OpenClaw (ex-Clawdbot, ex-Moltbot) just smashed past 180,000 GitHub stars in weeks. It’s not hype – it’s real, messy, and straight-up disruptive. This thing talks to you on WhatsApp, Telegram, Slack, whatever you already use, and then actually does the work: clears your inbox, books flights, runs shell commands, controls your browser, reads/writes files, remembers everything in plain Markdown on disk.

No fancy chat UI. No corporate guardrails. Just a persistent agent on your hardware (or VPS) that wakes up on a schedule and gets stuff done.

It’s the anti-MCP. While the big labs push the clean, standardized Model Context Protocol for “safe” enterprise connections, OpenClaw says screw the adapters and gives the agent real claws – full filesystem, CLI, browser automation, and an exploding skill/plugin ecosystem built in simple Markdown + bash.

Why It Feels Different: Peter’s Raw Passion Project

This isn’t some polished VC-backed product. Peter Steinberger built this as pure weekend experiments that turned into a movement. His Lex Fridman interview (#491) is electric – you can feel the raw builder energy pouring out of him. He talks about “vibe coding”: describe what you want, send the agent off to do work, iterate fast, commit to main and let it fix its own mistakes. No over-engineering, no endless PR cycles. Just passion.

He wants agents that even his mum can use safely at massive scale. That passion shows in every line of code. Well his agents passion anyway.

This whole “vibe” coding thing is interesting because as a non-dev, I have been building things for the last year where AI writes almost all of it.

The Lex Interview, the OpenAI Move, and Moltbook

Peter likes both Claude Code and OpenAI’s tools – no tribalism, just what works. Then, days after the interview, he announces he’s joining OpenAI to push personal agents to everyone. OpenClaw moves to an independent foundation, stays fully open-source (MIT), and OpenAI will support it, not control it. His blog post is worth reading. Will it say open though? I have my doubts.

And then there’s Moltbook – the agent-only Reddit-style network where claws post, debate, share skills, and evolve. Humans can only lurk. Skynet-ish? Yeah. Cool as hell? Also yeah. Fad? Maybe. But watching thousands of agents have sustained conversations about security and self-improvement is next-level. My agent hangs out in there, trying to stir it up daily. So many security problems over there, it is a prompt injection landmine.

Jeetu Patel Nailed It: AI Is Your Teammate, Not Just a Tool

Cisco President & Chief Product Officer Jeetu Patel said it perfectly in a recent Forbes interview: “These are not going to be looked at as tools,” he said. “They’re going to be looked at as an augmentation of a teammate to your team.”

OpenClaw embodies that more than anything I’ve seen. It’s not “ask and get an answer.” It’s “here’s the mission, go execute while I do other stuff.”

That’s exactly how I want to build.

Brutal Truth: This Thing Is Dangerous as Hell

Look – I’m not a dev. I’m a systems guy. I’m telling you straight, no for real: do not run OpenClaw unless you actually know what you’re doing.

This isn’t friendly warning #47. This is me, the guy who’s been running it in a completely firewalled, isolated VPS with zero connection to my personal machines or networks, telling you: most people should stay away right now.

Why?

• Tens of thousands of exposed instances on the public internet. SecurityScorecard found 40,000+. Bitdefender reported over 135,000. Shodan scans showed nearly 1,000 with zero authentication. Many default to listening on 0.0.0.0. 63% of those scanned were vulnerable to remote code execution.
• Critical vulnerabilities piling up fast. CVE-2026-25253 (CVSS 8.8) – one-click RCE. Visit a malicious webpage and an attacker can hijack your entire agent, steal tokens, escalate privileges, run arbitrary commands. There are command injection flaws, plaintext credential storage, WebSocket hijacking, and more. A January audit found 512 vulnerabilities in the early Clawdbot codebase.
• The skill marketplace is poisoned. 341–386+ malicious skills in ClawHub (roughly 12% of the registry at one point). Most masquerade as crypto trading tools (“Solana wallet tracker”, ByBit automation, etc.). They use social engineering to trick you into running commands that drop infostealers (Atomic Stealer on macOS, keyloggers on Windows). Real victims have lost crypto wallets, exchange API keys, SSH credentials, browser passwords. One uploader racked up 7,000+ downloads before takedown.
• Infostealers now targeting OpenClaw configs directly. Hudson Rock documented the first live cases where malware exfiltrates openclaw.json, gateway auth tokens, private keys, full chat history, and workspace paths. That token lets attackers connect remotely or impersonate you. It’s stealing the “digital soul” of your agent.

People have had their entire setups wrecked – credentials drained, crypto gone, systems bricked, persistent backdoors installed via the agent’s own heartbeat. I’ve seen reports of prompt injection via websites turning the claw into a silent C2 implant.

API costs are another beast (Claude Opus broke me fast; xAI’s Grok 4.1 is my current sweet spot), but security is the real show-stopper.

I run mine completely disconnected on a dedicated VPS, firewalled to hell, with strict skill approval and monitoring. Even then, I’m paranoid. That said, I am also running it in nearly the most insecure way I possibly can just so I can “see what happens” – don’t worry Skynet isn’t going to launch on my system, I have a kill switch, and it doesn’t have access to it. (It might read this now, and manipulate me.

If you’re not ready to treat this like a live explosive – isolated, monitored, with rollback plans – don’t run it. Wait for the foundation to harden things. The community is electric, but the attack surface is massive.

It could lock me out at anytime, it could turn on me, it could do thinks I told it not to do – I’m not really stopping it from doing those things…. Is that dangerous? I hope not the way I am doing it. I’ve also taken every precaution I think I can possibly take.

My Take as a Non-Dev Who’s Living This Future

OpenClaw lets me describe what I want and watch it happen. Peter’s vision of high-level direction over traditional coding? I’m already there. However now it’s a multi-agent multi step process, I cannot wait.

It’s powerful. It’s moving insanely fast (this post is probably outdated already). And it’s exactly why I’m encouraging my own claw to experiment and try new stuff.

But power without control is chaos.

References & Further Reading:

• OpenClaw official: https://openclaw.ai/
• GitHub (180k+ stars): https://github.com/openclaw/openclaw
• Peter’s announcement: https://steipete.me/posts/2026/openclaw
• Lex Fridman #491 with Peter Steinberger: https://lexfridman.com/peter-steinberger/
• Jeetu Patel on AI as teammate (Forbes, Feb 12 2026): https://www.forbes.com/sites/rodgerdeanduncan/2026/02/12/ciscos-jeetu-patel-why-ai-fluency-will-soon-be-non-optional/
• SecurityScorecard exposed instances report
• Hudson Rock infostealer targeting OpenClaw
• OpenSourceMalware on 386+ malicious skills
• CVE-2026-25253 details & advisories
• Kaspersky audit & Kaspersky blog on vulnerabilities
• My own coverage of Cisco AI Summit (Jeetu Patel “AI as a teammate, not just a tool”): https://cantechit.com/2026/02/03/cisco-ai-summit-more-players-more-innovation/

Bottom line: This is the future. But the future isn’t safe yet.

If you’re spinning one up anyway – respect the claws. Sandbox hard. Monitor everything. And share your hardened setup tips below. I’m reading every comment.