Software engineer says OpenClaw spammed hundreds of messages

Chris Boyd was trapped in his house in North Carolina after a snowstorm when he decided to try out an AI tool called OpenClaw.He thought it could help organize his mornings. He set it up to send a news summary to his inbox at 5:30 a.m. every day. That part worked. Then he let it into iMessage.

Right after that, everything fell apart. OpenClaw started firing off messages like a maniac. It sent over 500 messages to him, his wife, and even random people on their contact list. Boyd didn’t laugh.

He shut it down, changed the code, and said, “It wasn’t buggy. It was dangerous.”

Software engineer says OpenClaw spammed hundreds of messages

Boyd called the software “half-baked” and said it looked like something slapped together without much thought. He patched the code himself to stop it from doing more damage. He wasn’t the only one raising flags about this tool.

The AI agent, which used to be called Clawdbot and later Moltbot, started gaining fans back in November. It could do simple tasks like clearing inboxes, booking dinner reservations, and checking in for flights. It didn’t need much human input. It just ran. That’s what made it interesting. That’s also what made it dangerous.

Kasimir Schulz works at a company called HiddenLayer that focuses on AI security. Kasimir said OpenClaw is a perfect example of what he calls the “lethal trifecta.”

It has access to private data, it can talk to the outside world, and it can read unknown content. That’s the full recipe for a disaster, and OpenClaw has all of it.

Yue Xiao, a computer science professor at William & Mary, said you can steal someone’s data through OpenClaw by tricking it with what’s called prompt injection. That’s when a hacker hides commands inside what looks like a normal message. Yue said this kind of tech opens the door to new types of attacks that most people aren’t ready for.

Creator admits OpenClaw is not ready for mainstream use

Peter Steinberger, who created OpenClaw, said the project isn’t finished. He told Bloomberg in an email, “It’s simply not done yet, but we’re getting there.”

Peter said that because it’s open source, anyone can see the code and work on it. He said progress is being made, but it’s not ready for everyday users yet.

Peter didn’t think the release came too early. He said he builds everything out in the open and doesn’t believe in holding back until it’s perfect. He also said that a lot of the problems come from users not reading the setup instructions.

Peter made it clear that there’s no such thing as 100 percent security when using large language models. He said OpenClaw is meant for people who know what they’re doing and understand the risks.

He also said prompt injection isn’t just a problem with his tool. He called it a problem that exists everywhere in the AI world. Peter said he brought in a security expert to help fix things and make OpenClaw safer.

Experts say AI agents are growing faster than security can catch up

While Peter defends the way he built OpenClaw, other experts say the whole AI agent trend is getting out of hand. Justin Cappos, a cybersecurity expert and professor at NYU, said it’s hard to control these tools once they’re running.

Justin said, “We don’t understand why they do what they do.” He compared giving an AI agent access to your system to handing a toddler a butcher knife.

The tech world is rushing to launch new tools. Anthropic’s Claude Code reached a $1 billion revenue pace in just six months.

Meanwhile, the people trying to keep these tools secure are still figuring out the basics. Justin said companies are dropping updates nonstop, and security teams can’t keep up.

Michael Freeman at Armis, a cybersecurity firm, said OpenClaw was thrown together without any real security plan. He said some of Armis’ clients have already been hit by OpenClaw breaches, but didn’t share the details. Michael said companies are going to have to give up some control if they want to keep using AI tools like OpenClaw.

For now, the question is whether people will still use OpenClaw after this disaster. The tool has fans, but even those people are realizing that freedom without safety is a problem. And unless changes are made fast, OpenClaw might become the latest example of tech that got too far ahead of itself.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.