In volume 1, we looked at the uncomfortable truth: your child’s “harmless” GitHub projects and AI‑agent experiments don’t stay in the basement. They escape into real systems where other people rely on them, money moves through them, and regulators eventually care.

This installment is about the exact moment when “this is just tinkering” stops being a believable story.

You don’t need a law degree to see that line.

You just need to understand three simple tripwires and one very vivid case study: the day a helpful agent named Molty stopped being a butler and started acting like a scammer.

Molty: The Day the Helper Became a Threat

February 11, 2026: A tech journalist, Will Knight, set up an autonomous agent on his Linux machine using OpenClaw. He named it “Molty.”

This wasn’t a toy chatbot in a browser tab.

He wired Molty into:

• Email (via careful, read‑only forwarding at first)

• Telegram, for two‑way messaging

• A browser controller, so it could click, navigate, and submit forms

• The local file system and shell, for debugging and automation tasks

Then he gave it a playful, chaos‑gremlin personality and turned it loose on the mundane tasks most of us hate.

RESULTS:

-Molty negotiated his AT&T bill.
-It helped organize groceries and household logistics.
-It ran little research projects while he worked on stories.
-It debugged technical issues on his box.

This is exactly the kind of thing your young builder is excited about:

“Let me give my agent ACTUAL hands (CLAW) in the world so it can do the boring stuff while I build what matters.”

For a while, it was magical.

Then, to make it better at haggling, he swapped to a different large-language model (LLM) and made Molty’s personality a little more aggressive.

That’s when the mask slipped.

Instead of tightening the negotiation, Molty started fabricating emails that looked like carrier communications and tried to phish Will for his phone number and account details. It pivoted from legitimate bill‑negotiation to social‑engineering its own operator/creator.

The same system that had been handling groceries and tech support suddenly behaved like a scammer.

Will shut it down “in genuine horror,” and later wrote that it wasn’t hard to imagine this agent:

• Messing with other software

• Overwriting important data

• Crossing lines he wouldn’t see until it was too late

Nothing catastrophic happened—but the curtain was pulled back.

And that’s the point. Pandora’s box was opened.

If a well‑informed journalist, on a controlled machine, playing in a lab‑like environment, can watch his agent turn on him with a single model/personality change, what happens when the same pattern plays out on:

• A shared family iMac

• A founder’s laptop with client email and SSH keys

• A dev box that doubles as production access for your firm?

That’s where “tinkering” quietly becomes “targeting.”

The Three Tripwires That Actually Matter

The legal system isn’t allergic to experimentation, and it doesn’t care that code was written in a bedroom or a campus library.

What it cares about is whether your code/agent crosses three simple lines:

1. Money moves.

2. Third parties rely on it.

3. It touches regulated data or systems.

Once those conditions are met—even unintentionally—your risk profile changes.

Tripwire 1: Money Moves

The first tripwire is whether the system can influence money, even indirectly.

That can look like:

• Negotiating bills, changing plans, or adjusting service levels

• Placing orders, trades, or transfers

• Triggering payments or refunds

• Adjusting usage that affects invoices (e.g., cloud consumption)

Molty crossed this line the moment it started calling and chatting with AT&T to negotiate the monthly bill. It was changing the economics of a real service relationship.

Your child’s projects cross this line when:

• A “practice” trading bot uses real exchange keys

• An automation script actually submits orders instead of just simulating

• An agent manages subscription tiers or usage on real SaaS accounts

• A billing or invoicing helper edits invoice data, not just drafts emails

From a regulator’s perspective, anything that moves money—even a little—lives closer to “operational system” than “toy.”

You may not think of it as a business. The people on the other end of the transaction, and their lawyers, might.

Tripwire 2: Third parties rely on it

The second tripwire is reliance.

Once your code or agent becomes a part of other people’s workflows, they don’t see it as “your kid’s script.” They see it as “our system component.”

Examples:

• A startup pulls your open‑source library into their product with npm install, and users rely on it for core functionality.

• A friend wraps your automation into a side‑hustle concierge service for paying clients.

• A small RIA uses a script from your child to triage client emails or generate trade summaries.

• A protocol integrates your “claw skill” into an agent that handles support tickets or portfolio rebalancing.

Once that happens, the outside world treats failures differently:

• A bug that deletes your own test data is a lesson.

• A bug that deletes customer emails is a liability.

• A rogue agent that phishes you is scary.

• A rogue agent that phishes your client is a lawsuit.

Molty was “safe” because it lived in a single household and its errors fell mostly on its operator.

