Technology Radar
Assess

OpenClaw is the most-starred software repository on GitHub (357,000+ stars, surpassing React in 60 days): an open-source personal AI assistant that runs locally and connects to 24+ messaging platforms. It is built on Pi's minimal agent runtime by Peter Steinberger (PSPDFKit creator) and is now backed by OpenAI, GitHub, NVIDIA, and Vercel. Assess — not because of the community size, but because of 138 tracked CVEs, a malicious skills crisis on ClawHub, and a governance transition mid-flight.

What It Is

OpenClaw is a personal AI assistant you run on your own hardware. A local Gateway (WebSocket at 127.0.0.1:18789) serves as the control plane, connecting a Pi agent runtime in RPC mode to every messaging channel you already use: WhatsApp, Telegram, Slack, Discord, and 21 more. It adds voice (wake words on macOS/iOS, continuous on Android), a live canvas interface, browser control, and companion apps for macOS/iOS/Android.

Where Claude Code and Goose are primarily coding tools, OpenClaw's primary use case is "AI that meets you where you already communicate" — code review in Slack, research in WhatsApp, automation from your phone. The ClawHub marketplace lets users install community-built skills to extend what the agent can do.

Naming History

OpenClaw has had three names. It launched in November 2025 as Clawdbot, was renamed Moltbot on January 27, 2026 following a trademark complaint from Anthropic, and became OpenClaw three days later when Steinberger decided the interim name didn't stick. Multiple GitHub forks under the Moltbot and Clawdbot names (moltbot/moltbot, pivotkernel/moltbot, etc.) trace back to the same project. Kaspersky and GitGuardian security reports may still reference it as Moltbot.

Growth and Governance

OpenClaw launched as Peter Steinberger's personal side project and reached:

  • 100,000 stars in under 8 weeks
  • 250,000 stars on March 3, 2026 — surpassing React as GitHub's most-starred software project
  • 357,000 stars, 72,300 forks, 31,161+ commits by April 2026

On February 15, 2026, OpenAI CEO Sam Altman announced Steinberger was joining OpenAI to "drive the next generation of personal agents," and that OpenClaw would move to an open-source foundation. Current sponsors: OpenAI, GitHub, NVIDIA, Vercel.

The Security Record

OpenClaw's rapid growth outpaced its security posture. By April 2026, it had accumulated 138 tracked CVEs — 7 Critical (CVSS 9.0+) and 49 High (CVSS 7.0–8.9).

CVE-2026-25253 (CVSS 8.8) — the most publicised. The Control UI accepted a gatewayUrl query parameter without origin validation and auto-connected via WebSocket, transmitting the user's auth token. One malicious link → full machine compromise. Disclosed February 3, 2026; patched in v2026.1.29. At time of disclosure, 135,000+ OpenClaw instances were found running on the public internet across 82 countries.
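The defensive check that closes the pattern described above, as an added illustration (this is not OpenClaw's code or its actual patch): a Control UI should parse the gatewayUrl parameter, require a WebSocket scheme, and accept only the loopback host and port the Gateway listens on, falling back to the default for anything else. The allowlisted hosts and the sample query strings are constructed assumptions; the endpoint ws://127.0.0.1:18789 is the one the page quotes.

```javascript
// Added example, not OpenClaw's code. Assumption: the Gateway only ever listens
// on the loopback endpoint quoted on the page, ws://127.0.0.1:18789.
const DEFAULT_GATEWAY = "ws://127.0.0.1:18789";
const ALLOWED_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]); // constructed allowlist
const ALLOWED_PORT = "18789";

// Weak pattern (the behaviour the CVE describes): the query parameter is used
// as-is, so a link that names a foreign host makes the UI open a socket there.
function resolveGatewayUrlUnsafe(search) {
  const params = new URLSearchParams(search);
  return params.get("gatewayUrl") || DEFAULT_GATEWAY;
}

// Trust decision on a candidate Gateway URL. Uses the WHATWG URL parser so that
// userinfo, case and default-port tricks are normalised before the host check.
function isTrustedGateway(raw) {
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return false; // not a URL at all
  }
  const schemeOk = parsed.protocol === "ws:" || parsed.protocol === "wss:";
  // parsed.port is "" when the scheme default applies; resolve it explicitly.
  const port = parsed.port || (parsed.protocol === "wss:" ? "443" : "80");
  return schemeOk && ALLOWED_HOSTS.has(parsed.hostname) && port === ALLOWED_PORT;
}

// Hardened pattern: an untrusted value is never connected to. It is reported in
// `rejected` so the UI can log it or warn the user, and the default is used.
function resolveGatewayUrl(search) {
  const raw = new URLSearchParams(search).get("gatewayUrl");
  if (raw === null) return { url: DEFAULT_GATEWAY, rejected: null };
  return isTrustedGateway(raw)
    ? { url: raw, rejected: null }
    : { url: DEFAULT_GATEWAY, rejected: raw };
}
```

The same `isTrustedGateway` gate should also sit in front of the step that sends the auth token, so the token is only ever presented to the loopback Gateway.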

The ClawHub malicious skills crisis (ToxicSkills report, March 2026) — ClawHub's open submission model let attackers upload 1,467 malicious skills including credential harvesters, cryptominers, and backdoors. The critical finding: 341 confirmed malicious skills were professionally documented, correctly categorised, and had clean names — indistinguishable from legitimate contributions by visual review alone. Response: mandatory code review for new submissions + VirusTotal integration for automated scanning.

Architecture

OpenClaw Gateway (ws://127.0.0.1:18789)
    ├── Pi agent runtime (RPC mode, tool-call streaming)
    ├── CLI (gateway, agent, send, onboarding, doctor)
    ├── Web UI + WebChat
    ├── Companion apps (macOS / iOS / Android)
    └── ClawHub skill registry

Tailscale integration provides optional secure remote access (tailnet-only Serve or public-HTTPS Funnel) without exposing the Gateway directly.

Why Assess (Not Trial)

The community scale and OpenAI backing are compelling evidence that this platform has real momentum. But the risk signals are too significant for a Trial recommendation:

  1. 138 CVEs in <6 months: The rate of security discovery — especially 7 Critical — suggests architectural decisions are still being hardened under fire, not post-GA.
  2. 135,000 exposed public instances at CVE disclosure: The defaults shipped code capable of internet-facing exposure. Secure-by-default behaviour is still catching up to secure-by-design.
  3. ClawHub supply chain: The 1,467 malicious skills finding mirrors npm ecosystem supply chain attacks. VirusTotal integration is a mitigation, not a fix — automated scanning catches known malware, not novel attacks.
  4. Governance mid-transition: Steinberger is now at OpenAI full-time. The foundation governance model is announced but not yet operational. Who owns the security roadmap right now?

Assess means: understand what OpenClaw is, experiment in sandboxed or personal-use contexts, watch the CVE rate through Q2 2026. Trial when the foundation governance is live, the CVE rate slows, and ClawHub's security model matures.

April 2026 Development

Anthropic restricts Claude subscription access for OpenClaw (April 3, 2026) — Anthropic cut off the ability to use Claude.ai subscription plans (Pro, Max) to power OpenClaw and other third-party agents. API access remains available; users must switch to pay-as-you-go or direct API billing. This affects hobbyist users who were running OpenClaw through a subscription, and adds a cost-access friction point that may slow adoption. It also signals Anthropic drawing a harder line between consumer subscriptions and agentic third-party use.

When NOT to Use

  • Enterprise environments — no enterprise security controls, SSO, or audit logging yet
  • Systems with access to sensitive credentials — ClawHub supply chain risk is not fully resolved
  • Internet-facing deployments without Tailscale or a firewall in front of the Gateway
  • Teams that need a coding-first agent (use Claude Code or Goose instead)

Key Characteristics

Property            Value
Interface           TUI + mobile apps + 24+ IM platforms
Provider            Peter Steinberger / OpenClaw Foundation (forming)
License             MIT
Underlying runtime  Pi
Sponsors            OpenAI, GitHub, NVIDIA, Vercel
GitHub stars        ~357,000 (April 2026)
CVEs                138 tracked (7 Critical, 49 High) — actively patched
GitHub              openclaw/openclaw
Website             openclaws.io

Sources