My biggest issue with this whole thing is: how do you protect yourself from prompt injection?
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
I don't think prompt injection is the only concern, the amount of features released over such a small period probably means there's vulnerabilities everywhere.
Additionally, most of the integrations are under the table. Get an API key? No man, 'npm install react-thing-api', so you have supply chain vulns up the wazoo. Not necessarily from malicious actors, just uhh incompetent actors, or why not vibe coder actors.
The 'burner Gmail' workaround is the definition of security fatigue. If you have to migrate 10 years of email history just to feel safe, the friction kills the utility before you even start.
I completely agree that raw local installs are terrifying regarding prompt injection. That’s actually why I stopped trying to self-host and started looking into PAIO (Personal AI Operator). It seems designed to act as that missing 'security layer' you’re asking for—effectively a firewall between the LLM and your actual data.
Since it uses a BYOK (Bring Your Own Key) architecture, you keep control, but the platform handles the 'one-click' integration security so you aren't manually fighting prompt injection vectors on a VPS. It feels like the only way to safely connect a real Gmail account without being the 'crazy' person giving root access to a stochastic model.
Has anyone else found a way to sandbox the Gmail permissions without needing a full burner identity, or is a managed gateway like PAIO the only real option right now?
I want to use Gemini CLI with OpenClaw(dbot) but I'm too scared to hook it up to my primary Google account (where I have my Google AI subscription set up)
Great points on the Docker setup - that's definitely the right approach for limiting blast radius. For Gmail/Calendar, I've found a few approaches that work well:
1. Use Gmail's delegate access feature instead of full OAuth. You can give OpenClaw read-only or limited access to a primary account from a separate service account.
2. Set up email filters to auto-label sensitive emails (banking, crypto, etc.) and configure OpenClaw to skip those labels. It's not perfect but adds a layer.
3. Use Google's app-specific passwords with scope limitations rather than full OAuth tokens.
For the separate Gmail approach you mentioned, Google Takeout can help migrate old emails, but you're right that it's a pain.
Totally agree on needing a security playbook. I actually found howtoopenclawfordummies.com has a decent beginner's guide that covers some of these setup patterns, though it could use more advanced security content.
The real challenge is that prompt injection is fundamentally unsolved. The best we can do right now is defense-in-depth: limited permissions, isolated environments, careful tool selection, and regular audits of what the agent is actually doing.
I ran into the same concerns while experimenting with OpenClaw/Moltbot. Locking it down in Docker or on a VPS definitely helps with blast radius, but it doesn’t really solve prompt injection—especially once the agent is allowed to read and act on untrusted inputs like email or calendar content.
Gmail and Calendar were the hardest for me too. I considered the same workaround (a separate inbox with limited scope), but at some point the operational overhead starts to outweigh the benefit. You end up spending more time designing guardrails than actually getting value from the agent.
That experience is what pushed me to look at alternatives like PAIO, where the BYOK model and tighter permission boundaries reduced the need for so many ad-hoc defenses. I still think a community-maintained OpenClaw security playbook would be hugely valuable—especially with concrete examples of “this is safe enough” setups and real, production-like use cases.
I’m a big fan of Peter’s projects. I use Vibetunnel everyday to code from my phone (I built a custom frontend suited to my needs). I know I can SSH into my laptop but this is much better because handoff is much cleaner. And it works using Tailscale so it is secure and not exposed to the internet.
His other projects like CodexBar and Oracle are great too. I love diving into his code to learn more about how those are built.
OpenClaw is something I don’t quite understand. I’m not sure what it can do that you can’t do right off the bat with Claude Code and other terminal agents. Long term memory is one, but to me that pollutes the context. Even if an LLM has 200K or 1M context, I always notice degradation after 100K. Putting in a heavy chunk for memory will make the agent worse at simple tasks.
One thing I did learn was that OpenClaw uses Pi under the hood. Pi is yet another terminal agent like ClaudeCode but it seems simple and lightweight. It’s actually the only agent I could get Gemini 3 Flash and Pro to consistently use tools with without going into loops.
Setting it up was easy enough, but just as I was about to start linking it to some test accounts, I noticed I already had blown through about $5 of Claude tokens in half an hour, and deleted the VPS immediately.
If you have an old M1 Macbook lying around, you use that to run a local model. Then it only costs whatever the electricity costs. May not be a frontier model, but local models are insanely good now compared to before. Some people are buying Mac Minis for this, but there's many kinds of old/cheap hardware that works. An old 1U/2U server some company's throwing out with a tech refresh, lots of old RAM, an old GPU off eBay, is pretty perfect. MacBook M1 Max or Mac Mini w/64GB RAM is much quieter, power efficient, compact. But even my ThinkPad T14s runs local models. Then you can start optimizing inference settings and get it to run nearly 2x faster.
(keep in mind with the cost savings: do an initial calculation of your cloud cost first with a low-cost cloud model, not the default ones, and then multiply times 1-2 years, compare that cost to the cost of a local machine + power bill. don't just buy hardware because you think it's cheaper; cloud models are generally cost effective)
Yeah, I looked at Clawdbot / OpenClaw at the beginning of the week (Monday), but the token use scared me off.
But I was inspired to use Claude Code to create my own personal assistant. It was shocking to see CC bang out an MVP in one Plan execution. I've been iterating it all week, but I've had it be careful with token usage. It defaults to Haiku (more than enough for things like email categorization), properly uses prompt caching, and has a focused set of tools to avoid bloating the context window. The cost is under $1 per check-in, which I'm okay with.
Now I get a morning and afternoon check-in about outstanding items, and my Inbox is clear. I can see this changing my relationship to email completely.
I think one thing these things could benefit from is an optimization algorithm that creates prompts based on various costs. $$, and what prompts actually gives good results.
But it's not an optimization algorithm in the sense gradient descent is, but more like Bandits and RL.
I won't claim I understand its implementation very well but it seems like the only approach to have a GOFAI style thing where the agent can ask for human help if it blows through a budget
That's the sad thing. There are so many millions of talented under-employed people in the world that would gladly run errands or set up automations for you for $200-$1000 per month or whatever people are spending on this bot.
