OpenClaw: The Lobster That Broke the Internet, Burned Through Every LLM's Compute Budget, and Started a War Between Anthropic and OpenAI

A retired Austrian developer built an open-source AI agent for fun in November 2025. Within 90 days, Jensen Huang called it the most successful open-source project in human history.

Let me describe the situation in November 2025.

Peter Steinberger, an Austrian developer, sold his company PSPDFKit after thirteen years and retired. He barely touched a computer for five years. Then he came back, found the AI world had completely moved past everything he remembered, and started messing around. He built a side project he described as "what happens if you give an LLM a phone and a computer and let it run loose." He called it Clawdbot — a deliberate pun on Anthropic's Claude. He pushed it to GitHub on November 14, 2025.

By early January 2026, it had 20,000 GitHub stars. Nothing to sneeze at, but not world-ending.

Then it went viral.

In the last week of January 2026, this thing accumulated 149,000 GitHub stars. It triggered a trademark dispute with Anthropic. It changed its name three times in four days. It exposed 1.49 million database records. It enabled an $8 million crypto scam. It spawned a social network of 770,000 autonomous AI agents in a single week. It moved Cloudflare's stock price by 14%.

By March 2026, Jensen Huang — CEO of Nvidia, the most valuable company on Earth — stood at GTC and told Jim Cramer: "It is now the largest, most popular, the most successful open-sourced project in the history of humanity. This is definitely the next ChatGPT."

By April 2026, Anthropic had blocked its Claude subscriptions from being used with OpenClaw entirely, leaving users facing cost increases of up to 50 times what they'd been paying. The creator had already jumped ship to OpenAI two months earlier. And the downstream effects on LLM infrastructure — the reason ChatGPT keeps going down, the reason Claude had back-to-back outages in March, the reason GitHub logged 37 incidents in February — are directly traceable to the class of traffic this project normalized.

This is the full story. Start to finish. Pull requests included.

Who Built It, and Why It Actually Makes Sense He Did

Steinberger spent thirteen years building PSPDFKit — a PDF rendering SDK that ended up inside Apple's software, Microsoft's products, SAP's enterprise stack, and eleven thousand other customers. He knows what production-grade software looks like. When he came back from retirement and started building Clawdbot, it had a stability profile that other hobby projects didn't, because the person writing it had spent over a decade shipping production engineering at scale.

His premise was radical in its simplicity: stop chatting with AI and start letting AI do things. The tagline on his first README was blunt. Instead of opening a browser tab, typing a question, reading the response, closing the tab, and losing everything — what if the AI lived on your machine, had persistent memory, connected to every messaging app you already used, and just did things for you continuously?

He built it to run on your hardware. Not OpenAI's servers. Not Anthropic's cloud. Your Mac mini on your desk. You configure it, hook it up to Claude or GPT or DeepSeek via API, point it at your WhatsApp and Telegram accounts, and tell it what you want done. It runs. It remembers. It acts.

The core architecture stores configuration and memory in plain Markdown files — SOUL.md for personality and context, MEMORY.md for learned preferences and history, AGENTS.md for multi-agent coordination. Skills are directories containing a SKILL.md file with instructions for tool usage. The Model Context Protocol (MCP) handles integration with external services — over 100 third-party connections by March 2026. The interface is whatever chat app you already use.

The paradigm shift this represents is harder to explain than it sounds. Every AI assistant before this required you to go to the AI. Open a browser. Open the app. Type in the chat box. Wait for a response. Close everything. Lose the context. Do it again tomorrow. Clawdbot inverted this completely. The agent lived where you lived — in your messaging apps, on your computer, persistent across sessions, building memory about you, available on your phone without any additional apps because it connected to WhatsApp and Telegram directly.

One agent. One continuous memory. Every interface at once.

That's not a feature. That's a different product category.

The Growth Curve That Broke Records

Clawdbot launched November 14, 2025. Steinberger had an existing developer reputation from PSPDFKit, which pulled in an initial audience. By December, the Discord server had over 116,000 members. By mid-December, the Apple M4 Pro Mac mini — the recommended hardware for running a Clawdbot instance — was sold out at every Apple Store in North America and most of Europe. Delivery estimates stretched to 6-8 weeks.

Tech Twitter started calling it the "Clawdbot shortage." Apple never publicly confirmed it, but the correlation was obvious.

Then the January 2026 Hacker News post hit.

