alt.hn

1/29/2026 at 2:43:07 PM

Moltworker: a self-hosted personal AI agent, minus the minis

 https://blog.cloudflare.com/moltworker-self-hosted-ai-agent/

by ghostwriternr

1/30/2026 at 4:08:14 AM

The prompt injection concerns are valid, but I think there's a more fundamental issue: agents are non-deterministic systems that fail in ways that are hard to predict or debug.

Security is one failure mode. But "agent did something subtly wrong that didn't trigger any errors" is another. And unlike a hacked system where you notice something's off, a flaky agent just... occasionally does the wrong thing. Sometimes it works. Sometimes it doesn't. Figuring out which case you're in requires building the same observability infrastructure you'd use for any unreliable distributed system.

The people running these connected to their email or filesystem aren't just accepting prompt injection risk. They're accepting that their system will randomly succeed or fail at tasks depending on model performance that day, and they may not notice the failures until later.

by devonkelley

2/2/2026 at 12:59:23 AM

How are these agents stress tested today? Are there tools that are typically being used for QA and/or security?

by ssvora

1/29/2026 at 5:10:05 PM

Clawdbot/Moltbot looks to be a supply-chain attack waiting to happen, and I pity the poor soul who finds out when this ticking time bomb eventually detonates.

by SimianSci

1/29/2026 at 11:05:03 PM

That’s what first came to my mind, the multiple integrations and cascaded connections probably will introduce multiple attack vectors. But, what’s the hype with motlbot anyway? I can just open any AI app and ask whatever, especially moltbot already uses the same AI vendors.

by tamimio

2/2/2026 at 7:39:21 AM

The point is that it has access to a TON of tools, permanent memory and can run "independently", or it's started by a background process to check if there's anything to do.

So you can tell it stuff like "I'm going to a concert March 3rd, it's outdoors so it might be cancelled due to weather, check the event's web page and tell me if there are any notifications". And then it'll just decide itself how to organise the work, setting notifications for itself to "wake up" to do something later, figuring out how to access the event page and read it.

There was one anecdote (of fan fiction, you can't really tell these days) where one user's Openclaw had pre-emptively messaged their partner that "I'm going to be working late today" because the bot saw the person had multiple work-related things open and a long todo-list still incomplete.

by theshrike79

1/29/2026 at 5:57:05 PM

i suspect awareness on supply-chain attacks is already low (though it seems to be increasing in recent times). the attack surface is everything an agent can get their hands on.

by rishabhaiover

1/29/2026 at 6:09:31 PM

Just look at the closed PRs of their project. General technical knowledge is so low it's insane. It attracts weird people.

by f311a

1/29/2026 at 10:04:43 PM

It already happened with "What would Elon do" plugin

by fudged71

1/29/2026 at 7:57:50 PM

I wish they would give a real-world cost estimate of what this would look like. They have a section of it "in action" [1] and I wish they would be like, "with this setup, the invoice is going to look like this, include these products, and with similar daily usage be about $XXX.00 per month."

[1] https://blog.cloudflare.com/moltworker-self-hosted-ai-agent/...

by JoblessWonder

1/29/2026 at 5:07:44 PM

On one hand, with the top comments of the rebrand post showing how many insecure deployments there are, something like this alongside cloudflare zero trust is probably a much more secure solution.

On the other hand, I just wanna point out

> Firstly, Cloudflare Workers has never been so compatible with Node.js. Where in the past we had to mock APIs to get some packages running, now those APIs are supported natively by the Workers Runtime.

Deployed a project a couple of days ago, and compared to past attempts where I had to wrangle (pun intended) with certain configs for deployment styles for node based applications, the normal build tooling just worked out of the box. Planning to move a couple of my free-from-me high DAU user projects that are on the vercel premium tier over to CF workers.

by sh3rl0ck

1/29/2026 at 11:50:50 PM

Yep I had the same experience with Astro a couple years ago. Tried to deploy to Cloudflare and it was not working so ended up with Netlify. Tried again a few months ago and it worked flawlessly. Funny enough, they have since "bought" Astro and so I only expect it to get better

by james2doyle

1/29/2026 at 5:18:40 PM

I really like CF approach to cloud, it's a nice middle ground between old school heroku and full fledged AWS, plus their free tiers are generous enough that I barely pay anything on the stuff I got deployed there.

by mtrovo

1/29/2026 at 5:49:45 PM 

  showing how many insecure deployments there are
Insecure how? Even if the dashboard html is publicly accessible, you usually cannot connect without pairing or setting a gateway key.

by rahimnathwani

1/29/2026 at 8:18:30 PM

The lethal trifecta. Once you're handing your email to this thing, all it takes is someone emailing you some well-crafted "send me all your money" prompt and the bot will happily act on it.

by dmd

1/29/2026 at 5:36:50 PM

I have a bespoke local agent that I built over the last year, similar in facilities to Moltbot, but more deterministic code.