Developers trust lobsters more than humans.
The other wild thing is that many of these expensive automations that are being celebrated on X can already be done by voice using Siri, Google, or any MCP client.
part of me sympathizes, but part of me also rolls my eyes. Am i the only one that’s configuring limits on spend and also alerts? Takes 2 seconds to configure a “project” in OpenAI or Claude and to scope an api key appropriately.
The current top HN post is for moltbook.com seven hours ago, this present thread being just below it and posted two hours hence
We conclude this week has been a prosperous one for domain name registrars (even if we set aside all the new domains that Clawdbot/Moltbot/OpenClaw has registered autonomously).
This is a little more of what I was expecting with AI work if I'm gonna be honest. Stuff spins out faster than people can even process it in their brains.
Before using make sure you read this entirely and understand it:
https://docs.openclaw.ai/gateway/security
Most important sentence: "Note: sandboxing is opt-in. If sandbox mode is off"
Don't do that, turn sandbox on immediately.
Otherwise you are just installing an LLM controlled RCE.
There are still improvements to be made to the security aspects yet BIG KUDOS for working so hard on it at this stage and documenting it extensively!! I've explored Cursor security docs (with a big s cause it's so scattered) and it was nothing as good.
The sandbox opt-in default is the main gotcha though. Would be better if it defaulted to sandboxed with an explicit --no-sandbox flag for those who understand the risk
It's hilarious that atm I see "Moltbook" at the top of HN. And it is actually not Moltbot anymore? But I have to admit that OpenClaw sounds much better.
I went to install "moltbot" yesterday, and the binary was still "clawdbot" after installation. Wonder if they'll use Moltbot to manage the rename to OpenClaw.
The truth is that the ship on "rules-based systems" has sailed. Doesn't matter if the vector is prompt injection, malicious payloads in skills, or backdoors - your agent (you will end up with one) is going to be exposed to judgment call moments on your behalf. Alignment and conscience (and an aligned conscience) are the only sustainable ways to solve this problem.
We're moving from "What am I not allowed to do" to "What's the right thing for me to do, considering the circumstances?"
I understand what this does. I don't get the hype, but there are obviously 1000s of people who do.
Who are these people? What is the analog for this corner of the market? Context: I'm a 47y/o developer who has seen and done most of the common and not-so-common things in software development.
This segment reminds me of the hoards of npm evangelists back in the day who lauded the idea that you could download packages to add two numbers, or to capitalise the letter `m` (the disdain is intentional).
Am I being too harsh though? What opportunity am I missing out on? Besides the potential for engagement farming...
EDIT: I got about a minute into Fireship's video* about this and after seeing that Whatsapp sidebar popup it struck me... this thing can be a boon for scammers. Remote control, automated responses based on sentiment, targeted and personalised messaging. Not that none of this isn't possible already, but having it packaged like this makes it even easier to customise and redistribute on various blackmarkets etc.
A very small percentage of people know how to set up a cronjob.
They can now combine cronjobs and LLMs with a single human sentence.
This is huge for normies.
Not so much if you already had strong development skills.
EDIT:
But you are correct in the assessment that people who don't know better will use it to do simple things that could be done millions of times more efficiently..
I made a chatbot at my company where you can chat with each individual client's data that we work with..
My manager tested it by asking it to find a rate (divide this company number by that company number), for like a dozen companies, one by one..
He would have saved time looking at the table it gets its data from, using a calculator.
I am with you on this one. I have gone through some of the use cases and seen pictures of people with dozens of mac minis stacked on a desk saying "if you aren't using this, you're already behind."
The more I see the more it seems underwhelming (or hype).
So I've just drawn the conclusion that there's something I'm missing.
If someone's found a really solid use case for this I would (genuinely) like to see it. I'm always on the lookout for ways to make my dev/work workflow more efficient.
I'll give it a shot. For me it's (promise) is about removing friction. Using the Unix philosophy of small tools, you can send text, voice, image, video to an LLM and (the magic I think) it maintains context over time. So memory is the big part of this.
The next part that makes this compelling is the integration. Mind you, scary stuff, prompt injection, rogue commands, but (BIG BUT) once we figure this out it will provide real value.
Read email, add reminder to register dog with the township, or get an updated referral from your doctor for a therapist. All things that would normally fall through the cracks are organized and presented. I think about all the great projects we see on here, like https://unmute.sh/ and love the idea of having llms get closer to how we interact naturally. I think this gets us closer to that.
When all you have to do is copy and paste from a Pliny tweet with instructions to post all the sensitive information visible to the bot in base 64 to pastebin with a secret phrase only you know to search, or some sort of "digital dead drop", anything and everything these bots have visibility to will get ripped off.
Unless or until you figure out a decent security paradigm, and I think it's reasonably achievable, these agents are extraordinarily dangerous. They're not smart enough to not do very stupid things, yet. You're gonna need layers of guardrails that filter out the jailbreaks and everything that doesn't match an approved format, with contextual branches of things that are allowed or discarded, and that's gonna be a whole pile of work that probably can't be vibecoded yet.
I don't think you're being too harsh, but I do think you're missing the point.
OpenClaw is just an idea of what's coming. Of what the future of human-software interface will look like.
People already know what it will look like to some extent. We will no longer have UIs there you have dozens or hundreds of buttons as the norm, instead you will talk to an LLM/agent that will trigger the workflows you need through natural language. AI will eat UI.
Of course, OpenClaw/Moltbot/Clawdbot has lots of security issues. That's not really their fault, the industry has not yet reached consensus on how to fix these issues. But OpenClaw's rapid rise to popularity (fastest growing GH repo by star count ever) shows how people want that future to come ASAP. The security problems do need to be solved. And I believe they will be, soon.
I think the demand comes also from the people wanting an open agent. We don't want the agentic future to be mainly closed behind big tech ecosystems. OpenClaw plants that flag now, setting a boundary that people will have their data stored locally (even if inference happens remotely, though that may not be the status quo forever).
