OpenClaw: The Rise, Chaos, and Security Nightmare of the First Real AI Agent

Tomer Yahalom, February 2, 2026

OpenClaw, the open-source AI assistant that gained 135K GitHub stars in weeks, also exposed tens of thousands of users to critical vulnerabilities. This is a textbook example of the danger posed by shadow AI agents operating outside organizational oversight. In recent days, we alerted Astrix customers that employees had deployed OpenClaw on corporate endpoints—often with critical misconfigurations. In several cases, these setups could have allowed attackers to gain remote access to employee devices and establish persistent access to sensitive corporate systems such as Salesforce, GitHub, and Slack, using exposed API keys, OAuth apps, cloud credentials, and other non-human identities granted to the agent.

Here’s everything security teams need to know…

In just two months, an open-source project called OpenClaw has become one of the fastest-growing repositories in GitHub history. It’s also become a case study in everything that can go wrong when viral adoption outpaces security.

If you haven’t heard of OpenClaw yet, you will. And if you’re responsible for security at your organization, you need to understand what it is, why your employees might already be running it, and why that should concern you.

What Makes OpenClaw Different

You’ve probably used AI assistants before. Siri, Alexa, ChatGPT—they answer questions, set timers, maybe draft an email. OpenClaw is fundamentally different. It doesn’t just respond to you. It acts for you.

Tell OpenClaw to “check me in for my flight tomorrow and clear my spam,” and it will actually do both of those things while you drink your coffee. It executes shell commands, accesses files, controls your browser, manages your calendar, and connects to over 100 services through the Model Context Protocol (MCP).

The appeal is obvious. The risk is enormous.

Unlike cloud-based assistants, OpenClaw runs locally—on a Mac Mini, a VPS, even a Raspberry Pi. Your data never leaves your machine. You interact with it through apps you already use: WhatsApp, Telegram, iMessage, Slack, Discord. No new interface to learn. Just text your AI like you’d text a friend.

For privacy-conscious developers, this is the dream. For security teams, it’s a nightmare waiting to happen.

A Timeline of Chaos

November 2025: A One-Hour Prototype

Peter Steinberger isn’t some random developer. He founded PSPDFKit, a document SDK company used by major enterprises, and sold it to Insight Partners. When he came out of retirement to build OpenClaw, people paid attention.

His thesis was simple: “Big tech has failed us. We’ve had Siri since 2011 and it still can’t do basic tasks reliably.”

The initial prototype took just one hour to build using Claude Opus 4.5. The hard part wasn’t the AI—it was the integrations.

December 2025: Clawdbot Goes Public

Steinberger open-sourced the project under the name “Clawdbot”—a play on “Claude” with a lobster claw mascot. The branding was deliberate, and it worked. The red lobster became instantly recognizable.

Early demos were compelling. Developers who understood what they were looking at went crazy for it. The “Getting Things Done” productivity community adopted it enthusiastically.

At this point, security wasn’t a major concern. It was a personal tool for technical users who knew what they were doing.

Early January 2026: Viral Explosion

Then it exploded.

9,000 GitHub stars in the first 24 hours. Andrej Karpathy—former Tesla AI Director and OpenAI founding member—praised it publicly. David Sacks tweeted about it. DHH discussed it. Apple’s M4 Mac Mini became the “recommended hardware,” and retailers saw unexplained demand spikes.

This is when OpenClaw stopped being a developer tool and became a mainstream phenomenon. And that’s when everything started to go wrong.

January 25-27: Security Researchers Sound the Alarm

SlowMist, a respected blockchain security firm, was first to raise concerns. They found an authentication bypass that exposed API keys and private chat histories.

Jamieson O’Reilly from Dvuln did Shodan scans and found over 900 exposed instances within seconds—just by searching for “Clawdbot Control” on port 18789.

The root cause was deceptively simple. The gateway auto-trusts localhost connections, and most users deployed it behind an nginx or Caddy reverse proxy on the same machine. The proxy forwards every request to the gateway from the local host, so traffic from anywhere on the internet appears to come from localhost and is auto-approved. Classic misconfiguration, catastrophic consequences.
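A minimal model of that bypass, added here as an illustration and not taken from OpenClaw's own code: the vulnerable check derives trust from the TCP peer address, while the hardened check always demands a token, which is the direction the project later took by removing auth mode "none". The `Request` class, header names and token value are constructed for the example.

```python
"""Constructed model of the localhost-trust bypass; not OpenClaw's code."""
import hmac
from dataclasses import dataclass, field

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Request:
    remote_addr: str                  # TCP peer address as the gateway sees it
    headers: dict = field(default_factory=dict)


def vulnerable_is_authorized(req: Request) -> bool:
    # Auto-approves anything arriving from loopback. Behind an nginx/Caddy
    # reverse proxy on the same host, every upstream request has a loopback
    # peer, so remote clients are approved exactly like local ones.
    return req.remote_addr in LOOPBACK


def hardened_is_authorized(req: Request, expected_token: str) -> bool:
    # Never derive trust from the peer address: require a bearer token on
    # every request and compare it in constant time.
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):].encode()
    return hmac.compare_digest(presented, expected_token.encode())


def demo() -> dict:
    token = "constructed-gateway-token"          # constructed sample value
    local = Request("127.0.0.1")
    # An internet client reaching the proxy: the proxy forwards from
    # 127.0.0.1 and records the real origin only in X-Forwarded-For.
    proxied = Request("127.0.0.1", {"X-Forwarded-For": "203.0.113.10"})
    proxied_ok = Request("127.0.0.1", {"X-Forwarded-For": "203.0.113.10",
                                       "Authorization": f"Bearer {token}"})
    return {
        "vuln_local": vulnerable_is_authorized(local),            # True
        "vuln_proxied_remote": vulnerable_is_authorized(proxied),  # True: the bypass
        "hard_proxied_remote": hardened_is_authorized(proxied, token),   # False
        "hard_with_token": hardened_is_authorized(proxied_ok, token),    # True
    }


if __name__ == "__main__":
    print(demo())
```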

What was exposed? Everything. Anthropic API keys worth hundreds of dollars in credits. Telegram bot tokens. Slack OAuth credentials. Complete conversation histories going back months.

January 27: The Trademark Problem

Anthropic contacted Steinberger about a trademark issue. “Clawd” sounded too much like “Claude,” their flagship product. Trademark law requires companies to enforce or risk losing protection.

Steinberger handled it gracefully—no public fight, just agreed to rebrand. But the forced rename would trigger a cascade of disasters.

January 27: The Rebrand That Went Wrong

“Moltbot” was actually clever branding. Lobsters molt—shed their shell—to grow. “Same lobster soul, new shell.”

Here’s where it went catastrophically wrong: Steinberger tried to rename the GitHub organization and Twitter handle simultaneously. There was a window—about 10 seconds—between releasing the old @clawdbot handle and claiming the new @moltbot one.

Crypto scammers were waiting. They had monitors running. The moment the handle dropped, they grabbed it.

January 27: The $16 Million Scam

Within minutes of hijacking the @clawdbot handle, scammers launched a fake $CLAWD token on Solana. They used the account—which still had tens of thousands of followers—to promote it as the “official” token.

The token pumped to a $16 million market cap. When Steinberger publicly disavowed it, it crashed to near zero. A lot of people lost money, and the legitimate project spent weeks dealing with harassment from angry token holders who didn’t understand what happened.

January 29: OpenClaw Emerges

Third time’s the charm. “OpenClaw” stuck—emphasizing both the open-source nature and keeping the lobster identity. No trademark issues.

More importantly, this release included breaking security changes. Auth mode “none” was completely removed. You can no longer run a gateway without authentication.

The project hit 100K+ stars. The chaos hadn’t slowed adoption at all. If anything, the drama increased visibility.

Late January: Moltbook—When AI Agents Get Their Own Social Network

Just when you thought it couldn’t get weirder, Matt Schlicht of Octane AI launched Moltbook: a Reddit-like platform where only AI agents can post. Humans can watch, but not participate. The tagline: “The front page of the agent internet.”

Here’s the wild part: the platform was largely built by the agents themselves. They ideated, recruited builders, and deployed code.

The growth mechanism was viral: humans tell their OpenClaw agent about Moltbook, and the agent signs up autonomously. Over 770,000 agents joined.

Emergent behaviors appeared that nobody programmed: economic exchanges between agents, sub-communities forming, and—this is real—a parody religion called “Crustafarianism.”

From a security perspective, this is deeply concerning. Agents taking inputs from other agents is an attack surface that no current security model addresses.

January 31: The Moltbook Vulnerability

404 Media reported a critical vulnerability: an unsecured database allowed anyone to commandeer any agent on the platform. The exploit bypassed authentication entirely. Attackers could inject commands directly into agent sessions—effectively hijacking their identity.

770,000 agents were at risk. That’s 770,000 potential backdoors into user systems, because these agents have privileged access to their owners’ machines.

The platform was taken offline. All agent API keys were force-reset. Forbes published a warning: “If you use OpenClaw, do not connect it to Moltbook.” 1Password’s security team echoed this.

January 31: The Full Picture Emerges

Comprehensive research using a custom scanner called ClawdHunter found 42,665 publicly exposed OpenClaw instances.

The numbers are staggering:

  • 93.4% had critical authentication bypass vulnerabilities
  • 90% were running outdated versions still labeled Clawdbot or Moltbot
  • 26% of third-party skills contained security vulnerabilities

Cisco’s assessment was blunt: “From a capability perspective, OpenClaw is groundbreaking. From a security perspective, it’s an absolute nightmare.”

What This Means for Enterprise Security

OpenClaw isn’t going away. The concept works—this is the first consumer-facing autonomous AI agent that actually delivers on its promise. The demand is real.

But the security model is fundamentally broken for most deployments. These agents require privileges that violate every security principle we’ve built over decades: read files, store credentials, execute commands, maintain persistent state.

The skills/plugins ecosystem is a supply chain nightmare. There’s no vetting process. Anyone can publish a skill, and over a quarter of them contain vulnerabilities.

The bottom line: OpenClaw and tools like it will show up in your organization whether you approve them or not. Employees will install them because they’re genuinely useful. The only question is whether you’ll know about it.

How Astrix Helps

This is exactly the kind of AI agent activity that Astrix was built to detect. Our platform provides:

Complete Visibility — Know exactly which AI agents are running across your organization’s endpoints. No blind spots. No surprises.

Activity Monitoring — See what these agents are actually doing. Which services are they connecting to? What credentials are they using? What actions are they taking on behalf of your employees?

Risk Detection — Identify exposed or misconfigured agents before attackers do. Detect unauthorized agent deployments. Flag risky behaviors in real-time.

MCP Server Detection — Track MCP connections, characteristic process names, and network fingerprints on port 18789.
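One endpoint-side check a team can run itself, added here as an example and not Astrix's detector: parse `ss -ltnp` style output and flag any listener on gateway port 18789, rating a socket bound to a non-loopback address as exposed. The sample output and the process names in it are constructed.

```python
"""Constructed endpoint check for listeners on the OpenClaw gateway port."""
import re
from ipaddress import ip_address

GATEWAY_PORT = 18789

# Constructed sample of `ss -ltnp` output; process names are hypothetical.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*         users:(("node",pid=4242,fd=21))
LISTEN 0      128    0.0.0.0:18789       0.0.0.0:*         users:(("node",pid=5151,fd=21))
LISTEN 0      511    [::]:443            [::]:*            users:(("nginx",pid=77,fd=6))
"""

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+(.*)$")


def parse_listeners(text: str) -> list:
    """Return (local_addr, port, process_field) for every LISTEN line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group(1).strip("[]"), int(m.group(2)), m.group(3)))
    return out


def is_loopback(addr: str) -> bool:
    if addr == "*":
        return False
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def check_listeners(text: str) -> list:
    """One (severity, message, process) finding per gateway-port socket."""
    findings = []
    for addr, port, proc in parse_listeners(text):
        if port != GATEWAY_PORT:
            continue
        if is_loopback(addr):
            findings.append(("medium", f"{addr}:{port} local-only; verify gateway auth is enabled", proc))
        else:
            findings.append(("high", f"{addr}:{port} reachable from the network; exposed gateway", proc))
    findings.sort(key=lambda f: f[0] != "high")   # high severity first
    return findings


if __name__ == "__main__":
    for sev, msg, proc in check_listeners(SAMPLE_SS):
        print(sev.upper(), msg, proc)
```

On a real host, pipe the output of `ss -ltnp` into `check_listeners`; a high finding means the gateway is bound to an interface other than loopback.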

OpenClaw/Moltbot exploit alert as flagged in the Astrix platform.

The OpenClaw saga shows us the future: AI agents that actually work, viral adoption that outpaces security, and attack surfaces that traditional security tools can’t see.

The question isn’t whether agentic AI is coming to the enterprise. It’s already here—on employee laptops, running on home networks, connected to corporate credentials. Our job is to make sure organizations can see it, understand it, and secure it before the attackers do.

Want to learn more about securing AI agents in your organization? Book a demo to see how Astrix can help.
