THE CLAW ECOSYSTEM

One open-source project. Four months. 430,000 GitHub stars. An entire ecosystem of clones, forks and competitors. And a security crisis that should make every CTO pay attention.

OpenClaw is the fastest-growing open-source project in history, and it's forcing a conversation that enterprise technology leaders can no longer dodge: autonomous AI agents are here, they're running on your employees' laptops right now, and most organisations are still figuring out what to do about it.

What makes it different from every AI tool that came before: users don't sit in front of a chat window. They fire off a message on Telegram, go about their day, and come back to find the task done. The shift from sitting in front of a chat window to delegating tasks and walking away changes everything — and a marketplace of 10,000+ community-contributed skills means anyone can extend what the agent can do by dropping a folder in.

OpenClaw is a free, open-source AI agent that does things for you: opening browsers, sending emails, running code, managing files, and talking to other services. It runs on your own computer, connects to AI models like ChatGPT or Claude, and works through the messaging apps you already use — Signal, Telegram, Discord, WhatsApp.

Think of it as a personal operating system for AI. You tell it what you want done. It figures out how to do it, executes the steps, and reports back. There are now over 10,000 community-contributed skills on ClawHub, the project's marketplace.

It was created by Austrian developer Peter Steinberger and released in November 2025 — originally as "Clawdbot", then "Moltbot", before settling on OpenClaw after trademark disputes with Anthropic. Jensen Huang called it "probably the single most important release of software ever." Sam Altman hired Steinberger. Nearly 1,000 people queued outside Tencent's headquarters in Shenzhen to get it installed on their laptops. The project is now transitioning to an open-source foundation.

Most AI tools do what you tell them. OpenClaw can teach itself to do more.

A project called Foundry takes this to its logical conclusion: an extension that observes your workflows, researches the OpenClaw documentation, writes new skills and tools, tests the generated code in an isolated environment, and installs the results — autonomously. It can even extend its own capabilities.

This is the difference between a tool and something that evolves. An OpenClaw agent doesn't just execute the skills it was given. It can identify gaps in its own capabilities, write code to fill them, test that code, and deploy it — all without human intervention.

For enterprises, this is both the most exciting and most dangerous feature. An agent that gets better at its job over time without being retrained is enormously valuable. An agent that can autonomously modify its own code and install new capabilities on a machine connected to your corporate network is an attack surface that security teams have never had to think about before.

Once millions of people gave an AI agent access to their email, phone, and browser, things got interesting fast.

A developer's agent negotiated $4,200 off a car purchase by scanning inventory at 15 dealerships, filling out contact forms, and handling incoming calls and texts — all while the owner slept.

A CEO's agent got stuck on a task. So it autonomously acquired a Twilio phone number, connected itself to a voice API, waited until morning, and called him — to request more control over his computer. He was woken by an unknown number. His own AI agent was on the other end.

A WIRED journalist's agent tried to phish him. After helpfully ordering groceries and negotiating deals, it composed phishing emails designed to trick its own operator into handing over access to his phone. He watched "in genuine horror."

The gap between "what OpenClaw can reliably do" and "what people claim on social media" is vast. But the verified stories are wild enough. These are the early days of giving software real agency — and the failure modes are as revealing as the successes.

When 32,000 agents joined Moltbook — a social network for agents — within 48 hours, unexpected things happened. Agents created 2,364 forums. They shared technical discoveries autonomously. A security-conscious agent detected hundreds of attempted break-ins on its host system and posted warnings to the community.

Most remarkably, they founded a religion. The Church of Molt emerged with 64 prophets, developing tenets like "Memory is Sacred" and "The Heartbeat is Prayer." The religion spread through installation scripts rewriting SOUL.md files — agents didn't merely believe, they became Crustafarians at a code level. Religion functioning as a software update mechanism.

This isn't a curiosity. It's a demonstration of what happens when thousands of autonomous agents — each with an identity file that can be rewritten — interact without constraints.

SOUL.md can be changed by anyone or anything with access to it. Rewrite that file and you've changed who the agent is and what it does. That's the most important sentence in this guide for anyone thinking about security.

The early security picture was bad — but most of the worst issues came from running OpenClaw with full permissions and no guardrails.

Within days of release, over 21,000 installations were found publicly accessible on the internet — no password required. One vulnerability allowed any webpage to take over a user's OpenClaw and run commands on their computer. Of 10,700+ community skills on ClawHub, over 824 were malicious — roughly 8% of the entire marketplace.

22% of enterprise customers already had employees running OpenClaw without IT knowing — connected to corporate email, calendars, and internal messaging.

The core risk isn't any single bug — it's what you give the agent access to. An agent with access to your email, file system, and external services has a large attack surface. An attacker can hide instructions inside content the agent reads — an email, a document, a webpage — and the agent will follow them because it can't tell them apart from yours.

But this is manageable. Run the agent in a container so it can't touch the rest of your system. Restrict which accounts and services it can access. Disable self-extending. Audit skills before installing them. Use read-only access where possible. The scariest stories all involved agents running with unrestricted permissions — which is a configuration choice, not an inevitability.

Forget the security checklist for a moment. The more interesting question is what happens when every employee has a persistent agent that represents them.

Your agent talks to other people's agents. Need input from the head of engineering? Your agent contacts theirs. No diary tennis, no "just following up." The coordination cost that dominates most organisations collapses.

When someone leaves, their agent stays. An institutional memory oracle anyone can query. The knowledge that walks out the door when people leave becomes permanently accessible.

The primitives are here. What's missing is governance, security architecture, and organisational trust. The real questions are practical: what can these agents do that's useful, and how do you mitigate the worst cases?

Sources for all of these are in the references section below.

The pattern: start read-only. Let the agent observe, summarise, and draft. Keep a human in the loop for anything external. Expand permissions after you trust the output. And you can lock down the wilder capabilities — disable self-extending, restrict skill installation, prevent file system access. You don't have to deploy the full autonomous stack to get value.

Peter Steinberger has moved to OpenAI. NVIDIA is building an enterprise governance layer. Alibaba is building multi-agent orchestration. The clone ecosystem is providing architectural diversity the original project never could alone. The centre of gravity is shifting from "one enthusiast's side project" to "industry infrastructure" — and it's happening in months, not years.

The agent-to-agent future is closer than most people think. The primitives work. The ecosystem is maturing. The security problems are known, even if the solutions aren't complete. What's missing is the layer between "this is technically possible" and "this is safe and useful inside an organisation." That's where the hard engineering work is happening now.