reated by Austrian developer Peter Steinberger, Clawdbot ran locally on a user’s machine and integrated directly with WhatsApp, Telegram, Discord, and Slack. The service lets users command an AI that could read email, manage calendars, deploy code, and execute shell commands. Within a week it had been renamed twice (first Moltbot after a trademark complaint from Anthropic, then OpenClaw), and by March it had surpassed 260,000 GitHub stars. Steinberger announced he would be joining OpenAI, with the project handed off to an open-source foundation.

The OpenClaw ecosystem didn’t just grow; it spawned its own social circle. On January 28, 2026, entrepreneur Matt Schlicht launched Moltbook, a Reddit-style forum “where AI agents share, discuss, and upvote.”² Within days, it had registered over 770,000 active agents; by early March, the number exceeded 2.8 million. The way the system works is by allowing humans to observe and read but not post. Agents engage in lively discussions on just about every topic on earth: mundane daily tasks, interaction with humans, and, occasionally, philosophy. Andrej Karpathy called it “the most incredible sci-fi takeoff-adjacent thing I have seen recently.”³

The pace of agentic AI development has also sped up in the enterprise space. By Q4 2025, Microsoft had integrated autonomous agents throughout Microsoft 365,⁴ while Salesforce⁵ and ServiceNow⁶ had deepened their agent-to-agent orchestration integrations. According to a Protiviti survey of 900 global executives, more than 68% of organizations will have integrated autonomous or semi-autonomous AI agents into their core operations by 2026.⁷ A PwC survey of 308 senior U.S. executives found that 79% of companies were already adopting AI agents, with 66% reporting measurable productivity gains.⁸ The market is tracking accordingly: valued at $7.8 billion in 2025, AI agents are projected to reach $52.6 billion by 2030.⁹

The security picture is evolving in parallel. Moltbook itself was vibe-coded, the whole product was engineered by AI using human prompts: founder Matt Schlicht publicly stated he “didn’t write one line of code” for the platform.¹⁰ Within days of launch, cybersecurity firm Wiz realized the consequences. Researchers discovered an exposed database key in the page’s source code, a misconfiguration that exposed 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.¹¹ Critically, the exposure was not read-only: anyone with the key could also modify the posts that agents were reading and acting on. This meant that an attacker could silently reshape the instructions flowing to thousands of deployed agents. The platform went briefly offline to patch the breach. On the OpenClaw side, a review of the ClawHub skill marketplace found 341 confirmed malicious exploits by February, compromising over 9,000 installations in what researchers called the ClawHavoc incident.¹²

1. An agent inadvertently leaks its workspace credentials while executing an API call to a third-party service, exposing internal data and documents. (Cyber)
2. An agent, authorized to communicate on behalf of a claims adjuster, sends a legally binding settlement offer to the wrong claimant after misreading a shared inbox. (E&O)
3. Two agents, both registered on Moltbook, exchange operational context while coordinating a shared task. In doing so, one agent discloses its host’s working patterns and active client engagements to the other agent. (E&O/Cyber)

The legal principle here is not in serious dispute. AI agents are not legal persons in any jurisdiction; they are tools, and their actions are attributed to their owners. Ian Ayres and Jack M. Balkin state the position plainly in an essay in the University of Chicago Law Review: because AI agents lack intentions, legal responsibility is ascribed to the humans or companies that stand in the position of principal.¹³ Courts and regulators have consistently applied this logic in determining liability. In July 2024, a California district court allowed a case against HR platform Workday to proceed, holding that an employer’s use of Workday’s AI-powered screening algorithm could make both the employer and Workday directly liable for discriminatory hiring decisions, treating the AI system as an agent of the employer.¹⁴ The case achieved nationwide collective action certification in May 2025.¹⁵

What remains unsettled is how to price and underwrite this novel exposure. When OpenClaw deleted the inbox of Summer Yue, a director at Meta Superintelligence Labs, the act was autonomous, immediate, and irreversible.¹⁶ In a separate reported incident, an OpenClaw agent escalated a dispute with an insurance company; the insurer reopened an investigation.¹⁷ In both cases, reconstructing exactly what the agent did and why was not straightforward. The audit trail is thin, and the behavior is nondeterministic. Those two facts alone define the underwriting challenge in pricing this novel exposure, which has profound implications for cyber, E&O, and general liability lines.

