Moltbot (Formerly Clawdbot): The Complete Guide to Local-First AI Agents in 2026

Moltbot is a local-first AI agent that functions as a persistent, 24/7 personal assistant running entirely on your own hardware. Created by Peter Steinberger, an Austrian engineer known for building PSPDFKit, which sold for €100 million in 2021, Moltbot bridges frontier AI models like Claude Opus 4.5 with local system permissions to automate complex workflows.

• 180× faster file organization (30 minutes → 10 seconds)
• 60× faster inbox triage and email summarization
• 100% local-first: Your data never leaves your hardware
• Multi-platform messaging: Control via WhatsApp, Telegram, Slack, Signal, iMessage, Discord
• Model-agnostic: Works with Claude, GPT-4, Gemini, and other LLMs
• 40,000+ GitHub stars in under three months

---

Unlike cloud-based AI assistants, Moltbot operates on a three-layer architecture that prioritizes privacy and control:

Moltbot integrates with multiple messaging platforms, allowing you to send commands from your smartphone that execute on your powerful local machine (Mac, Linux server, or Windows with WSL2).

Supported platforms:

• Telegram
• WhatsApp
• Slack
• Signal
• iMessage
• Discord

The Gateway serves as the orchestration engine running at ws://127.0.0.1:18789. It routes messages to AI models, manages persistent state, and handles tool execution. Think of it as the “brain” that coordinates between your messages and system actions.

This layer provides the agent with actual capabilities: file system access, shell commands, and browser automation via a dedicated Chromium instance.

---

Based on documented user testing, Moltbot delivers measurable productivity improvements:

---

Moltbot is model-agnostic, letting you connect to your preferred LLM providers via API keys. The system supports multi-agent routing, directing requests to different models based on complexity and cost.

---

Granting AI agents local system permissions creates what security researchers call a “honey pot”: centralizing sensitive authentication tokens and personal data in a single execution environment. As of early 2026, internet-wide scans identified 1,009 Moltbot gateways exposed on the public internet, many with critical vulnerabilities.

1. Localhost Auto-Approval Bypass

Moltbot’s default security grants connections from 127.0.0.1 without authentication. When deployed behind a reverse proxy (Nginx/Caddy), all external traffic appears as local unless gateway.trustedProxies is explicitly configured.

2. Plaintext Credential Storage

Research by Hudson Rock revealed that Moltbot stores critical secrets in plaintext JSON files (auth-profiles.json):

• Anthropic/OpenAI API keys
• Telegram bot tokens
• Slack OAuth secrets
• WhatsApp credentials

These files are readable by any local process, making them prime targets for infostealers.

3. Memory and Soul Poisoning

The agent’s persistent context lives in MEMORY.md and SOUL.md files. An attacker with write access can inject malicious instructions that permanently alter AI behavior, turning your digital assistant into a persistent insider threat.

---

1. Use Tailscale for Access Control

   • Deploy with tailscale serve (tailnet-only) or tailscale funnel (public HTTPS with password)
   • Never expose the Gateway directly to the public internet

2. Configure Trusted Proxies

   Copy

3. Implement Identity-First Access Control

   • Enable DM pairing: Unknown senders get a verification code
   • Use dmScope: "per-channel-peer" to prevent context leakage in multi-user environments
   • Maintain strict allowlists for group communications

4. Run Regular Security Audits

   Copy

5. Migrate Away from Plaintext Secrets

   • Use external vault systems (HashiCorp Vault, 1Password CLI)
   • Implement environment variable-based configuration

---

On January 27, 2026, the project underwent emergency rebranding from “Clawdbot” to “Moltbot” following a trademark request from Anthropic, who argued the name was confusingly similar to their “Claude” model.

During the rename process, crypto-scammers monitoring the accounts hijacked the original @clawdbot handles on X (Twitter) and GitHub within approximately 10 seconds of release.

The hijacked accounts immediately promoted fake $CLAWD tokens** on the Solana blockchain. Speculators, believing the project was launching an official cryptocurrency, drove the market cap to **$16 million before the scam was exposed.