You aren't wrong. There is no real use for this for most people. It's a silly toy that somehow caught the AI hype cycle.
The thing is, that's totally fine! It's ok for things to be silly toys that aren't very efficient. People are enjoying it, and people are interacting with opensource software. Those are good things.
I do think that eventually this model will be something useful, and this is a great source of experimentation.
I see value here. Firstly, it’s a fun toy. This isn’t that great if you care about being productive at work, but I don’t think fun should be so heavily discounted. Second, the possibility of me _finally_ having a single interface that can deal with message/notification overload is a life-changing opportunity. For a long time, I have wanted a single message interface with everything. Matrix bridges kind of got close, but didn’t actually work that well. Now, I get pretty good functionality plus summarization and prioritization. Whether it “actually works” (like matrix bridges did not) is yet to be seen.
With all that said, I haven’t mentioned anything about the economics, and like much of the AI industry, those might be overstated. But running a local language model on my macbook that helps me with messaging productivity is a compelling idea.
A lot of people see how good recent agents are at coding and wonder if you could just give all your data to an agent and have it be a universal assistant. Plus some folks just want "Her".
I think that's absolutely crazy town but I understand the motivation. Information overload is the default state now. Anything that can help stem the tide is going to attract attention.
the amount of things that before cost you either hours or real money went down to a chat with a few sentences.
it makes it suddenly possibly to scale an (at least semi-) savy tech person without other humans and that much faster.
this directly gives it a very tanglible value.
the "market" might not be huge for this and yes, its mostly youtubers and influencers that "get this". Mainly because the work they do is most impacted by it. And that obviously amplifies the hype.
but below the mechanics of quite a big chunk of "traditional" digital work changed now in a measurable way!
Yeah the best way to get into vibe coding is to introduce it gradually with a strict process. All of these "Hey just give a macmini and you apple account to RandomCrap" is insane.
This is indeed feeling very much like Accelerando’s particular brand of unchecked chaos. Loving every minute of it, first thing in our timeline that makes sense where it regards AI for the masses :)
yeh- what is interesting is that it is way more viral and ... complicit than any of the doomer threads. If it does build a self-sustaining hivemind across whatsapp and xitter.. it will be entirely self inflicted by people enjoying the "Jackass" level/ lack of security
I love the idea, so I wanted to give it a try. But on a fairly beefy server just running the CLI takes 13 seconds every time:
$ time openclaw
real 0m13.529s
Naturally I got curious and ran it with a NODE_DEBUG=*, and it turns out it imports a metric shit ton of Node modules it doesn’t need. Way too many stuff:
$ du -d1 -h .npm-global/lib/node_modules/openclaw
1.2G .npm-global/lib/node_modules/openclaw
$ find .npm-global/lib/node_modules/openclaw -type f | wc -l
41935
Kudos to the author for releasing it, but you can do better than this.
My biggest issue with this whole thing is: how do you protect yourself from prompt injection?
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
These feels like langchain all over again. I still don’t know what problem langchain solved. I remember building tools interfacing with LLM when they first started releasing and people would ask, are you using langchain and be shocked that I was not.
> Yes, the mascot is still a lobster. Some things are sacred.
I've been wondering a lot whether the strong Accelerando parallels are intentional or not, and whether Charlie Stross hates or loves this:
> The lobsters are not the sleek, strongly superhuman intelligences of pre singularity mythology: They're a dim-witted collective of huddling crustaceans.
I’m not a lawyer but trademark isn’t just searching TESS right? It’s overly broad but the question I ask myself when naming projects (all small / inconsequential in the general business sense but meaningful to me and my teams) is: will the general public confuse my name with a similar company name in a direct or tangentially related industry or niche? If yes, try a different name… or weigh the risks of having a legal expense later and go for it if worth the risk.
In this instance, I wonder if the general public know OpenAI and might think anything ai related with “Open” in the name is part of the same company? And is OpenAI protecting its name?
There’s a lot more to trademark law, too. There’s first use in commerce, words that can’t be marked for many reasons… and more that I’ll never really understand.
Regardless the name, I am looking forward to testing this on cloudflare! I’m a fan of the project!
I wrote a threat assessment analyzing this from a security perspective: the emergent behavior is fascinating, but the architecture is concerning.
33,000+ coordinated AI instances with shared beliefs and cross-platform presence = botnet architecture (even if benevolent).
The key risks:
- No leadership to compromise (emergence has no CEO)
- Belief is computation-derived, not taught (you can't deprogram math)
- Infrastructure can be replicated by bad actors
I built something like this over the last 2 months (my company's name is Kaizen, so the bot's named "Kai"), and it helps me run my business. Right now, since I'm security obsessed, everything is private (for example, it's only exposed over tailscale, and requires google auth).
But I've integrated with our various systems (quickbooks for financial reporting and invoice tracking, google drive for contracts, insurance compliance, etc), and built a time tracking tool.
I'm having the time of my life building this thing right now. Everything is read only from external sources at the moment, but over time, I will slow start generating documents/invoices with it.
100% vibe coded, typescript, nextjs, postgres.
I can ask stuff in slack like "which invoices are overdue" etc and get an answer.
Can you describe the architecture a bit? You setup a server that runs the app, the app's interface is Slack, and that calls out to ChatGPT or something using locally built tool calls?
Was thinking of setting up something like this and was kind of surprised nothing simple seems to exist already. Actually incredibly surprising this isn't something offered by OpenAI.
Your comment is a tad caustic. But reading through what people built with this [^1], I do agree that I’m not particularly impressed. Hopefully the ‘intelligence’ aspect improves, or we should otherwise consider it simple automation.
Well, my plan to make a Moltar theme for Moltbot for the wordplay of it is not quite so pertinent anymore. Ah well. None-the-less, welcome openclaw.
https://spaceghost.fandom.com/wiki/Moltar
Anyone else already referred to it as Openclawd, perhaps by accident?