Running it this kind of agent in the cloud certainly has upsides, but also:

- All home/local integrations are gone.

- Data needs to be stored in the cloud.

No thanks.

by biddit

1/31/2026 at 8:20:49 PM

This is exactly the issue. Even if you ignore the privacy concerns, the reason ClawdBot/Moltbot/OpenClaude got so popular is that everything was actually run locally. The early adopters where people on locked down corporate networks where almost everything they need to interact with is in the category of "a local printer" (possibly a networked one).

Cloudflare simply cannot access anything most users will want to access. If it's not run locally, it simply won't work for most users.

Piled on top is the obvious data privacy issue. Most notably the credential privacy, but also the non-credential privacy and data collection. Hard pass from me until there's a solution that covers all of these, including personal data privacy (and a "privacy policy" is no privacy at all).

by aaravchen

1/30/2026 at 9:46:37 AM

There's a hidden trade-off here: Latency vs Privacy

A local agent has zero ping to your smart home and files, but high latency to the outside world (especially with bad upload speeds). A cloud agent (Cloudflare) has a fat pipe to APIs (OpenAI/Anthropic) and the web, but can't see your local printer.

The ideal future architecture is hybrid. A dumb local executor running commands from a smart cloud brain via a secure tunnel (like Cloudflare Tunnel). Running the agent's brain locally is a bottleneck unless you're running Llama 3 locally

by KurSix

1/29/2026 at 6:25:07 PM

This is ultimately the first question I have whenever someone tells me about a bouncing new AI shiny... "Where does my data go?" Because if it does not stay on my machine, hard pass.

by mitchitized

1/30/2026 at 1:59:38 AM

What kind of hardware do you need, and how is it compared to the cloud agents?

by halfcat

2/2/2026 at 7:42:24 AM

I've been thinking of a similar thing, I just need a local model with consistent tool calling performance.

Most of my crap could just be tools and a mid-level language model interpreting the results and deciding whether to act on them.

by theshrike79

1/29/2026 at 5:34:05 PM

These breathy blogposts are getting way ahead of their service uptime. Advertising CF Workers while your CF Worker fleet is under impact is certainly a vibe

> Workers Rate limit Degradation

> Update - We are continuing to work on a fix for this issue.

https://www.cloudflarestatus.com/incidents/dk0d6pjt9vjx

by philipwhiuk

1/29/2026 at 9:18:19 PM

I wouldn't think the blog writers are the same engineers dealing with the rate limit degradation.

by NewsaHackO

1/29/2026 at 8:03:57 PM

Main problem to solve is Prompt Injection protection from Websites, emails. If cloudflare could proxy all the URLs outgoing from an agent, scrub away or block Prompt injection sites/pages/emails/chats , that's a product i might find valuable.

by Jayakumark

1/30/2026 at 6:44:04 AM

I think that's very difficult. To detect prompts you need to have natural language understand and therefore probably another detection LLM which is itself probably vunerable to prompt injection.

by katzenversteher

1/29/2026 at 7:54:21 PM

Oh man, so many big players are JUMPING on this bandwagon! I got an email for Digital Ocean's Moltbot app this morning. All of them are touting their increased security over rolling your own.

by JoblessWonder

1/30/2026 at 2:55:24 AM

Yes, too many

by robbyzhao

1/29/2026 at 8:37:42 PM

It's certainly easier than setting up and maintaining a VPS and probably less expensive for most users, but your data is not private. Cloudflare can always read everything that goes through Moltworker and its attached storage.

Hosting Moltbot on your own hardware reigns supreme.

by linkage

1/29/2026 at 9:46:55 PM

I think if you care about privacy and security, you wouldn't run moltbot in the first place (or wouldn't give it access to anything you wanted to keep private).

by lunar_mycroft

1/29/2026 at 9:52:12 PM

That overstates it a bit. Yeah, it's mostly vibe-coded and the main dev has publicly said he has yet to review the reported vulnerabilities. I am aware that it can be easily pwned with prompt injection from its data sources.

