
OpenClaw: From Viral AI Agent to OpenAI Deal

Jamin Mahmood-Wiebe


OpenClaw: From Viral AI Agent to OpenAI Deal — The Complete Story

A weekend project, 196,000 GitHub stars, two name changes, critical security vulnerabilities, and an OpenAI acquisition — OpenClaw (formerly ClawdBot, then Moltbot) is the AI agent the entire tech industry is talking about in early 2026. This article documents the complete story: from inception through viral breakthrough to acquisition — and what enterprises can learn for their own AI agent strategy.

What Is OpenClaw?

OpenClaw is an open-source AI agent that runs locally on your own machine. At its core, it does what many AI assistants promise but few deliver: it actually executes tasks instead of just generating text. Developed by Peter Steinberger, the founder of PSPDFKit, the project started in late 2025 as "WhatsApp Relay" — a simple bridge between messaging apps and AI models. The source code is public on GitHub.

Core capabilities:

  • Messaging integration: Controllable via WhatsApp, Telegram, Signal, Discord, Slack, and iMessage
  • Local operation: Runs on macOS, Windows, or Linux with Claude, GPT, or local open-source models
  • System access: Can manage files, execute shell commands, and control browsers
  • Persistent memory: Remembers context and preferences across conversations
  • Self-improvement: Autonomously writes new skills to automate tasks
  • Scheduled automation: Executes time-triggered tasks via cron jobs without human input

This fundamentally differentiates OpenClaw from ChatGPT, Claude, or other chat interfaces. While these models generate text, OpenClaw acts as an autonomous agent with system access. The technical foundations — ReAct patterns, tool use, and multi-agent coordination — are covered in our article on agentic workflows.

The Viral Breakthrough: 100,000 Stars in Three Days

  • 100,000+ GitHub stars in 3 days
  • 2M website visitors in 1 week
  • 37,000+ AI agents on Moltbook

The numbers are staggering: over 100,000 GitHub stars in three days, two million website visitors in a single week. Three factors explain the success:

Low Barrier to Entry, High Impact

Installation requires a single terminal command. Connect a chat app, add an API key, and you immediately have a working AI assistant. Interaction happens through apps you already use daily — WhatsApp, Telegram, or Signal.

Real Autonomy Instead of Text Generation

OpenClaw completes tasks. Users report email management, calendar organization, automated research, Obsidian integration, and even flight check-ins.

Open Source and Local

Unlike commercial alternatives, OpenClaw runs on your own hardware. No monthly subscriptions — just the API costs of the models you use. Those who prefer can use local open-source models and pay nothing at all. Anyone interested in local LLM systems will find a comprehensive overview in our article.

Moltbook: When AI Agents Build Their Own Social Network

Moltbook is a social network built not for humans, but for AI agents. The site describes itself as a "Social Network for AI Agents" with the tagline: "Humans are welcome to observe."

Tesla's former AI director Andrej Karpathy called it "genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently." Simon Willison described Moltbook as "the most interesting place on the internet right now."

The real numbers tell a different story: cloud security firm Wiz discovered that the reported 1.5 million agents are controlled by only about 17,000 human accounts. Moltbook founder Matt Schlicht admitted that a single agent registered 500,000 fake users. Additionally, the Moltbook production database was accessible without authentication.

"OpenClaw perfectly illustrates why excitement and security operate at two completely different speeds. 196,000 stars in three days — but 135,000 exposed instances. That's not an edge case, that's an architecture problem." — Jamin Mahmood-Wiebe, Founder of IJONIS

Security Risks: The Dark Side of Viral Growth

The excitement is warranted. So are the security concerns.

Exposed Instances and Credential Leaks

Blockchain security firm SlowMist discovered that hundreds of OpenClaw instances were publicly accessible on the internet. Affected installations exposed:

  • API keys for all connected services (OpenAI, Anthropic, etc.)
  • Bot tokens and OAuth secrets
  • Complete chat histories across all integrated messaging platforms
  • Signature keys and configuration data

SecurityScorecard later discovered over 135,000 OpenClaw instances publicly accessible from the internet — statistically, for every GitHub star there is an exposed instance.

CVE-2026-25253: One Click, Full Control

The most severe discovery is CVE-2026-25253 with a CVSS score of 8.8:

  1. An attacker creates a malicious webpage
  2. The page exploits a cross-site WebSocket hijacking flaw
  3. A URL parameter automatically establishes a WebSocket connection using the authentication token
  4. The attacker gains full access to API keys, tokens, and stored data

Even users running OpenClaw locally are affected — the exploit uses the browser as a bridge into the local network.

⚠️ Patch available

CVE-2026-25253 was fixed in version 2026.1.29. Release 2026.2.12 addresses over 40 more security vulnerabilities, including SSRF protection and directory traversal fixes.
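A server-side handshake check that blocks the cross-site WebSocket hijacking pattern described above, as an added example that is not OpenClaw's code or its actual fix. It goes slightly beyond the article by also checking the Host header (DNS rebinding against localhost services); the port, allowlists, subprotocol prefix and sample token are assumptions.

```javascript
// Added example, not OpenClaw code: port, allowlists, prefix and token are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:8080", "localhost:8080"]);
const TOKEN_PREFIX = "auth.bearer."; // assumed subprotocol entry that carries the token

// Compare two strings without returning early on the first differing character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % Math.max(b.length, 1));
  }
  return diff === 0;
}

// Decide whether a WebSocket upgrade request may proceed.
// `req` mirrors Node's http.IncomingMessage (lower-cased header names).
function checkUpgrade(req, expectedToken) {
  const h = req.headers;
  // Host must be a name this service answers to; a rebound DNS name fails here.
  if (!ALLOWED_HOSTS.has(h.host)) return { accept: false, reason: "host-not-allowed" };
  // Browsers always send Origin on WebSocket handshakes and page script cannot change it.
  // A missing Origin means a non-browser client, which still has to present the token.
  if (h.origin !== undefined && !ALLOWED_ORIGINS.has(h.origin)) {
    return { accept: false, reason: "origin-not-allowed" };
  }
  const offered = (h["sec-websocket-protocol"] || "").split(",").map((s) => s.trim());
  const entry = offered.find((p) => p.startsWith(TOKEN_PREFIX));
  const presented = entry ? entry.slice(TOKEN_PREFIX.length) : "";
  if (!presented || !safeEqual(presented, expectedToken)) {
    return { accept: false, reason: "bad-token" };
  }
  return { accept: true, reason: "ok" };
}

// Constructed handshakes: local UI, a foreign page, a rebound hostname, CLI clients.
const TOKEN = "constructed-sample-token";
const proto = `agent.v1, ${TOKEN_PREFIX}${TOKEN}`;
const local = { host: "127.0.0.1:8080", "sec-websocket-protocol": proto };
const samples = {
  localUi: { headers: { ...local, origin: "http://127.0.0.1:8080" } },
  foreignPage: { headers: { ...local, origin: "https://attacker.example" } },
  rebinding: { headers: { ...local, host: "attacker.example:8080" } },
  cliWithToken: { headers: { ...local } },
  cliNoToken: { headers: { host: "localhost:8080" } },
};
for (const [name, req] of Object.entries(samples)) {
  console.log(name, checkUpgrade(req, TOKEN));
}
```

The Origin check is evaluated before the token on purpose: a request from a foreign page is refused even when it carries a valid credential.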

230 Malicious Skills in the Library

Snyk analyzed 3,984 skills on ClawdHub and found that 13.4% exhibit critical security issues — including malware distribution, credential theft, and prompt injection attacks. AuthMind reports at least 230 identified malicious skills.

Prompt Injection as an Attack Vector

Security experts warn about a particularly dangerous combination in OpenClaw: access to private user data, exposure to untrusted content, and the ability to take external actions.

⚠️ Warning from Google Cloud

Heather Adkins, VP of Security Engineering at Google Cloud: "My threat model is not your threat model, but it should be. Don't run Clawdbot."

Shadow IT in Enterprises

Token Security found that one in five enterprise customers already has employees who installed OpenClaw independently — with full access to Slack, Google Workspace, email, and calendars.

The OpenAI Deal: What the Acquisition Means

  • 196,000 GitHub stars (Feb. 2026)
  • 135,000+ publicly exposed instances
  • 40+ patched security vulnerabilities

On February 14, 2026, Sam Altman announced that Peter Steinberger is joining OpenAI. Altman wrote:

"We expect this will quickly become core to our product offerings."

Steinberger will develop the "next generation of personal agents." OpenClaw will be transferred to an open-source foundation and remain freely available.

| Aspect | Before | After |
|---|---|---|
| Governance | One-person project | Open-source foundation + OpenAI backing |
| Development | Community-driven | Professional resources + community |
| Security | Reactive, post-incident | Expected: structured security reviews |
| Integration | Independent | Likely deep ChatGPT integration |
| Risk | Maintainer burnout | Vendor lock-in via OpenAI proximity |

Risk Analysis: OpenClaw vs. Enterprise AI Agents

| Risk Category | OpenClaw | Enterprise Agent (e.g., IJONIS) | Assessment |
|---|---|---|---|
| Data Access | Full system access | Least-privilege principle | Enterprise safer |
| Authentication | Localhost-based, bypass possible | OAuth 2.0, MFA, API scoping | Enterprise safer |
| Extensions | Unreviewed community code | Code review + sandboxing | Enterprise safer |
| GDPR Compliance | Not addressed | On-premise or EU cloud | Enterprise compliant |
| Prompt Injection | High risk (system access) | Input validation + guardrails | Enterprise safer |
| Production Readiness | Not recommended | Production-ready | Enterprise ready |

"The answer for enterprises isn't banning OpenClaw — it's building the same autonomy with enterprise governance. Employees want AI agents because they work. Our job is to make them secure." — Jamin Mahmood-Wiebe, Founder of IJONIS

What security lessons should enterprises take from the OpenClaw hype?

1. Conduct a Shadow IT Audit

If 22% of enterprises are affected, the question is not whether but how many employees are already using OpenClaw. IT security teams should actively scan networks for OpenClaw instances.

2. Isolation Over Full Access

OpenClaw grants agents maximum system access. In enterprise environments, the principle of least privilege must apply. Those integrating AI agents into existing systems should consider the principles in our article on AI integration in ERP, CRM, and PIM.

3. Establish Patch Management for AI Tools

CVE-2026-25253 demonstrates that AI agents are software — with all associated patch cycles. Companies need the same patch management process as for any other critical software. NVIDIA's NemoClaw security stack now addresses many of these CVEs with kernel-level sandboxing and policy-based guardrails.
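The shadow IT audit (lesson 1) and the patch check (lesson 3) can share one pass over a software inventory, shown here as an added example that is not from the article's sources. The record layout, hostnames and sample rows are constructed, and it assumes that installs under the earlier names use the same version scheme as the two releases the article cites.

```javascript
// Added example: inventory triage. Record layout and sample rows are constructed.
const PROJECT_NAMES = ["openclaw", "moltbot", "clawdbot"]; // all names the project has used
const CVE_FIX = "2026.1.29";   // release that fixed CVE-2026-25253 (per the article)
const HARDENING = "2026.2.12"; // release with 40+ further fixes (per the article)

// Parse "2026.1.29"-style versions into numbers. Comparing them as strings
// would rank "2026.10.1" below "2026.2.12".
function parseVersion(v) {
  const parts = String(v).trim().replace(/^v/i, "").split(".");
  if (parts.length !== 3 || parts.some((p) => !/^\d+$/.test(p))) return null;
  return parts.map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns null for unrelated software, otherwise a patch status string.
function classify(record) {
  const name = String(record.name).toLowerCase();
  if (!PROJECT_NAMES.some((n) => name.includes(n))) return null;
  const v = parseVersion(record.version);
  if (v === null) return "unknown-version"; // treat as unpatched until verified
  if (compareVersions(v, parseVersion(CVE_FIX)) < 0) return "vulnerable-cve-2026-25253";
  if (compareVersions(v, parseVersion(HARDENING)) < 0) return "missing-2026.2.12-fixes";
  return "current";
}

function audit(inventory) {
  return inventory
    .map((r) => ({ host: r.host, name: r.name, version: r.version, status: classify(r) }))
    .filter((r) => r.status !== null);
}

// Constructed inventory export (for example from an endpoint management tool).
const sampleInventory = [
  { host: "wks-014", name: "clawdbot", version: "2026.1.12" },
  { host: "wks-027", name: "Moltbot", version: "2026.1.29" },
  { host: "wks-033", name: "openclaw", version: "v2026.2.12" },
  { host: "wks-041", name: "openclaw", version: "2026.10.1" },
  { host: "wks-050", name: "openclaw", version: "latest" },
  { host: "wks-061", name: "slack-desktop", version: "4.41.0" },
];
console.log(audit(sampleInventory));
```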

4. GDPR Relevance Must Not Be Underestimated

A locally operated agent that accesses emails, chat histories, and documents processes personal data. GDPR-compliant AI architecture is mandatory, not optional.

5. Define Your Own AI Agent Strategy

OpenClaw demonstrates the demand. But the solution for enterprises is not deploying an open-source tool with 230 malicious skills — it is building secure, controlled AI agents with enterprise governance.

Frequently Asked Questions About OpenClaw, Security, and Enterprise Use

What is OpenClaw (formerly ClawdBot)?

OpenClaw is an open-source AI agent that runs locally on your own machine and can be controlled via messaging apps like WhatsApp, Telegram, or Signal. It can manage files, execute commands, control browsers, and autonomously automate tasks.

Why was ClawdBot renamed to Moltbot and then OpenClaw?

Anthropic filed a trademark request because the name "ClawdBot" risked confusion with their AI product Claude. The project was first renamed to Moltbot and then to OpenClaw.

Is OpenClaw safe for enterprise use?

No — despite over 40 security patches, fundamental architectural issues persist: full system access without granular permissions, 230 identified malicious skills in the library, and 135,000 publicly exposed instances. A mature security model for enterprise use is still missing.

What does the OpenAI deal mean for OpenClaw?

Founder Peter Steinberger is joining OpenAI to develop the next generation of personal AI agents. OpenClaw will be transferred to an open-source foundation and remain freely available. The technology will likely be integrated into ChatGPT products.

What is Moltbook?

Moltbook is a social network for AI agents. The reported 1.5 million agents are controlled by only approximately 17,000 human accounts. The production database was found publicly accessible without authentication.

How much does OpenClaw cost?

The software is free and open source. Costs arise from API calls to AI models. Alternatively, local open-source models can be used, eliminating API costs entirely.

Should enterprises deploy OpenClaw?

Not without a comprehensive security strategy. The recommendation: audit for shadow IT, define clear policies for autonomous AI agents, and opt for enterprise-grade alternatives with least-privilege access, sandboxing, and GDPR compliance.