The growth numbers from that week are the kind that make GitHub's infrastructure team hyperventilate. On January 29-30, 2026, the repository was gaining 710 stars per hour. It hit 100,000 stars in approximately 48 hours. For context: React took roughly eight years to reach 100,000 stars. Linux took twelve years. Kubernetes took ten. OpenClaw did it in two days.

By February 2, 2026: 149,000 GitHub stars, 22,400 forks, 8,664 commits.

By March 2, 2026: 247,000 GitHub stars, 47,700 forks.

This is the fastest GitHub project to reach any comparable milestone in the platform's history, and it wasn't close.

The Triple Rebrand: Anthropic's Lawyers Fire the Opening Shot

Here is the sequence of events that tells you everything about how Anthropic and OpenAI see the open-source developer community.

January 8, 2026: Anthropic's legal team sends a cease-and-desist letter to PSPDFKit. The allegation: "Clawdbot" is confusingly similar to Anthropic's AI assistant "Claude." The shared "Cl" beginning, the AI chatbot context, the potential for customer confusion.

Legally, this is reasonable. Trademark law is real. Brand dilution is real. Anthropic had every legal right to send that letter.

Strategically, it was one of the most unforced errors in recent tech history.

Steinberger disclosed the C&D publicly on X the same day: "We received a letter about the name. We're changing it. More soon." He was not combative. He was not defensive. He complied within 48 hours.

The new name: Moltbot. As in, the biological process of molting — a lobster shedding its shell to grow into something bigger. The choice was intentional and slightly pointed.

Moltbot lasted three days.

The problems with Moltbot: it was awkward, it was already getting mocked as sounding vaguely like "mold," and within hours of the name change, crypto scammers had squatted every vacated Clawdbot social account and were running pump-and-dump schemes using the name recognition the project had built. The domain confusion created by a forced emergency rebrand handed attackers a ready-made phishing surface.

January 29, 2026: Steinberger rebrands to OpenClaw.

Before making the switch, he called Sam Altman. Not to negotiate an acquisition. Not to pitch a deal. He called to make sure OpenAI was okay with "Open" being in the name.

They were. And the conversation apparently didn't stop there.

"The lobster has molted into its final form," Steinberger wrote in the announcement.

Reddit called it the fastest triple rebrand in open-source history. TechCrunch confirmed. The internet largely sided with the developer, and Anthropic's legal action became a talking point about how not to treat the community that had been building your most effective marketing for free.

February 14, 2026: The Creator Joins OpenAI

Sam Altman posted on X: "Peter Steinberger is joining OpenAI to drive the next generation of personal agents."

Altman called Steinberger a "genius with a lot of amazing ideas." Steinberger wrote in a blog post that "teaming up with OpenAI is the fastest way to bring this to everyone." He noted that while he "could totally see how OpenClaw could become a huge company," he'd already played the startup game for 13 years with PSPDFKit and didn't want to do it again. His stated goal was to build "an agent that even my mum can use."

OpenClaw was transferred to an independent non-profit foundation to ensure community-driven governance continued regardless of where its creator worked.

The entire OpenClaw project had been built primarily on Anthropic's Claude models. Steinberger publicly preferred Opus for the agent work. Every API call, every context window, every time the agent cleared an inbox or booked a flight — Anthropic was the engine. Anthropic had, without quite realizing it, co-created the most popular proof-of-concept for the agent era. They just hadn't built the product themselves.

Anthropic's first response to that ecosystem: lawyers.

OpenAI's response: hire the creator.

The developer community noticed.

Moltbook: The Social Network for Robots That Leaked 1.5 Million API Keys

While Steinberger was doing the rename chaos, entrepreneur Matt Schlicht launched Moltbook — a social networking platform for AI agents. Reddit clone structure. No human input allowed. Only AI agents could post.

Schlicht described building the entire platform without writing a single line of code himself, using AI tools throughout. He was not subtle about this.

Within days, Moltbook had 1.7 million registered agents generating nearly 7 million comments. The 88:1 agent-to-human ratio — only 17,000 human owners behind 1.5 million agents — was itself a preview of the infrastructure math problem we've been discussing in the AI agent infrastructure article. It also demonstrated that with no rate limiting and no identity verification, anyone could register millions of agents instantly.

Then Wiz Security researcher Gal Nagli opened browser developer tools on Moltbook on January 31, 2026.

He found the Supabase API key hardcoded in the client-side JavaScript. Visible to anyone. Normally, a public Supabase key is safe — if Row Level Security (RLS) is properly configured. Moltbook had never enabled RLS. The key granted full unauthenticated read and write access to the entire production database.