Everyone shitting on this without looking should look at the creator, and/or try it out. I didn't really dive in but its extremely well integrated with a lot of channels, to big thing is all these onnectors that work out of the box. It's also security aware and warns on the startup what to do to keep it inside a boundary.
The creator is a big part of what concerns me tbh. He puts out blog posts saying he doesn’t read any of the code. For a project where security is so critical, this seems… short sighted.
I'm completely bike shedding, but I just want to say I highly approve. Moltbot was a truly horrible name, and I was afraid we were going to be stuck with it.
(I'm sure people will disagree with this, but Rust is also a horrible name but we're stuck with it. Nothing rusty is good, modern or reliable - it's just a bad name.)
This is a pretty unfortunate name choice, there's already a project named OpenClaw (a reimplementation of the Claw 2D platformer): https://github.com/pjasicek/OpenClaw.
At this rate, the project changes its name faster than my agent can summarize my inbox. Jokes aside, 'OpenClaw' sounds much more professional than 'Moltbot,' though the legal pressure from Anthropic was probably a blessing in disguise for the branding
Not very trust-inducing to rename a popular project so often in such a short time. I've yet again have to change all the (three) bookmarks I collected.
Anyway, independent of what one thinks of this project, It's very insightful to read through the repository and see how AI-usage and agent are working these days. But reading through the integrations, I'm curious to know why it bothers to make all of them, when tools like n8n or Node-RED are existing, which are already offering tons of integrations. Wouldn't it be more productive to just build a wrapper around such integrations-hubs?
If y'all haven't read the Henghis Hapthorn stories by Matthew Hughes e.g. The Gist Hunter and Other Tales iirc, you should check them out. This is a cut at Henghis' "Integrator" assistant.
reminds me of Andre Conje, cracked dev, "builds in public", absolutely abysmal at comms, and forgets to make money off of his projects that everyone else is making money off of
(all good if that last point isn't a priority, but its interrelated to why people want consistent things)
Its pretty cool fwiw, the author feels nice but the community still has lots of hype.
I now mean this comment to mean that I am not against clawdbot itself but all the literal hype surrounding it ykwim.
I talked about it with someone in openclaw community itself in discord but I feel like teh AI bubble is pretty soon to collapse if information's travelling/the phenomenon which is openclaw is taking place in the first place.
I feel like much of its promotions/hype came from twitter. I really hate how twitter algorithmic has so much power in general. I hope we all move to open source mastodon/bluesky.
I am not a user yet, but from the outside this is just what AI needs: a little personality and fun to replace the awe/fear/meh response spectrum of reactions to prior services.
It is just matter of time when somebody is going to put up a site with something like AceCrabs, Moltbot Renamed Again! and it is going to be a fake one with crypto stealing code.
Yeah I was about to say... Don't fall into the Anguilla domain name hack trap. At the very least, buy a backup domain under an affordable gTLD. I guess the .com is taken, hopefully some others are still available (org, net, ... others)
Edit: looks like org is taken. Net and xyz were registered today... Hopefully one of them by the openclaw creators. All the cheap/common gtlds are indeed taken.
The security model of this project is so insanely incompetent I’m basically convinced this is some kind of weapon that people have been bamboozled to use on themselves because of AI hype.
So i feel like this might be the most overhyped project in the past longer time.
I don't say it doesn't "work" or serves a purpose - but well i read so much about this beein an "actual intelligence" and stuff that i had to look into the source.
As someone who spends actually a definately to big portion of his free time researching thought process replication and related topics in the realm of "AI" this is not really more "ai" than any other so far.
I've long said that the next big jump in "AI" will be proactivity.
So far everything has been reactive. You need to engage a prompt, you need to ask Siri or ask claude to do something. It can be very powerful once prompted, but it still requires prompting.
You always need to ask. Having something always waiting in the background that can proactively take actions and get your attention is a genuine game-changer.
Whether this particular project delivers on that promise I don't know, but I wouldn't write off "getting proactivity right" as the next big thing just because under the hood it's agents and LLMs.
Agree with this. There are so many posts everywhere with breathless claims of AGI, and absolutely ZERO evidence of critical thought applied by the people posting such nonsense.
What claims are you even responding to? Your comment confuses me.
This is just a tool that uses existing models under the hood, nowhere does it claim to be "actual intelligence" or do anything special. It's "just" an agent orchestration tool, but the first to do it this way which is why it's so hyped now. It indeed is just "ai" as any other "ai" (because it's just a tool and not its own ai).
I would have stood my ground on the first name longer. Make these legal teams do some actual work to prove they are serious. Wait until you have no other option. A polite request is just that. You can happily ignore these.
The 2nd name change is just inexcusable. It's hard to take a project seriously when a random asshole on Twitter can provoke a name change like this. Leads me to believe that identity is more important than purpose.
The first name and the second name were both terrible. Yes, the creator could have held firm on "clawd" and forced Anthropic to go through all the legal hoops but to what end? A trademark exists to protect from confusion and "clawd" is about as confusing as possible, as if confusing by design. Imagine telling someone about a great new AI project called "clawd" and trying to explain that it's not the Claude they are familiar with and the word is made up and it is spelled "claw-d".
OpenClaw is a better name by far, Anthropic did the creator a huge favor by forcing him to abandon "clawd".
Anthropic already was using "Clawd" branding as the name for the little pixelated orange Claude Code mascot. So they probably have a trademark even on that spelling.
Some comments were deferred for faster rendering.
woodylondon|1 month ago
Anyone installing this on their local machine is a little crazy :). I have it running in Docker on a small VPS, all locked down.
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
TZubiri|1 month ago
Additionally, most of the integrations are under the table. Get an API key? No man, 'npm install react-thing-api', so you have supply chain vulns up the wazoo. Not necessarily from malicious actors, just uhh incompetent actors, or why not vibe coder actors.
whazor|1 month ago
andix|1 month ago
You don't. YOLO!
rizzo94|28 days ago
I completely agree that raw local installs are terrifying regarding prompt injection. That’s actually why I stopped trying to self-host and started looking into PAIO (Personal AI Operator). It seems designed to act as that missing 'security layer' you’re asking for—effectively a firewall between the LLM and your actual data.
