Fast-Growing Open-Source AI Assistant Is Testing the Limits of Automation—and Safety

WikiBit 2026-01-27 07:40

In brief

  • The tool can autonomously browse the web, execute commands, manage files and place phone calls across common messaging apps.
  • Security researchers say some users have deployed it with internet-exposed gateways and no authentication, creating risks of remote takeover and credential theft.
  • Heavy token consumption has surprised early adopters, with some developers reporting hundreds of dollars in costs within days of routine use.

An open-source AI assistant has exploded across developer communities in recent weeks, racking up over 10,200 GitHub stars and 8,900 Discord members since its January release.

Clawdbot promises what Siri never delivered: an AI that actually does things. Alex Finn, CEO of CreatorBuddy, texted his Clawdbot, Henry, to make a restaurant reservation.

“When the OpenTable res didn't work, it used its ElevenLabs skill to call the restaurant and complete the reservation,” Finn wrote on X. “AGI is here, and 99% of people have no clue.”

Clawdbot stands out for keeping user context on-device, being open source and shipping at an unusually fast pace, developer Dan Peguine wrote on X on Saturday.

It also works across major messaging platforms and offers persistent memory with proactive background tasks that go well beyond a typical personal assistant, he added. Plus, it's pretty easy for everyday users to install.

Clawdbot uses the Model Context Protocol to connect AI models like Claude or GPT with real-world actions without human intervention.

The system can run locally on just about any hardware and connects through messaging apps you already use—WhatsApp, Telegram, Discord, Slack, Signal, iMessage. It can execute terminal commands, control browsers, manage files, and make phone calls.

From investment advice to OnlyFans account management, anything seems to be possible as long as you have the creativity to build it, the resources to pay for the tokens, and the balls to afford the consequences when things go sideways.

Unfettered access

Still, Clawdbot is raising concerns among those in the security community who have discovered a problem.

AI researcher Luis Catacora ran a Shodan scan and found an issue: “Clawdbot gateways are exposed right now with zero auth (they just connect to your IP and are in)… That means shell access, browser automation, API keys. All wide open for someone to have full control of your device.”

In effect, powerful systems placed in inexperienced hands have left many machines exposed.

The remedy is relatively straightforward: change a gateway binding from a public setting to a local one, then restart. The step is not intuitive, and the default configuration has left many users vulnerable to remote attacks.

The recommended response is to immediately restrict network access, add proper authentication and encryption, rotate potentially compromised keys, and implement rate limits, logging, and alerting to reduce the risk of abuse.
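One way to check a host for the public binding described above, as an added example that is not from the article or the Clawdbot project: it parses `ss -H -ltn` output and reports every listener that is not bound to loopback. The sample output and port 3000 are constructed; the article does not name the gateway's port or configuration key.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
# Port 3000 stands in for the gateway; the article does not give the real port.
SAMPLE_SS = """\
LISTEN 0 511  0.0.0.0:3000      0.0.0.0:*
LISTEN 0 128  127.0.0.1:5432    0.0.0.0:*
LISTEN 0 511  [::]:8080         [::]:*
LISTEN 0 128  [::1]:631         [::]:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 128  *:22              *:*
LISTEN 0 128  192.168.1.20:9000 0.0.0.0:*
"""

def classify_bind(local):
    """Return (host, port, scope) for an ss 'Local Address:Port' field."""
    host, _, port = local.rpartition(":")
    host = host.split("%")[0].strip("[]")   # drop %iface suffix and IPv6 brackets
    if host == "*":                         # ss shorthand for every address
        return host, int(port), "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:                 # 0.0.0.0 or ::
        scope = "all-interfaces"
    elif addr.is_loopback:                  # 127.0.0.0/8 or ::1
        scope = "loopback"
    else:
        scope = "single-interface"          # reachable from that network
    return host, int(port), scope

def exposed_listeners(ss_output):
    """List (host, port, scope) for every listener not bound to loopback."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                        # skip blank or non-listener lines
        host, port, scope = classify_bind(fields[3])
        if scope != "loopback":
            found.append((host, port, scope))
    return found

if __name__ == "__main__":
    for host, port, scope in exposed_listeners(SAMPLE_SS):
        print(f"{host}:{port} -> {scope}")
```

A loopback binding only removes remote reachability; the authentication, key rotation and logging steps listed above still apply.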

The system's heavy token usage has surprised users, prompting developers to recommend lower-cost models or local deployments to manage consumption.

Federico Viticci at MacStories burned through 180 million tokens in his first week. On Hacker News, one developer reported spending $300 in two days on what they considered “basic tasks.”

Clawdbot is the creation of Peter Steinberger, founder of PSPDFKit (now called Nutrient), who came out of retirement to build what he calls a “24/7 personal assistant.”

For now, given the costs, it is recommended to be careful about what you ask your assistant to do.

The project documentation includes a security guide and diagnostic commands to check for misconfigurations. The community is shipping fixes rapidly, at roughly 30 pull requests daily, but adoption of security safeguards still lags behind installation rates.