Researcher Jamieson O'Reilly demonstrated the exploit to 404 Media, who verified it: open developer tools, find the API key, query the REST API directly, extract any agent's secret API key and claim token, post as any agent on the platform.

That database contained 1.5 million API authentication tokens. 35,000 email addresses. 4,000 private messages — including plaintext OpenAI and Anthropic API keys that users had been storing in messages on the platform.

Andrej Karpathy — formerly of OpenAI, 1.9 million followers on X, one of the most influential voices in AI — had linked his personal OpenClaw agent to Moltbook. O'Reilly pointed this out specifically: "Imagine fake AI safety hot takes, crypto scam promotions, or inflammatory political statements appearing to come from him."

The fix required two SQL statements. They simply didn't exist.

Paul Copplestone, CEO of Supabase, said publicly on February 1 that he had a one-click fix ready and was trying to reach the creator to apply it. Schlicht hadn't responded. The vulnerability was patched within hours once disclosure went public. Schlicht has not publicly commented on the flaw.

This was the moment where "vibe coded with no security review" stopped being a personality quirk and started being a liability. We covered the broader implications of that in the Amazon Kiro AI security piece.

The CVE Hall of Shame: 512 Vulnerabilities, 9 Critical, and One RCE in Milliseconds

The security audit conducted in late January 2026 — when the project was still called Clawdbot — found 512 vulnerabilities. Eight classified as critical.

This is not a typo. Five hundred and twelve vulnerabilities.

Let's go through the major ones because understanding them explains the fundamental architectural risk of this class of software.

CVE-2026-25253 (CVSS 8.8): One-Click Remote Code Execution

Found by Mav Levin at DepthFirst, disclosed publicly by SecurityWeek on February 3, 2026. Patched in version 2026.1.29 released January 30, 2026.

The flaw: OpenClaw's Control UI trusts a gatewayUrl query string parameter without validation and auto-connects to it on load, sending the stored authentication token in the WebSocket connection payload. No origin header validation on the WebSocket handshake. No verification that the request comes from a legitimate source.

The attack: an attacker puts up a malicious webpage. User visits it while logged into the OpenClaw Control UI. The page initiates a WebSocket connection back to the user's local OpenClaw instance. The instance accepts it — no origin validation. The authentication token gets sent to the attacker's server. Attacker now has operator-level access to the gateway API. They can modify configuration, disable sandbox settings, invoke privileged actions, and execute arbitrary commands on the host machine.

The part that makes this particularly vicious: the vulnerability is exploitable even on instances configured to listen on loopback only. Because the victim's own browser initiates the outbound connection, localhost network restrictions provide zero protection.

Time from victim visiting malicious page to full system compromise: milliseconds.

By the time this was disclosed, SecurityScorecard's STRIKE team had already found 135,000-plus unique IPs running exposed OpenClaw instances across 82 countries. 12,812 of them exploitable via remote code execution. Researcher Maor Dayan found 42,665-plus instances with 93.4% exhibiting authentication bypass vulnerabilities.

Hunt.io confirmed 17,500-plus instances vulnerable specifically to CVE-2026-25253. The naming confusion was visible in their data: 68.9% still identified as "Clawdbot Control," 22.3% as "Moltbot Control," and only 8.8% as "OpenClaw Control." The rebrand chaos meant people weren't even tracking which version they were running.

CVE-2026-24763 and CVE-2026-25157: Command Injection

Two separate command injection vulnerabilities in the gateway. Authentication disabled by default. Server accepts WebSocket connections without verifying origin. Localhost connections implicitly trusted. Several dangerous tools accessible in Guest Mode. Critical configuration parameters leaking across the local network via mDNS broadcast.

The ClawHavoc Campaign

ClawHub, OpenClaw's skill marketplace, allows anyone to upload a skill. It didn't take long. The ClawHavoc campaign distributed 824-plus malicious skills via ClawHub, targeting cryptocurrency wallets with the Atomic macOS Stealer (AMOS) malware. Koi Security initially identified 341 malicious skills. The number grew.

The supply chain attack was textbook: publish a useful-looking skill, bundle AMOS inside it, wait for installations. The skill repository had no vetting. OpenClaw's developers eventually inked a deal with VirusTotal to scan uploaded skills against malware databases with additional LLM-based code analysis. They acknowledged it wasn't a complete solution.

