Moltbot (formerly Clawdbot) exploded almost overnight. This open-source AI agent promises full autonomy: managing email, calendars, files, APIs, and even running shell commands, often controlled through WhatsApp or Telegram. Tens of thousands of GitHub stars later, itโs being pitched as the next leap in โhands-off productivity.โ
But hereโs the short, uncomfortable reality ๐
This isnโt just a Moltbot problem. Itโs an agentic AI problem.
- Every input becomes an attack vector.Emails, calendar invites, documents, chatsโanything the agent can read is effectively a prompt. You donโt need access to the agent to influence its behavior.
- Real access, minimal guardrails.File read/write, command execution, API tokens, posting privileges. One malicious or injected task can lead to data exfiltration, account abuse, or worse.
- Attribution breaks completely.If something goes wrong, was it you, the agent, a bug, or a poisoned skill? From a legal, compliance, or incident-response standpoint, thatโs a mess.
- Costs can spiral silently. One bad loop = millions of tokens burned. Agentic systems donโt have natural spending ceilings unless you enforce them.
- Open source โ safe by default.Most deployments lack isolation, audits, monitoring, or proper OPSEC. Production-level access operated with hobby-level security.
Bottom line:
AI agents arenโt assistants yet. Theyโre junior operators with broad access and zero common sense.
Until we have proper sandboxing, per-action authorization, hard spend caps, and verifiable audit trails, running tools like this on personal or business systems is closer to live-fire testing than productivity.
So where do you draw the line?
Read-only agents? Local-only? Or full autonomy?