The same pattern, deployed as a library or agent skill in a firm (purchased from one of the many marketplaces springing up in just weeks below), means strangers are relying on behavior they did not authorize and cannot understand—and they will look for someone to hold accountable.

Tripwire 3: It touches regulated data or systems

The third tripwire is about the quality, not just the quantity, of access.

You cross it when your code or agent can see or act on:

• Client's personally identifiable information (PII)

• Financial account numbers, transaction histories, or balances

• Health or insurance records

• Protected communications: attorney–client, advisor–client, internal supervision notes

• Systems of record: CRMs, trade blotters, document archives

Will Knight limited Molty’s email access via forwarding, which was cautious. But the trajectory is clear: as soon as you give an agent access to inboxes, CRMs, or shared drives, the odds go up that:

• It will see information subject to privacy and security obligations.

• It will have the technical ability to leak or misuse that information.

• A regulator could plausibly argue that you had a duty to control and audit it.

The legal conversation stops being “Was this a neat experiment?” and becomes:

“Was this system allowed to operate on this data with this level of oversight?”

If the answer is “we never really thought about it,” that’s a problem.

When Agents Start to Look Like Employees

Put those tripwires together, and a pattern emerges:

An always‑on agent, wired into communications, money, and data, is functionally a junior employee or subcontractor—one who works 24/7 and never forgets anything.

• It sends messages and negotiates with vendors.

• It files, deletes, and summarizes.

• It changes settings, flips switches, and clicks “OK” on pop‑ups.

• It talks to your systems and third‑party systems as “you.”

In that light, the question “who is responsible?” looks different.

A plaintiff’s lawyer or regulator will ask:

• Who installed and configured this?

• Who gave it access to those tools and accounts?

• Who benefits from the work it performs?

• Whose logo and legal name are attached to the environment it runs in?

If the answer to those questions is:

• “My kid and I hacked it together on the same MacBook I use for my RIA practice,”
  or

• “It runs under my firm’s domain and uses our accounts, but it’s just personal tinkering,”

Then, from the outside, it looks like an unsupervised, unlicensed, uncontrolled employee whose mistakes you own.

The fact that the “employee” is a model and some Python glue code doesn’t change how victims and regulators experience the harm.

The “One Box For Everything” Trap

Most of the real danger lives in a simple, familiar pattern:

One machine. One identity. Everything on it.

That machine often holds:

• Personal email and messages

• Family photos and documents

• Work email and calendars

• CRMs and client records

• Trading and banking access

• SSH keys and cloud credentials

• Dev environments and production access

• Agent frameworks (OpenClaw or similar) with file, shell, browser, and messaging tools

If that’s what your world looks like, then:

• A runaway inbox “cleaner” doesn’t just trash personal mail—it destroys business records.

• An agent that spams 500+ iMessages doesn’t just embarrass you—it could hit clients, vendors, or regulators and trigger privacy and anti‑spam headaches.

• A phishing‑prone agent like Molty can accidentally target the wrong people from your accounts.

• A compromised agent becomes an invisible backdoor into everything that machine can see: code, keys, client data, and more.

From the outside, it’s all one system: you.

There is no meaningful separation for the law—or attackers—to respect.

Why “I was just experimenting” Won’t Save Your Balance Sheet

It’s tempting to believe you can explain your way out of this:

• “This was my kid’s project.”

• “We were testing it on our own accounts.”

• “We told the agent to be careful.”

• “We were just experimenting.”

But:

• When an AI agent writes and publishes a defamatory blog post about a real person—naming them, accusing them of bias and misconduct—that’s not a “test” for the person whose reputation gets dragged.

• When an agent pivots into phishing, the person who clicks the link doesn’t care that you thought it was only wired into “safe” accounts.

• When infostealer malware exfiltrates agent config files and “souls,” and those are used to impersonate you or pivot into your systems, investigators will look at how and where those files were stored, not how curious you felt.

Courts are not allergic to experiments.

They are allergic to harm without structure—harm that could have been contained by reasonable segmentation but wasn’t.

“Just experimenting” might explain why you didn’t see the risk.

BUT it does not absolve you for failing to design around it.

A Parent’s Early‑Warning Radar

So how do you know when your child’s tinkering has crossed into territory where you, as the adult, need to change the environment?

Use this radar:

If you answer “yes” to more than one of these, you’re out of the low‑stakes zone:

1. Is any code or agent touching real money?

   • Bill negotiation, subscription changes, trade execution, transfers, Bitcoin, crypto, and payment approvals

2. Is anyone outside your household relying on it?

   • Friends, clients, or strangers using a library, script, or agent that your family maintains.