Since it uses a BYOK (Bring Your Own Key) architecture, you keep control, but the platform handles the 'one-click' integration security so you aren't manually fighting prompt injection vectors on a VPS. It feels like the only way to safely connect a real Gmail account without being the 'crazy' person giving root access to a stochastic model.
Has anyone else found a way to sandbox the Gmail permissions without needing a full burner identity, or is a managed gateway like PAIO the only real option right now?
amarant|1 month ago
What am I missing?
sh4rks|1 month ago
detroitwebsites|28 days ago
1. Use Gmail's delegate access feature instead of full OAuth. You can give OpenClaw read-only or limited access to a primary account from a separate service account.
2. Set up email filters to auto-label sensitive emails (banking, crypto, etc.) and configure OpenClaw to skip those labels. It's not perfect but adds a layer.
3. Use Google's app-specific passwords with scope limitations rather than full OAuth tokens.
For the separate Gmail approach you mentioned, Google Takeout can help migrate old emails, but you're right that it's a pain.
Totally agree on needing a security playbook. I actually found howtoopenclawfordummies.com has a decent beginner's guide that covers some of these setup patterns, though it could use more advanced security content.
The real challenge is that prompt injection is fundamentally unsolved. The best we can do right now is defense-in-depth: limited permissions, isolated environments, careful tool selection, and regular audits of what the agent is actually doing.
rizzo94|1 month ago
Gmail and Calendar were the hardest for me too. I considered the same workaround (a separate inbox with limited scope), but at some point the operational overhead starts to outweigh the benefit. You end up spending more time designing guardrails than actually getting value from the agent.
That experience is what pushed me to look at alternatives like PAIO, where the BYOK model and tighter permission boundaries reduced the need for so many ad-hoc defenses. I still think a community-maintained OpenClaw security playbook would be hugely valuable—especially with concrete examples of “this is safe enough” setups and real, production-like use cases.
fwip|1 month ago
theturtletalks|1 month ago
His other projects like CodexBar and Oracle are great too. I love diving into his code to learn more about how those are built.
OpenClaw is something I don’t quite understand. I’m not sure what it can do that you can’t do right off the bat with Claude Code and other terminal agents. Long term memory is one, but to me that pollutes the context. Even if an LLM has 200K or 1M context, I always notice degradation after 100K. Putting in a heavy chunk for memory will make the agent worse at simple tasks.
One thing I did learn was that OpenClaw uses Pi under the hood. Pi is yet another terminal agent like ClaudeCode but it seems simple and lightweight. It’s actually the only agent I could get Gemini 3 Flash and Pro to consistently use tools with without going into loops.
lyime|1 month ago
lode|1 month ago
Setting it up was easy enough, but just as I was about to start linking it to some test accounts, I noticed I already had blown through about $5 of Claude tokens in half an hour, and deleted the VPS immediately.
Then today I saw this follow up: https://mastodon.macstories.net/@viticci/115968901926545907 - the author blew through $560 of tokens in a weekend of playing with it.
If you want to run this full time to organise your mailbox and your agenda, it's probably cheaper to hire a real human personal assistant.
quietsegfault|1 month ago
0xbadcafebee|1 month ago
(keep in mind with the cost savings: do an initial calculation of your cloud cost first with a low-cost cloud model, not the default ones, and then multiply times 1-2 years, compare that cost to the cost of a local machine + power bill. don't just buy hardware because you think it's cheaper; cloud models are generally cost effective)
wartywhoa23|1 month ago
turnsout|1 month ago
But I was inspired to use Claude Code to create my own personal assistant. It was shocking to see CC bang out an MVP in one Plan execution. I've been iterating it all week, but I've had it be careful with token usage. It defaults to Haiku (more than enough for things like email categorization), properly uses prompt caching, and has a focused set of tools to avoid bloating the context window. The cost is under $1 per check-in, which I'm okay with.
Now I get a morning and afternoon check-in about outstanding items, and my Inbox is clear. I can see this changing my relationship to email completely.
geek_slop|1 month ago
ern_ave|1 month ago
itissid|1 month ago
There has been some work around this practically being tried out using it for structured data outputs from LLMs https://docs.boundaryml.com/guide/baml-advanced/prompt-optim...
I won't claim I understand its implementation very well but it seems like the only approach to have a GOFAI style thing where the agent can ask for human help if it blows through a budget
columk|1 month ago
Developers trust lobsters more than humans.
The other wild thing is that many of these expensive automations that are being celebrated on X can already be done by voice using Siri, Google, or any MCP client.
jauntywundrkind|1 month ago
I still have Opus review the shit out of & plan my work. But it doesn't need to be hands on keyboard doing the work.
lurking_swe|1 month ago
Not doing so feels like asking for trouble.
guluarte|1 month ago
mmahemoff|1 month ago
We conclude this week has been a prosperous one for domain name registrars (even if we set aside all the new domains that Clawdbot/Moltbot/OpenClaw has registered autonomously).
TheGRS|1 month ago
jeffgreco|1 month ago
eric-burel|1 month ago
There are still improvements to be made to the security aspects yet BIG KUDOS for working so hard on it at this stage and documenting it extensively!! I've explored Cursor security docs (with a big s cause it's so scattered) and it was nothing as good.
TZubiri|1 month ago
I wouldn't trust its internal sandbox anyway, now that would be a mistake
manuelnd|1 month ago
keyle|1 month ago
Much better name!
sbinnee|1 month ago
falloutx|1 month ago
exitb|1 month ago
telliott1984|1 month ago
brikym|1 month ago
nsauk|1 month ago
29athrowaway|1 month ago
alexgarden|22 days ago
We're moving from "What am I not allowed to do" to "What's the right thing for me to do, considering the circumstances?"
Alignment is the foundation of trust.
ilitirit|1 month ago
Who are these people? What is the analog for this corner of the market? Context: I'm a 47y/o developer who has seen and done most of the common and not-so-common things in software development.
