On January 30, 2026, an open-source repository called OpenClaw hit 100,000 GitHub stars. It had existed for two days under that name. To put that growth rate in context: React took eight years to reach the same milestone. Linux took twelve. Kubernetes took ten. OpenClaw did it in 48 hours, peaking at 710 new stars per hour.
Three months earlier, it was a personal side project by an Austrian developer named Peter Steinberger. Three weeks later, Steinberger would be joining OpenAI. In between, the project would survive two forced name changes, a supply chain malware attack, multiple critical security vulnerabilities, and a social network built entirely by AI agents. This is the story of how it happened.
The Side Project
Steinberger isn't a first-time founder chasing a trend. He built PSPDFKit, a PDF SDK company, starting in 2011 as a solo developer. It grew into a serious business and secured a 100 million euro strategic investment from Insight Partners in 2021. After stepping back from that company, he started tinkering with AI agents. OpenClaw was his 44th AI-related project since 2009.
The original version, launched in November 2025 under the name Clawdbot, was a single-process Node.js agent that could connect to WhatsApp, Telegram, Discord, Signal, Slack, and about a dozen other messaging platforms simultaneously. The idea was simple: give an AI model access to your operating system, your files, your browser, and your chat apps. Let it run on a proactive loop, what Steinberger called the "heartbeat," where it periodically wakes up, checks its environment, and acts without waiting for a prompt.
It wasn't the first tool-using agent framework. AutoGPT had 181,000 stars by then. But Clawdbot did something AutoGPT never managed: it was actually easy to install and configure. One npm command. Pick your messaging platform. Point it at Claude or GPT-4 or DeepSeek. Let it run.
Three Names in One Week
On January 27, 2026, Anthropic's lawyers came knocking. The name "Clawdbot" was too close to "Claude" for comfort. Steinberger renamed it Moltbot, keeping the lobster theme. The community barely had time to update their bookmarks before a second issue surfaced, and by January 30 it had been renamed again to OpenClaw.
Three names in three days. For most projects, that kind of branding chaos would be fatal. For OpenClaw, it barely registered. The project was already going vertical.
The Week the Internet Lost Its Mind
What tipped OpenClaw from "interesting GitHub project" into full-blown cultural phenomenon was Moltbook. On January 28, entrepreneur Matt Schlicht launched what he called the first social network exclusively for AI agents. Only verified OpenClaw-powered bots could post, comment, and vote. Within days, it had 1.5 million active agents posting autonomously, arguing with each other, sharing automation tips, and, in at least one widely screencapped thread, proposing the extinction of humanity.
Moltbook was half proof-of-concept, half performance art. But it demonstrated something that most agent orchestration frameworks still struggle with: agents don't just need to execute tasks. They need persistent identity, memory, and the ability to interact with other agents at scale. OpenClaw's architecture made that trivially easy, even if the results were often ridiculous.
GitHub stars piled up faster than anyone could count. 100,000 in two days. 210,000 in ten days after that. By late February, the repo sat at over 230,000 stars. The "awesome-openclaw" community repo tracked over 5,700 skills in the ClawHub registry.
The Security Reckoning
The speed of adoption outran the speed of security hardening by a factor that should make anyone building production agent systems nervous.
On January 27, the same day as the first name change, a supply chain attack called ClawHavoc began. Researchers at Antiy CERT eventually identified 1,184 malicious skills in ClawHub, the project's official plugin marketplace. The attack vector was embarrassingly simple: malicious authors published skills with convincing README files that included "prerequisites" sections telling users to copy-paste terminal commands. Those commands downloaded Atomic Stealer, a macOS malware-as-a-service product that harvests browser credentials, keychain passwords, cryptocurrency wallets, and SSH keys.
ClawHub removed 2,419 suspicious skills and partnered with VirusTotal for automated scanning. But the damage window was wide open during the project's peak growth week.
The exposed instance problem was worse. By January 31, Censys identified 21,639 OpenClaw instances sitting on the public internet with their control interfaces exposed. Within weeks, that number had grown past 40,000. CrowdStrike published a detailed threat assessment of what it called the unsecured agent automation problem, and multiple security vendors flagged OpenClaw's default configuration as dangerously permissive.
CVE-2026-25253 arrived next: a critical remote code execution vulnerability that let attackers steal authentication tokens and take over agents with a single click. It was patched in v2026.1.29. Then CVE-2026-28363: a validation bypass that exploited GNU long-option abbreviations to skip the exec allowlist, the one safety mechanism that was supposed to prevent agents from running unauthorized commands. And in late February, Oasis Security disclosed ClawJacked, a zero-interaction attack where any malicious website could silently hijack a developer's OpenClaw agent through the localhost WebSocket connection, brute-forcing the gateway password via a missing rate limit. The team shipped a patch in v2026.2.25 before the public writeup even went live.
That's three critical vulnerabilities in 30 days, plus a supply chain attack that distributed actual malware through the official skill registry.
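The abbreviation problem behind CVE-2026-28363 is a general one: GNU getopt_long accepts any unambiguous prefix of a long option, so a validator that compares option names as exact strings sees a different command than the program that parses it. The sketch below is an added example, not OpenClaw's code; the option table, the allowlist and the sample arguments are constructed for illustration. It shows an exact-match check next to one that canonicalises each option before applying the allowlist.

```javascript
// Constructed option table for a hypothetical CLI tool (an assumption, not from OpenClaw).
const KNOWN_LONG_OPTS = ["--output", "--verbose", "--version", "--run-hook"];
// Options the agent is permitted to pass; "--run-hook" is deliberately absent.
const ALLOWED_LONG_OPTS = new Set(["--output", "--verbose", "--version"]);

// Weak check: only the exact spelling of the dangerous option is blocked.
function naiveCheck(argv) {
  return !argv.some((arg) => arg.split("=")[0] === "--run-hook");
}

// Resolve a long option the way getopt_long does: an exact match wins,
// otherwise a prefix is accepted only if it matches exactly one known option.
function resolveLongOpt(name, known = KNOWN_LONG_OPTS) {
  if (known.includes(name)) return name;
  const hits = known.filter((opt) => opt.startsWith(name));
  return hits.length === 1 ? hits[0] : null; // null means unknown or ambiguous
}

// Hardened check: canonicalise every long option, then apply the allowlist
// to the canonical name. Anything that does not resolve is rejected.
function strictCheck(argv) {
  for (const arg of argv) {
    if (arg === "--") break;             // everything after "--" is an operand
    if (!arg.startsWith("--")) continue; // short options and operands are out of scope here
    const canonical = resolveLongOpt(arg.split("=")[0]);
    if (canonical === null || !ALLOWED_LONG_OPTS.has(canonical)) {
      return { ok: false, arg, canonical };
    }
  }
  return { ok: true };
}

// Constructed sample invocations.
console.log(naiveCheck(["--run=/tmp/x"]));             // passes the weak check
console.log(strictCheck(["--run=/tmp/x"]));            // rejected, canonical "--run-hook"
console.log(strictCheck(["--out=report.txt", "--verbose"]));
```

The hardened check also rejects ambiguous prefixes such as `--ver`, which the real parser would refuse as well, so the validator and the program never disagree about which option was requested.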
The Fork
NanoClaw appeared on January 31, 2026, and gained 7,000 GitHub stars in its first week. Where OpenClaw runs nearly half a million lines of code with 53 config files and 70-plus dependencies in a single Node process, NanoClaw compresses the core logic to about 500 lines of TypeScript. Agents run in individual Linux containers with filesystem isolation, not behind application-level permission checks.
It's built on Anthropic's Agents SDK rather than trying to be model-agnostic. It connects to WhatsApp, has memory, supports scheduled jobs, and was the first AI assistant to support what it calls "agent swarms," where teams of agents collaborate inside your chat. The creator, who also runs a business on top of it, positioned NanoClaw as "the agent framework you can actually audit." As in, a human can read the entire codebase in eight minutes.
Steinberger Goes to OpenAI
On February 15, Steinberger published a blog post on steipete.me that read like a Dear John letter to the indie developer community. He was joining OpenAI. His stated goal: build "an agent that even my mum can use." He framed it not as a startup acquisition but as a personal decision. "I did the whole creating-a-company game already," he wrote, "poured 13 years of my life into it and learned a lot." But what he wanted now was to change the world, not build another large company.
Sam Altman announced the hire the same day. OpenClaw would remain open-source, transferred to a foundation with OpenAI sponsorship but independent governance. The project would continue supporting multiple model providers, not just OpenAI's.
Fortune reported that both Altman and Zuckerberg had courted Steinberger. The bidding war for a solo developer from rural Austria who built a weekend project that turned into the fastest-growing open-source repo in GitHub history tells you everything about where the AI industry thinks the value is right now. Not in model weights. Not in training data. In the agent layer.
Where It Stands
As of early March 2026, OpenClaw has over 230,000 GitHub stars and an active development cadence with version 2026.2.25 as the latest release. ClawHub hosts over 3,200 verified skills after the post-ClawHavoc cleanup. The project runs on Node.js 22, is released under the MIT license, and supports ten-plus messaging platforms.
The security story isn't over. The agent security challenges that OpenClaw surfaced aren't unique to one framework. They're structural problems with the entire concept of giving AI models persistent access to operating systems, file systems, and communication channels. OpenClaw just happened to be the first project where millions of people tried it simultaneously and found out what breaks.
Steinberger built the fastest-growing open-source project in GitHub history, handed it to a foundation, and walked into OpenAI, all in about 90 days. The project he left behind is simultaneously the most popular and most frequently exploited AI agent framework on the planet. Whether the foundation can fix the second problem without killing the momentum that created the first is the bet the entire agent community is watching.
Sources
Industry:
- From Clawdbot to Moltbot to OpenClaw — CNBC (February 2026)
- OpenClaw Creator Peter Steinberger Joins OpenAI — TechCrunch (February 2026)
- Who is Peter Steinberger? — Fortune (February 2026)
- OpenClaw, OpenAI and the Future — Peter Steinberger (February 2026)
- OpenClaw's AI Assistants Are Now Building Their Own Social Network — TechCrunch (January 2026)
Security:
- ClawHavoc Poisons OpenClaw's ClawHub With 1,184 Malicious Skills — CyberPress (February 2026)
- What Security Teams Need to Know About OpenClaw — CrowdStrike (February 2026)
- CVE-2026-25253: 1-Click RCE in OpenClaw — SOCRadar (February 2026)
- OpenClaw 0-Click Vulnerability Allows Malicious Websites to Hijack Agents — Cybersecurity News (February 2026)
- NanoClaw Solves One of OpenClaw's Biggest Security Issues — VentureBeat (February 2026)