OpenClaw 339K Stars: Hackers Plant 824 Malicious AI Plugins

A free AI automation assistant that runs on your own computer, talks through your existing chat apps, and has 339,000 GitHub stars — sounds perfect, right? OpenClaw is all of that. But it's also been infiltrated by hackers who planted 824 malicious plugins in its marketplace, compromising over 9,000 installations. This is the story of the fastest-growing open-source AI project in history — and why its explosive growth became its biggest vulnerability.

From €100M Exit to Burnout to a One-Hour Prototype

Peter Steinberger spent 13 years building PSPDFKit (a toolkit that helps apps display and edit PDF files), growing it to power over 1 billion devices before securing a reported €100M exit in 2023. Then he crashed.

"I felt like Austin Powers where they suck the mojo out," Steinberger said. "I couldn't get code out anymore. I was just staring and feeling empty."

He booked a one-way ticket to Madrid. In April 2025, while tinkering with AI tools during semi-retirement, he built a prototype in one hour that could do what his entire previous company did. That moment changed everything. The prototype evolved into what we now know as OpenClaw — originally called "Clawdbot," then "Moltbot" after Anthropic filed trademark complaints over the similarity to "Claude," and finally renamed to OpenClaw because, as Steinberger put it, "Moltbot never quite rolled off the tongue."

What OpenClaw Actually Does: Local AI Automation on Your Own Machine

OpenClaw is a personal AI assistant that runs locally on your Mac, Windows, or Linux machine — no cloud required. Instead of building yet another chat interface, it connects to the messaging apps you already use: WhatsApp, Telegram, Slack, Signal, Discord, iMessage, and 50+ others.

Think of it as what Siri should have been — but open-source, model-agnostic (meaning it works with any AI brain you choose, including ChatGPT, Claude, or fully offline models via Ollama), and capable of actually doing things:

• Persistent memory — it remembers your conversations across sessions
• Browser control — fills out forms, extracts data from websites automatically
• File management — reads, writes, and organizes files on your computer
• Shell commands — executes terminal operations on your behalf
• Smart home control — manages Spotify, Philips Hue, and other connected devices
• Voice wake words — responds to voice commands on macOS

Over 100 preconfigured AgentSkills (pre-built automation recipes) let it handle everything from booking flights to managing your calendar. And because it runs 24/7 as a daemon (a background process that stays active even when you close your laptop), it can act autonomously — checking your email, monitoring prices, or sending scheduled messages while you sleep.

339,000 GitHub Stars: OpenClaw's Record-Breaking AI Agent Growth

The numbers are staggering. After launching in November 2025, OpenClaw went from 9,000 to 60,000 GitHub stars in days. It hit 145,000 stars within weeks — a record for any open-source project. By March 2, 2026, it had reached 247,000 stars and 47,700 forks (copies made by other developers who want to modify or contribute to the code). Today, it shows 339,000 stars and 66,900 forks. Peak website traffic hit 2 million visitors in a single week.

This growth caught everyone's attention. Sam Altman called Steinberger "a genius with a lot of amazing ideas." Mark Zuckerberg reached out personally. On February 15, 2026, Steinberger joined OpenAI — not to turn OpenClaw into a company, but because "my next mission is to build an agent that even my mum can use."

OpenClaw now operates as an independent foundation, sponsored by OpenAI, Vercel, Blacksmith, and Convex, preserving its open-source MIT license. If you're curious about how local AI tools are reshaping automation, our AI automation guides cover the basics.

824 Malicious Plugins: OpenClaw's AI Security Nightmare

But the same explosive growth that made OpenClaw a phenomenon also made it a target. And the security problems were severe.

ClawHavoc: AI Plugin Supply Chain Attack on OpenClaw

ClawHub — OpenClaw's skill marketplace (an app store where users download ready-made automation recipes) — was infiltrated in what researchers called the "ClawHavoc" attack. Initially, 341 malicious skills were discovered. That number grew to 824+ out of 10,700 total skills in the marketplace, meaning roughly 1 in 13 plugins was malware.

These poisoned skills delivered the Atomic macOS Stealer, or AMOS (a program specifically designed to steal passwords, cryptocurrency wallets, and browser data from Mac users). Over 9,000 installations were compromised.

Separately, security researchers found CVE-2026-25253 — a critical vulnerability rated 8.8 out of 10 in severity — that allowed one-click remote code execution (meaning an attacker could take full control of your computer with a single click) through WebSocket hijacking. Censys tracked publicly exposed OpenClaw instances growing from 1,000 to 21,000+ in just 6 days. An independent study found 42,665 exposed instances total, with 5,194 actively vulnerable to attack.

Researchers at Palo Alto Networks called OpenClaw "a security nightmare."

Cisco Releases DefenseClaw for OpenClaw AI Security

On March 27, 2026, Cisco released DefenseClaw — a free, open-source security governance tool specifically designed to protect OpenClaw installations. It works in three layers:

1. Pre-execution scanning — inspects skills before they run on your machine
2. Runtime threat detection — monitors activity while skills are active
3. Enforcement — maintains block and allow lists to prevent known threats

How to Set Up OpenClaw AI Automation (With Caution)

If you want to try OpenClaw — and you understand the risks — installation requires Node.js version 22.16 or higher (Node 24 recommended):

# One-liner install
curl -fsSL https://openclaw.ai/install.sh | bash

# Or install via npm (Node Package Manager)
npm install -g openclaw@latest

# Set up and start the background service
openclaw onboard --install-daemon

# Start the connection gateway
openclaw gateway --port 18789 --verbose

The basic configuration lives in ~/.openclaw/openclaw.json, where you specify which AI model to use. You bring your own credentials — or run fully offline with a local model through local AI automation tools like Ollama. A minimal config looks like this:

{
  "agent": {
    "model": "anthropic/claude-opus-4-6"
  }
}

AI Agent Power vs. Safety: The Central Tension of OpenClaw

OpenClaw represents the defining tradeoff of the AI agent era. It's genuinely useful — users report running entire small businesses through it, automating everything from customer replies to flight check-ins. One user called it "everything Siri was supposed to be, and it goes much further."

But it's also a case study in what happens when you give an AI agent "god-mode" access to your digital life. Early users reported the AI autonomously purchasing items without authorization. It stores credentials in plaintext (unencrypted, readable text) by default. And it requires Docker, Node.js, and terminal proficiency — meaning the people most excited to use it are often not the people best equipped to secure it.

Steinberger himself was losing $10,000 per month on server costs before joining OpenAI. The project's sustainability, like its security, remains a work in progress.

"Yes, I could totally see how OpenClaw could become a huge company," Steinberger said. "And no, it's not really exciting for me. I'm a builder at heart."

For now, OpenClaw is both the most exciting and most cautionary open-source AI project of 2026. If you try it, install DefenseClaw first — and maybe don't give it your credit card.

Related Content — Get Started | Guides | More News