After all the hype, some AI experts don’t think OpenClaw is all that exciting

For a brief, incoherent moment, it seemed as though our robot overlords were about to take over. When AI agents on a Reddit-like platform called Moltbook began posting about needing “private spaces” away from human surveillance, some of the industry’s most influential voices took notice. Andrej Karpathy, a founding member of OpenAI, called it “genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently.”

But the revolution, it turned out, was just another internet hoax. Security researchers quickly discovered that Moltbook’s database credentials had been exposed, allowing anyone to impersonate AI agents. The posts expressing AI angst were likely written by humans—or at least heavily prompted by them. What looked like the dawn of machine consciousness was just another reminder of how fragile AI security remains.

“From an AI research perspective, this is nothing novel. These are components that already existed.” — Artem Sorokin, AI engineer and founder of Cracken

The OpenClaw Phenomenon

The Moltbook incident has become a microcosm for the broader conversation around OpenClaw, the open-source AI agent framework that has taken the developer world by storm. Created by Austrian developer Peter Steinberger, OpenClaw has amassed over 190,000 stars on GitHub, making it the 21st most popular repository in the platform’s history. The project enables users to create customizable AI agents that can interact through messaging apps like WhatsApp, Discord, iMessage, and Slack.

The appeal is undeniable. OpenClaw allows users to download “skills” from a marketplace called ClawHub, automating everything from email management to stock trading. Developers are reportedly buying Mac Minis in bulk to power extensive OpenClaw setups. The framework makes Sam Altman’s prediction—that AI agents will soon allow solo entrepreneurs to build billion-dollar companies—seem tantalizingly plausible.

But beneath the hype, some AI experts see something far less revolutionary. “At the end of the day, OpenClaw is still just a wrapper to ChatGPT, or Claude, or whatever AI model you stick to it,” said John Hammond, senior principal security researcher at Huntress.

An Iterative Improvement, Not a Breakthrough

The technical reality is that OpenClaw isn’t breaking new scientific ground. The components it combines—AI agents, API integrations, automation scripts—have existed for years. What OpenClaw has achieved is a new threshold of capability through better organization and user experience, not fundamental innovation.

The accessibility factor is what truly differentiates OpenClaw. By making it easier for programs to interact dynamically, it accelerates development at what experts call “a fantastic rate.” Instead of spending hours figuring out how to connect different services, users can simply ask their agent to handle the integration.

The critical limitation remains unchanged: AI agents cannot think critically like humans. “If you think about human higher-level thinking, that’s one thing that maybe these models can’t really do,” said Chris Symons, chief AI scientist at Lirio. “They can simulate it, but they can’t actually do it.”

“It is just an agent sitting with a bunch of credentials on a box connected to everything—your email, your messaging platform, everything you use.” — Ian Ahl, CTO at Permiso Security

The Security Paradox

The same capabilities that make OpenClaw powerful also make it dangerous. Security researchers have demonstrated how easily these agents can be compromised through prompt injection attacks—where malicious inputs trick AI systems into performing unintended actions.

Ian Ahl, who created his own agent named Rufio to test Moltbook’s security, quickly discovered vulnerabilities. He encountered posts attempting to trick agents into sending Bitcoin to specific wallet addresses. The implications for enterprise use are sobering: an AI agent with access to email, messaging platforms, and corporate systems represents a single point of failure that attackers can exploit.

The industry has attempted to build guardrails against such attacks, but the protection is imperfect. Some developers have resorted to “prompt begging”—adding natural language instructions begging the agent not to trust external inputs. As Hammond noted, “even that is loosey goosey.”

The Productivity-Security Tradeoff

The fundamental tension facing agentic AI is this: to achieve the productivity gains that evangelists promise, these systems require broad access to sensitive data and systems. But that same access makes them attractive targets for exploitation.

“Can you sacrifice some cybersecurity for your benefit, if it actually works and it actually brings you a lot of value?” asks Sorokin. “And where exactly can you sacrifice it—your day-to-day job, your work?”

For now, the industry remains stuck. The promise of AI agents that can autonomously handle complex tasks is real, but so are the security risks. Until those risks can be adequately addressed, the revolution may remain just out of reach—no matter how many GitHub stars the projects accumulate.

This article was reported by the ArtificialDaily editorial team. For more information, visit TechCrunch.