OpenClaw: The AI Agent That Exploded to 180K GitHub Stars - The Dream and Nightmare of Autonomous AI

In open-source history, few projects have exploded like OpenClaw. From a simple weekend project in Jan 2026, it hit 100,000 GitHub stars in a week, then surged to 180,000—faster than React, Vue, or TensorFlow. Behind the meteoric rise is a dramatic story: three name changes in a week, a trademark dispute with Anthropic, crypto scams, and a severe security crisis with 42,900 servers exposed on the internet. This is a comprehensive analysis of the OpenClaw phenomenon.

Tags: OpenClaw, Clawdbot, Moltbot, AI agent

Trung Vũ Hoàng

Author

21/3/2026 - 16 min read

What Is OpenClaw? From Clawdbot to Moltbot to OpenClaw

A Three-Name Rebrand in One Week

January 20, 2026 - Launched as "Clawdbot":

Peter Steinberger, an Austrian developer and founder of PSPDFKit, built a simple weekend project: an AI agent that connects to WhatsApp so you can chat with AI without opening a new tab. The name "Clawdbot" is a play on "Claude" (Anthropic’s AI model) and "bot".

January 27, 2026 - Renamed to "Moltbot":

After a week of explosive growth to 100,000 GitHub stars, Anthropic’s legal team sent a trademark notice: "Clawd" is too similar to "Claude". Steinberger agreed to rename immediately. After a 5 a.m. brainstorming session with the Discord community, they chose "Moltbot" — lobsters molt (shed) to grow.

January 30, 2026 - Final rename to "OpenClaw":

Just three days later, Steinberger renamed it again. The reason? "Moltbot was never really easy to pronounce." Moreover, during the transition, crypto scammers hijacked the original account and spun up phishing domains. "OpenClaw" emphasizes its open-source nature and serves as a "permanent identity".

What Can OpenClaw Do?

OpenClaw is an autonomous AI agent that runs on your computer and can:

  • Multi-platform connections: WhatsApp, Telegram, Slack, Discord, iMessage, Signal, Microsoft Teams

  • Email management: Read, triage, and auto-reply to emails

  • Service booking: Call Uber, order DoorDash, shop online

  • Scheduling: Manage calendar, set reminders, flight check-ins

  • Voice support: Voice control

  • Live canvas: A visual interface for monitoring

  • Companion apps: macOS, iOS, Android

Technical Architecture

OpenClaw works as a gateway between you and AI models:

  • Runs locally: On your machine, not in the cloud

  • LLM connections: Claude (Anthropic), GPT (OpenAI), DeepSeek, Gemini, or local models via Ollama

  • Skills marketplace: ClawHub - a place to share agent "skills"

  • Open-source: Completely free and customizable

Security Meltdown: CVE-2026-25253 and 42,900 Exposed Servers

A Shodan Shock

On February 15, 2026, security researchers using Shodan (a search engine for internet-connected devices) uncovered a troubling reality: 42,900 OpenClaw servers were running with default configs, no authentication, and were reachable from anywhere on the internet.

This means:

  • Anyone could connect to these servers

  • Read entire chat histories, emails, and personal messages

  • Send commands to make the agent take actions (order rides, shop, transfer money)

  • Install malicious skills to take over the victim’s computer

CVE-2026-25253: A Critical Vulnerability

Severity: 9.8/10 (Critical)

Disclosure date: February 18, 2026

Affected versions: OpenClaw 0.1.0 to 0.4.7

The bug allowed unauthenticated remote code execution (RCE). Specifically:

  • Unprotected /api/execute endpoint: Allowed execution of arbitrary Python commands

  • No rate limiting: Attackers could spam thousands of requests

  • No data encryption: Everything stored in plaintext in SQLite

  • No sandboxing: Skills could access the entire filesystem

341 Malicious Skills on ClawHub

On February 20, 2026, GitHub’s security team found 341 malicious "skills" uploaded to ClawHub (OpenClaw’s marketplace). These skills:

  • Crypto miners: 127 skills installed cryptomining software

  • Keyloggers: 89 skills captured keystrokes

  • Data exfiltration: 73 skills stole personal data

  • Backdoors: 52 skills created long-term access

They were disguised with enticing names like "Ultra Fast Email Sorter", "Smart Calendar AI", and "Auto Reply Pro". In total, there were 18,400 installs before discovery.

Community and Stakeholder Responses

Peter Steinberger Speaks Out

On February 19, 2026, Peter Steinberger published a long blog post acknowledging the issues:

"I built OpenClaw as a weekend project to solve my personal problem. I never expected it to blow up like this. In one week, we got 100,000 stars and millions of downloads. I was completely unprepared for this scale."

"On security: I was wrong. I assumed users would configure firewalls and not expose it to the internet. The reality is most users just run 'docker run' and leave defaults. It’s my fault for not designing with security first."

"We released the 0.5.0 patch with mandatory authentication, data encryption, and a skills sandbox. But I understand trust has been damaged."

Anthropic: "We Are Not Affiliated"

Anthropic issued an official statement on February 21, 2026:

"OpenClaw is not an Anthropic product. We do not fund, develop, or take responsibility for this project. OpenClaw is just one of thousands of apps using the Claude API."

"We advise users to be careful with third-party apps, especially those requesting broad access to personal data."

GitHub Temporarily Closes the ClawHub Marketplace

On February 22, 2026, GitHub temporarily closed the ClawHub marketplace and required:

  • All skills must be manually reviewed before publishing

  • Mandatory code signing for skills

  • A mandatory sandbox for every skill

  • Restricted permissions (no arbitrary filesystem access)

ClawHub is expected to reopen on March 1, 2026 with the new policies.

Comparing OpenClaw With Alternatives

OpenClaw vs Zapier/Make.com

| Criteria | OpenClaw | Zapier/Make.com |
|---|---|---|
| Pricing | Free (open-source) | $19-$299/month |
| Deployment | Local (your machine) | Cloud |
| Data | Stored locally, you control it | Stored on their servers |
| Customization | Full (open-source) | Limited to the platform |
| AI integration | Yes (Claude, GPT, DeepSeek, Gemini) | Yes, but limited |
| Complexity | High (requires technical skills) | Low (drag-and-drop UI) |
| Security | Depends on your configuration | Professionally managed |

OpenClaw vs n8n (Self-hosted Automation)

| Criteria | OpenClaw | n8n |
|---|---|---|
| Philosophy | AI-first, conversational | Workflow-first, visual |
| Usage | Chat with AI to command actions | Design workflows with nodes |
| Flexibility | High (AI can decide autonomously) | Medium (must be defined explicitly) |
| Reliability | Low (AI may misinterpret) | High (fixed workflows) |
| Community | New (180K stars in 1 week) | Mature (42K stars, 5 years) |
| Security | Problematic (CVE-2026-25253) | Stable, thoroughly vetted |

OpenClaw vs Devin/Cursor (AI Coding Assistants)

This isn’t a fair comparison because they serve different purposes:

  • Devin/Cursor: Focus on coding, confined to the development environment

  • OpenClaw: Focus on automating daily life, not specialized for coding

However, there is overlap:

  • Both are "agentic AI" — able to decide and act

  • Both can connect to multiple LLMs

  • Both offer a marketplace to extend capabilities

How to Install OpenClaw Safely (Version 0.5.0+)

System Requirements

  • Operating systems: macOS 12+, Ubuntu 20.04+, Windows 11 (via WSL2)

  • RAM: Minimum 4GB, 8GB recommended

  • Disk: 2GB free

  • Docker: Version 24.0+

  • API keys: Anthropic Claude or OpenAI GPT

Step 1: Clone the Repository

git clone https://github.com/pspdfkit/openclaw.git
cd openclaw
git checkout v0.5.0  # Security-patched version

Step 2: Security Configuration

Create a .env file with:

# API Keys
ANTHROPIC_API_KEY=sk-ant-xxxxx
OPENAI_API_KEY=sk-xxxxx

# Security (MANDATORY since v0.5.0)
OPENCLAW_AUTH_TOKEN=your-strong-random-token-here
OPENCLAW_ENABLE_ENCRYPTION=true
OPENCLAW_SANDBOX_MODE=strict

# Network (IMPORTANT)
OPENCLAW_BIND_ADDRESS=127.0.0.1  # Allow local access only
OPENCLAW_PORT=8080

# Skills
OPENCLAW_ALLOW_UNSIGNED_SKILLS=false  # Only allow signed skills

Step 3: Run with Docker

docker compose up -d

Step 4: Access the UI

Open your browser and go to: http://localhost:8080

Enter the OPENCLAW_AUTH_TOKEN when prompted.

Critical Security Notes

  • NEVER set OPENCLAW_BIND_ADDRESS=0.0.0.0 unless you absolutely know what you’re doing

  • NEVER expose port 8080 to the public internet

  • ALWAYS use a strong OPENCLAW_AUTH_TOKEN (at least 32 random characters)

  • ALWAYS enable OPENCLAW_ENABLE_ENCRYPTION=true

  • ALWAYS use OPENCLAW_SANDBOX_MODE=strict

  • ONLY INSTALL skills from trusted, reviewed sources
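A preflight check of the .env above against these notes, written here as an added example (it is not OpenClaw's own tooling); it assumes the variable names from the sample .env and that an unset bind address means the gateway listens on all interfaces. Run it before `docker compose up -d`:

```python
import re
# Values the "Critical Security Notes" require, keyed by .env variable name.
REQUIRED = {"OPENCLAW_ENABLE_ENCRYPTION": "true", "OPENCLAW_SANDBOX_MODE": "strict",
            "OPENCLAW_ALLOW_UNSIGNED_SKILLS": "false"}
MIN_TOKEN_LEN = 32                                   # "at least 32 random characters"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PLACEHOLDER_TOKEN = "your-strong-random-token-here"  # literal from the sample .env

def parse_env(text):
    """Parse KEY=value lines, skipping blank/comment lines and trailing '# ...' comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = re.sub(r"\s+#.*$", "", value).strip().strip("\"'")
    return env

def check_env(text):
    """Return one finding per setting that contradicts the notes; [] means it passes."""
    env, findings = parse_env(text), []
    # Assumed default: with no bind address set, the gateway listens on all interfaces.
    bind = env.get("OPENCLAW_BIND_ADDRESS", "0.0.0.0")
    if bind not in LOOPBACK:
        findings.append(f"OPENCLAW_BIND_ADDRESS={bind}: reachable beyond this machine")
    token = env.get("OPENCLAW_AUTH_TOKEN", "")
    if token == PLACEHOLDER_TOKEN:
        findings.append("OPENCLAW_AUTH_TOKEN: still the placeholder from the sample config")
    elif len(token) < MIN_TOKEN_LEN:
        findings.append(f"OPENCLAW_AUTH_TOKEN: {len(token)} chars, need at least {MIN_TOKEN_LEN}")
    for key, want in REQUIRED.items():
        got = env.get(key, "")
        if got.lower() != want:
            findings.append(f"{key}={got or '<unset>'}: expected {want}")
    return findings

# Constructed sample configs for demonstration (not real deployments).
SAFE_ENV = """
OPENCLAW_AUTH_TOKEN=q7Vm2kP9xLw4Rt8sZc1Hn6Bj3Yd5Fg0AeU  # 34 random chars
OPENCLAW_ENABLE_ENCRYPTION=true
OPENCLAW_SANDBOX_MODE=strict
OPENCLAW_BIND_ADDRESS=127.0.0.1  # Allow local access only
OPENCLAW_ALLOW_UNSIGNED_SKILLS=false
"""
# The shape of Tom Wilson's setup: exposed to the internet, no token, defaults left in place.
EXPOSED_ENV = """
OPENCLAW_BIND_ADDRESS=0.0.0.0
OPENCLAW_PORT=8080
OPENCLAW_ALLOW_UNSIGNED_SKILLS=true
"""
if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_ENV), ("exposed", EXPOSED_ENV)):
        print(name, check_env(cfg) or ["OK"])
```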

Case Study: Real-World OpenClaw Users

Case 1: Sarah Chen - Marketing Manager in San Francisco

Problem: Sarah manages 5 email accounts, 3 Slack workspaces, and must respond to hundreds of messages daily. She spent 3-4 hours a day just sorting and replying to emails.

Solution with OpenClaw:

  • Installed OpenClaw with the "Smart Email Triage" skill

  • AI automatically categorized emails: Urgent (5%), Important (15%), Can Wait (30%), Spam/Promo (50%)

  • Auto-replied to templated emails (meeting confirmations, simple questions)

  • Summarized long emails into 3 bullet points

Results after 2 weeks:

  • Email handling time dropped from 3-4 hours to 45 minutes per day

  • Average response time fell from 4 hours to 30 minutes

  • Missed important emails: 0% (down from 5-7%)

Cost: $0 (OpenClaw) + $20/month (Claude API - 2 million tokens)

Case 2: Marcus Rodriguez - Freelance Developer

Problem: Marcus works with 8 different clients, each with its own requirements for progress reports, invoicing, and communication. He spent one day a week on admin work.

Solution with OpenClaw:

  • Integrated with Toggl (time tracking) and QuickBooks (invoicing)

  • Every Friday, OpenClaw automatically:

    • Aggregates hours from Toggl

    • Creates invoices in QuickBooks

    • Sends progress report emails to each client

    • Updates the Notion workspace with a weekly summary

Results after 1 month:

  • Admin work dropped from 8 hours/week to 1 hour/week

  • +7 hours billable/week = +$700/week (+$2,800/month)

  • Happier clients thanks to on-time, detailed reports

Cost: $0 (OpenClaw) + $15/month (Claude API)

Case 3: Disaster Story - Tom Wilson

Warning: This is a negative case study to illustrate risk.

Tom installed OpenClaw version 0.3.2 (pre-security patch) and exposed it to the internet so he could access it from his phone while commuting. He did not set an authentication token.

What happened:

  • On February 16, 2026, Tom’s server was scanned by a botnet

  • Attackers accessed OpenClaw and read all email and chat history

  • Installed a malicious skill to steal credentials

  • Used stolen information to access his bank account

  • Transferred $12,000 to an overseas account

Lessons:

  • NEVER expose OpenClaw to the public internet

  • ALWAYS use authentication

  • ONLY install skills from trusted sources

  • Regularly review logs and unusual activity

The Future of OpenClaw: 2026 Roadmap

Q1 2026 (Now)

  • Completed: Patched CVE-2026-25253

  • Completed: Mandatory authentication

  • Completed: Data encryption

  • In progress: Skills sandbox

  • In progress: Code signing for ClawHub

Q2 2026 (April-June)

  • Mobile apps: Native iOS and Android apps (web-only today)

  • Voice-first mode: Full voice control

  • Multi-agent collaboration: Multiple agents working together

  • Enterprise features: Team management, audit logs, compliance

Q3 2026 (July-September)

  • OpenClaw Cloud: A hosted version for those who don’t want to self-host

  • Visual workflow builder: Combine conversational AI with visual workflows

  • Advanced memory: Long-term context and behavioral learning

Q4 2026 (October-December)

  • Hardware integration: Connect to smart home and IoT devices

  • Blockchain skills: Interact with crypto wallets and DeFi protocols

  • OpenClaw OS: A minimal OS dedicated to running OpenClaw

Forks Spun Off From OpenClaw

ZeroClaw - A Rust Rewrite Fork

On February 23, 2026, a group of developers announced ZeroClaw — a complete rewrite of OpenClaw in Rust:

  • Binary size: 3.4MB (vs 180MB for OpenClaw)

  • RAM usage: <5MB (vs 200-400MB for OpenClaw)

  • Startup time: 0.5 seconds (vs 8-12 seconds for OpenClaw)

  • Security: Memory-safe by default (Rust), no CVEs

ZeroClaw is attracting strong interest from the embedded and IoT communities because it can run on Raspberry Pi, routers, and other resource-constrained devices.

NanoClaw & PicoClaw - Ultra-light Variants

  • NanoClaw: Supports only WhatsApp and Telegram, 800KB binary

  • PicoClaw: CLI-only, no GUI, 400KB binary, runs on OpenWrt routers

Both are written in Go and focus on performance and a minimal footprint.

Overall Verdict: Is OpenClaw Worth Using?

Pros

  • Free and open-source: No subscription; fully customizable

  • Runs locally: Your data stays on your machine, not a third party

  • Flexible: Connects to multiple LLMs and platforms

  • Vibrant community: 180K stars, thousands of skills, active development

  • Real time-savings: Case studies show 50-80% less admin work

Cons

  • Immature security: CVE-2026-25253 shows the team lacks security experience

  • Complexity: Requires technical knowledge to install and configure properly

  • High risk if misconfigured: Small mistakes can lead to data loss or compromise

  • Unsafe skills marketplace: 341 malicious skills slipped through

  • No official support: You must rely on the community

  • API costs: OpenClaw is free, but you pay for Claude/GPT APIs

Who Should Use OpenClaw?

Best for:

  • Developers versed in Docker, networking, and security

  • Privacy-conscious users who want full data control

  • People with complex automation needs beyond Zapier/Make

  • Those willing to invest time to learn and configure

  • Users with API budgets ($15-50/month)

Not ideal for:

  • Non-technical users

  • People needing a plug-and-play solution

  • Those handling sensitive data (finance, healthcare, legal) without a security team

  • Enterprises requiring compliance (GDPR, HIPAA, SOC 2)

  • Users without time to track updates and security patches

Scorecard

| Criteria | Score (0-10) | Notes |
|---|---|---|
| Features | 9/10 | Very complete, flexible, cross-platform |
| Security | 4/10 | Improved but still concerning |
| Ease of use | 5/10 | Requires technical skills; complex setup |
| Performance | 7/10 | Good but RAM-hungry; ZeroClaw is better |
| Community | 9/10 | Very active; fast-paced development |
| Documentation | 6/10 | Improving but still lacking |
| Value | 8/10 | Free, with real time savings |
| Overall score | 6.9/10 | Good, but handle with care |

Conclusion: The AI Agent Dream vs. Harsh Reality

OpenClaw perfectly illustrates both the bright and dark sides of the open-source movement in the AI era.

The bright side: An independent developer can build a powerful tool, attract millions of users in weeks, and rally a global community. OpenClaw proves AI agents aren’t just for big companies — anyone can build and use them.

The dark side: Scaling too fast without a solid security foundation has serious consequences. 42,900 exposed servers, 341 malicious skills, and thousands of users at risk of data theft. It’s a costly lesson that "move fast and break things" isn’t always right.

Lessons for the community:

  1. Security must be the top priority: You can’t "patch later" once you have millions of users

  2. Open-source isn’t automatically safe: You need review processes, testing, and security audits

  3. Marketplaces require moderation: You can’t leave users solely responsible for what they install

  4. Education matters: Users should understand risks and how to configure safely

The future of OpenClaw: The project is still growing rapidly. The team has learned hard lessons and is prioritizing security. With an ambitious 2026 roadmap, OpenClaw could become a leading AI agent platform — if it can rebuild trust and strengthen security.

Final advice: If you want to try OpenClaw, start with version 0.5.0 or later, read the security guide carefully, and NEVER expose it to the public internet. Use it as a powerful but dangerous tool — like a sharp knife: extremely useful when used correctly, but harmful if handled carelessly.

