The Rise of the Personal AI Agent

Recently, a few founders in our portfolio have unlocked what can only be described as operational superpowers. In a call with one founder, I recommended he reach out to a certain company about a partnership. His response: “I’ll give it to Alfred” (names changed for privacy). Alfred is his AI agent that has its own company email and WhatsApp account. Another told me he used AI agents to tag a data set that would have previously taken 10 hours.

They aren’t just chatting with a stateless browser window anymore. They are interacting with malleable software that adapts to their exact needs on demand, executing Terminal commands, managing local files, and writing custom scripts on the fly. Welcome to the dawn of the autonomous, highly privileged personal AI assistant. And right now, the project driving this paradigm shift is a viral open-source tool called OpenClaw.

Formerly known as Clawdbot or Moltbot, OpenClaw has been taking the AI and developer communities by storm. Created by Peter Steinberger, who was recently hired by OpenAI, OpenClaw is an autonomous, highly privileged AI agent that runs directly on your local machine. It doesn’t just answer questions; it has access to your shell, your filesystem, and your credentials.

Here is a look at how founders and power users are already leveraging these personal AI agents, the significant security risks they introduce, and what this trend means for the future of the app ecosystem.

How Founders and Power Users are Deploying AI Agents

The appeal of OpenClaw lies in its absolute flexibility. Steinberger initially built the tool to serve as an assistant over WhatsApp during a trip to Marrakesh, allowing him to bypass spotty internet to find restaurants and execute computer tasks remotely. Today, it acts as a “Gateway” that integrates with messaging apps like Telegram, Slack, iMessage, and Discord, making the AI feel like a true digital assistant.

Because the agent runs locally and can execute terminal commands or write scripts on the fly, users are pushing the boundaries of what is possible:

  • Replacing Paid SaaS: Users are saving money by asking OpenClaw to replace tools like Zapier. By giving the agent internet access and shell tools, it can autonomously set up local cron jobs to automate tasks like monitoring RSS feeds and updating project management apps.
  • Seamless Voice & Multimedia: Users are asking their agents to research text-to-speech models, fetch credentials, and build custom voice integrations using platforms like ElevenLabs, allowing them to converse with their local AI entirely through voice messages.
  • Aggressive Web Scraping: Some users are deploying OpenClaw alongside an open-source tool called “Scrapling” to bypass anti-bot protections like Cloudflare Turnstile, allowing their AI agents to scrape the web for data without permission.
  • Self-Improvement: Through “vibe coding,” users can simply prompt the agent to build new “skills” (plugins) for itself, such as integrating image generation models or creating virtual remotes for smart home devices.

The “Bad Boy” of AI Agents: Understanding the Risks

Security experts are calling OpenClaw the “bad boy of AI agents,” warning that the fundamental tension of these systems is that their danger scales alongside their utility. Because OpenClaw is designed to blend untrusted instructions with executable code using valid credentials, it creates severe vulnerabilities.

Microsoft has officially warned against running OpenClaw on standard workstations, recommending that organizations use strict isolation, such as dedicated virtual machines with limited credentials. The risks are not theoretical; they are already happening in the wild:

  • Exposed Gateways: OpenClaw relies on a WebSocket interface (TCP port 18789) that is meant to be local, but over 21,000 instances were recently found exposed directly to the public internet. Attackers are bypassing authentication to steal LLM API keys, chat tokens, and session histories.
  • Supply Chain Attacks: Bad actors are capitalizing on the hype. Malicious “skills” masquerading as crypto automations were uploaded to ClawHub, specifically designed to harvest browser data and crypto wallet information.
  • Remote Access Trojans: A malicious VS Code extension disguised as a “ClawdBot Agent” was discovered dropping legitimate remote management tools (ConnectWise) pre-bound to attacker infrastructure, giving hackers instant access to user machines.
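
A quick host-side check for the exposed-gateway problem above, as an added example rather than anything from the OpenClaw project: it parses Linux's /proc/net/tcp and /proc/net/tcp6 and reports any listener on port 18789 that is bound to something other than loopback. The sample tables are constructed for illustration, and the script assumes a little-endian Linux host.

```python
import ipaddress
from pathlib import Path

GATEWAY_PORT = 18789  # WebSocket port named in the article
LISTEN = "0A"         # state code for LISTEN in /proc/net/tcp

def decode_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} address: hex, each 32-bit word byte-swapped
    (assumes a little-endian host such as x86-64 or arm64)."""
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    ip = ipaddress.ip_address(fixed)
    # Treat ::ffff:127.0.0.1 the same as 127.0.0.1.
    return getattr(ip, "ipv4_mapped", None) or ip

def listeners(proc_text):
    """Yield (ip, port) for every socket in LISTEN state."""
    for line in proc_text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        addr, port = fields[1].rsplit(":", 1)
        yield decode_addr(addr), int(port, 16)

def exposed_gateways(proc_text, port=GATEWAY_PORT):
    """Return bind addresses for `port` that are reachable beyond loopback."""
    return [str(ip) for ip, p in listeners(proc_text)
            if p == port and not ip.is_loopback]

HEADER = "  sl  local_address rem_address   st tx_queue rx_queue\n"
# Constructed samples (not captured from a real host). 0x4965 == 18789.
SAMPLE_LOCAL = HEADER + (
    "   0: 0100007F:4965 00000000:0000 0A 00000000:00000000\n"   # 127.0.0.1, LISTEN
    "   1: 0100007F:4965 0100007F:D2F0 01 00000000:00000000\n")  # established, ignored
SAMPLE_EXPOSED = HEADER + (
    "   0: 00000000:4965 00000000:0000 0A 00000000:00000000\n"   # 0.0.0.0, LISTEN
    "   1: 00000000:0016 00000000:0000 0A 00000000:00000000\n")  # port 22, ignored

if __name__ == "__main__":
    for name in ("/proc/net/tcp", "/proc/net/tcp6"):
        p = Path(name)
        if p.exists():
            for addr in exposed_gateways(p.read_text()):
                print(f"{name}: port {GATEWAY_PORT} listening on {addr}")
```

Any address it prints means the gateway socket accepts connections from beyond the local machine; a wildcard bind such as 0.0.0.0 or :: covers every interface.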

Build vs. Buy

The enterprise sector will likely be slow to adopt fully autonomous agents like OpenClaw due to what experts call a “Cybersecurity Readiness Deficit.” However, the security ecosystem is already adapting. Startups like Adversa AI have released SecureClaw, a dual-stack open-source security plugin designed to systematically audit OpenClaw installations and provide real-time behavioral rule enforcement to prevent prompt injections.

For the broader tech and VC landscape, OpenClaw points to a paradigm shift. If an AI agent can instantly generate a customized, localized script to control your TV, deliver a personalized morning voice report, or orchestrate your calendar without requiring a subscription, what happens to the traditional App Store model?

Standalone utility apps may soon face existential threats from “malleable software” that adapts to the user’s exact needs on demand. While the early days are filled with security pitfalls and hobbyist experimentation, the foundation is being laid for a future where our computers do exactly what we ask, the moment we ask it.

If you’re an Israeli founder building in this space, we’d love to hear from you at Remagine Ventures!

Co Founder and Managing Partner at Remagine Ventures
Eze is managing partner of Remagine Ventures, a seed fund investing in ambitious founders at the intersection of tech, entertainment, gaming and commerce with a spotlight on Israel.

I'm a former general partner at Google Ventures, head of Google for Entrepreneurs in Europe and founding head of Campus London, Google's first physical hub for startups.

I'm also the founder of Techbikers, a non-profit bringing together the startup ecosystem on cycling challenges in support of Room to Read. Since inception in 2012 we've built 11 schools and 50 libraries in the developing world.
Eze Vidra