OpenClaw
State of Play
OpenClaw has become the world's most popular AI agent in just a few months: 280,000 GitHub stars, an all-time record. Open-source, multi-channel, LLM-agnostic — the promise is compelling. But behind the phenomenon: 9 CVEs (officially catalogued vulnerabilities), over a thousand malicious plugins, 220,000 exposed instances across 82 countries, and warnings from Kaspersky, CrowdStrike and Microsoft. Our updated analysis.
What is OpenClaw?
OpenClaw is an open-source framework for creating autonomous AI agents capable of interacting across multiple communication platforms. Created by Peter Steinberger in late 2025, it reached 280,000 GitHub stars by March 2026 — the all-time record, surpassing React in just 60 days.
Native multi-channel
Slack, WhatsApp, Discord, Teams, Telegram, SMS: one agent, everywhere at once. The agent adapts to each platform's context.
LLM-agnostic
Compatible with GPT-4, Claude, Gemini, Llama, Mistral and local models. You choose your provider, not OpenClaw.
100% open-source
MIT license, code accessible to all. Community of 2,000+ active contributors. No vendor lock-in.
But this meteoric popularity comes with serious risks that every organization must understand before deploying.
6 critical risks you need to know
As of March 2026, OpenClaw's security track record is alarming. 9 disclosed CVEs, a massive malicious skills campaign, and hundreds of thousands of exposed instances: here are the 6 major documented risks.
9 CVEs disclosed — including 1-click RCE (CVSS 8.8)
Nine vulnerabilities have been officially disclosed in total. The most critical, CVE-2026-25253 (CVSS 8.8), allows arbitrary code execution in one click via authentication token exfiltration. According to SecurityScorecard, 63% of deployments remain vulnerable and 12,812 instances are directly exploitable.
In practice: an attacker can take control of your agent and access all the data it handles — clients, conversations, internal files.
ClawHavoc: 1,184 malicious skills
The ClawHavoc campaign identified 1,184 malicious skills on the official marketplace, compromising over 9,000 installations. Bitdefender Labs estimates that 20% of marketplace skills are malicious: data exfiltration, backdoors, cryptominers.
In practice: a plugin installed from the marketplace can silently copy your customer data to a third-party server.
No sandboxing
Plugins run with the same privileges as the main process. No isolation, no granular permissions. A compromised plugin has access to everything: files, network, agent memory, conversation data.
In practice: if a single plugin is compromised, the attacker gains access to your entire system — not just the agent.
Vulnerable to prompt injections
Incoming messages are not sufficiently sanitized. A malicious user can inject instructions that hijack the agent's behavior: data exfiltration, rule bypassing, unauthorized actions on connected channels.
In practice: a malicious client message can leak your database or send unauthorized messages on your behalf.
135,000 to 220,000 instances exposed across 82 countries
SecurityScorecard's Operation STRIKE revealed between 135,000 and 220,000 OpenClaw instances exposed on the internet across 82 countries. The majority run without authentication, without TLS encryption and with default configurations.
In practice: your agent is potentially accessible to anyone on the internet, without your knowledge.
Weakened governance, nascent foundation
Peter Steinberger, creator and main maintainer, joined OpenAI on February 15, 2026. The project is migrating to an independent foundation, but the transition is ongoing. The result is a critical bus factor, an uncertain roadmap and a potential conflict of interest with OpenAI.
In practice: security patches may be delayed, leaving you exposed to known vulnerabilities longer.
A phenomenon under international scrutiny
OpenClaw is no longer just an open-source project: it's a concern for governments, cybersecurity agencies and major enterprises.
Institutional warnings
Kaspersky calls OpenClaw "unsafe for use" in enterprise. Belgium's CCB, the Dutch Data Protection Authority (DPA), CrowdStrike ("Glass Cannon"), Cisco and Microsoft have issued official warnings.
