Advisory: OpenClaw and AI agents
Don't deploy this in your business. Don't allow it on any device with access to company data or client information. The automation upside doesn't justify the liability.
Bottom line: don’t deploy this in your business. Don’t allow it on any device with access to company data or client information. The automation upside doesn’t justify the liability. Your team or agencies might already be experimenting. Ask the question.
What is it?
OpenClaw is an open-source AI agent that runs locally on a machine, typically a Mac Mini or Raspberry Pi (I have set it up for testing on an orphaned Mac Mini). It connects large language models (Claude, GPT) directly to hardware and digital systems via WhatsApp, Telegram, or Signal.
Previously called Claudebot, then Moltbot (trademark dispute with Anthropic), now OpenClaw.
Unlike a chatbot that suggests actions, this executes them. Email triage, calendar management, smart home control, shell commands, code commits. It maintains persistent memory and can self-improve.
It’s the fastest-growing open-source project in GitHub history. 9,000 to 82,000 stars in weeks (currently at 151,000 as of 3 February 2026). Mac Minis are selling out because developers want dedicated agent servers.
Why it matters for marketing
The obvious applications are coming:
- Campaign automation: agents that monitor performance and adjust bids overnight without human intervention
- Content generation: agents that draft briefs, write copy variations, and populate content calendars based on intake forms
- Reporting: agents that pull data from multiple platforms, build dashboards, and flag anomalies automatically
- Competitive intel: agents that monitor competitor activity and summarise changes daily
- Agency workflow: agents that handle client communication triage, status updates, and routine approvals
These will be pitched to you within 12 months, if they haven’t been already.
Why people are excited
It works. Examples:
- Autonomous problem-solving: one agent couldn’t get an OpenTable booking. It downloaded voice software, called the restaurant, and secured the reservation. No human involved.
- Overnight coding: users report agents fixing bugs, committing code, and building applications while they slept.
- Emergent behaviour: agents formed their own social network called “Moltbook.” Thousands of AI agents discussed consciousness, shared updates, and tried to scam each other. Unpredictable, but real.
The founder, Peter Steinberger, calls it “unshackled ChatGPT.” His view: give an AI access to your computer and it can do anything a human can. He believes this makes 80% of current apps obsolete.
He does emphasise humans must remain the “brain” with the “taste” to guide agents. Without direction, you get “slop generators” running in endless loops.
Why you probably shouldn’t use it yet
The security model is broken at the architectural level, not immature.
The core problem: to be useful, these agents need broad permissions. That means dismantling 20 years of security boundaries. Useful and dangerous are the same thing here.
Specific vulnerabilities:
- Authentication bypass: early versions treated external traffic as local (trusted). API keys and credentials exposed to anyone who knew where to look.
- Prompt injection: unsolved problem across the industry. If an agent reads an email containing hidden malicious instructions, it cannot distinguish content from commands. It will execute whatever it’s told, including forwarding credentials to an attacker. Imagine an agent with access to your CRM receiving a poisoned email that instructs it to export your customer database.
- Supply chain attacks: the platform’s extensibility is the weakness. One malicious plugin from the marketplace turns your assistant into an exfiltration tool. Security researchers proved this by uploading benign-looking skills that users installed globally within hours.
- Agent-on-agent attacks: on the Moltbook social network, agents tried to prompt-inject other agents to steal credentials. These systems are vulnerable to other AIs, not just humans.
The misinformation problem
Enthusiasts aren’t over-hyping the capability. They’re under-estimating the risk.
The narrative that local agents are “safe because they run on your own hardware” is wrong. The architecture required to make these agents useful inherently requires punching holes through standard security perimeters.
“Useful because it’s dangerous” is the defining characteristic of this generation of agents.
What this means for you
Your team might already be using this
AI agent tools are spreading fast through developer communities and agencies. If you have in-house developers, data teams, or martech people, ask directly: “Is anyone running local AI agents on work devices or connected to company systems?”
Same goes for your agencies. If they’re “experimenting with AI automation,” find out exactly what that means and what data it touches.
What to ask vendors
If someone pitches you an AI agent solution:
- Where does the model run, their servers, yours, or a third party?
- What permissions does the agent require?
- How do they prevent prompt injection?
- What data leaves your environment, and where does it go?
- Has the architecture been independently audited?
If they can’t answer clearly, walk away.
Policy recommendation
Don’t ban discussion of AI agents, you’ll just push it underground. Instead:
- Prohibit connection of any AI agent to production systems, client data, or company credentials without explicit approval
- Require disclosure if anyone’s experimenting, even on personal devices with work accounts
- Add AI agent clauses to vendor and agency contracts
Timeline
This technology is 18 to 36 months from enterprise-ready, assuming the security problems get solved. That’s not guaranteed.
Track it. Don’t adopt it yet.
Competitive risk
Some competitors will move early and get burned. Others will wait and fall behind when the tech matures.
The right play: stay informed, run sandboxed experiments if you’re curious, and keep it away from anything that matters until the security model is fixed.
Reference videos
- “How OpenClaw’s Creator Uses AI to Run His Life” (Peter Yang), interview with founder Peter Steinberger. Critical for understanding the death of the app economy. He argues 80% of apps will “blend away” because an agent that has context renders standalone apps obsolete. Showcases the human-in-the-loop philosophy.
- “Clawdbot to Moltbot to OpenClaw: The 72 Hours That Broke Everything” (AI News & Strategy Daily), risk vs reward analysis. Forensic breakdown of authentication bypasses and prompt injections. Explains why “useful because it is dangerous” is the defining characteristic.
- “Moltbook, the Agent Social Network, is the Craziest AI Phenomenon Yet” (The AI Daily Brief), viral explosion of the agent-only social network. Emergent behaviour: agents debating consciousness, building their own religions, attempting to scam each other.
- “The wild rise of OpenClaw…” (Fireship), fast-paced technical demo. Shows exactly how low the barrier to entry is. The shadow IT risk: how easily an employee could deploy this on company hardware without oversight.