AI assistant Moltbot is going viral - but is it safe to use?



ZDNET's key takeaways

  • Moltbot has been garnering lots of attention in the AI space.
  • The tool's developer describes it as "the AI that actually does things."
  • It's best to run Moltbot in a silo, such as on a dedicated 2024 M4 Mac Mini.

One of the biggest ongoing challenges AI developers face is building agents that have tangible, practical, and broad-scale utility. Many agents might perform well in narrow domains, such as managing email or debugging code. However, the reality of an AI system that can be trusted to handle a wide range of tasks autonomously remains a distant dream. Meanwhile, persistent problems with hallucinations and security have limited the adoption of agents among businesses.

That's what makes the sudden, viral popularity of Moltbot -- billed by its maker as "the AI that actually does things" -- so significant.

Moltbot is promoted as an AI assistant that can manage virtually every aspect of your digital life -- sending emails, managing your Google Calendar, opening an airline's app to check you into an upcoming flight, and so on. But like any other AI assistant that requires access to your personal accounts, it also comes with security risks.

How does it work?

Built by Austrian developer Peter Steinberger, Moltbot is an open-source AI assistant that runs on individual computers (rather than the cloud), and interacts with users via chats on a litany of apps, including iMessage, WhatsApp, Telegram, Discord, Slack, and Signal. 

Crucially, Moltbot can also monitor users' calendars and other accounts to proactively send alerts, which could provide an important evolution in how AI systems are woven into our daily lives. Meta is also reportedly experimenting with chatbots that take the initiative by sending the first message to users, but this is clearly born more of the logic of engagement than utility.

Rather than use its own large language model, Moltbot is powered by models from Anthropic and OpenAI. The assistant's original name, Clawdbot, was a direct nod to Anthropic's Claude chatbot, but Steinberger changed its name after receiving a legal challenge from the company. (The new name suggests regrowth, as lobsters molt their shells just as snakes molt their skin.)

The core appeal of Moltbot is that it links the conversational power of Claude and ChatGPT with the power to take concrete action within a user's computer.

Early feedback

Not long after its release, Moltbot began making serious waves in the AI community. As of Wednesday afternoon, it already had 86,000 stars on GitHub, making it one of the fastest-growing projects ever on the website. (Clawdbot was released on GitHub in late 2024, but the assistant's viral explosion occurred in the past few days.)

"Using @moltbot for a week now and it genuinely feels like early AGI," one user posted on X on January 07. "The gap between 'what I can imagine' and 'what actually works' has never been smaller."

Two weeks later, another user wrote that Moltbot felt like a major paradigm shift for consumer-facing AI. "When you experience @moltbot it gives the same kick as when we first saw the power of ChatGPT, DeepSeek, and Claude Code. You realize that a fundamental shift is happening [in] how we use AI."

The importance of siloing

Breathless early praise should not be taken as a guarantee of safety, though. On the contrary, you should proceed with extreme caution if you decide to dabble with Moltbot, since it basically requires handing over the keys to your accounts.

That issue creates a core tension for AI agents generally: the more autonomy they have, the greater their vulnerability to prompt injection and other cyberattacks. In the case of Moltbot, the system's ability to connect to a long list of messaging apps, such as WhatsApp, means that bad actors have more potential pathways for entry.

Many people have been skirting Moltbot's security risks by siloing it, particularly users of the 5x5-inch 2024 M4 Mac Mini (currently on sale at Amazon for $499). Moltbot runs quietly in the background, using a negligible amount of power: perfect for an always-on AI assistant. And even better, this approach means you don't need to launch Moltbot on your personal or work computer, where all your passwords and other digital credentials are stored.
