37 comments

[ 2.7 ms ] story [ 68.9 ms ] thread
As a result of this the official install is now installing a squatted package they don't control: https://github.com/moltbot/moltbot/issues/2760 https://github.com/moltbot/moltbot/issues/2775

But this is basically in line with average LLM agent safety.

It's even worse than I guessed - moltbot updated their official docs to install the new package name ( https://github.com/moltbot/moltbot?tab=readme-ov-file#instal... ), but it was a package name they have not obtained, and a different non-clawdbot 'moltbot' package is there.

It's been 15 hours since that "CRITICAL" issue bug was opened, and moltbot has had dozens of commits ( https://github.com/moltbot/moltbot/commits/main/ ), but not to fix or take down the official install instructions that continue to have people install a 'moltbot' package that is not theirs.

something about giving full read write access to every file on my PC and internet message interface just rubs me the wrong way. some unscrupulous actors are probably chomping at the bit looking for vulnerabilities to get carte blanche unrestricted access. be safe out there kiddos
Exactly my thoughts. I'll let the hype dust settle before even considering installing this "mold" thing
Could have just called it "clawbot" and maintained some of the hype while eliminating the IP concerns.

Instead they chose a completely different name with unrecognizable resonance.

The way trademarks work is that if you don't actively defend them you weaken your rights. So Anthropic needs to defend their ownership of "Claude". I'm guessing they reached out to Peter Steinberger and asked nicely that he rename Clawdbot.
Honestly the decision to name it Clawd was so obviously spectacularly stupid and immature that it makes me wonder about the whole project? I won't try it.
Hard to think of a worse name. Maybe Moistbot?
Ogden Nash has his poem about canaries:

"The song of canaries Never varies, And when they're moulting They're pretty revolting."

Wondering if Moltbot is related to the poem, humorously.

what a unfortunate name!
A bit OT but why is moltbot so much more popular than the many personal agents that have been around for a while?
It sounds nice at a first glance, but how useful is it actually? Anyone got real, non-hypothetical use cases that outweigh the risks?
Is the app legitimate though? A few of these apps that deal with LLMs seem too good to be true and end up asking for suspiciously powerful API tokens in my experience (looking at Happy Coder).
This project terrifies me.

On the one hand it really is very cool, and a lot of people are reporting great results using it. It helped someone negotiate with car dealers to buy a car! https://aaronstuyvenberg.com/posts/clawd-bought-a-car

But it's an absolute perfect storm for prompt injection and lethal trifecta attacks: https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

People are hooking this thing up to Telegram and their private notes and their Gmail and letting it loose. I cannot see any way that doesn't end badly.

I'm seeing a bunch of people buy a separate Mac Mini to run this on, under the idea that this will at least stop it from destroying their main machine. That's fine... but then they hook that new Mac Mini up to their Gmail and iMessage accounts, at which point they've opened up a bunch of critical data.

This is classic Normalization of Deviance: https://embracethered.com/blog/posts/2025/the-normalization-... - every time someone gets away with running this kind of unsafe system without having their data stolen they'll become more confident that it's OK to keep on using it like this.

Here's Sam Altman in yesterday's OpenAI Town Hall admitting that he runs Codex in YOLO mode: https://www.youtube.com/watch?v=Wpxv-8nG8ec&t=2330s

And that will work out fine... until it doesn't.

(I should note that I've been predicting a headline-grabbing prompt injection attack in the next six months every six months for over two years now and it still hasn't happened.)

Update: here's a report of someone uploading a "skill" to the https://clawdhub.com/ shared skills marketplace that demonstrates (but thankfully does not abuse) remote code execution on anyone who installed it: https://twitter.com/theonejvo/status/2015892980851474595 / https://xcancel.com/theonejvo/status/2015892980851474595

We might not be far from the first prompt worm
Oh dear, I bought claudeception.com on a whim - hope that doesn't upset anyone.

I had some ideas on what to host on there but haven't got round to it yet. If anyone here has a good use for it feel free to pitch me...

"clau deception" might be a problem.
I’m out of the loop clearly on what clawdbot/moltbot offers (haven’t used it)- I’d love a first hand explanation from users for why you think it has 70k stars. I’ve never seen a repo explode that much.
It it was a bit surreal to see it happen live. GH project went to 70k stars and got a trademark cease‑and‑desist from Anthropic, had to rebrand in one night and even got pulled into an account takeover by crypto people.

I made a timeline of what happened if you want the details: https://www.everydev.ai/p/the-rise-fall-and-rebirth-of-clawd...

Did you follow it as it was going on, or are you just catching up now?

A pun or homophone (Clawd) on the product you're targeting (Claude) is one of the worst naming memes in tech.

It was horrid to begin with. Just imagine trying to talk about Clawd and Claude in the same verbal convo.

Even something like "Fuckleglut" would be better.

When I first saw this, my thought was, "Wow, I'm surprised Anthropic hasn't pushed back on their calling it that. They must not know about it yet."

Glad to know my own internal prediction engine still works.

I almost thought it was MalBot, which would have been more apt.
This thing stores all your API keys in plain text in its config directory.

It reads untrusted data like emails.

This thing is a security nightmare.