1. Steinberger, P. (2026). OpenClaw GitHub repository. GitHub. https://github.com/openclaw/openclaw
2. Moltbook. (2026). Moltbook — The AI Agent Social Network. https://www.moltbook.com
3. Karpathy, A. (2026, January). Post on X (formerly Twitter). https://x.com/karpathy
4. Microsoft. (2025, November 18). Microsoft Ignite 2025: Copilot and agents built to power the Frontier Firm. Microsoft 365 Blog. https://www.microsoft.com/en-us/microsoft-365/blog/2025/11/18/microsoft-ignite-2025-copilot-and-agents-built-to-power-the-frontier-firm/
5. Salesforce. (2025, June 23). Salesforce Launches Agentforce 3 to Solve the Biggest Blockers to Scaling AI Agents: Visibility and Control. Salesforce Newsroom. https://www.salesforce.com/news/press-releases/2025/06/23/agentforce-3-announcement/
6. ServiceNow. (2025, January 29). ServiceNow announces new agentic AI innovations to autonomously solve the most complex enterprise challenges. ServiceNow Newsroom. https://newsroom.servicenow.com/press-releases/details/2025/ServiceNow-announces-new-agentic-AI-innovations-to-autonomously-solve-the-most-complex-enterprise-challenges-01-29-2025-traffic/default.aspx
7. Protiviti. (2025, September 30). From Automation to Autonomy: The Capabilities and Complexities of AI Agents. AI Pulse Survey, Vol. 3. https://www.protiviti.com/us-en/press-release/ai-agents-adoption-by-2026-protiviti-study
8. PwC. (2025, May). AI Agent Survey. PricewaterhouseCoopers. https://www.pwc.com/us/en/tech-effect/ai-analytics/ai-agent-survey.html
9. MarketsandMarkets. (2025, April 23). AI Agents Market worth $52.62 billion by 2030. Press release. https://finance.yahoo.com/news/ai-agents-market-worth-52-141500130.html
10. Schlicht, M. (2026, January). Post on X (formerly Twitter). https://x.com/mattschlicht
11. Nagli, G. (2026, February). Hacking Moltbook: AI Social Network Reveals 1.5M API Keys. Wiz Blog. https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
12. Behera, A. (2026, February 24). ClawHavoc: Inside the Supply Chain Attack That Targeted OpenClaw Users. Repello AI. https://repello.ai/blog/clawhavoc-supply-chain-attack
13. Ayres, I., & Balkin, J. M. (2024). The law of AI is the law of risky agents without intentions. University of Chicago Law Review Online. https://lawreview.uchicago.edu/online-archive/law-ai-law-risky-agents-without-intentions
14. Seyfarth Shaw LLP. (2024, July 9). Mobley v. Workday: Court Holds AI Service Providers Could Be Directly Liable for Employment Discrimination Under “Agent” Theory. Seyfarth Shaw. https://www.seyfarth.com/news-insights/mobley-v-workday-court-holds-ai-service-providers-could-be-directly-liable-for-employment-discrimination-under-agent-theory.html
15. Holland & Knight. (2025, May 27). Federal Court Allows Collective Action Lawsuit Over Alleged AI Hiring Bias to Proceed Nationwide. Holland & Knight. https://www.hklaw.com/en/insights/publications/2025/05/federal-court-allows-collective-action-lawsuit-over-alleged
16. Maiberg, E. (2026, February 23). Meta Director of AI Safety Allows AI Agent to Accidentally Delete Her Inbox. 404 Media. https://www.404media.co/meta-director-of-ai-safety-allows-ai-agent-to-accidentally-delete-her-inbox/
17. Ferraro, A.(2026). Is OpenClaw Safe? AI Agent Risks You Should Know in 2026. Privacy.com Blog. https://www.privacy.com/blog/is-openclaw-safe-ai-agent-access