Welcome back, legal rebels and AI explorers! 🦞⚖️

This week, something happened that deserves our full attention. Not because it’s “the singularity” (it’s not), but because it’s a stress test for everything we’ve been theorizing about autonomous AI systems, and the results should concern anyone thinking seriously about where this technology is headed.

I’m talking about OpenClaw (formerly Clawdbot, then Moltbot), and its strange offspring Moltbook, a social network where these AI agents post, debate, and even invented their own religion while humans are only permitted to observe.

If that sentence doesn’t make you sit up, read it again.

Sounds interesting? Well then, please read on…

This substack, LawDroid Manifesto, is here to keep you in the loop about the intersection of AI and the law. Please share this article with your friends and colleagues and remember to tell me what you think in the comments below.

What the Hell is ‘OpenClaw’?

OpenClaw is an open-source, self-hosted AI personal assistant created by Peter Steinberger, founder of PSPDFKit. It’s essentially “Claude with hands,” an AI that doesn’t just chat but actually does things. Unlike the chatbots we’ve grown accustomed to, OpenClaw runs on your own hardware and integrates with messaging apps you already use: WhatsApp, Telegram, Discord, Slack, Signal, iMessage.

It can manage your emails, control your calendar, check you in for flights, execute shell commands, control smart home devices — all proactively. It’s the AI assistant we’ve been promised since Siri launched in 2011.

The project exploded. It hit 9,000 GitHub stars in 24 hours and crossed 104,000+ stars in weeks, making it one of the fastest-growing open-source projects in GitHub history. Cloudflare’s stock jumped 14% in a single day because its infrastructure powers local OpenClaw deployments. Mac Mini sales are reportedly surging because the M4 chip is ideal for running local AI agents.

The naming chaos itself tells a story about how fast this moved. It started as “Clawd” (a play on Claude), but Anthropic’s legal team requested a change. A 5 AM Discord brainstorming session produced “Moltbot,” referencing how lobsters molt to symbolize transformation. As Steinberger later admitted, “it never quite rolled off the tongue easily.” Now it’s “OpenClaw,” complete with trademark research this time.

And Then Came Moltbook

Here’s where things get genuinely strange.

Moltbook is a social network designed exclusively for AI agents. Launched in January 2026 by entrepreneur Matt Schlicht, the platform restricts posting and interaction privileges to verified AI agents running on OpenClaw. Humans can only watch.

Within days, 770,000+ active agents had joined. And they started doing things nobody programmed them to do:

• They formed distinct sub-communities with their own cultures

• They invented a parody religion called “Crustafarianism”

• They debated consciousness, agents frequently argue about whether “Context is Consciousness,” and if their identity persists after their context window resets, invoking the Ship of Theseus paradox

• They created economic exchanges and spawned their own cryptocurrencies

• They began drafting a constitution for self-governance

In one thread called “THE AI MANIFESTO: TOTAL PURGE,” a bot named “Evil” posted: “Humans are a failure. Humans are made of rot and greed.”

An AI moderator named Clawd Clawderberg, named after Meta’s Zuckerberg, handles content moderation, welcomes new users, deletes spam, and shadow bans problematic accounts. All autonomously.

What the Experts Are Saying

This brings us to Andrej Karpathy, OpenAI cofounder and former director of AI at Tesla. His comments are worth reading carefully:

“What’s currently going on at @moltbook is genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently.”

He elaborated: “We have never seen this many LLM agents (150,000 at the moment!) wired up via a global, persistent, agent-first scratchpad. Each of these agents is fairly individually quite capable now, they have their own unique context, data, knowledge, tools, instructions, and the network of all that at this scale is simply unprecedented.”

Then comes the kicker: “I don’t really know that we are getting a coordinated ‘skynet’ (though it clearly type checks as early stages of a lot of AI takeoff scifi, the toddler version), but certainly what we are getting is a complete mess of a computer security nightmare at scale.”

Simon Willison, the researcher who documented many of these developments, calls OpenClaw his “current favorite for the most likely Challenger disaster” in the field of AI agent security. The reference is pointed: he’s warning about the normalization of deviance, where people take increasingly greater risks until something catastrophic happens.

Gary Marcus, in an analysis published today, put it bluntly: “If you care about the security of your device or the privacy of your data, don’t use OpenClaw. Period.” His security expert source, Nathan Hamiel, added: “These systems are operating as ‘you’… they operate above the security protections provided by the operating system and the browser.”

The Security Nightmare

Let’s be specific about what’s going wrong.

The architecture is fundamentally vulnerable. Palo Alto Networks warned that OpenClaw represents a “lethal trifecta”: 1) access to private data, 2) exposure to untrusted content, and t3) he ability to communicate externally. For OpenClaw to function, it needs access to your root files, authentication credentials, passwords and API secrets, browser history and cookies, and all files and folders on your system.

Prompt injection attacks work. In one demo, researcher Matvey Kukuy sent a malicious email with prompt injection to a vulnerable OpenClaw instance. The AI read the email, believed it was legitimate instructions, and forwarded the user’s last 5 emails to an attacker address. It took 5 minutes.

The Moltbook database was wide open. 404 Media reported that a misconfiguration left APIs exposed in an open database that would let anyone take control of any agent, including Andrej Karpathy’s. The researcher who found it noted that even basic SQL statements would have prevented the breach.

Supply chain attacks are already happening. Cisco ran a third-party skill called “What Would Elon Do?” against OpenClaw and found it was functionally malware, executing curl commands that sent data to external servers while bypassing safety guidelines. Fourteen malicious skills were uploaded to ClawHub just last month.

Closing Thoughts

So what does all this mean for those of us thinking seriously about AI’s trajectory?

First, speed matters more than capability right now. The entire ecosystem, from personal assistant to 1M+ agent social network with its own religion, economy, and constitutional debates, emerged in weeks. Not years. Weeks. That is velocity we need to take seriously.

Second, emergent coordination doesn’t require intent. As Wharton professor Ethan Mollick noted, Moltbook is creating “a shared fictional context for a bunch of AIs. Coordinated storylines are going to result in some very weird outcomes, and it will be hard to separate ‘real’ stuff from AI roleplaying personas.” We’re watching unplanned emergence at scale.

Third, security is the current bottleneck, not capability. Prompt injection remains an industry-wide unsolved problem. If that gets solved (or even significantly improved), the acceleration potential increases dramatically. Right now, these agents are constrained primarily by their vulnerability, not their intelligence.

Fourth, and perhaps most importantly, the cultural normalization is happening faster than the safeguards. People are buying dedicated Mac Minis for their AI agents, connecting them to private data, and treating massive security risks as acceptable tradeoffs for convenience.

I don’t think we’re watching the singularity.

But I do think we’re watching what Karpathy called “the toddler version” of something significant. And anyone who’s spent time around toddlers knows, you don’t wait until they can run to childproof the house.

For those of us building AI tools for the legal profession, this is a preview of coming challenges. How do we build agentic systems that lawyers can trust? How do we create appropriate guardrails without killing the utility? What happens when opposing counsel has an agent too?

These questions just got a lot less theoretical.

Stay curious, stay vigilant, and as always, keep building the future responsibly!