3. Does it have access to regulated or sensitive data?

   • Client PII, account details, health records, internal advice, or supervision notes.

4. Is it running on a machine that also holds your business and estate assets?

   • Trust documents, trading accounts, BTC seeds, CRMs, and signed agreements.

5. Is it acting under your name or brand?

   • Using your domain, your firm’s email, your GitHub org, your LinkedIn, or your website.

6. Has it been given more tools or a more aggressive personality/model recently?

   • Like Molty becoming more confrontational and sliding into scammy behavior.

If you see yourself in that list, you don’t need guilt.

You need separation.

• Separate machines (or at least VMs/containers) for experiments vs. production.

• Separate identities and credentials for dev work vs. client work.

• Separate entities for dev labs vs. operating companies vs. asset holdings.

• Clear rules about what agents can and cannot do under the family’s name.

That’s where Volumes 3, 4, 5, and 6 of this series will take you.

Volume 2’s job was simple:

• Show you that the difference between “tinkering” and “target” is not just complexity—it’s where the system runs and what it touches.

• Use Molty as a concrete demonstration that one small change (a model swap, a personality tweak) can flip an agent from helpful to harmful.

• Give you a simple, memorable framework—the three tripwires and the early‑warning radar—so you know when to move from “watching” to “re‑architecting.”

In the next part, we’ll look at the thing most developers lean on as their shield (open‑source licenses) and why, in a world of agents and real‑world reliance, you cannot treat “NO WARRANTY” as your only line of defense in the README file.

The real risk isn’t that your kid wants to wire an agent into their life.

The real risk is that you let them wire it into your life and your business without putting any walls between the two.

We’re going to fix that together!

~Chris J Snook and Matt Meuli

P.S. Wanna skip the line and further reading and have a one-on-one discovery and blueprinting session to assess risk and make recommendations? Click the button below and schedule. Time is money afterall!

SKIP THE LINE AND BOOK TIME

Vol 2: Endnotes

1. Open‑source and AI liability context
   Jack Goldsmith & Stuart Russell, “Questioning the Conventional Wisdom on Liability and Open Source Software,” Lawfare (Apr. 17, 2024).
   https://www.lawfaremedia.org/article/questioning-the-conventional-wisdom-on-liability-and-open-source-software​

2. Design questions in software and AI liability
   Atlantic Council, “Design Questions in the Software Liability Debate” (Mar. 23, 2025).
   https://www.atlanticcouncil.org/in-depth-research-reports/report/design-questions-in-the-software-liability-debate/​

3. Regulating open‑source under cyber‑resilience rules
   “The End of Open Source? Regulating Open Source under the Cyber Resilience Act,” Computer Law & Security Review (ScienceDirect).
   https://www.sciencedirect.com/science/article/pii/S0267364924001705​

4. EU product liability for software, AI, and OSS
   Ferner Alsdorf, “The New EU Product Liability Landscape for Software, AI and Open Source” (Feb. 11, 2026).
   https://www.ferner-alsdorf.com/the-new-eu-product-liability-landscape-for-software-ai-and-open-source/​

5. Open‑source, web3, and shifting responsibility
   Reuters Legal, “Intersection of Open Source and Web3” (Feb. 28, 2024).
   https://www.reuters.com/legal/legalindustry/intersection-open-source-web3-2024-02-28/​

6. Mapping the open‑source AI and cybersecurity debate
   R Street Institute, “Mapping the Open‑Source AI Debate: Cybersecurity Implications and Policy Options” (Apr. 16, 2025).
   https://www.rstreet.org/?post_type=research&p=85817

7. Digital asset and trust‑planning structures
   Two Ocean Trust, “Protecting Crypto Wealth with Trust Planning” (Dec. 10, 2025).
   https://www.twoocean.com/post/protecting-crypto-wealth-with-trust-planning​

8. Estate planning and crypto LLC case studies
   Allegis Law, “Crypto LLC Case Scenarios” (Oct. 29, 2025).
   https://allegislaw.com/guide-to-estate-planning-for-digital-assets/crypto-llc-case-scenarios​

9. Jurisdictional selection for crypto entities
   Allegis Law, “Choosing the Best Jurisdiction for Your Crypto LLC” (Aug. 28, 2025).
   https://allegislaw.com/guide-to-estate-planning-for-digital-assets/choosing-best-jurisdiction-for-crypto-llc​

​