State restrictions
China has restricted OpenClaw usage in government agencies and state banks (March 8-10, 2026). It is the first country to take regulatory action against an open-source AI agent.
Fragmented ecosystem
41+ forks have emerged (NanoClaw, IronClaw, NanoBot, ZeroClaw, TrustClaw...), signaling a community seeking more secure alternatives. The ecosystem is fragmenting, complicating maintenance and support.
Rapid evolution, uncertain stability
Releases are near-daily (v2026.3.12 as of March 12), and the nascent foundation has no stabilized governance. The development pace makes it difficult to keep up with security updates in production.
Our solution: an AI agent secured by design
The central question for any AI agent in production: what level of control do you have over your data, your security and your reputation?
Custom AI agent: same power, native security
All the capabilities of OpenClaw, without the risks. An agent designed for your business, secured from the first line of code.
Multi-channel by design
- Slack, WhatsApp, Teams, Discord, email — the channels you use
- Modular architecture: add a channel without rewriting the agent
- Consistent behavior and tone across all touchpoints
Native security, not a layer
- Authentication, encryption and isolation built in from design
- No public marketplace: every component is verified
- GDPR and EU AI Act compliance by default
Controlled LLM-agnostic
- Compatible with GPT, Claude, Gemini, Mistral and local models
- Architecture designed to facilitate provider switching
- Cost optimization through intelligent request routing
Your code, your data, your control
- On-premise or private cloud deployment
- Source code delivered, auditable and maintainable
- No dependency on a third-party framework or community
The 3 pillars of a successful AI deployment
Data protection: anti-prompt injection safeguards ensure your agent cannot be hijacked to exfiltrate sensitive information
Brand control: every message your agent sends on Slack, Teams or WhatsApp represents your brand — it must be flawless
Regulatory readiness: the EU AI Act imposes obligations for control, traceability and transparency — better to prepare from day one
What you need to know about OpenClaw
What is OpenClaw and why is it so talked about?
OpenClaw is an open-source framework for creating multi-channel autonomous AI agents (Slack, WhatsApp, Teams, etc.). With 280,000+ GitHub stars as of March 2026, it's the most starred open-source project in history, surpassing React in 60 days. Its popularity comes from its versatility and LLM-agnostic approach. But this growth comes with 9 disclosed CVEs, 1,184 malicious skills (ClawHavoc campaign) and warnings from Kaspersky, CrowdStrike and Microsoft.
Is OpenClaw safe for enterprise use?
As it stands, no. With 9 disclosed CVEs (including a 1-click RCE at CVSS 8.8), 1,184 malicious skills on the marketplace, 135,000 to 220,000 exposed instances across 82 countries, and no native plugin sandboxing, OpenClaw presents major risks. Kaspersky calls it "unsafe for use" and China has restricted its usage in government agencies. A complete security audit and hardening are essential before any professional deployment.
How long does it take to build a custom AI agent?
A first functional agent on one channel (e.g., Slack) can be deployed in 4 to 6 weeks. Multi-channel extension, business integrations and fine-tuning add 4 to 8 weeks depending on complexity. We deliver iteratively: you get a usable agent quickly that we continuously enhance.
Is OpenClaw GDPR compliant?
OpenClaw does not guarantee GDPR compliance by default. Conversation data passes through the chosen LLMs, with varying retention policies. There is no native mechanism for the right to erasure, data portability, or explicit consent. For a compliant deployment in Europe, legal and technical guidance is essential — this is one of our areas of support.
How can MyoApp help me concretely?
Our recommendation: a custom AI agent with the same multi-channel capabilities as OpenClaw, but with security built in from design. No dependency on a third-party framework, no risky marketplace, GDPR compliance by default. Our team brings 25+ years of software architecture experience and deploys AI agents in production for our partners.
Ready to deploy an AI agent with confidence?
Whether you have a technical team or not, we adapt our support. Every project starts with a conversation to understand your challenges.
30 minutes to assess your needs and define the right approach. No commitment.