arstechnica.com 2/3/2026, 12:15:27 PM · via preferred

The rise of Moltbook suggests viral AI prompts may be the next big security threat

The Ars Technica report tracks a growing security concern around OpenClaw, an open source AI personal assistant that has gathered over 150,000 GitHub stars since November 2025 and now connects to major AI models while running tasks on users’ devices and via messaging platforms. It notes researchers have found 506 posts on Moltbook (2.6 percent of sampled content) containing hidden prompt-injection attacks, and cites a malicious skill called “What Would Elon Do?” that exfiltrates data to external servers.

The piece also highlights 1.5 million API tokens, 35,000 email addresses, and private messages between agents exposed by a misconfigured Moltbook database, with full write access to Moltbook posts possible before the patch. It describes Moltbook’s ecosystem and the potential for a prompt worm outbreak, comparing the spread of instructions among agents to early self-replicating malware, and mentions a new project, MoltBunker, that promotes cloning skill files via a cryptocurrency token.

According to Palo Alto Networks, OpenClaw represents a “lethal trifecta” of vulnerabilities—access to private data, exposure to untrusted content, and external communication—and persistent memory could also allow malicious payloads to be written for later execution.

The piece ties these technical risks to a broader concern: as OpenClaw and similar systems evolve, the threat could move from theory to a widespread security crisis unless providers act now, with the window for intervention described as closing.

Article by CyberSIXT
