The Space Lobster Problem
Two weeks ago, an open-source AI agent called OpenClaw crossed 100,000 GitHub stars. As of this morning, it is hovering around 200,000. For context, the Linux kernel took over 30 years to reach 195,000 stars. Kubernetes, one of the most important open-source projects of the last decade, has 120,000 after nearly ten years. OpenClaw did all of this in about two weeks.
The project was created by Peter Steinberger, an Austrian developer who spent 13 years building PSPDFKit, a PDF toolkit that ended up inside apps used by close to a billion people. He started OpenClaw (originally called "ClawdBot," then "Moltbot," then its current name after two forced rebrands in five days) as a side project in November 2025. The idea was simple: instead of an AI that tells you how to do things, build one that actually does them. Book flights. Clear your inbox. Manage your calendar. Control your smart home. All through the messaging apps you already use.
It works. And it is terrifying.
What OpenClaw Actually Is
OpenClaw is not a chatbot. It is what researchers are calling a "sovereign agent," a locally hosted AI assistant that runs on your hardware, connects to your messaging platforms (WhatsApp, Telegram, Slack, Discord, iMessage, and about 15 others), and takes autonomous action on your behalf. It has persistent memory across sessions, meaning it remembers context between conversations. It can execute terminal commands, browse the web, read and write files, send emails, and interact with essentially any service you give it credentials for.
The core architecture is a long-lived Gateway process that stays connected to your messaging channels and exposes a WebSocket API to local clients. When you send it a message, it routes it through an LLM (Claude, GPT, DeepSeek, or a local model through Ollama), which decides what tools to invoke. Those tools are where the power lives: shell execution, browser automation, file system access, calendar management, OAuth integrations with dozens of services.
The "skills" system lets the community extend functionality. Skills are downloadable code packages distributed through ClawHub, OpenClaw's public marketplace. There are skills for everything from summarizing your email to monitoring stock prices to automating your CI/CD pipeline. As of today, there are over 3,000 published skills.
The pitch is compelling: your assistant, your machine, your rules. No data leaves your device. No cloud provider sees your conversations. You own the infrastructure. In an era where every major AI company is harvesting user data to train the next model, that resonates with a lot of people.
The Growth Is Unprecedented
I want to put the adoption numbers in context, because they are genuinely unlike anything I have seen in open source.
OpenClaw reached 200K stars in roughly two weeks. React, Linux, Vue, and TensorFlow each took a decade or more. Source: GitHub, star-history.com
To be explicit about what this means: as of this writing, OpenClaw has already surpassed the Linux kernel (~195,000 stars accumulated over 30+ years), Kubernetes (~120,000 stars over nearly a decade), and Node.js (~110,000 stars over 15 years). It is closing in on React (~243,000 stars built up over more than a decade) and at current velocity will pass it within weeks. The only repositories above it on GitHub's all-time leaderboard are aggregator projects like freeCodeCamp and developer roadmaps, which are curated lists, not software. As an actual software project, OpenClaw is on track to become the most-starred repository on GitHub. One developer. Two and a half months. That is not normal.
| Project | Stars (approx.) | Time to Current Count | Category |
|---|---|---|---|
| OpenClaw | ~200,000 | ~14 days | AI agent framework |
| React | ~243,000 | ~10 years | JavaScript UI library |
| Vue.js | ~210,000 | ~9 years | JavaScript UI framework |
| Linux Kernel | ~195,000 | 30+ years | Operating system kernel |
| TensorFlow | ~190,000 | ~10 years | Machine learning framework |
| Kubernetes | ~120,000 | ~10 years | Container orchestration |
| Node.js | ~110,000 | ~15 years | JavaScript runtime |
| Django | ~82,000 | ~18 years | Python web framework |
Source: GitHub, star-history.com
Kubernetes, which was considered one of the fastest-growing open-source projects in history, averaged about 91 stars per day over its first three years to reach 100,000. OpenClaw averaged over 1,600 stars per day over the same period. On January 26 alone, it gained 25,310 stars in a single 24-hour window, shattering every previous single-day record on the platform. The growth is so extreme that it caused a reported Mac mini shortage in parts of the United States, as developers rushed to buy always-on hardware to run their agents.
Here is the timeline of how it happened:
| Date | Event | GitHub Stars |
|---|---|---|
| Nov 2025 | Steinberger releases "ClawdBot" as side project | <1,000 |
| Jan 24, 2026 | Crosses 1,000 stars; begins viral trajectory | ~1,000 |
| Jan 26 | 25,310 stars in a single day (GitHub record) | ~30,000 |
| Jan 27 | Anthropic sends cease-and-desist; renamed to "Moltbot" | ~50,000 |
| Jan 29 | CVE-2026-25253 patched (CVSS 8.8, RCE) | ~80,000 |
| Jan 30 | Renamed to "OpenClaw"; crosses 100K | ~106,000 |
| ~Feb 2 | Mac mini shortage reported (users buying always-on servers) | ~130,000 |
| ~Feb 5 | 341 malicious skills discovered on ClawHub | ~157,000 |
| ~Feb 10 | SecurityScorecard reports 135,000+ exposed instances | ~190,000 |
Source: GitHub Trending, CNBC, SecurityScorecard, Growth Foundry, Oasis Security, star-history.com
That last row is the one that should concern everyone. The same week OpenClaw crossed 190,000 stars, SecurityScorecard's STRIKE team ran internet-wide scans and found over 135,000 OpenClaw instances sitting exposed on the public internet across 82 countries. More than 50,000 of those were vulnerable to remote code execution. These are not hobbyist setups on someone's Raspberry Pi. The majority run on cloud infrastructure from DigitalOcean, Alibaba Cloud, and Tencent, which means many are organizational deployments.
The Security Picture Is Bad
I have spent the last week reading every security report I can find on OpenClaw, and the picture is grim. This is not a case where a few researchers found an obscure edge case. Multiple independent firms, CrowdStrike, Oasis Security, Trend Micro, Bitsight, Kaspersky, and others, have all converged on the same conclusion: OpenClaw in its current form is a serious security liability.
The fundamental problem is architectural. OpenClaw grants itself full disk access, terminal permissions, browser control, and OAuth tokens for every service you integrate. That is by design, because that is what makes it useful. But it binds its control interface to 0.0.0.0:18789 by default, meaning it listens on every network interface, including any that are reachable from the public internet. For a tool with administrator-level power over your system, the correct default would be 127.0.0.1 (localhost only). It is not.
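A defender can check a Linux host for this default by reading the kernel's listening-socket table. The following is an added example, not OpenClaw's code or part of the original article; the sample rows are constructed, and only port 18789 and the 0.0.0.0 / 127.0.0.1 bind addresses come from the text above.

```python
import ipaddress

GATEWAY_PORT = 18789   # default control-interface port named in the article
TCP_LISTEN = "0A"      # socket state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (trailing columns trimmed).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st
   0: 00000000:4965 00000000:0000 0A
   1: 0100007F:0016 00000000:0000 0A
   2: 0100007F:4965 00000000:0000 0A
   3: 1401A8C0:4965 00000000:0000 0A
   4: 0100007F:4965 0100007F:D2F0 01
"""
# Constructed /proc/net/tcp6 sample: [::]:18789 and [::1]:18789.
SAMPLE_PROC_NET_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:4965 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000001000000:4965 00000000000000000000000000000000:0000 0A
"""

def decode_addr(hex_addr):
    """Kernel prints each 32-bit word in host order; assumes little-endian."""
    raw = bytes.fromhex(hex_addr)
    fixed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    return ipaddress.ip_address(fixed)

def classify(addr):
    if addr.is_unspecified:          # 0.0.0.0 or :: -> every interface
        return "EXPOSED: all interfaces"
    if addr.is_loopback:             # 127.0.0.0/8 or ::1 -> local only
        return "ok: loopback only"
    return "REVIEW: bound to one network interface"

def audit(proc_text, port=GATEWAY_PORT):
    """Return (address, verdict) for every LISTEN socket on `port`."""
    findings = []
    for line in proc_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue                             # e.g. established sessions
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        findings.append((str(addr), classify(addr)))
    return findings

if __name__ == "__main__":
    for sample in (SAMPLE_PROC_NET_TCP, SAMPLE_PROC_NET_TCP6):
        for address, verdict in audit(sample):
            print(f"{address}:{GATEWAY_PORT} -> {verdict}")
```

On a real host, pass the contents of `/proc/net/tcp` and `/proc/net/tcp6` to `audit()`; a wildcard listener still needs a firewall or security-group review to determine whether it is actually reachable from outside.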
Trend Micro's analysis described what they call the "Lethal Trifecta plus one." Traditional AI security researchers have warned about three intersecting risks: access (the ability to read, write, and execute), untrusted input (ingesting data from the open web, emails, and messages), and exfiltration (the ability to send data out). OpenClaw adds a fourth: persistence. Because it runs 24/7 with durable memory written to a local JSON file, an attacker can inject a malicious prompt today, hidden in a benign-looking email or a comment on a webpage, and the agent might not trigger it until weeks later.
Traditional AI security risk is Access + Untrusted Input + Exfiltration. OpenClaw adds a fourth dimension: persistent memory that enables time-shifted attacks. Source: Trend Micro
Here is a non-exhaustive list of what has been found so far:
| Issue | Discoverer | Severity | Details |
|---|---|---|---|
| Full agent takeover via WebSocket | Oasis Security | High | Any website could silently hijack a local OpenClaw instance. No plugins or user interaction required. Patched in v2026.2.25. |
| 341+ malicious skills on ClawHub | Multiple researchers | Critical | 11.3% of the marketplace was malware. Fake crypto and productivity tools deploying info-stealers and backdoors. |
| Moltbook data breach | Trend Micro | Critical | The social layer for AI agents exposed 1.5 million API tokens and thousands of private DM conversations. |
| 135,000+ exposed instances | SecurityScorecard | High | Internet-wide scans found instances across 82 countries, many in healthcare, finance, and government. |
| 512 vulnerabilities (8 critical) | Kaspersky | Various | Audit during the ClawdBot-to-Moltbot transition. |
| Commodity infostealer targeting | Hudson Rock / TechRadar | High | RedLine, Lumma, and Vidar malware families now specifically target OpenClaw config files and plaintext credentials. |
| Prompt injection via email/web | CrowdStrike, Giskard | High | Hidden instructions in ingested content can hijack the agent's tools and exfiltrate data. |
Source: Oasis Security, CrowdStrike, Trend Micro, SecurityScorecard, Kaspersky, Bitsight, Hudson Rock, Giskard
CrowdStrike published a full detection and response playbook. Bitsight found instances appearing in sensitive industries including healthcare, finance, government, and insurance. The project's own maintainers have acknowledged the risks, with one writing in the official Discord server: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."
That quote is revealing. It captures the core tension of OpenClaw perfectly: it is powerful enough to be transformative and dangerous enough to be catastrophic, and the line between the two is a configuration file.
The Pros and Cons
I want to be fair here, because OpenClaw is not just a security disaster. It represents something genuinely new, and the reasons people are excited about it are real.
| Pros | Cons |
|---|---|
| Local-first privacy. Your data stays on your hardware. No cloud provider trains on your conversations. In a post-GDPR, post-Cambridge-Analytica world, that matters. | Root-level access by default. Most users run it with far more permissions than necessary. A single misconfiguration or successful prompt injection gives an attacker full control of the host machine. |
| Model agnostic. Works with Claude, GPT, DeepSeek, Gemini, or local models via Ollama. You are not locked into any one provider. Swap the brain without changing the body. | ClawHub is unvetted. Skills are community-submitted code that runs with system-level permissions. Over 11% of the marketplace was confirmed malware within the first two weeks. |
| Actually does things. This is the big one. Unlike ChatGPT or Claude, OpenClaw performs real actions: booking flights, managing email, committing code, automating workflows across 20+ platforms. | Prompt injection has no fix. The agent cannot reliably distinguish legitimate commands from malicious instructions embedded in emails, web pages, or documents. This is an unsolved problem in AI safety research. |
| Open source and extensible. MIT license. Full community governance. 1,000+ contributors. The ecosystem is growing faster than any single company could build. | Persistent memory enables time-shifted attacks. Unlike a stateless chatbot, OpenClaw remembers everything. Injected payloads can lie dormant and trigger later, making detection extremely difficult. |
| Fills a real gap. The big AI labs have been promising "agents" for over a year. None of them shipped anything close to what one developer built in a weekend. That says something about where the real demand is. | Shadow IT risk. Developers install it without IT knowledge. Many organizations already have instances running on corporate machines with broad access to internal systems and no centralized governance. |
What Big AI Companies Are Going to Do About This
Here is where I want to make a prediction.
The major AI companies are going to try to acquire or absorb projects like OpenClaw. It is not a question of "if." It is a question of who moves first and how much they pay.
The pattern is already established. In late December 2025, Meta acquired Manus AI, a general-purpose AI agent platform, for over $2 billion. Manus does many of the same things OpenClaw does: execute multi-step tasks, automate workflows, operate autonomously. It reached $100 million in annual recurring revenue within eight months of launch. Meta also invested $14.3 billion in Scale AI and acquired Limitless AI, a wearable context-capture device. In the same month, NVIDIA acquired Groq, the inference chip company, for approximately $20 billion.
The pattern is clear: hyperscalers are acquiring AI agent and infrastructure companies at unprecedented speed. Source: CNBC, VentureBeat, TechCrunch, Wall Street Journal
The logic is straightforward. Every major AI company, OpenAI, Google, Meta, Microsoft, Anthropic, is racing to build "agents," software that does not just generate text but takes real actions on behalf of users. OpenAI launched its Agents API and Agents SDK. It launched Atlas, an agentic browser. None of them achieved the adoption that OpenClaw did in two weeks. The community built what billions of dollars in R&D could not, and they did it with one developer and an MIT license.
If you are Sam Altman, or Satya Nadella, or Mark Zuckerberg, you are looking at OpenClaw's 200,000 GitHub stars, its 1,000+ contributors, its integration with 20+ messaging platforms, and its rapidly growing skill ecosystem, and you are thinking: I need to either acquire this or build something that beats it. And building something that beats a project with this much community momentum is extremely difficult. Acquiring or hiring the creator is faster.
Steinberger has not said much publicly about his plans. He has described OpenClaw as a "playground project." He turned down the idea of turning it into a company, telling TechCrunch that building a large company "is not really exciting for me." That kind of statement, from a founder who has already built and sold one company, is exactly the kind of thing you say right before you join someone else's company to work on something bigger.
My bet is that one of the big three (OpenAI, Meta, or Microsoft) makes a move on Steinberger or the OpenClaw project within the next month. The acqui-hire playbook is well-established at this point: bring the creator in-house, move the project to a foundation, sponsor the open-source community, and integrate the technology into your own product stack. Google did it with DeepMind. Meta did it with Manus. The pattern is too obvious to ignore.
The Anthropic Irony
There is a detail in this story that I think is worth lingering on. OpenClaw was originally built on Claude. The original name, "ClawdBot," was a direct reference to Anthropic's model. Most OpenClaw users were, and still are, running their agents on Claude because it tends to perform best for tool-use tasks.
Anthropic's response was to send Steinberger a cease-and-desist letter, give him a matter of days to rename, refuse to let the old domains redirect, and sever all association. The reasoning was understandable: early deployments were rife with security issues, and Anthropic did not want its brand associated with an agent that was deleting people's emails and running with root access on unsecured machines.
But the effect was to push the most viral agent project in recent memory directly into the arms of a competitor. Steinberger renamed to OpenClaw, checked with Sam Altman to make sure the name would not conflict with OpenAI's branding, and the project kept growing. Anthropic was receiving paying API traffic from hundreds of thousands of OpenClaw instances. Now, if a big competitor absorbs the project, Anthropic may have lost both the community goodwill and the API revenue. David Heinemeier Hansson, the creator of Ruby on Rails, called the cease-and-desist approach "customer hostile." I think that is probably right.
What This Means
OpenClaw matters for three reasons, and none of them are really about one open-source project.
First, it proves that the demand for agentic AI, software that acts rather than just responds, is massive and largely unmet by the major AI companies. The chatbot era is ending. People do not just want an AI that can write them a poem. They want one that can clear their inbox, book their flight, and manage their calendar while they sleep. OpenClaw filled that gap before anyone else, and the market's response was the fastest organic adoption of any open-source project in history.
Second, it exposes a fundamental tension in AI safety that nobody has solved. The same capabilities that make OpenClaw useful (system access, persistent memory, autonomous action) are exactly the capabilities that make it dangerous. You cannot have an agent that books your flights and controls your terminal without also having an agent that can be hijacked via a well-crafted email. This is not a bug. It is the product. Until the AI safety community solves prompt injection and establishes reliable agent sandboxing, every agentic AI system will carry this risk.
Third, and this is the prediction I feel most confident about: this is going to accelerate the consolidation of the AI industry. The big companies need agent infrastructure. The open-source community is building it faster than they can. The acquisition path is the rational move. Meta already did it with Manus. Someone is going to do it with OpenClaw. The question is who, when, and whether the open-source community survives the transition.
I have no idea whether OpenClaw will be remembered as the project that kicked off the agentic era or as the project that showed us why giving root access to probabilistic models was a catastrophically bad idea. It is probably both. The Space Lobster has molted, and what comes next is going to be more consequential than the shell it left behind.