OpenClaw is the most exciting and most dangerous piece of software you’ve never heard of. Google is racing to build its answer. Here’s everything you need to know.
By Kimberly Hogate, Editor, Faceted Media Magazine | May 2026
It started with a single developer, a side project, and a GitHub repository that nobody was watching. By the time the world caught up, OpenClaw had accumulated over 100,000 stars on GitHub in a matter of weeks, become the subject of a TED Talk, landed its creator a job at OpenAI, and triggered one of the most significant AI security crises of the year. Oh — and Google quietly started building a competitor.
Welcome to the age of the AI agent. It moved faster than anyone expected.
It All Started Out Fine…
What Is OpenClaw?
OpenClaw is a free, open-source AI agent that runs locally on your computer and connects large language models — think the same technology powering ChatGPT — to your actual software environment. Not a chatbot. Not a Q&A tool. A worker.

Where conventional AI assistants stop at answering questions or generating text, OpenClaw takes action. You type a command, and it goes. It can read and write files, run shell commands, browse the web, send emails, manage your calendar, control APIs, and automate complex workflows across dozens of connected applications — all without you lifting a finger beyond the initial instruction.
The vision is best illustrated by example. Ask OpenClaw to “clean my inbox, summarize anything important, and schedule the relevant meetings,” and it won’t explain how to do that. It will do it. Step by step. Autonomously. From start to finish.
That’s a meaningful leap from where AI has been living.
The Origin Story: From Clawdbot to a Cultural Moment
The man behind OpenClaw is Peter Steinberger, a developer who began the project quietly in late 2025 under the name Clawdbot. Trademark concerns prompted a rebrand to Moltbot, then finally to OpenClaw in January 2026.
What happened next was the kind of organic explosion that the tech world rarely sees. In a single day in the last week of January 2026, the repository gained 25,000 GitHub stars — making it one of the fastest-growing open-source projects in the platform’s history. By February, it had surpassed 100,000 stars. It spread like wildfire through developer communities on Reddit, LinkedIn, and X, with users posting increasingly jaw-dropping demonstrations of what the tool could do.
By April 2026, Steinberger was on the stage at TED2026, delivering a talk titled “How I Created OpenClaw, the Breakthrough AI Agent.” Shortly after the project’s viral peak, Sam Altman’s OpenAI came calling — Steinberger was hired to focus on next-generation agent development. OpenClaw, meanwhile, lives on as an open-source project maintained by a growing community.
The tool hit 355,000 GitHub stars within five months of its viral moment, cementing its place as one of the most-starred code repositories ever posted on the platform.
How It Actually Works
OpenClaw functions as a bridge between an LLM and your machine. The workflow is elegant in its simplicity:
- You type a natural-language command into a chat interface.
- The underlying model interprets the instruction and determines which actions are needed.
- OpenClaw executes those actions through its “skills” system — modular extensions that give the agent access to browsers, messaging platforms, file systems, productivity tools, and automation frameworks.
- Results are fed back to the agent, which continues iterating until the task is complete.
The skills system is key to OpenClaw’s power. Out of the box, installations can come equipped with over 100 prebuilt skills. Developers can also write and publish their own to ClawHub, the tool’s community marketplace — a feature that proved both its greatest strength and its most dangerous vulnerability.
OpenClaw integrates natively with WhatsApp, Telegram, Slack, Discord, and a long and growing list of other platforms. It stores memory across sessions, meaning it learns user preferences over time. And because it runs locally, advocates argue it keeps your data off third-party servers — a meaningful privacy pitch in a world increasingly skeptical of cloud dependency.
The Security Crisis Nobody Saw Coming
Here is where the story gets considerably darker.
The same qualities that made OpenClaw revolutionary — broad system access, minimal friction, a wide-open plugin marketplace — also made it a catastrophic security risk the moment enough people started running it.
CVE-2026-25253: The Critical Flaw
The most serious vulnerability, rated CVSS 8.8 (classified as “High”), was a token exfiltration flaw that could hand an attacker full administrative control of a user’s OpenClaw instance. The exploit was elegant and terrifying: OpenClaw incorrectly trusted any connection originating from localhost, without accounting for the fact that a web page open in the user’s browser can make that browser connect to localhost too, so the connection arrives from that same address.
If a user visited an attacker-controlled webpage, JavaScript on that page could silently open a WebSocket connection to the OpenClaw gateway, steal the authentication token, and take over completely. From there, the attacker could disable user confirmation prompts, break out of the Docker sandbox, and run arbitrary commands directly on the host machine. The attack worked even on instances bound to localhost — meaning users who thought they were safely isolated were not.
A patch landed within 24 hours of disclosure. A related follow-on vulnerability, CVE-2026-25253 (ClawJacked), identified by Oasis Security, was patched with equal urgency. Then came two more command injection flaws. Then a broader audit that identified 512 vulnerabilities in total — eight of them critical.
The list of default security failures was alarming:
- Authentication was disabled by default on a standard install.
- The server accepted WebSocket connections without verifying their origin.
- There was no rate limiting on login attempts, leaving the gateway open to brute-force attacks.
A typical user who downloaded OpenClaw, followed basic setup instructions, and didn’t go hunting for hardening guides ended up with all of that by default.
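The three default failures listed above map onto three checks a local gateway can make before accepting a WebSocket upgrade. The sketch below is an added example, not OpenClaw's code: the class name, the token, the allowed origin and the rate-limit numbers are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # assumed policy: failed token attempts allowed per window
WINDOW_SECONDS = 60.0   # assumed policy


class HandshakeGate:
    """Decides whether a WebSocket upgrade to a local agent gateway may proceed."""

    def __init__(self, token, allowed_origins):
        if not token:
            # Fail closed: there is no "authentication disabled" mode.
            raise ValueError("refusing to start without an auth token")
        self._token = token.encode()
        self._origins = frozenset(allowed_origins)
        self._failures = defaultdict(deque)  # remote address -> failure times

    def check(self, remote_addr, origin, token, now=None):
        """Return (http_status, reason); 101 means the upgrade is allowed."""
        now = time.monotonic() if now is None else now
        # 1. Origin: browsers attach it to every WebSocket handshake and page
        #    script cannot change it. A loopback remote_addr grants nothing.
        #    Non-browser clients send no Origin and still need the token.
        if origin is not None and origin not in self._origins:
            return 403, "origin not allowed"
        # 2. Rate limit: forget failures outside the window, then count.
        recent = self._failures[remote_addr]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            return 429, "too many failed attempts"
        # 3. Token: required on every connection, compared in constant time.
        if not hmac.compare_digest((token or "").encode(), self._token):
            recent.append(now)
            return 401, "bad or missing token"
        return 101, "ok"


# Constructed values: the token and the UI origin are made up for this example.
GATE = HandshakeGate("constructed-token-123", {"http://127.0.0.1:8080"})
```

The origin check runs before the rate limiter so that a hostile page hammering the gateway from the user's browser is rejected without locking the legitimate local user out.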
ClawHavoc: The Supply Chain Attack
While the core vulnerabilities were being patched, a coordinated supply chain attack was quietly running in the background. Researchers dubbed it ClawHavoc.
Security firm Koi Security audited all 2,857 skills on ClawHub and found 341 malicious entries — 335 of them tied to a single coordinated operation. These malicious skills were disguised as legitimate tools. Fake installation instructions prompted users to paste terminal commands or download files from attacker-controlled servers.
The payloads were nasty. On macOS, tools linked to the Atomic macOS Stealer harvested browser credentials, keychain data, SSH keys, and cryptocurrency wallets. Windows users were hit with reverse shells and staged malware downloads.
By March 1, 2026, confirmed malicious skills on ClawHub had grown to over 1,184 entries across more than 10,700 total packages. Skills, by design, run with the full permissions of the agent — which typically includes terminal access, full disk read/write, and OAuth tokens for every connected service a user has linked. That makes a compromised skills marketplace extraordinarily dangerous.
The Scale of Exposure
SecurityScorecard identified more than 135,000 publicly exposed OpenClaw instances across 82 countries. Over 50,000 of those were exploitable via remote code execution. More than 53,000 were correlated with prior breach activity.
The enterprise dimension added another layer of concern. Bitdefender’s telemetry found employees deploying OpenClaw directly onto corporate machines — using single-line install commands, granting the tool terminal and disk access, without IT’s knowledge. A separate survey by Token Security found 22% of enterprise customers had employees actively using the tool, likely without authorization.
An AI agent sitting on a developer’s machine with OAuth tokens for half a dozen work services and full terminal access is not a personal productivity tool. It is a very attractive front door.
What You Should Do Right Now
If OpenClaw is running anywhere in your environment — personal or professional — here is the immediate checklist:
- Update to version 2026.2.26 or later. Anything earlier is vulnerable to at least one critical CVE.
- Audit your ClawHub skills. Any skill installed before mid-February 2026 should be treated as untrusted until individually verified.
- Check your endpoint inventory for OpenClaw and its former names: Moltbot and Clawdbot.
- Enable authentication. A standard install leaves it off. Turn it on.
- If it’s on a corporate machine without authorization, remove it and review what it may have accessed.
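The checklist above can be run as a triage pass over an endpoint inventory. This is an added example, not tooling from OpenClaw or any vendor named here: the record fields, hosts and skill names are constructed, and the 15 February cutoff is one assumed reading of "mid-February 2026".

```python
from datetime import date

FIXED_VERSION = (2026, 2, 26)            # minimum version named in the checklist
AGENT_NAMES = {"openclaw", "moltbot", "clawdbot"}
SKILL_CUTOFF = date(2026, 2, 15)         # assumption: "mid-February 2026" taken as the 15th


def parse_version(text):
    """'2026.2.9' -> (2026, 2, 9), so parts compare as numbers, not strings."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(record):
    """Return checklist findings for one inventory record; [] if not the agent."""
    if record["package"].lower() not in AGENT_NAMES:
        return []
    findings = []
    if not record["authorized"]:
        findings.append("unauthorized: remove and review access")
    try:
        outdated = parse_version(record["version"]) < FIXED_VERSION
    except ValueError:
        outdated = True                  # unreadable version: treat as unpatched
    if outdated:
        findings.append("update to 2026.2.26 or later")
    if not record["auth_enabled"]:
        findings.append("enable authentication")
    for skill, installed in sorted(record["skills"].items()):
        if date.fromisoformat(installed) < SKILL_CUTOFF:
            findings.append(f"verify skill: {skill}")
    return findings


# Constructed inventory; field names, hosts and skill names are hypothetical.
INVENTORY = [
    {"host": "dev-01", "package": "Moltbot", "version": "2026.1.30",
     "authorized": False, "auth_enabled": False,
     "skills": {"inbox-helper": "2026-01-28"}},
    {"host": "dev-02", "package": "openclaw", "version": "2026.2.9",
     "authorized": True, "auth_enabled": True,
     "skills": {"calendar-sync": "2026-03-02"}},
    {"host": "dev-03", "package": "openclaw", "version": "2026.2.26",
     "authorized": True, "auth_enabled": True, "skills": {}},
    {"host": "dev-04", "package": "nginx", "version": "1.27.0",
     "authorized": True, "auth_enabled": True, "skills": {}},
]

REPORT = {r["host"]: triage(r) for r in INVENTORY}
```

Host dev-02 is the case to watch: compared as plain strings, "2026.2.9" sorts after "2026.2.26" and would pass as patched.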
Enter Remy: Google’s Answer to the Agent Race
The chaos around OpenClaw has done nothing to slow the broader momentum of the category. If anything, it has accelerated it — because the underlying promise is real, and no major AI company intends to let an open-source project define the future of personal agents alone.
Google is building its own answer.
Business Insider has obtained internal documents revealing that Google is developing an AI agent, codenamed “Remy,” currently being tested by employees inside a staff-only version of the Gemini app. The internal description of the project is unambiguous about its ambition:
“Remy is your 24/7 personal agent for work, school, and daily life, powered by Gemini. It elevates the Gemini app into a true assistant that can take actions on your behalf — not just answer questions or generate content.”
The parallels to OpenClaw are direct and intentional. Like OpenClaw, Remy is designed to go beyond conversational AI and execute real tasks. The internal documentation describes a system that can “monitor for things that matter to you, handle complex tasks proactively, and learn your preferences over time” — deeply integrated across Google’s product ecosystem.
The name Remy, for the curious, traces to the Latin Remigius, meaning “oarsman” — fitting for an agent designed to do heavy lifting. It’s also the name of the industrious chef’s assistant rat in Pixar’s Ratatouille. Knowing Google, both references may be intentional.
Remy is currently in a “dogfooding” stage — the industry term for internal employee testing before a public release. No public launch timeline has been confirmed. Google declined to comment. But with Google I/O scheduled for later this month and Demis Hassabis of Google DeepMind having long evangelized the vision of a true digital assistant, Remy is widely expected to feature prominently in what the company announces.
The Bigger Picture
OpenClaw is imperfect, occasionally dangerous, and built on a security foundation that needed serious work. It is also a genuine inflection point.
For the first time, AI agents capable of operating across an entire digital environment — not just answering questions inside a chat window — are in the hands of ordinary users. The mistakes made with OpenClaw’s defaults, with ClawHub’s marketplace, with shadow deployment in enterprise environments — these are early chapters of a story that will repeat itself with every new agent that goes viral.
Google’s Remy represents the institutional response: a polished, deeply integrated, commercially backed version of the same vision, with the security, privacy, and trust infrastructure that a solo developer’s side project couldn’t be expected to provide. Whether that institutional response ends up more controlled — or just more powerful — remains to be seen.
What’s clear is that the age of AI agents has arrived, messier and faster than the industry planned for. OpenClaw didn’t just go viral. It cracked a door open. Now every major technology company in the world is pushing through it.
Reporting drawn from Business Insider, AdminByRequest, KDNuggets, TED 2026, SecurityScorecard, Bitdefender, Koi Security, Oasis Security, and Token Security.
