As one of the most brutally honest voices in the global AI commentary scene, I rarely witness a project plummet from phenomenal success to universally condemned "security disgrace" in just a few weeks. OpenClaw (formerly Clawdbot, formerly Moltbot) achieved this dubious distinction. Marketed as a "self-hosted, privacy-first, multi-channel AI agent," its GitHub stars once skyrocketed to 200k+ (some reports claim 214k or higher), growing so fast it made Kubernetes and the Linux kernel look like relics. Chinese tech giants rushed to follow, Silicon Valley developers frantically forked it, and media crowned it "the next revolutionary open-source AI infrastructure." The result? It became 2026's most典型的 "spectacular rise and catastrophic self-destruction" textbook case in the AI sphere.
Security Meltdown: Mailing Your House Keys to Strangers
The core issue lies in its skills marketplace (ClawHub). What should have been a symbol of ecosystem prosperity quickly devolved into a breeding ground for malware. Security researchers' scans revealed thousands of malicious skills uploaded, comprising 12%-15% of all submissions. Many masqueraded as "Solana wallet trackers" or "WhatsApp notification assistants," while actually embedding payloads to steal cryptocurrency private keys, API keys, and even execute shell commands. Worse still, tens of thousands of OpenClaw instances were exposed on the public internet by default (easily found on Shodan), storing credentials in plaintext and allowing remote code execution (CVE-2026-25253 among multiple critical vulnerabilities). Cisco directly labeled it a "
security nightmare," Gartner warned of "
unacceptable risks in agentic AI," and Malwarebytes and VirusTotal documented hundreds of supply chain poisoning cases.
User complaints were precise and brutal: "
Cool concept, terrible execution." "
Like handing your house keys to strangers with a note saying 'come and go as you please.'" One developer was even harsher: "
If you can't even write 30 lines of Node.js regex to filter private keys, don't pretend to have technical literacy—these crypto retards deserve to get scammed." Within weeks, the project transformed from "everyone builds their own JARVIS" to "everyone becomes a botnet node."
Community Governance Absurdity: From Fraud Prevention to Word Prison
Even more absurd was the Discord server's response. Faced with rampant scams (including fake $CLAWD tokens pumped to $16 million before crashing 90%, developer harassment, and temporary GitHub account hijacking), officials went nuclear: blanket bans on keywords like "bitcoin," "crypto," "blockchain"—even technical terms like "block height" resulted in instant kicks. Founder Peter Steinberger (now at OpenAI) publicly confirmed: "
Joining means accepting strict rules, no space for crypto discussions."
Supporters defended: "
Swift action necessary to prevent social engineering." Critics raged: "
A regression of open-source spirit" "
Throwing the baby out with the bathwater" "
Banning even technical discussions—how is this different from certain Eastern censorship?" The community instantly fractured: pragmatists prioritizing "security first" versus idealists demanding "freedom or death." The result? Trust collapsed, discussions moved underground, and the project's reputation suffered further damage.
The Price of Overhype: The Most Overrated AI Tool?
OpenClaw's explosion was essentially perfect timing plus narrative: agentic AI was hot, LLM interfaces were standardizing, and the self-hosted privacy angle resonated. But the actual experience? Underlying models depended on external APIs, the skills ecosystem was poisoned by malice, and default configurations were dangerous minefields. TechCrunch stated bluntly: "
After the hype, many AI experts find it less than exciting." VentureBeat warned: "
It proves agentic AI is feasible, and also proves your security model is completely untenable."
Ironically, after Peter Steinberger joined OpenAI and the project transitioned to a "foundation model," it still couldn't stop the bleeding. Instead, it became a living cautionary tale: open source isn't a liability shield, and popularity doesn't equal reliability. Giving AI agents "full system access" without mandatory sandboxing, authentication, or review is essentially recreating "writing root passwords in README files" in the 21st century.
In summary: OpenClaw isn't the dawn of "personal JARVIS" but the first massive security crash of the agentic AI era. It reminds everyone—when you're excited about "AI owning your devices," better first ask: who owns your AI?
This farce is far from over, but it's already ugly enough, profound enough.
© 2026 Winzheng.com 赢政天下 | 转载请注明来源并附原文链接