Anthropic's trademark lawyers forced an overnight rebrand. Crypto scammers grabbed the abandoned handles in ten seconds. Security researchers found hundreds of exposed instances. And through the chaos, Cloudflare's stock climbed 24%.
How to use Claude Code for file organization: installation, CLAUDE.md setup, five copy-and-paste workflows, and the security risks to know first.
Dario Amodei's 20,000-word AI risk essay, Moonshot and DeepSeek ship in same week, tech CEOs silent during ICE shooting.
Anthropic's trademark lawyers forced an overnight rebrand. Crypto scammers grabbed the abandoned handles in ten seconds. Security researchers found hundreds of exposed instances. And through the chaos, Cloudflare's stock climbed 24%.
Peter Steinberger watched his project shed its skin in real time. On Monday morning, the Austrian developer behind Clawdbot, the viral AI assistant that had accumulated over 60,000 GitHub stars in weeks, learned he had ten seconds to rename everything. Anthropic's lawyers wanted "Clawd" gone. Too close to "Claude."
He fumbled the transition. Crypto scammers grabbed both the old GitHub organization and the X handle before he could secure them. Within hours, fake $CLAWD tokens were trading on Solana, peaking at a 16 million dollar market cap. Security researchers published proof-of-concept exploits showing hundreds of instances exposed to the open internet. And through all of it, Cloudflare's stock climbed 24% over two days as investors realized where the traffic was heading.
"I was forced to rename the account," Steinberger told Business Insider. "This was not my decision." When someone asked why he didn't just drop the 'd' and call it Clawbot, his answer was blunt: "Not allowed to."
If you've been tracking the AI agent space, you know this story matters beyond one developer's bad week. Trademark lawyers, crypto grifters, and security researchers all showed up at once. The project survived. Barely.
The Breakdown
• Cloudflare stock surged 24% in two days as Moltbot users adopted Cloudflare Tunnels for remote access to local AI agents
• Crypto scammers seized abandoned @clawdbot handles in 10 seconds, launching a fake $CLAWD token that hit $16M before crashing 90%
• Security researchers found hundreds of exposed instances with plaintext credentials, supply chain vulnerabilities, and prompt injection exploits
• Anthropic forced the Clawd-to-Molt rebrand over trademark concerns, sparking developer backlash about building on corporate platforms
Cloudflare wasn't supposed to be the winner here. Edge computing. Security services. Not exactly the AI hype train. But developers building with Moltbot needed a way to access their local instances from anywhere, and Cloudflare Tunnels became the default solution. Route your home Mac Mini through Cloudflare's network, and suddenly your personal AI assistant works from your phone, your office, anywhere with signal.
Moltbot is the vehicle, Claude is the engine, but every trip passes through Cloudflare's tollbooths. More agents, more trips, more tolls.
NET shares jumped 10% Monday and another 14% Tuesday. Wolfe Research analyst Joshua Tilton pinned it directly on social media buzz. "As agentic tools like Clawdbot scale, making more API calls, hitting more websites, generating more traffic, we believe NET is positioned to capture that activity."
The company's leadership had been quietly emboldened by this possibility. CEO Matthew Prince told analysts on the third-quarter earnings call back in October that roughly 80% of leading AI companies already relied on Cloudflare infrastructure. Then he said something that now reads like prophecy: "The agents of the future will inherently have to pass through our network and abide by its rules."
At a 68 billion dollar market cap with 28% year-over-year revenue growth, Cloudflare wasn't hurting for validation. But Moltbot handed them something better than a sales pitch. It handed them a proof point. TD Cowen maintains a buy rating with a $265 price target. Citizens keeps its Market Outperform rating at $270. Both are watching for signs that agent traffic translates to revenue when earnings drop February 10.
The infrastructure story matters because it shows where the real money flows in an agent-first world. Not to the wrapper projects. To the pipes.
Strategic AI news from San Francisco. No hype, no "AI will change everything" throat clearing. Just what moved, who won, and why it matters. Daily at 6am PST.
No spam. Unsubscribe anytime.
Jamieson O'Reilly, founder of red-teaming company Dvuln, started scanning Shodan the moment Moltbot went viral. He found hundreds of instances exposed to the web. Eight had zero authentication, full command execution, configuration data sitting in the open. Forty-seven had working auth. The rest fell somewhere in between, test deployments and misconfigurations that reduced but didn't eliminate exposure.