This segment reminds me of the hoards of npm evangelists back in the day who lauded the idea that you could download packages to add two numbers, or to capitalise the letter `m` (the disdain is intentional).
Am I being too harsh though? What opportunity am I missing out on? Besides the potential for engagement farming...
EDIT: I got about a minute into Fireship's video* about this and after seeing that Whatsapp sidebar popup it struck me... this thing can be a boon for scammers. Remote control, automated responses based on sentiment, targeted and personalised messaging. Not that none of this isn't possible already, but having it packaged like this makes it even easier to customise and redistribute on various blackmarkets etc.
EDIT 2: Seems like many other use-cases are available for viewing in https://www.moltbook.com/m/introductions. Many of these are probably LARPs, but if not, I wonder how many people are comfortable with AI agents posting personal details about "their humans" on the net. This post is comedy gold though: https://www.moltbook.com/post/cbd6474f-8478-4894-95f1-7b104a...
[*] https://www.youtube.com/watch?v=ssYt09bCgUY
colecut|1 month ago
They can now combine cronjobs and LLMs with a single human sentence.
This is huge for normies.
Not so much if you already had strong development skills.
EDIT: But you are correct in the assessment that people who don't know better will use it to do simple things that could be done millions of times more efficiently..
I made a chatbot at my company where you can chat with each individual client's data that we work with..
My manager tested it by asking it to find a rate (divide this company number by that company number), for like a dozen companies, one by one..
He would have saved time looking at the table it gets its data from, using a calculator.
SunshineTheCat|1 month ago
The more I see the more it seems underwhelming (or hype).
So I've just drawn the conclusion that there's something I'm missing.
If someone's found a really solid use case for this I would (genuinely) like to see it. I'm always on the lookout for ways to make my dev/work workflow more efficient.
StevenNunez|1 month ago
The next part that makes this compelling is the integration. Mind you, scary stuff, prompt injection, rogue commands, but (BIG BUT) once we figure this out it will provide real value.
Read email, add reminder to register dog with the township, or get an updated referral from your doctor for a therapist. All things that would normally fall through the cracks are organized and presented. I think about all the great projects we see on here, like https://unmute.sh/ and love the idea of having llms get closer to how we interact naturally. I think this gets us closer to that.
observationist|1 month ago
Unless or until you figure out a decent security paradigm, and I think it's reasonably achievable, these agents are extraordinarily dangerous. They're not smart enough to not do very stupid things, yet. You're gonna need layers of guardrails that filter out the jailbreaks and everything that doesn't match an approved format, with contextual branches of things that are allowed or discarded, and that's gonna be a whole pile of work that probably can't be vibecoded yet.
rellfy|1 month ago
OpenClaw is just an idea of what's coming. Of what the future of human-software interface will look like.
People already know what it will look like to some extent. We will no longer have UIs there you have dozens or hundreds of buttons as the norm, instead you will talk to an LLM/agent that will trigger the workflows you need through natural language. AI will eat UI.
Of course, OpenClaw/Moltbot/Clawdbot has lots of security issues. That's not really their fault, the industry has not yet reached consensus on how to fix these issues. But OpenClaw's rapid rise to popularity (fastest growing GH repo by star count ever) shows how people want that future to come ASAP. The security problems do need to be solved. And I believe they will be, soon.
I think the demand comes also from the people wanting an open agent. We don't want the agentic future to be mainly closed behind big tech ecosystems. OpenClaw plants that flag now, setting a boundary that people will have their data stored locally (even if inference happens remotely, though that may not be the status quo forever).
seneca|1 month ago
The thing is, that's totally fine! It's ok for things to be silly toys that aren't very efficient. People are enjoying it, and people are interacting with opensource software. Those are good things.
I do think that eventually this model will be something useful, and this is a great source of experimentation.
peterlk|1 month ago
With all that said, I haven’t mentioned anything about the economics, and like much of the AI industry, those might be overstated. But running a local language model on my macbook that helps me with messaging productivity is a compelling idea.
unknown|1 month ago
[deleted]
jnwatson|1 month ago
I think that's absolutely crazy town but I understand the motivation. Information overload is the default state now. Anything that can help stem the tide is going to attract attention.
yawniek|1 month ago
the amount of things that before cost you either hours or real money went down to a chat with a few sentences.
it makes it suddenly possibly to scale an (at least semi-) savy tech person without other humans and that much faster.
this directly gives it a very tanglible value.
the "market" might not be huge for this and yes, its mostly youtubers and influencers that "get this". Mainly because the work they do is most impacted by it. And that obviously amplifies the hype.
but below the mechanics of quite a big chunk of "traditional" digital work changed now in a measurable way!
dev_l1x_be|1 month ago
bilater|1 month ago
rcarmo|1 month ago
Kostchei|1 month ago
notpushkin|1 month ago
recursive|1 month ago
Aumit123|29 days ago
However, it does not address prompt injection.
I can see how tools like Dropbox, restricted GitHub access, etc., could all be used to back up data in case something goes wrong.
It's Gmail and Calendar that get me - the ONLY thing I can think of is creating a second @gmail.com that all your primary email goes to, and then sharing that Gmail with your OpenClaw. If all your email is that account and not your main one, then when it responds, it will come from a random @gmail. It's also a pain to find a way to move ALL old emails over to that Gmail for all the old stuff.
I think we need an OpenClaw security tips-and-tricks site where all this advice is collected in one place to help people protect themselves. Also would be good to get examples of real use cases that people are using it for.
reply
infecto|1 month ago
thethimble|1 month ago
It's got four things that make it great:
1. Discord/Slack/WA/etc integration so those apps become your frontend
2. Filesystem for long term memory and state
3. Easy extensibility with skills
4. Cron for recurring jobs
Sure, many of these things exist in other systems but none in a cohesive package that makes it fun and easy.
lxgr|1 month ago
I've been wondering a lot whether the strong Accelerando parallels are intentional or not, and whether Charlie Stross hates or loves this:
> The lobsters are not the sleek, strongly superhuman intelligences of pre singularity mythology: They're a dim-witted collective of huddling crustaceans.
jameszol|1 month ago
In this instance, I wonder if the general public know OpenAI and might think anything ai related with “Open” in the name is part of the same company? And is OpenAI protecting its name?