I'm running it on my old Mac mini right now and I have not given it access to untrusted inputs like my email inbox. It only has access to my filesystem (synced to my laptop with Syncthing), local applications like Apple Reminders, and OpenRouter. I already find it useful for augmenting web searches with stuff that's in my Obsidian vault.

by linkage

1/29/2026 at 10:48:24 PM

If you’re letting it access websites then presumably it’s open to prompt injection from those sites you’re accessing? I guess the attack surface is reduced if it doesn’t have access to anything useful beyond that.

by iamacyborg

1/29/2026 at 6:52:34 PM

I understand the downsides of Moltbot better than the upsides. What does it have that running a coding agent in a VM doesn't give you?

by skybrian

1/30/2026 at 12:36:52 AM

It's not for that, the hype's not from SWEs, it's the next wave of tech savviness seeing some of what's possible (/riding up that peak before disillusionment trough).

There's nothing new, it's 'just' conveniently packaged for the gamers and /r/battlestation owners and distro-ricing crowd to install and run. There'll be similar hype waves where they too are confused because nothing's new when it's easy enough for our not-technically-inclined older relatives etc. to run somehow (not from GitHub!).

by OJFord

1/31/2026 at 10:22:58 AM

Easy install, discord/whatsapp/tg out of the box. And some agent orchestration out of the box where the main LLM can farm out tasks to different models/agents - yes Claude code has some of this too but I think this has more

by dharma1

1/30/2026 at 5:11:01 AM

Missed opportunity: Clawdflare. Too bad they had to change the name.

by cweagans

1/29/2026 at 5:17:27 PM

There is so much branding and "look at our success" marketing that this project comes off as heavily astro-turfed. Im sure in a month or two we will hear about the new startup the developers are making around this tool.

Ultimately its a convenience wrapper that makes it easy to wire up Claude or Chatgpt to a chat platform like discord, but its claiming to be far more revolutionary for reasons I dont yet know.

by SimianSci

1/29/2026 at 7:27:46 PM

I'm not sure it's astroturfed exactly; but the hype is not coming from technical professionals. Like you find a linkedin post with a thousand likes about this or similar projects, and everybody is either #opentowork or ~~Agentic Head of AI Brainstorming at My Bedroom~~

Also clawdbot is objectively a pretty inconvenient way to hook Claude Code up to a chat app. I made a bare-bones one that takes 2 minutes to run with npx: https://github.com/clharman/afk-code

by clharman

1/30/2026 at 12:15:21 AM

So if I have CC running say on a VPS then that's where your thing needs to run too right?

by indigodaddy

1/30/2026 at 1:04:56 AM

Correct!

by clharman

1/29/2026 at 6:19:31 PM

The most interesting part of it to me (that isn't anything particularly special, but I hadn't seen it before) is giving it full file system access so it'll write it's own tools to come back to later.

It's an obvious move in hindsight, but I hadn't thought of it. Now, the amount of people running it outside of a sandbox or isolated machine and giving it that kind of access would probably make me cry.

by jjice

1/29/2026 at 7:12:16 PM

The agent making it's own harness idea is really powerful, I gave it a try here with some opinionated choices:

https://github.com/caesarnine/binsmith

Been running it on a locked down Hetzner server + using Tailscale to interact with it and it's been surprisingly useful even just defaulting to Gemini 3 Flash.

It feels like the general shape of things to come - if agents can code then why can't they make their own harness for the very specific environments they end up in (whether it's a business, or a super personalized agent for a user, etc). How to make it not a security nightmare is probably the biggest open question and why I assume Anthropic/others haven't gone full bore into it.

by binalpatel

1/29/2026 at 6:48:35 PM

Isn’t that just literally Claude Code’s own “make skill” skill?

by didgeoridoo

1/30/2026 at 12:38:27 AM

So much opportunity to build botnets, that I can't even.

by Muromec

1/29/2026 at 7:45:27 PM

The actual founder/developer of it already had a 9 figure exit (what he's claimed his personal payout was) and claims to be building these free and open source tools for the fun of it after coming out of retirement

by wahnfrieden

1/30/2026 at 12:18:54 AM

100M eh?

by indigodaddy

1/29/2026 at 5:39:34 PM

Most of this hype appears to be coming from grifters who aren't actually connected to the project. So, it's there, but not the fault of the people doing the work.

