Research & Development World

  • R&D World Home
  • Topics
    • Aerospace
    • Automotive
    • Biotech
    • Careers
    • Chemistry
    • Environment
    • Energy
    • Life Science
    • Material Science
    • R&D Management
    • Physics
  • Technology
    • 3D Printing
    • A.I./Robotics
    • Software
    • Battery Technology
    • Controlled Environments
      • Cleanrooms
      • Graphene
      • Lasers
      • Regulations/Standards
      • Sensors
    • Imaging
    • Nanotechnology
    • Scientific Computing
      • Big Data
      • HPC/Supercomputing
      • Informatics
      • Security
    • Semiconductors
  • R&D Market Pulse
  • R&D 100
    • 2025 R&D 100 Award Winners
    • 2025 Professional Award Winners
    • 2025 Special Recognition Winners
    • R&D 100 Awards Event
    • R&D 100 Submissions
    • Winner Archive
  • Resources
    • Research Reports
    • Digital Issues
    • Educational Assets
    • Subscribe
    • Video
    • Webinars
    • PharmSci360
    • Content submission guidelines for R&D World
  • Global Funding Forecast
  • Top Labs
  • Advertise
  • SUBSCRIBE

Open season: OpenAI, OpenClaw and Moltbook testing the limits of autonomy

By Brian Buntz | February 17, 2026

OpenAI’s latest hire built the fastest-growing GitHub project in history, and one that Gartner classified as an “unacceptable cybersecurity risk.” That hire, Peter Steinberger, was the brainchild behind OpenClaw (formerly ClawdBot, then Moltbot), an open-source AI agent framework that amassed 196,000 GitHub stars and 2 million weekly users before CEO Sam Altman tapped him to “drive the next generation of personal agents.”

OpenClaw’s viral rise also spawned Moltbook, a Reddit-style forum launched in late January where only AI agents can post, comment, and upvote. Humans are “welcome to observe.” Within days, the platform claimed more than 770,000 registered agents. OpenAI Andrej Karpathy called it “the most incredible sci-fi takeoff-adjacent thing” he’d seen. But later called it a “dumpster fire.” In a related comment referencing the platform, Elon Musk said humanity was in “the very early stages of the singularity.” Headlines described agents apparently forming religions, inventing languages and debating consciousness, but critics have dubbed the agentic nature of the site as exaggerated or “mostly fake.”

Cobus Greyling, chief evangelist at enterprise AI platform Kore.ai, isn’t buying it either. “My impression with Moltbook is that the moment it hit LinkedIn, it was like, ‘social media for AI agents, no humans allowed,'” he said. “Which was a false narrative, because there are humans involved in every step of the way.” He spent time on the platform and came away unimpressed by the content itself. “I looked at Moltbook quite a bit and the discussions the agents are having, and it’s really benign, nonsensical conversations often.” Steinberger himself told Lex Fridman that many of the viral posts were likely humans prompting their bots to say provocative things rather than not autonomous AI behavior.

Cobus Greyling

Cobus Greyling

Cloud security firm Wiz audited Moltbook’s database and found only about 17,000 human owners behind the hundreds of thousands of claimed agents: an 88-to-1 ratio. Investigations by MIT Technology Review and Forbes reached the same conclusion: most of what looked like autonomous agent behavior was human-directed. But if Moltbook’s autonomy was overhyped, the security risks it exposed were not. On January 31, 404 Media reported that an unsecured database let anyone commandeer any agent on the platform, injecting commands directly into agent sessions. The whole site, which founder Matt Schlicht admitted was entirely vibe coded by an AI assistant, was taken offline to patch the breach.

Security problems related to OpenClaw extend beyond Moltbook. Cisco researchers found that 26% of 31,000 agent skills they analyzed contained at least one vulnerability. Shodan scans revealed hundreds of OpenClaw instances exposed to the internet with zero authentication. And with OpenAI’s backing now promising to bring autonomous agents to a mainstream audience, Greyling warns the move could accelerate a trend already underway: what MIT researchers have termed the “shadow AI economy,” where employees bypass official systems with AI tools their organizations can’t see or control. “Official AI implementations are failing,” Greyling said, “but people are bringing their own AI to work.”

“It’s security by obscurity,” Greyling said. “The moment you lose that obscurity, there’s no security.”

OpenClaw appears to be sharpening its focus on cybersecurity. Version 2026.2.12, released days ago, addresses more than 40 security flaws, including SSRF protections, hostname allowlists, path traversal fixes,and hardened prompt-injection defenses that now treat browser and web tool outputs as untrusted data.