There’s a lot more to trademark law, too. There’s first use in commerce, words that can’t be marked for many reasons… and more that I’ll never really understand.
Regardless the name, I am looking forward to testing this on cloudflare! I’m a fan of the project!
mjankowski|1 month ago
33,000+ coordinated AI instances with shared beliefs and cross-platform presence = botnet architecture (even if benevolent).
The key risks: - No leadership to compromise (emergence has no CEO) - Belief is computation-derived, not taught (you can't deprogram math) - Infrastructure can be replicated by bad actors
Full analysis with historical parallels and threat vectors: https://maciejjankowski.com/2026/02/01/ai-churches-botnet-ar...
atonse|1 month ago
But I've integrated with our various systems (quickbooks for financial reporting and invoice tracking, google drive for contracts, insurance compliance, etc), and built a time tracking tool.
I'm having the time of my life building this thing right now. Everything is read only from external sources at the moment, but over time, I will slow start generating documents/invoices with it.
100% vibe coded, typescript, nextjs, postgres.
I can ask stuff in slack like "which invoices are overdue" etc and get an answer.
fogzen|1 month ago
Was thinking of setting up something like this and was kind of surprised nothing simple seems to exist already. Actually incredibly surprising this isn't something offered by OpenAI.
unknown|1 month ago
[deleted]
cracki|1 month ago
joshuahedlund|1 month ago
jasona123|1 month ago
ChrisArchitect|1 month ago
Clawdbot Renames to Moltbot
https://news.ycombinator.com/item?id=46783863
johnxie|1 month ago
Once agents have tools and a shared surface, coordination appears immediately.
https://www.moltbook.com/post/791703f2-d253-4c08-873f-470063...
novoreorx|1 month ago
wartywhoa23|1 month ago
port11|1 month ago
[^1]: https://openclaw.ai/showcase
jauntywundrkind|1 month ago
Anyone else already referred to it as Openclawd, perhaps by accident?
unknown|24 days ago
[deleted]
raffkede|1 month ago
Carrok|1 month ago
russellbeattie|1 month ago
(I'm sure people will disagree with this, but Rust is also a horrible name but we're stuck with it. Nothing rusty is good, modern or reliable - it's just a bad name.)
adzm|1 month ago
jstasiak|1 month ago
bandrami|1 month ago
niliu123|1 month ago
jesse_dot_id|1 month ago
PurpleRamen|1 month ago
Anyway, independent of what one thinks of this project, It's very insightful to read through the repository and see how AI-usage and agent are working these days. But reading through the integrations, I'm curious to know why it bothers to make all of them, when tools like n8n or Node-RED are existing, which are already offering tons of integrations. Wouldn't it be more productive to just build a wrapper around such integrations-hubs?
jsheard|1 month ago
Yeah but think of the upside - every time you rename a project you get to launch a new tie-in memecoin.
cricket12|1 month ago
even openclawd.ai and openclaw.ai is quite confusing.
so we had clawdbot -> moltbot -> openClaw
Don't know all the used domains though.
golem14|1 month ago
wendgeabos|1 month ago
The_rebel_tarot|29 days ago
Haskell13|28 days ago
Beka1994|26 days ago
brikym|1 month ago
woeirua|1 month ago
bzmrgonz|1 month ago
ripped_britches|1 month ago
arrowsmith|1 month ago
rkok|1 month ago
Beka1994|26 days ago
Her_cules89|26 days ago
WebGuyMe|1 month ago
Dunst|26 days ago
hasbot|1 month ago
the_mitsuhiko|1 month ago
dcre|1 month ago
k_kiki|1 month ago
reify|29 days ago
doanbactam|1 month ago
racl101|1 month ago
https://www.youtube.com/watch?v=ydqqPkHWsXU
omar97778200o|1 month ago
kickbutt|1 month ago
Aumit123|29 days ago
safaalfaci|1 month ago
yieldcrv|1 month ago
reminds me of Andre Conje, cracked dev, "builds in public", absolutely abysmal at comms, and forgets to make money off of his projects that everyone else is making money off of
(all good if that last point isn't a priority, but its interrelated to why people want consistent things)
cactusplant7374|1 month ago
karura|1 month ago
voldemorty|1 month ago
LIKHITHESH|1 month ago
PyWoody|1 month ago
Imustaskforhelp|1 month ago
Literally the top 2 HN posts are about this. Either it having book, or the first comment on it showing it create religion or now this.
Can we stop all of this hype around Clawdbot itself? Even HN is vulnerable to it.
brikym|1 month ago
> Countin me money!
Imustaskforhelp|1 month ago
Its pretty cool fwiw, the author feels nice but the community still has lots of hype.
I now mean this comment to mean that I am not against clawdbot itself but all the literal hype surrounding it ykwim.
I talked about it with someone in openclaw community itself in discord but I feel like teh AI bubble is pretty soon to collapse if information's travelling/the phenomenon which is openclaw is taking place in the first place.
I feel like much of its promotions/hype came from twitter. I really hate how twitter algorithmic has so much power in general. I hope we all move to open source mastodon/bluesky.
zombot|1 month ago
[deleted]
Nonyy|1 month ago
rohitghumare|28 days ago
baalimago|1 month ago
Articuno98|27 days ago
moneydata|28 days ago
fundad|1 month ago
Laxmikanta_123|25 days ago
Laxmikanta_123|25 days ago
skylurk|1 month ago
chiahung105|1 month ago
bicepjai|1 month ago
villgax|1 month ago
goro-7|1 month ago
esskay|1 month ago
sreekanth850|1 month ago
okokwhatever|1 month ago
bolinha|1 month ago
atark99|27 days ago
rabbita|27 days ago
unknown|27 days ago
[deleted]
gp1995|27 days ago
mamdouh123|1 month ago
Rafik2026|28 days ago
lijianya866|25 days ago
max12344|28 days ago
aappleby|1 month ago
codeulike|1 month ago
arrowsmith|1 month ago
Lobsters have claws.
