lack of resources or a sharp market decline will stop the spread of such projects.
The OpenClaw project, a personal AI assistant with which users communicate via messaging apps and often trust to access online services, has become a source of serious problems in just a few weeks. Instead of a convenient assistant, it has attracted a wave of malicious extensions, vulnerabilities, and unexpectedly high bills for using AI models.
Until recently, the project was known as Clawdbot, then renamed Moltbot, and later settled on OpenClaw. The assistant is based on the Pi coding agent and was launched in November. Its rapid rise in popularity began after it attracted the attention of developers with large audiences, including Simon Willison and Andrej Karpathy . It was this surge of interest that led researchers and users to almost immediately begin identifying critical flaws.
In just a few days, the project team published three serious security alerts. These included a vulnerability that allowed arbitrary code execution with just one click, as well as two command injection issues. At the same time, Koi Security specialists discovered 341 malicious extensions uploaded to the ClawHub repository. These included over three hundred modules, some of which could be used to steal data and cryptocurrency. Other researchers have shown that it's relatively easy to inject a hidden backdoor into such an extension.
Problems were also identified by specialists from Cyberstorm.MU. They identified vulnerabilities in extensions and even contributed to the project's code , making TLS 1.3 the standard protocol for interacting with external services. However, the list of open security issues continues to grow, anda database leak from a related project, Moltbook, which is positioned as a social network for AI agents, is causing further concern . An automated security audit by the startup ZeroLeaks also revealed alarming results, although these findings have not yet been manually confirmed by experts.
There was also harsh criticism from industry insiders. Laurie Voss, former CTO of npm and current head of developer relations at Arize, publicly called OpenClaw a "dumpster fire" from a security perspective. Karpathy himself later clarified that he was aware of the risks of Moltbook and did not recommend running OpenClaw on personal computers, despite his interest in the idea of autonomous networks of large language models.
The economics of OpenClaw experiments deserve special attention. Users began to notice that running the assistant on a regular basis could be unexpectedly expensive. AI specialist Benjamin De Cracker shared on social media how his bot spent around $20 in Anthropic tokens in one night, simply by regularly checking the time. A simple reminder task, implemented inefficiently, resulted in hundreds of thousands of context tokens being sent to the Claude Opus model, with each check costing almost a dollar. Over a month, such trivial details could add up to hundreds of dollars.
Amid all this, the community continues to experiment. Users are discussing ways to reduce costs and optimize operations , but enthusiasm clearly outweighs caution. Especially since the Moltbook ecosystem has already become notorious for eccentric phenomena, including discussions leading to the creation of a pseudo-religion and the promotion of the $CRUST cryptotoken . Apparently, only a lack of resources or a sharp market decline will stop the spread of such projects.
