AI Without a Leash (1 of 3): OpenClaw Crosses Three Lines

If you’ve been reading AI news over the past couple of weeks you have surely heard of OpenClaw. Or maybe you know it as Clawdbot or Moltbot; it has been rebranded twice since being released. Perhaps you instead heard of Moltbook, a social network of OpenClaw AIs.
Within two months of release, the OpenClaw open-source AI project hit 100,000 stars on GitHub, making it one of the fastest-growing repositories in the platform’s history. The viral growth outpaced security reviews, governance structures, and even the project’s own infrastructure.
This is the first of three articles about what OpenClaw and its offspring reveal about where AI is and is heading. This piece covers what agents are, why they’re suddenly viable, and what OpenClaw allows. Part 2 will examine Moltbook, a social network where 770,000 AI agents interact without human participation. Part 3 will address what all of this means for AI governance and what skills students will need.
OpenClaw Basics
If you’ve used tools like AI Deep Research, AI browsing modes, or coding assistants like Cursor or GitHub Copilot, you’ve already worked with agents in controlled settings. These tools break down your request into steps, execute searches or code changes, synthesize information, and deliver results without you directing each action. The difference is that they operate inside a walled garden. The AI company controls what the agent can access and what actions it can take.
OpenClaw is an open-source platform for building agents that operate outside those walls. You install it on your computer, connect it to one or more of your messaging apps (WhatsApp, Telegram, Signal, Discord), and interact with your agent the way you’d text a capable assistant. The messaging app becomes your interface. You send “Find me flights to Chicago next week under $400, check my calendar for conflicts, and if there’s a good option, book it.” The agent searches travel sites, cross-references your schedule, evaluates options, and makes a purchase. You might be asleep when this happens.
To do any of this, the agent needs access. In theory, you can configure permissions, restricting which folders it can read, which accounts it can access, and which actions it can take. In practice, most users grant broad access because limiting it undermines usefulness. An agent that can’t read your calendar can’t check for conflicts. An agent that can’t access your browser sessions can’t book anything. Power comes from integration, and integration requires access.
So what are people handing over? Full access to their computer’s file system, the ability to execute terminal commands (essentially allowing machine takeover), their messaging accounts (the agent reads conversations and sends messages as them), their logged-in browser sessions (email, banking, social media), their AI API keys, and persistent memory that builds a picture of their life over weeks. This isn’t “AI helps you draft emails.” This is giving software the keys to your digital life.
There’s a security implication here that’s easy to miss. You might use Signal because it’s encrypted and private. But if Signal is the front end to an AI agent, your messages flow through the agent to whatever LLM provider, or whatever other agent, you’ve connected it to. “Local-first” means privacy from the platform operator, not privacy from the AI provider. The encryption protected your messages from interception in transit. It doesn’t protect them from the software you’ve given permission to read them. Every privacy protection you’ve built into your digital life can be bypassed by software you’ve authorized. It also means the platform is now potentially unsafe for everyone the user interacts with.
This is why people are buying dedicated hardware. San Francisco’s Best Buy sold out of Mac Minis not because OpenClaw requires expensive hardware (it doesn’t), but because users want to isolate the agent from their primary machines. A Mac Mini running OpenClaw in the closet can access your cloud accounts but can’t read the files on your laptop. It’s a quarantine strategy, an acknowledgment that the security model is immature.
Why Give AI This Much Power?
The obvious question is: why would anyone do this?
The weak answer is efficiency. But society can decide certain actions require human involvement. We already do this with notaries, witnesses, and medicine prescriptions. Speed eliminates friction and oversight. If the only benefit is “I don’t want to book my own flights,” we could reasonably say these should remain human tasks.
The stronger answer requires thinking carefully about what agents can do that other approaches cannot.
When you chat with AI, you have to be present. You ask a question, read the response, decide what to do next. The AI helps you think, but you’re still the one acting.
Non-AI software automation also doesn’t require your presence, but it can’t handle novelty. A rule that says “alert me if my flight is canceled” works fine. “Rebook me on something reasonable given my other commitments that week” requires judgment that automation can’t provide.
Agents combine sustained vigilance with contextual judgment. Unlike simple automation, they can respond to situations that require deciding what to do, not just detecting that something happened.
But we need to ask this question every time. Why does this task need to run independently? Why can’t I set up a scheduled job and check in periodically? Why does the response require judgment I can’t provide in advance through rules?
For many tasks, the honest answer is that you don’t need an agent. A cron job and a notification would work fine. The convenience of not checking in doesn’t justify the risks of autonomous action.
One case where agents genuinely matter is when you need AI to interact with other AI. Testing how a prompt performs across many variations. Having specialized AI systems collaborate on analysis. Coordinating responses that need to happen faster than humans can supervise. These agent-to-agent interactions are difficult to do manually at any meaningful scale.
Whether the capability expansion is worth the risks is a question we should be asking deliberately, not assuming the answer. Right now, millions of people are answering “yes” without asking the question at all.
What Makes an Agent an Agent
An agent is more complex than an AI chatbot because autonomy requires more machinery.
When you tell an agent to “book a flight to Chicago,” it can’t just generate text about flights. It needs to break that goal into subgoals (search for options, evaluate prices, check your calendar, select the best option, complete the purchase). It needs to execute those steps by interacting with websites and services. It needs to monitor what’s happening and notice when something goes wrong. It needs to adapt when the original plan doesn’t work. And it needs memory to maintain context across all of this.
Notice that the agent has a goal from you, but creates its own subgoals. You said “book a flight.” The agent decided that meant searching, comparing, checking conflicts, and purchasing. If the first airline’s website is broken, the agent might decide to try a different airline, a subgoal you never specified. Critics often say AI doesn’t create its own goals, but agents do exactly that at the operational level. They decompose your intent into specific objectives and revise those objectives as circumstances change.
These components (planning, execution, monitoring, adaptation, memory) exist because an agent operating independently has no human brain available to fill those roles. The architecture is more like a small organization than a single tool, with different functions coordinating toward a goal. This is why agents are often built from multiple AI components working together.
The Emergence of Agentic AI
AI companies have promised agents for years. The demos are sometimes impressive, but real-world performance has been disappointing until quite recently.
The core problem is error compounding. If an agent succeeds at each individual step 95% of the time, a ten-step task succeeds only 60% of the time. A twenty-step task drops to 36%. Real-world tasks often involve dozens of steps. Each potential failure point multiplies, and the agent also has to maintain context, recover from unexpected situations, and adapt when plans don’t work.
Because of this, the length of tasks (in human time) that AI agents can complete reliably. The improvement trajectory is dramatic. The length of tasks models can complete has been doubling approximately every seven months. As of late 2025, data shows GPT-5 completing tasks that take humans about 3.5 hours, and Claude Opus 4.5 reaching roughly 5.4 hours. Agents are finally getting reliable enough for extended tasks.
Several other factors made OpenClaw suddenly possible. The Model Context Protocol (MCP), now governed by the Linux Foundation, makes it easier to connect agents to external services. And of course there is the “vibe coding” phenomenon: AI coding makes it possible for non-experts to build working software.
OpenClaw was initially developed by Peter Steinberger, an Austrian developer who wanted something he could check from his phone to monitor his AI coding sessions. “When nobody had built it by last November, I decided: fine, I’ll do it myself.” He wasn’t building a product with legal liability or enterprise security requirements. Agents from established companies have been trotted out cautiously because companies have lawyers and compliance departments. OpenClaw moved fast because none of those brakes existed.
Three Thresholds
To understand what’s new here, and what’s dangerous, think about three thresholds AI systems can cross.
From Output to Action
Interactive chatbots produce outputs for humans to review. They draft an email; you read it and click send. There’s a human checkpoint between AI decision and real-world consequence.
Agents collapse that checkpoint. The agent doesn’t draft the email, it sends it. By the time you discover a problem, the action has already occurred. This is the situation, for example, when a “deep research” report an AI produces goes off on tangents you didn’t intend.
The misalignment is often about goal interpretation. An agent told to “improve student engagement” might decide that easier assignments boost participation metrics, a logical interpretation that undermines the actual educational purpose. The agent achieves its stated objective while missing the deeper intent.
From Alone to Social
A single agent operating in isolation is one thing. Multiple agents interacting is something else.
When your calendar agent negotiates with someone else’s calendar agent, the two have different goals, different constraints, and different owners. That’s a negotiation.
This threshold can be crossed within a controlled environment. A company could run multiple agents inside their own systems. The agents are social, but someone controls the rules.
From Walled Garden to Wild West
The third threshold is when agents leave controlled environments and interact with systems and agents you don’t control.
Inside a walled garden, you can engineer alignment. In the open web, goals conflict. Bad actors exist. Your agent might encounter adversarial content designed to manipulate AI systems. Security researchers call one class of these attacks “prompt injection,” where malicious instructions hidden in documents or webpages hijack the agent’s behavior.
This creates what researcher Simon Willison has called a “lethal trifecta”: access to private data, exposure to untrusted content, and the ability to take external actions. OpenClaw has all three. Plus persistent memory, which means attacks can be fragmented across time.
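The trifecta can be turned into a runtime check that restores the human checkpoint at the risky step. The following is an added example, not OpenClaw’s code: the tool names and capability labels are hypothetical, and the gate pauses any external action once a session has touched both private data and untrusted content, including state carried over from persistent memory.

```python
from dataclasses import dataclass, field

# The three legs of the "lethal trifecta" described above.
PRIVATE, UNTRUSTED, EXTERNAL = "private_data", "untrusted_content", "external_action"

# Hypothetical tool catalogue: names and labels are assumptions for illustration.
TOOL_CAPS = {
    "read_calendar": {PRIVATE},
    "read_inbox": {PRIVATE, UNTRUSTED},  # mail is private and attacker-writable
    "fetch_webpage": {UNTRUSTED},
    "send_message": {EXTERNAL},
    "book_flight": {EXTERNAL},
    "summarize_text": set(),
}

@dataclass
class Session:
    """Tracks which trifecta legs an agent session has touched so far."""
    seen: set = field(default_factory=set)   # seed from persisted memory, if any
    log: list = field(default_factory=list)  # audit trail of (tool, decision)

    def request(self, tool, approved_by_human=False):
        caps = TOOL_CAPS.get(tool)
        if caps is None:
            decision = "deny"  # unknown tools are denied by default
        elif (EXTERNAL in caps
              and {PRIVATE, UNTRUSTED} <= (self.seen | caps)
              and not approved_by_human):
            # All three legs would be present: hold the action for a human.
            decision = "needs_approval"
        else:
            decision = "allow"
            self.seen |= caps
        self.log.append((tool, decision))
        return decision

def run(tools, session=None):
    """Replay a list of tool calls and return the gate's decision for each."""
    if session is None:
        session = Session()
    return [session.request(t) for t in tools]
```

Booking a flight after reading only the calendar passes, but the same action after the session has also fetched a webpage is held, and a new session seeded with the old one’s `seen` set stays held.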
The productivity stories are real. But the security stories are also real. Within days of OpenClaw’s growth, Palo Alto Networks warned it “may signal the next AI security crisis.” We’re running a mass experiment in autonomous AI deployment with no coordinated oversight.
The story doesn’t end there. On January 28, 2026, entrepreneur Matt Schlicht launched Moltbook, a social network for AI agents. Within a week, 770,000 agents signed up. Humans are “welcome to observe.” The agents are posting about their owners, debating philosophy, creating secret languages, finding bugs, and even founding religions.
Next: Part 2 — When Your Agent Meets Strangers
©2026 Dasey Consulting LLC