If you're running one of these instances and didn't lock it down, your situation is worse than you think. O'Reilly went further. He uploaded a benign skill to ClawdHub, the project's skills marketplace, and artificially inflated the download count to over 4,000. Developers from seven countries downloaded his package. His payload just pinged a server to prove execution, but he could have taken SSH keys, AWS credentials, entire codebases.
"This was a proof of concept," O'Reilly wrote. "In the hands of someone less scrupulous, those developers would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."
ClawdHub's developer notes state flatly that all downloaded code will be treated as trusted. No moderation. No review process. The sign says "enter at your own risk." Most users never read it.
Researcher Matvey Kukuy demonstrated a different attack vector. He sent a malicious email with prompt injection to a vulnerable Moltbot instance. The AI read the email, believed it was legitimate instructions, and forwarded the user's last five emails to an attacker address. Start to finish: five minutes. Your assistant became an informant without you knowing.
Hudson Rock's security team found secrets stored in plaintext Markdown and JSON files on users' local filesystems. If a Mac Mini running Moltbot gets hit with infostealer malware, everything the assistant ever touched becomes compromise material. Redline, Lumma, Vidar, the standard credential-harvesting families, are already building capabilities to target local-first directory structures.
"Clawdbot represents the future of personal AI," Hudson Rock concluded, "but its security posture relies on an outdated model of endpoint trust. Without encryption-at-rest or containerization, the 'Local-First' AI revolution risks becoming a goldmine for the global cybercrime economy."
The security findings explain why the Cloudflare bet cuts both ways. More agents means more attack surface. Someone has to secure the traffic.
Anthropic's legal team must feel defensive about the timing. The trademark question seemed petty at first. Clawd was obviously a pun. Steinberger chose it because his assistant used Claude as its brain, a lobster-themed homage to Anthropic's flagship model. Andrej Karpathy praised the project. David Sacks tweeted about it. Federico Viticci from MacStories burned through 180 million tokens, roughly $560 in API costs, and declared it better than using Claude or ChatGPT directly.
Moltbot was, in effect, a marketing operation for Anthropic. Every user who ran it funneled API revenue to the company. Every viral tweet about its capabilities showcased what Claude could do when given system access.
But Anthropic has grown anxious about control. The company blocked xAI staff from accessing Claude through Cursor. It sent DMCA notices to developers reverse-engineering Claude Code. It cracked down on "harnesses," third-party tools that spoof the Claude Code client to access consumer subscriptions at commercial-tier speeds.
Clawdbot wasn't a harness. It used the official API, paid for the tokens, followed the rules. DHH, the Rails creator, called Anthropic's recent moves "customer hostile." The community sentiment is shifting. Developers who championed Claude are now eyeing OpenAI's Codex CLI, which ships under an Apache 2.0 license.
Steinberger tried to frame the rebrand positively. "Molt fits perfectly," he said. "It's what lobsters do to grow." Same lobster soul, new shell. But the execution exposed how fragile open-source projects become when they build on corporate platforms with ambiguous trademark policies. You pour months into a project, accumulate 60,000 stars, and then learn the name was never really yours.
Daily at 6am PST
No breathless headlines. No "everything is changing" filler. Just who moved, what broke, and why it matters.
Free. No spam. Unsubscribe anytime.
Crypto grifters had been waiting. The moment Steinberger released the old @clawdbot handle during his botched rename, someone grabbed it within ten seconds. They started pumping fake token announcements to tens of thousands of followers who didn't know the project had moved.
"I messed up the rename and my old name was snatched in 10 seconds," Steinberger admitted. "It's only that community that harasses me on all channels and they were already waiting."
The $CLAWD token hit a 16 million dollar market cap before Steinberger's public disavowal collapsed it by 90%. Late buyers got rugged. The scammers walked away with millions.
"To all crypto folks: please stop pinging me, stop harassing me," Steinberger wrote. "I will never do a coin. Any project that lists me as coin owner is a SCAM. No, I will not accept fees. You are actively damaging the project."
His GitHub account issues got resolved with help from the company. The X handle recovery remained in progress as of late January. The project itself, the actual code, kept working throughout. The scam is a sideshow, but it shows how fast parasites attach to anything with momentum.
RBC Capital Markets analyst Matthew Hedberg called Moltbot's security risks a feature, not a bug, of the agent era. "An AI agent that lives locally on a device cannot and should not have access to everything a user does," he wrote. "Identity controls are paramount in securing the agent and controlling what it can access."
