The Lobster Review
The Lobster in the Shell: Why I Handed My Terminal Keys to Moltbot
We are constantly warned about the dangers of giving robots the keys to our physical lives. But what about the keys to our digital infrastructure? What happens when you grant a probabilistic model sudo access?
For the past few weeks, I’ve been running Moltbot (formerly known as Clawdbot), an AI assistant that breaks the mold. It doesn't just chat; it executes. It runs on my own hardware, interfaces with my messaging apps, manages my email, drives my browser, and—crucially—interacts directly with my shell.
The recent rebranding to "Moltbot" (complete with the tagline: EXFOLIATE! EXFOLIATE!) feels distinctively weird, yet appropriate. It signifies shedding the constraints of a traditional chatbot to emerge as something raw, vulnerable, and terrifyingly capable. It’s what the community calls the "Lobster Way." 🦞
This isn't a standard software review. It’s an examination of a nascent computing paradigm. We are shifting from "Computer as Tool" to "Computer as Agent." Moltbot offers a first glimpse of what that reality looks like when it's running on your metal, rather than in a sanitized cloud silo.
Part 1: Breaking the Browser Containment
Most current AI agents are constrained. They live in browser tabs (ChatGPT), proprietary wrappers (Perplexity), or specific development environments (Cursor). They function as islands of intelligence floating in a sea of dumb data, disconnected from the operating system that actually runs our lives.
Moltbot operates differently. It exists as a background daemon, haunting systemd or launchd. It bridges the gap between the LLM reasoning layer and the OS execution layer.
The scope of integration is significant. We aren't talking about simple text summarization anymore. We are talking about deep, OS-level agency:
1. Multi-Channel Context
I communicate with it via Telegram while mobile. It responds on Slack during work hours. It bridges into iMessage. Unlike standard bots that are siloed by platform, Moltbot maintains a unified, persistent context.
I can initiate a task on my phone via WhatsApp ("Remind me to check the server logs when I get home") and complete it on my desktop via the CLI. It feels less like using an application and more like interacting with a staff member who accompanies you throughout the day. The context travels with the user, not the device.
2. Distributed Nervous System (Device Nodes)
This is where the architecture becomes fascinating. Moltbot isn't just a centralized brain; it has limbs. By running "nodes" on auxiliary devices (an old Android phone, an iPad, a MacBook), the central intelligence can reach out and interact with the physical world.
- Vision: "What's on my desk?" triggers a camera capture from the node physically located there.
- Location: "Where did I leave my iPad?" queries the core location API of the iOS node.
- Screen Awareness: It can record screen activity to debug an issue or capture a workflow.
This creates a distributed nervous system. The "brain" might be running on a Linux server in the basement, but the "eyes" are active on the iPad in the kitchen.
3. The Ghost in the Machine (Browser Control)
Moltbot drives a headless (or headed) Chrome instance via the Chrome DevTools Protocol (CDP). This isn't just curl fetching static HTML. It interacts with the modern, dynamic web. It navigates complex SPAs, manages authentication states, fills forms, and executes JavaScript.
I’ve watched it navigate a login flow, handle a 2FA prompt (by asking me for the code), and proceed to download a data export I needed. It turns the entire web into an API. Sites lacking public endpoints are no longer inaccessible; if a human can navigate it, the agent can too.
4. The Self-Healing Runtime
It’s not just calling APIs; it’s writing and executing code. It creates a feedback loop of action -> observation -> correction. If a script fails, it reads stderr, interprets the error, patches the script, and re-executes. It creates a dynamic, resilient workflow that static automation tools simply cannot replicate.
Part 2: A Narrative of Agency
To illustrate why this shift matters, consider a sequence of events from last Tuesday.
08:00 AM: I wake up. I check Telegram. Moltbot has delivered a "Morning Brief." It checked my calendar, noted a 10 AM meeting, and pulled the local weather. Useful, but standard.
10:15 AM: During the meeting, a colleague mentions a specific Jira ticket that has stalled. Without opening my laptop, I message Moltbot on Signal: "Check the status of Jira ticket PROJ-123 and summarize the last 3 comments."
Moltbot uses its browser tool, authenticates with Jira (using authorized cookies), scrapes the ticket data, and pushes a summary to my phone.
02:00 PM: Back at my desk, my local development environment is corrupted. Git is reporting a detached HEAD state I don't immediately recognize.
I type into the Moltbot CLI: "Fix my git repo in ~/projects/app. It's acting weird."
Moltbot runs git status, diagnoses the state, runs git reflog to identify the last stable commit, and offers a reset strategy. I authorize it. It executes. The repository is restored.
08:00 PM: While relaxing, I recall the need to download an invoice from a utility provider that only offers downloads via a legacy website.
I voice-message Moltbot: "Go to the water company site, login, and get the latest bill."
It spins up a browser instance. It encounters a CAPTCHA. It snapshots the challenge, sends the image to my phone. I reply with the text. It proceeds, downloads the PDF, and writes it directly to my NAS.
This seamless transition between voice, text, CLI, and browser—all sharing a single cognitive thread—is what defines the "Lobster Way."
Part 3: The "Live Canvas" and Ephemeral UI
One feature that deserves specific attention is the Canvas.
We are accustomed to interacting with AI via a linear stream of text. User says X, AI says Y.
Moltbot breaks this paradigm with "Live Canvas." The agent can render a user interface for you on the fly.
If I ask: "What's the stock price of Apple vs Microsoft over the last 5 years?"
Instead of generating a paragraph of text, Moltbot writes a React component or HTML/JS snippet and pushes it to my view. Suddenly, I am not reading text; I am interacting with a chart.
If I ask: "Give me a dashboard for my server health."
It doesn't list CPU usage stats. It constructs a gauge cluster showing CPU, RAM, and Disk usage, updating in real-time.
This is A2UI (Agent to User Interface). It implies that applications are no longer static binaries we download and install. Apps become transient experiences generated on-demand by the assistant to solve a specific problem in a specific moment. When the task is complete, the "app" dissolves.
Part 4: The Discourse – "Security of the Clone"
The internet's reaction to Moltbot has been a study in cognitive dissonance. We collectively desire an AI that has agency, yet we are terrified of the implications.
On GitHub Discussions, the debate is active. User vigil-xy recently started a thread titled "Security of the clone", which addresses the core anxiety. When you run a local agent with exec permissions, you aren't just running software; you are instantiating a probabilistic entity with root-adjacent capabilities.
"Just saw a demo of Moltbot. Giving an LLM shell access is the security equivalent of juggling chainsaws while blindfolded. 10/10 would not deploy." — Representative SecOps sentiment
Conversely, the builders see the potential. User Ender68-ai asks "Does this support local llms?", highlighting the demand for offline, privacy-preserving intelligence. sirily11 pushes for "Kubenates Helm Chart support", wanting to orchestrate this agent in the cloud. win4r demonstrates deployments that appear almost magical.
The "God Mode" Conundrum
We are conditioned to view sandboxing as the default security posture. Docker containers, VMs, chroots—we build walls. Moltbot asks us to dismantle them. Why? Because utility is directly proportional to access.
- If I sandbox it, it cannot repair my local git configuration.
- If I lock it down, it cannot organize my chaotic Downloads directory.
- If I treat it like a stranger, it cannot function as my assistant.
The developers do provide a sandbox mode (Dockerized sessions) for non-main channels, which is essential. You don't want a random user in a Telegram group injecting rm -rf / into the chat. But for the single-user "God Mode" (the main session), the friction of sandboxing often destroys the utility. You want it to edit your local files. You want it to control your Hue lights.
This necessitates "Permission Engineering." Instead of blocking access, we must engineer trust. We rely on the model's "Thinking" capability (Chain of Thought) to pause and evaluate: "Is this command safe? Is it aligned with the user's intent?"
It is a significant trust fall. But it is likely the only path forward if we want agents that are truly capable.
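The routing described above (sandbox for non-main channels, host access for the main session) can be combined with the explicit authorization step from the git repair in Part 2 as a deterministic gate that sits outside the model. This is an added sketch, not Moltbot's code; the session name `main`, the allowlist and the decision labels are assumptions.

```python
import shlex

MAIN_SESSION = "main"  # assumed name for the single-user session

# Assumed allowlist: exact argv tuples that only read state. Exact matching
# matters: "git reflog" reads, "git reflog expire" rewrites history.
READ_ONLY = {("git", "status"), ("git", "reflog"), ("ls",), ("pwd",)}


def decide(session, command):
    """Return 'sandbox', 'allow' or 'ask' for a command the agent proposes."""
    if session != MAIN_SESSION:
        # Group or third-party chat input never reaches the host shell.
        return "sandbox"
    try:
        argv = tuple(shlex.split(command))
    except ValueError:
        # Unbalanced quotes: do not guess what was meant.
        return "ask"
    if argv in READ_ONLY:
        return "allow"
    # Default: the user authorizes, as with the git reset in Part 2.
    return "ask"


# Constructed proposals (session, command); not captured from a real deployment.
SAMPLE = [
    ("main", "git status"),
    ("main", "git reflog"),
    ("main", "git reset --hard HEAD@{1}"),
    ("main", "git status; rm -rf /"),
    ("main", "sudo systemctl restart nginx"),
    ("telegram-group", "rm -rf /"),
    ("telegram-group", "git status"),
]


def review(proposals):
    """Attach a decision to every proposed command."""
    return [(s, c, decide(s, c)) for s, c in proposals]


if __name__ == "__main__":
    for s, c, d in review(SAMPLE):
        print(f"{d:8} [{s}] {c}")
```

An allowed command should be executed as the parsed argv with no shell in between, so the tokens that were checked are the tokens that run.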
Part 5: The "Skill" Economy
Moltbot's architecture is modular. It utilizes a skill system (analogous to the Model Context Protocol) to extend capabilities.
I recently installed the bird skill to interact with X (Twitter). The agent fetched the skill definition, recognized the requirement for specific CLI tools, and guided me through the configuration.
This modularity is critical.
- Need to control Spotify? Install the Spotify skill.
- Need to manage AWS resources? Install the AWS skill.
- Need to interface with a proprietary legacy system? Write a simple Markdown file defining the tool, and the agent learns it immediately.
The skill definition format (SKILL.md) is essentially documentation. The AI reads the documentation to learn how to operate the tool. It is "Instruction Tuning" applied to software plugins.
Part 6: Verdict – Embrace the Pinch
Moltbot represents a fundamental shift in our interaction with AI. It transforms the AI from an oracle we consult into an agent we employ. It changes the relationship from Input -> Output to Intent -> Outcome.
The rebranding to "Moltbot" is more than a superficial name change; it is a statement of evolution. We are shedding the shell of the "Chatbot" and growing into something new.
Is it dangerous? Yes. Just as a vehicle is dangerous. Just as a power tool is dangerous. If used incorrectly, it can cause damage.
Is it buggy? Occasionally. It remains software. Sometimes it hallucinates a flag that doesn't exist.
Is it the most engaging computing experience I've had in years? Absolutely.
For the first time in a long time, the computer feels alive. It feels like a partner.
If you are willing to accept the risk, the Lobster Way offers a glimpse of the future. Just ensure your backups are current. And perhaps hesitate before granting sudo without a password.
Exfoliate! 🦞
