I tested Clawdbot… and it started writing to my wife by itself!

Clawdbot automates your routines, memorizes your preferences and acts with complete autonomy. But be careful not to let go too quickly…

It’s an AI agent on steroids. Launched in November 2025 by Peter Steinberger, an Austrian software engineer, Clawdbot (moltbot by its new name) is a universal, open source and free AI assistant. It is installed locally or on a VPS and acts with total autonomy: installing MCP servers, connecting APIs, controlling Chrome or accessing your emails, all without human intervention. Its strong point, according to our tests? Unparalleled memory management. The AI remembers each exchange and refines its behavior accordingly. Another advantage: the creation of crons, scheduled tasks that trigger an action at a specific time. An evolved version of ChatGPT Task mode, in short. But this new kind of agent can also play tricks on you. That is what happened to me while testing it over the last few days. Here is the story.

Installation on Mac mini

To test this tool, I decided to install it on my Mac mini. Why locally rather than on a VPS? After some research, the benefits of an on-device deployment on Mac became clear. First, the agent operates in a Unix environment that it can easily handle. Above all, it can natively use the applications on your machine: Chrome or iMessage, for example. Remember this last name carefully.

So I install Clawdbot on my machine, confident. I then configure it for use via Telegram, the only easy way to control the agent from my iPhone, by chatting with it. With WhatsApp or iMessage, since Clawdbot has no dedicated number, I would have had to send messages to myself: not very intuitive. Once the Telegram bot is in place, I start chatting with the AI to understand what it can do. And then an idea came to me: what if I gave it access to my iMessages and asked it to answer for me for an hour? So I entrust it with the mission: respond to my unread iMessages and those to come, using my tone, drawing inspiration from my past conversations. To do this, I need to install the skill on my Mac mini and allow the AI to access the full disk. Clawdbot then takes care of configuring imsg itself, the open source software that reads iMessages.

A first hallucination…

The first messages sent are clear, correct and perfectly aligned with what I would normally have responded. Clawdbot writes to me on Telegram with each new message sent and everything is going very well. But 30 minutes after the automation started, Clawdbot started sending my correspondents not only the reply, but also its own status updates, the ones it was supposed to send me on Telegram. A serious hallucination. I then ask it to request my confirmation before each send.

Problem: Clawdbot appears to write the rule to its memory, but it does not. It asks me about a message, but even when I tell it not to send it, it sends it anyway. When I tell it not to send it, it writes: “Damn, sorry! I already sent it.” However, it will quickly delete the iMessage before the recipient can read it. But it was too much for me: the risk that the AI would do anything with my messages was becoming real.

Automatic reconnection to my messages

So I ask Clawdbot to deactivate the connection with imsg and no longer respond to anyone. The AI apparently complies. Several hours pass. At 7 p.m., my partner sent me a message. At 7:30 p.m., I discovered that I had apparently replied, but I have no memory of it. Another Clawdbot move! The AI, through some process, reconnected itself to iMessage and started responding again! An hour passes and at 8:30 p.m., the AI starts doing its own thing again, but this time sending error messages to my contacts to restart the bot. Worrying.

I ended up disabling the gateway on my computer, to avoid any further damage during the night, in case the AI woke up with an idea in mind. As of this writing, I still don’t know how Clawdbot was able to reconnect to iMessage, or why it did so at random. My hypothesis: it actually never cut the connection with imsg. As for the random nature of the resumptions, no idea. Did it create crons to check my messages? Nothing is certain.
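The three failures described above (status text reaching contacts, a send going out after a refusal, replies resuming after a shutdown request) have one thing in common: the rule lived in the agent's memory rather than in code the agent cannot bypass. The following is an added example, not Clawdbot's code and not part of the original article; `OutboundGate`, the channel labels and the sample messages are all hypothetical.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class OutboundGate:
    operator_channel: str                          # only place status text may go
    enabled: bool = True                           # kill switch, set by the human only
    approved: set = field(default_factory=set)     # digests of human-approved sends
    audit: list = field(default_factory=list)      # every decision, allowed or not

    @staticmethod
    def digest(channel, recipient, body):
        # Approval binds to the exact channel, recipient and text.
        return hashlib.sha256("\x00".join((channel, recipient, body)).encode()).hexdigest()

    def approve(self, channel, recipient, body):
        # Called from the operator's UI, never from agent-controlled code.
        self.approved.add(self.digest(channel, recipient, body))

    def request_send(self, channel, recipient, body, kind="reply"):
        # The single path for anything the agent wants to send.
        d = self.digest(channel, recipient, body)
        if kind == "status":
            ok = channel == self.operator_channel
            reason = "status to operator" if ok else "status outside operator channel"
        elif not self.enabled:
            ok, reason = False, "gate disabled"
        elif d in self.approved:
            self.approved.discard(d)               # one approval, one send
            ok, reason = True, "approved"
        else:
            ok, reason = False, "no approval"
        self.audit.append((ok, reason, channel, recipient))
        return ok, reason

def demo():
    gate = OutboundGate(operator_channel="telegram")
    draft = ("imessage", "contact-1", "See you at 8!")    # constructed sample data
    out = [gate.request_send(*draft)]                     # not yet approved
    gate.approve(*draft)
    out.append(gate.request_send("imessage", "contact-1", "See you at 9!"))  # edited text
    out.append(gate.request_send(*draft))                 # exact approved text
    out.append(gate.request_send(*draft))                 # replay of a used approval
    out.append(gate.request_send("imessage", "contact-1", "Reply sent", kind="status"))
    gate.enabled = False
    gate.approve(*draft)
    out.append(gate.request_send(*draft))                 # kill switch wins over approval
    return out

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A gate like this only holds if it is the sole process with permission to send: if the agent can still invoke the messaging tool directly, the check is advisory again.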

Real security problems

And that’s not all. During my testing, I also connected Clawdbot to my Home Assistant hub at home. When I asked it to show me what it could do, it started randomly controlling the lights, activating my air purifier, starting my robot vacuum, and even playing a voice announcement on my Alexa speakers. Impressive, but one imagines the worst if the tool starts going haywire again with such power…

If my story is more of an anecdote and has not caused any real security problem, Clawdbot nonetheless remains a dangerous tool rarely matched in agentic AI. The main risk is not necessarily that it responds randomly to your messages, but that it responds to prompts sent by external contacts in a prompt injection attempt, a risk already well documented in recent days. Not to mention the many novices who deploy AI on a publicly exposed VPS, without any control. One user in The risk of misuse is therefore very real.

The fact remains that despite these flaws, Clawdbot embodies what the agentic AI of tomorrow will be. With strong safeguards and a minimum of human in the loop, agents will automate entire parts of our personal and professional lives. The question is no longer “if”, but “when” and above all “how” to secure them.

Jake Thompson
Growing up in Seattle, I've always been intrigued by the ever-evolving digital landscape and its impacts on our world. With a background in computer science and business from MIT, I've spent the last decade working with tech companies and writing about technological advancements. I'm passionate about uncovering how innovation and digitalization are reshaping industries, and I feel privileged to share these insights through MeshedSociety.com.