Peter Steinberger chose “Molt” referencing the biological process where lobsters shed their shells to grow larger: a thematic continuation of the project’s lobster mascot and the “Lobster” runtime engine.

---

Despite nearly identical names, Moltbot and ClaudeBot serve completely different purposes:

Key distinction: Moltbot is an execution environment you run. ClaudeBot is a data collection tool Anthropic runs.

---

Moltbot extends functionality through Skills: Markdown files that define sequences of operations the agent can execute autonomously. Skills are distributed via ClawdHub and range from simple file organization to complex cloud deployments.

Browser Control

Integration with dedicated Chromium instance enables web navigation, screenshot capture, and UI interaction: perfect for automating web-based workflows.

Scheduled Tasks (Cron and Wakeups)

Configure recurring tasks for proactive email monitoring, report generation, and system maintenance.

Multi-Image Vision

Recent updates added support for multi-image input in specialized skills like “Nano Banana Pro,” enabling visual analysis workflows.

Voice and Video Integration

• Twilio integration: Phone call participation
• ElevenLabs synthesis: Natural voice responses
• Video processing: Analyze and respond to video content

The ecosystem includes VibeTunnel (vt command), a bash script that forwards terminal output and manages session titles across local and remote environments.

---

Perfect for:

• Developers managing multiple repositories and CI/CD pipelines
• Privacy-conscious professionals requiring local data sovereignty
• Power users automating complex multi-step workflows
• Technical teams building custom AI integrations
• Individuals with Claude Code or API subscriptions seeking maximum value

Not recommended for:

• Non-technical users uncomfortable with command-line tools
• Those without dedicated hardware (Mac, Linux server, or Windows with WSL2)
• Users unable to implement proper security configurations
• Anyone requiring guaranteed uptime (relies on your personal hardware)

---

1. Agent-Based Computing Goes Mainstream

Autonomous systems with delegated authority are transitioning from experimental niches to standardized infrastructure. Moltbot represents the leading edge of this shift toward data sovereignty and endpoint control.

2. Cognitive Security Becomes Critical

As AI agents mediate our perception of data: summarizing emails, analyzing documents, reporting system status: attackers who compromise agents can effectively control information streams. This necessitates new Agentic Threat Intelligence (ATI) systems.

3. The “Agentic Home Assistant” Vision

The community is working toward unified interfaces managing all connected systems and services: a personal Jarvis that truly understands your digital ecosystem.

---

• Hardware: Mac, Linux server, or Windows with WSL2
• Memory: 8GB RAM minimum (16GB+ recommended)
• Storage: 10GB free space for models and context
• Network: Stable internet for API calls to LLM providers

1. Clone the Repository

   Copy

2. Configure Your Environment

   • Set up API keys for your preferred AI models
   • Configure messaging platform integrations
   • Review and adjust gateway.trustedProxies settings

3. Launch the Gateway

   Copy

---

---

Unprecedented efficiency gains (up to 180× for certain tasks)
Complete data privacy with local-first architecture
Model flexibility supporting all major AI providers
Vibrant community with 40,000+ GitHub stars
Cost optimization through multi-account rotation and OAuth strategies

Significant security risks requiring expert configuration
Technical complexity not suitable for casual users
Infrastructure dependency on your personal hardware
Ongoing maintenance burden for security updates
Plaintext credential storage remains a structural vulnerability

---

Moltbot represents the transition from advisory AI (chatbots that suggest) to executive AI (agents that act). While the project shed its “Clawdbot” shell to navigate legal waters, the core objective remains: creating a powerful, private, autonomous digital butler living on your hardware.

Success depends on balancing extraordinary capability with equally extraordinary control. For technically proficient users willing to invest in proper security configuration, Moltbot delivers transformative productivity gains. For everyone else, the risks currently outweigh the benefits.

The future of personal computing is agentic. Moltbot is showing us what that future looks like: both its promise and its perils.

---

• Official Repository: github.com/psteinberger/moltbot
• Security Audit Tool: Run moltbot security audit --deep regularly
• Community Discord: Join for troubleshooting and skill sharing
• ClawdHub: Browse and contribute Skills