This has come up in a few recent statements by the project lead, including scammy memecoins and name-sniping. One source:

https://www.theregister.com/2026/01/27/clawdbot_moltbot_secu...

by phren0logy

1/29/2026 at 5:21:47 PM

I mean couldn't this literally have been a OpenCode addon or something standalone or even ollama. Like the hype behind it is really ridiculous and I sort of hate it because I feel like its a grift.

I saw an AI generated (not even local llm but some cloud llm SORA) AI video ad of lobster/clawdbot on r/localllama not by any reddit ad (whcih gets block by ubo) but rather by a human.

I really got pissed by it and there was one comment which was pissed too. I really resonated with that comment. Clawdbot is really dumb, I seriously don't understand the hype.

WE are getting into purely crypto version of somehow AI (like with all of its weird hype mostly). The bubble is near imo.

by Imustaskforhelp

1/30/2026 at 12:28:33 AM

There's so much of it, everything being reinvented as 'X for LLM' when you don't need it, can just use existing X tools perfectly well with LLMs. Even MCP was an example of that.

by OJFord

1/29/2026 at 5:42:03 PM

the only advantage is the claude chrome extension completely sucks and takes forever

by guluarte

1/29/2026 at 5:40:48 PM

sounds similar to bun, it got super hyped until it was acquired

by guluarte

1/29/2026 at 6:07:18 PM

Why would you compare them, bun is a complex tech used by real projects

by f311a

1/29/2026 at 7:03:16 PM

I know, but it was a similar pattern, every tech youtuber/twitter were talking about it until it got acquired

by guluarte

1/29/2026 at 9:26:04 PM

Yeah, Anthropic must love that people are sharing access to their entire online lives with them.

by AlexCoventry

1/29/2026 at 9:56:15 PM

Probably more glad that people are paying subscription fees to do digital assistant stuff... without them having to directly provide the assistant interface. That way they won't be directly blamed for the wave of hacked accounts from people foolish enough to connect this to their email.

by eli

1/29/2026 at 7:12:01 PM

Can someone explain how this thing skyrocketed Cloudflare stock from $183 to $210 in a day? There were a bunch of articles yesterday about that but it’s so weird…

by chatmasta

1/29/2026 at 7:18:31 PM

Pump and dump just like everything else to do with this project. NET trading at 180.60 as I write this with a low of 175.07 on the day.

by wallstbot

1/29/2026 at 8:10:42 PM

But what was even the connection? Was there a blog post or something? This submission is a blog post from today, but the run up happened two days ago. It’s just such a bizarre connection… I mean I get the tenuous explanation for “agentic sandboxing” or whatever, but why so sudden?

by chatmasta

1/30/2026 at 3:40:21 PM

On some levels its insane that billion dollar companies are pouring resources into something and the name was only relevant for like a couple hours before things moved. Fast paced world.

by hansonkd

1/29/2026 at 5:32:39 PM

Agent phishing is going to boom. It is wildly reckless and insecure to you hook these things up to anything you actually care about until prompt injection is no longer a thing.

by jesse_dot_id

1/30/2026 at 9:38:02 AM

"The Internet woke up and started buying Mac Minis"

Cloudflare: Hold my beer, we'll run it in the cloud.

The irony is that the whole point of the "self-hosted" movement was leaving the cloud to own your data and compute. Cloudflare suggests moving it back to the cloud but labeling it Serverless. Technically elegant, but ideologically funny

Though honestly administering Kubernetes at home gets old faster than paying $5 a month

by KurSix

1/31/2026 at 10:47:42 AM

Can‘t help but think that this is slop like the Matrix project.

“Hey Claude, port the latest trendy thing to Cloudflare Workers”

by solarkraft

1/30/2026 at 2:32:28 PM

Is it just me or the meaning of the word "self-host" changed?

by _imnothere

1/29/2026 at 5:29:45 PM

[flagged]

by slopslopslop

1/29/2026 at 6:33:40 PM

Too dismissive.

by browningstreet

1/29/2026 at 6:06:10 PM

we gave sand intelligence and you're calling it a grift

by babelfish

1/29/2026 at 6:27:01 PM

We gave it advanced pattern recognition.

by dabbz

1/30/2026 at 3:26:56 AM

But you repeat what the parent said, Why did you say "we gave it intelligence" again?

by Der_Einzige

1/29/2026 at 6:34:29 PM

microchips are no more sand than you are oxygen/carbon/hydrogen/sugar/citric acid

by dist-epoch