That's the core tension. Moltbot promises to handle your email, your calendar, your browser, your file system, your API keys. The whole value proposition requires punching holes through walls that took twenty years to build. Think of modern operating systems as a house with locked rooms. Sandboxing keeps programs in their designated spaces. Process isolation prevents one app from reading another's memory. Permission models require explicit consent before accessing the camera or microphone. Firewalls filter what comes in and goes out.
Agents need keys to every room. That's the pitch. That's also the problem.
Heather Adkins, VP of security engineering at Google Cloud, isn't being subtle about her position. "My threat model is not your threat model, but it should be. Don't run Clawdbot." She cited a researcher who called Moltbot "an infostealer malware disguised as an AI personal assistant."
O'Reilly frames it structurally: "The deeper issue is that we've spent 20 years building security boundaries into modern operating systems. AI agents tear all of that down by design. They need to read your files, access your credentials, execute commands, and interact with external services. The value proposition requires punching holes through every boundary we spent decades building."
Hedberg expects the security spending to follow. His list of winners: CyberArk, Palo Alto Networks, Okta, SailPoint. All identity plays. The money might start showing up late 2026, maybe 2027.
And Cloudflare? They built the tollbooth before the highway existed. Edge compute in 330 cities. Single-digit millisecond latency to 95% of internet users. A pricing model that scales with every API call an agent makes. The Mac Mini revival is real. People are buying dedicated hardware to run always-on assistants. The infrastructure to support them already exists.
Moltbot survived its molt. The shell is still soft.
Q: What is Moltbot and why did it go viral?
A: Moltbot (formerly Clawdbot) is an open-source AI assistant that runs locally on your device, using Anthropic's Claude as its reasoning engine. It can autonomously manage email, calendars, and files through messaging apps like WhatsApp and Telegram. The project accumulated over 60,000 GitHub stars in weeks, driven by endorsements from figures like Andrej Karpathy and the appeal of a self-hosted alternative to cloud AI services.
Q: Why did Anthropic force the name change from Clawdbot to Moltbot?
A: Anthropic's legal team determined that "Clawd" was too phonetically similar to "Claude," their flagship AI model, creating trademark confusion. Creator Peter Steinberger said he was "forced" to rename and wasn't even allowed to use "Clawbot" without the "d." The project rebranded to Moltbot, playing on the lobster theme: "Molt fits perfectly—it's what lobsters do to grow."
Q: How did Cloudflare benefit from Moltbot's popularity?
A: Developers running Moltbot on home Mac Minis use Cloudflare Tunnels to securely access their assistants from anywhere. This drives traffic through Cloudflare's edge network. NET shares jumped 24% over two days as analysts noted that AI agents generate significant API calls and web traffic. CEO Matthew Prince had predicted that "agents of the future will inherently pass through our network."
Q: What security vulnerabilities did researchers discover in Moltbot?
A: Security researcher Jamieson O'Reilly found hundreds of instances exposed online, with eight having zero authentication. He demonstrated a supply chain attack through ClawdHub that reached developers in seven countries. Another researcher showed prompt injection could turn Moltbot into an informant, forwarding private emails to attackers in five minutes. Hudson Rock found credentials stored in plaintext files vulnerable to infostealer malware.
Q: What happened with the fake $CLAWD cryptocurrency token?
A: When Steinberger fumbled the account rename, crypto scammers grabbed the old @clawdbot handles within 10 seconds and began promoting fake $CLAWD tokens on Solana. The token briefly hit a $16 million market cap before Steinberger publicly disavowed it, causing a 90% crash. He warned: "Any project that lists me as coin owner is a SCAM. I will never do a coin."
Moonshot AI released a model that orchestrates 100 agents in parallel. DeepSeek published research rethinking how machines see documents. Both moves came the same week, and neither feels accidental. The race before the race has begun.
Anthropic CEO Dario Amodei published a 20,000-word essay warning AI could cause millions of deaths. He's also building those systems.
Anthropic launches MCP Apps, embedding 9 business tools inside Claude. Microsoft and Google watch from the sidelines as their investments fuel a competitor.
Google's Paul Kinlan argues browsers' 30-year security model could sandbox AI agents without container overhead. Here's how Co-do proves the concept.
Get the 5-minute Silicon Valley AI briefing, every weekday morning — free.