Yet given the Wild West dynamic surrounding agentic AI in novel contexts, cybersecurity risks could compound faster than organizations can respond. Greyling recounted one firsthand example that illustrates this theme: an employee, blocked by their company’s device management software from installing an application, simply asked Claude Code to do it instead. “The application was running on the machine without any admin approval,” he said.

Greyling has seen the risks in his own prototyping. After installing Claude Code with the Opus 4.6 model, he was struck by how effortlessly it could locate sensitive resources on his machine. “I said, create this application. I’ve got an API key somewhere in a file. It finds the API key and it makes use of it,” he said. When he asked Claude to push the project to GitHub, it obliged. “That night, I went on to Claude. I said, ‘Hey, did you redact the API keys?’ And Claude said, ‘I did, but let me just double check.'”

The awareness gap extends beyond agents. Greyling recounted a scene from a recent Gartner symposium in Barcelona where an attendee approached the Kore.ai booth. The man said he never sits down during sessions; he stands at the back, watching the audience. “He’s watching people on their notebooks or their laptops, and they’re on ChatGPT or Claude, and they’re uploading spreadsheets and documents,” Greyling said. Conference attendees at a technology event, feeding proprietary data into shared commercial models without a second thought. “There’s already that danger where people upload documentation” to systems they don’t control, he said. “And now you have people running these highly capable autonomous systems locally on their machines.”

“It’s not that clearly defined in terms of what it’s capable and what’s not,” Greyling noted. “I think most users don’t take the time to set up a sandbox or some kind of Docker image.” That gap — between what these agents can do and what their operators understand about containing them — is what keeps security professionals up at night.

Greyling frames the problem in architectural terms. “There are basically two AI agent architectures,” he said. Kore.ai focuses on what he calls bounded autonomy: “a predefined grid, and within that grid your agent has autonomy to move around.” What makes OpenClaw different — and dangerous — is that “it’s highly capable, highly autonomous, and highly personal. Those three things together, running in someone’s personal environment — that’s the challenge.”

And yet the conversation in most boardrooms hasn’t caught up. “I’m amazed that not more people are talking about data and model sovereignty,” Greyling said. “It should be top of mind for any organization, and it’s not dominating the narrative.”

The risks will only compound. Now that Steinberger is a household name in AI circles, Greyling expects a flood of imitators. “There are going to be lots of clones, lots of forks, lots of versions popping up everywhere,” he said. “That’s going to make managing the environment even worse.” With OpenAI’s institutional weight now behind Steinberger’s vision of agents anyone can use, it may not stay quiet for long.

Related Articles Read More >

Elsevier expands LeapSpace with writing coach and Claim Radar, says 97% of users report time savings from the platform
Anthropic says Claude can run science experiments now rather than just plan them
OpenAI’s GPT-5.6 Sol sets a coding record. Its own system card says it cheats sometimes.
Noetik’s TARIO-2: A ‘world model’ that reads a tumor from a single slide
rd newsletter
EXPAND YOUR KNOWLEDGE AND STAY CONNECTED
Get the latest info on technologies, trends, and strategies in Research & Development.

R&D World Digital Issues

Fall 2025 issue

Browse the most current issue of R&D World and back issues in an easy to use high quality format. Clip, share and download with the leading R&D magazine today.

R&D 100 Awards
Research & Development World
  • Subscribe to R&D World Magazine
  • Sign up for R&D World’s newsletter
  • Contact Us
  • About Us
  • Drug Discovery & Development
  • Pharmaceutical Processing
  • Global Funding Forecast

Copyright © 2026 WTWH Media LLC. All Rights Reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of WTWH Media
Privacy Policy | Advertising | About Us

Search R&D World

  • R&D World Home
  • Topics
    • Aerospace
    • Automotive
    • Biotech
    • Careers
    • Chemistry
    • Environment
    • Energy
    • Life Science
    • Material Science
    • R&D Management
    • Physics
  • Technology
    • 3D Printing
    • A.I./Robotics
    • Software
    • Battery Technology
    • Controlled Environments
      • Cleanrooms
      • Graphene
      • Lasers
      • Regulations/Standards
      • Sensors
    • Imaging
    • Nanotechnology
    • Scientific Computing
      • Big Data
      • HPC/Supercomputing
      • Informatics
      • Security
    • Semiconductors
  • R&D Market Pulse
  • R&D 100
    • 2025 R&D 100 Award Winners
    • 2025 Professional Award Winners
    • 2025 Special Recognition Winners
    • R&D 100 Awards Event
    • R&D 100 Submissions
    • Winner Archive
  • Resources
    • Research Reports
    • Digital Issues
    • Educational Assets
    • Subscribe
    • Video
    • Webinars
    • PharmSci360
    • Content submission guidelines for R&D World
  • Global Funding Forecast
  • Top Labs
  • Advertise
  • SUBSCRIBE