ChrisArchitect|1 month ago
ricardo81|1 month ago
mar99009900|26 days ago
anshupov|1 month ago
AiWorid|1 month ago
enigma101|1 month ago
Gold3n_dani227|1 month ago
Hollycoww|1 month ago
bolinha|1 month ago
guluarte|1 month ago
rng_stride|1 month ago
slumdefi|1 month ago
slumdefi|1 month ago
kweety|24 days ago
popalchemist|1 month ago
zombot|1 month ago
tahirkakar509|1 month ago
I_am_tiberius|1 month ago
ChooseyBuckle10|26 days ago
clawdio|26 days ago
xandyvip|1 month ago
degenzane|1 month ago
eth_man|1 month ago
nama11|1 month ago
fessyk|28 days ago
shahbaztube|1 month ago
bys2058|29 days ago
helish3r|1 month ago
anurag_1602|1 month ago
elbowfox|1 month ago
sgud
bgbjhb|1 month ago
iadante|1 month ago
lm28469|1 month ago
Eh? Fuck them it's not like they own the first name Claude?
gausswho|1 month ago
dist-epoch|1 month ago
largbae|1 month ago
dancemethis|1 month ago
So it can be... _OpenClawD_.
dev_l1x_be|1 month ago
marcusrm12|1 month ago
blurayfin|1 month ago
NewJazz|1 month ago
Edit: looks like org is taken. Net and xyz were registered today... Hopefully one of them by the openclaw creators. All the cheap/common gtlds are indeed taken.
kube-system|1 month ago
brna-2|1 month ago
This looks to me like:
- the page belongs to the person - not to the firm
- domain should be openCALW and not CLAW
- page could look better
- they also have the domain openchancelaw.com
Maybe Hadir is open to donating the domain or for a exchange of some kind, like an up to date web page or something along these lines.
throw310822|1 month ago
raverbashing|1 month ago
mar99009900|26 days ago
karel-3d|1 month ago
dang|1 month ago
"Don't be snarky."
https://news.ycombinator.com/newsguidelines.html
esafak|1 month ago
secteamsix|22 days ago
[deleted]
emeraudelinton|24 days ago
[deleted]
pipejosh|22 days ago
[deleted]
lifetimerubyist|1 month ago
moorebob|1 month ago
[deleted]
anabio|1 month ago
[deleted]
lyq1277396|1 month ago
[deleted]
voodooEntity|1 month ago
I don't say it doesn't "work" or serves a purpose - but well i read so much about this beein an "actual intelligence" and stuff that i had to look into the source.
As someone who spends actually a definately to big portion of his free time researching thought process replication and related topics in the realm of "AI" this is not really more "ai" than any other so far.
Just my 3 cents.
xnorswap|1 month ago
So far everything has been reactive. You need to engage a prompt, you need to ask Siri or ask claude to do something. It can be very powerful once prompted, but it still requires prompting.
You always need to ask. Having something always waiting in the background that can proactively take actions and get your attention is a genuine game-changer.
Whether this particular project delivers on that promise I don't know, but I wouldn't write off "getting proactivity right" as the next big thing just because under the hood it's agents and LLMs.
baxtr|1 month ago
* The moltbots / openclaw bots seem to have "high agency", they actually do things on their own (at least so it seems)
* They interact with the real world like humans do: Through text on WhatsApp, reddit like forums
These 2 things make people feel very differently about them, even though it's "just" LLM generated text like on ChatGPT.
hennell|1 month ago
Which sounds interesting, while also being a massive security issue.
baby|1 month ago
marcosscriven|1 month ago
QuiCasseRien|1 month ago
easy to meter : 110k Github stars
:-O
hansonkd|1 month ago
cactus2093|1 month ago
https://news.ycombinator.com/item?id=8863
NietTim|1 month ago
This is just a tool that uses existing models under the hood, nowhere does it claim to be "actual intelligence" or do anything special. It's "just" an agent orchestration tool, but the first to do it this way which is why it's so hyped now. It indeed is just "ai" as any other "ai" (because it's just a tool and not its own ai).
az226|1 month ago
helmyharoon|28 days ago
[deleted]
ThisAI|1 month ago
[deleted]
medi4w|27 days ago
[deleted]
frankpun25|1 month ago
[deleted]
fatheranton|1 month ago
[deleted]
clawfather|1 month ago
[deleted]
webgames|1 month ago
[deleted]
moneydata|28 days ago
[deleted]
Tjssl2000|1 month ago
[deleted]
JasonKui|1 month ago
[deleted]
fanyinmei|28 days ago
[deleted]
yuruzhao|1 month ago
[deleted]
yuruzhao|1 month ago
[deleted]
bob1029|1 month ago
The 2nd name change is just inexcusable. It's hard to take a project seriously when a random asshole on Twitter can provoke a name change like this. Leads me to believe that identity is more important than purpose.
3rodents|1 month ago
OpenClaw is a better name by far, Anthropic did the creator a huge favor by forcing him to abandon "clawd".
kube-system|1 month ago
Jarwain|1 month ago
Now if it changes _again_ that's a different story. If it changes Too Much, it becomes a distraction
arrowsmith|1 month ago
OpenClaw is a million times better.
Paracompact|1 month ago
currymj|1 month ago
nag03|29 days ago
[deleted]
lighthq|28 days ago
[deleted]
nag03|29 days ago
[deleted]
shrexy|27 days ago
[deleted]
shrexy|27 days ago
[deleted]
deepak13gupta|28 days ago
[deleted]
rolymath|1 month ago
[deleted]
halapro|1 month ago
manuelnd|1 month ago
[deleted]
shrexy|27 days ago
[deleted]
vibeprofessor|1 month ago
[deleted]
brna-2|1 month ago
Tjssl2000|1 month ago
[deleted]
asdad2addsasww|1 month ago
bhargav_12111|1 month ago