For Moltbot is an open-source AI agent that is becoming very popular in the tech world. Users are showing off how it can handle client messages through WhatsApp, Telegram, and iMessage, as well as manage reminders. But there is a big problem with the trend going viral: security researchers just found major holes in the system that let hackers read private messages, credentials, and API keys. The tool works locally on your devices and connects to OpenAI, Anthropic, or Google’s models. However, giving it administrative rights to your computer opens up new attack vectors that experts say haven’t been fully fixed yet.
Moltbot is now the AI agent that everyone is talking about and being scared of. People on X, Discord, and tech forums are going crazy over the open-source tool because it finally lets them get an AI assistant that “actually does things” without having to rely on the cloud or pay a monthly fee. Alarms are already going off among security experts about holes that could turn this dream of increased productivity into a nightmare.
The tool makes requests go through any AI provider you pick, like OpenAI, Anthropic, or Google. It runs locally on Macs, PCs, or servers. You can talk to it on iMessage, WhatsApp, Telegram, Signal, or Discord, and it can do things in your browser and apps. Federico Viticci of MacStories put it on his M4 Mac Mini and set it up to make daily audio briefings from his calendar, Notion workspace, and Todoist tasks. Other people on X use it to keep track of health metrics, manage reminders, and even talk to clients on their own.
ALSO READ: Apple launches new AirTag with longer range and louder speaker
One thing that sets Moltbot apart from Siri or Alexa is how deeply it can access your system. It can read and write files, run shell commands and scripts, and control your browser as precisely as a person. One developer told us that it gave itself an animated face and added sleep animations on its own, without being told to. Users say it does better at complex, multi-step workflows than any other mainstream AI agent they’ve tried.
But that power comes with some very bad things. Found that private messages, account information, and API keys related to Moltbot installations were available to everyone on the web by Jamieson O’Reilly, founder of the cybersecurity company Dvuln. The Register says that O’Reilly told developers about the flaw, and they have since fixed it. However, this shows how quickly popular open-source tools can become less secure.
In an interview with The Verge, Rachel Tobac, CEO of SocialProof Security, talked about the bigger architectural risk. “If your autonomous AI Agent like MoltBot has admin access to your computer and I can interact with it by DMing you on social media, well now I can attempt to hijack your computer in a simple direct message.” She’s talking about prompt injection attacks, in which bad people put commands in files, emails, or messages so that AI models think they are real instructions. IBM says that prompt injection is a way to change text that takes advantage of how large language models understand it. This is still an AI industry vulnerability that hasn’t been fixed.
In a post on X, one of Moltbot’s developers talked about these risks. They called the software “powerful with a lot of sharp edges” and told people to “read the security docs carefully before you run it anywhere near the public internet.” That caveat hasn’t stopped people from using the tool; every day, new integrations and use cases are being added to its GitHub repository and community forums.
Bad people are also drawn to the project’s fast growth. Peter Steinberger, the creator of the tool, said on X that he changed the name from Clawdbot to Moltbot because Anthropic was worried about trademark issues because the names of the two tools sound similar. Within hours, con artists took advantage of the chaos by releasing a fake cryptocurrency token called “Clawdbot.” This shows how quickly fake AI projects go viral and become targets for scams.
What Moltbot stands for is more than just a tool.
This is the first open-source AI agent that has gone viral outside of the developer community. This shows that a lot of people want AI automation that doesn’t go through corporate servers. Running models locally while keeping messaging app interfaces is how the tool is built, which solves privacy issues that have been a problem with cloud-based assistants. But it also puts all the security responsibility on end users, who might not know what happens when they give admin access to software that runs itself.
The conflict between ability and safety is changing the way we think about putting AI to use. Apple and Google carefully sandbox their AI features with limited permissions. Moltbot, on the other hand, gives users root-level control in exchange for taking on all the risks that come with it. That’s great for power users who are making their own workflows, but it could be disastrous for regular people who just want an assistant that works.
Moltbot’s famous moment shows the real direction of consumer AI: away from walled gardens and towards local-first automation that users fully control. But the security holes that were found in its first week of public attention show that the AI agent safety industry still hasn’t solved some of the most important problems. As more tools follow Moltbot’s open-source, locally-run model, the choice between AI power and security will no longer be based on the platform. It will be up to each person. There’s no doubt that these tools will become more popular. The question is whether security measures can change quickly enough to make them safe for non-technical users who just want a personal assistant that gets things done.
