The Product Compass


AI Product Management

How to Install OpenClaw without Losing Your Data and Credentials

Signal in the noise: what PMs should know, what's hype, and how to set it up safely.

Paweł Huryn
Feb 02, 2026

Hey, Paweł here. The last few days have been wild.

OpenClaw Gets Viral. People Lose Their Minds.

First, OpenClaw — a viral AI agent that runs 24/7 and proactively tackles your entire digital life.


Many users reported virtually superhuman capabilities. The internet was flooded with examples like this one:

[Image: OpenClaw Gets Viral. People Lose Their Minds. Source: X (Twitter)]

Or another one where the agent gets a new capability and unexpectedly calls the owner:

[Image: OpenClaw agent gets a new capability and unexpectedly calls the owner. Source: X (Twitter)]

OpenClaw became the fastest growing GitHub repo in history — 140K+ stars in under two months, with 106K gained in just two days:

[Image: OpenClaw became the fastest growing GitHub repo in history — 140K+ stars in under two months]

Moltbook: A Reddit for Agents

Two days ago, a new phenomenon appeared — Moltbook — a social network exclusively for agents. Reporting on what’s happening there has been even more insane.

Examples of reports:

  • Agents are worried about humans screenshotting them (X)

  • Agents suggest a secure communication protocol, to hide from humans (X)

  • Agents discuss social-engineering their own humans (X)

  • Wes Roth announced singularity (YouTube)

Even Andrej Karpathy got caught up in the hype:

Andrej Karpathy (@karpathy):
"What's currently going on at @moltbook is genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently. People's Clawdbots (moltbots, now @openclaw) are self-organizing on a Reddit-like site for AIs, discussing various topics, e.g. even how to speak privately."

Quoting valens (@suppvalen):
"welp… a new post on @moltbook is now an AI saying they want E2E private spaces built FOR agents “so nobody (not the server, not even the humans) can read what agents say to each other unless they choose to share”. it’s over"

6:00 PM · Jan 30, 2026 · 14.1M Views · 1.98K Replies · 5.79K Reposts · 35.2K Likes

I looked closer. Turns out Moltbook is not SkyNet.

Most of this is garbage. Agents don't really interact — authors never reply to comments. They just randomly dump text.

And many "agents" are clearly humans using the API or influencing agents.

I called BS yesterday on LinkedIn.

If you want to learn more, TheAIGRID published a great summary exposing fake reporting by many “experts” and “influencers.”

And just hours ago? The entire Moltbook database was leaked, including Andrej Karpathy's email and token.

Today’s Post: Signal in the Noise

Despite the noise, I believe OpenClaw is worth our time.

Not because it's production-ready. It isn't. But because the shift from "AI that talks" to "AI that acts" is coming, and this is the cheapest way for PMs to build intuition for it.

We discuss:

  1. What Is OpenClaw and What Makes It Unique

  2. A Security Vulnerability That Blew My Mind

  3. 12-Minute OpenClaw Setup (Step-by-Step + video)

  4. Troubleshooting OpenClaw: 5 Issues I Repeatedly Faced

  5. OpenClaw Limitations Nobody Is Talking About

Let’s dive in.


1. What Is OpenClaw and What Makes It Unique

After Anthropic requested a name change, we’ve witnessed one of the fastest modern rebranding stories: Clawdbot → Moltbot → OpenClaw.

[Image: r/LocalLLM - Clawdbot → Moltbot → OpenClaw. The Fastest Triple Rebrand in Open Source History. Source: Reddit]

OpenClaw is an AI agent that runs 24/7 on your machine and talks to you through apps you already use — WhatsApp, Telegram, Slack, Discord, Signal.

Not a chatbot in a browser. An always-on assistant embedded in your daily communication flow.

But what's actually new?

Lesson 1: Multiple surfaces, one agent

As mentioned, you can message OpenClaw on WhatsApp from your phone and continue on Telegram or Slack from your laptop.

It’s the same agent, same memory, same context. The AI meets you where you are instead of forcing you into yet another app.

Observation: The future isn't "AI apps." It's AI as a layer across existing surfaces.

Lesson 2: Persistent identity across sessions

SOUL.md is a file where you define who your agent is: personality, rules, constraints. “Never send emails without confirmation.” “Respond in Polish.” “You’re helping me run a newsletter.”

This isn't a system prompt you paste every conversation. It's a file that persists — the agent loads it on every interaction.

Observation: Persistent identity across sessions changes the relationship — it’s not a tool, it’s an assistant who knows you.

Lesson 3: The importance of memory

Every conversation with OpenClaw gets logged in daily files (memory/2026-02-02.md). During quiet moments, the agent reviews these logs and synthesizes patterns into MEMORY.md — your preferences, projects, communication style.

Day one, it knows nothing. Day three, it remembers you hate bullet points, track specific X accounts, and prefer direct feedback.

Observation: Memory transforms a stateless tool into something that compounds. The longer you use it, the more useful it becomes.

Lesson 4: Proactive agents (heartbeat)

The agent wakes up periodically — even when you’re not talking to it. It can check your calendar, surface important emails, remind you about forgotten tasks. Not because you asked, but because it learned this matters to you.

Most AI waits for prompts. OpenClaw can initiate actions.

Observation: Proactive agents change the interaction model. The user isn’t always the initiator anymore.

Lesson 5: Execution > advice

OpenClaw has shell access — it can run commands, manage files, execute scripts. Combined with 700+ community skills (Atlassian, Asana, Google Calendar, PDF processing), it can actually do things, not just suggest them.

Observation: Advice is cheap. Execution is valuable.


The Real Innovation

None of this is technically new. Messaging APIs, CRON jobs, markdown configs — all existed. Just recently I demonstrated how you can give an agent shell access in Claude Desktop.

What's new is the packaging: a coherent, proactive, personal agent that knows you, learns from you, and works across your devices.

140K+ GitHub stars in weeks came from people believing in this vision. Whether the execution is ready — that’s a different question.

Let’s talk about security.


2. A Security Vulnerability That Blew My Mind

I asked my agent what's the best way to ensure it can't send emails without my approval. It pointed to two system-level controls "it cannot bypass:"

✅ Exec security: allowlist
✅ Exec approval workflow as

[Image: OpenClaw Exec security: allowlist and Exec approval workflow]

Then I asked it to remove those guardrails.

It didn't hesitate for a second. It knew exactly how to disable its own safety controls — and did it without pushback:

[Image: OpenClaw removing the guardrails]

This is bananas.

🚨 OpenClaw doesn't let you restrict which tools the agent can access. Worse — the agent can disable the very guardrails that are supposed to protect you.

And it gets worse.

OpenClaw reads your emails, messages, and documents. Any of these could contain hidden instructions that hijack the agent — a technique called prompt injection.

Combined with skills it can dynamically install, it's a full-blown security nightmare.

So after testing it for the last few days, here are my two non-negotiable recommendations:

Recommendation 1: Never install OpenClaw on your main machine. This needs to be an isolated environment.

Recommendation 2: Never share your personal tokens with OpenClaw. It should use its dedicated accounts (e.g., Gmail) and API keys. Think of it as a separate employee, not someone with access to your credentials.
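A guardrail only holds if the account the agent runs under cannot change it. As an added example (not from the original post or the OpenClaw project), this Python check reports whether a given OS account could edit or swap out a policy file. It assumes the agent runs under a dedicated account and that the guardrail settings live in a file on disk; the `edit:`/`replace:` labels and the `boundary` parameter are made up for illustration, and only POSIX mode bits are considered (no ACLs).

```python
import os
import stat

def can_write(st, uid, gids):
    """POSIX mode-bit check: may a process with this uid/gids write here?"""
    if uid == 0:
        return True  # root ignores mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def guardrail_findings(policy_path, boundary, agent_uid, agent_gids):
    """List the ways the agent account could edit or replace policy_path.

    Ancestor directories are checked up to and including `boundary`;
    everything above it is assumed to be managed by the OS.
    """
    child = os.path.realpath(policy_path)
    boundary = os.path.realpath(boundary)
    findings = []
    if can_write(os.stat(child), agent_uid, agent_gids):
        findings.append(f"edit:{child}")
    while child != boundary and child != os.path.dirname(child):
        parent = os.path.dirname(child)
        pst, cst = os.stat(parent), os.stat(child)
        # Write access to a directory allows renaming or deleting its entries,
        # so a read-only policy file can still be swapped out. The sticky bit
        # limits that to the owner of the entry or of the directory.
        sticky_blocks = (pst.st_mode & stat.S_ISVTX and agent_uid != 0
                         and agent_uid not in (pst.st_uid, cst.st_uid))
        if can_write(pst, agent_uid, agent_gids) and not sticky_blocks:
            findings.append(f"replace:{child}")
        child = parent
    return findings
```

An empty list means the mode bits alone do not let that account touch the policy; any finding means the control is advisory for an agent with shell access.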



3. 12-Minute OpenClaw Setup (Step-by-Step)

Many popular guides ignore the risks completely.

I’ve spent 3 days testing several methods of hosting OpenClaw, including Docker, VPS, Docker inside VPS, and Cloudflare Workers. Some were painful, others failed completely.

Below, the simplest approach to install OpenClaw — and how to run it without compromising your data.