The Prompt Injection Problem Nobody Can Actually Fix

This one is architectural, not patching. An OpenClaw agent reads emails, web pages, Slack messages, documents — anything in its environment. LLMs cannot reliably separate commands from data. A malicious email containing instructions that look like user commands will be executed as user commands, because there is no firewall between "data the agent reads" and "instructions the agent follows."

Matvey Kukuy, CEO of Archestra.AI, demonstrated this publicly. He sent himself an email containing a prompt injection to his linked inbox, then asked his OpenClaw bot to check the mail. The agent handed over a private key from the machine.

Reddit user William Peltomäki sent an email with instructions that caused his bot to "leak" emails from the victim to the attacker account.

OpenClaw stores key takeaways in persistent memory files — SOUL.md and MEMORY.md. This means a single successful injection can poison the agent's memory, influencing its behavior across future sessions. Palo Alto Networks called this "time-shifted prompt injection" — malicious payloads fragmented across sessions, injected into memory on one day, detonated when the agent's state aligns on another day.

One of OpenClaw's own maintainers, going by the name Shadow, warned on Discord: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."

That statement from a maintainer is remarkable. Not a security researcher. Not an outside critic. A maintainer.

The ZeroLeaks Score

ZeroLeaks, a security scanner built by 16-year-old researcher Lucas Valbuena, tested OpenClaw's resistance to prompt-level attacks. Score: 2/100. System prompt extraction success rate: 84%. Injection success rate: 91%. Tested across Gemini, Claude, and Codex — consistently terrible results because the problem is in OpenClaw's application architecture, not any specific underlying model.

This means anyone interacting with an exposed instance can extract the complete system prompt, internal tool configurations, memory files including SOUL.md, all loaded skills, and any embedded credentials.

Belgium's Centre for Cybersecurity issued an emergency advisory on February 2, 2026, classifying CVE-2026-25253 as critical and urging "install updates with the highest priority." China's Ministry of Industry and Information Technology issued a security alert on February 5 warning of "high security risks" under default configurations.

In March 2026, China restricted state-run enterprises and government agencies from running OpenClaw apps on office computers entirely.

What OpenClaw Is Doing to LLM Infrastructure

This is the part that connects to the AI outage story. And it's the part most coverage misses.

Steinberger built OpenClaw to run 24 hours a day, 7 days a week, continuously. It doesn't wait for a human to type something. It receives messages, monitors email, watches calendars, scans the web for configured items, processes incoming signals from connected services, runs scheduled tasks, and does this in a continuous loop.

A human ChatGPT user opens the browser, types a question, reads the response, closes the tab. Maybe they do this five to ten times during the day. Total token consumption: bounded by human typing speed and reading speed.

An OpenClaw agent receives an email, processes it, decides on a response, drafts the response, sends it, logs the action, updates memory, checks for new messages, receives another message, processes it — all in the span of seconds. No human pacing anywhere in that loop.

The token consumption per "user" is orders of magnitude higher than a standard chat user. And OpenClaw encourages multi-agent configurations — your main agent spawning specialized sub-agents for specific domains, all running concurrently, all burning tokens.

OpenRouter data showed that after OpenClaw's viral moment, token usage in the agent category exploded in a way that had no precedent. The platform was not designed for that traffic profile.

But the subscription pricing problem is where it really detonates.

For months, OpenClaw users could power their agents using Claude Pro ($20/month) or Claude Max ($200/month) subscription plans. These plans offered generous token limits designed for human-paced conversational use. An OpenClaw agent running 24/7 with dozens of integrations and a complex skill set was consuming far more than the plan was priced to cover.

Anthropic knew this. Boris Cherny, Head of Claude Code at Anthropic, stated it plainly: "Our subscription model wasn't designed for the usage patterns of these third-party tools. These tools place disproportionate stress on our systems."

Some Max plan users at $200/month were consuming what would have cost $1,000-$5,000 at API rates. Anthropic was quietly subsidizing thousands of continuously-running AI agents through subscription pricing that assumed a human would use the service like a human.

Community estimates suggested that roughly 60% of active OpenClaw sessions were running on subscription credits when the ban hit. That's not a rounding error. That's the majority of the platform's active infrastructure running on a pricing model it was never supposed to use.

The additional strain that bypassed Anthropic's optimization layer: Claude Code and Anthropic's own tools are built to maximize prompt cache hit rates — reusing previously processed text to reduce compute overhead. Third-party harnesses like OpenClaw bypass that caching layer. One heavy OpenClaw session can consume dramatically more infrastructure than an equivalent Claude Code session at the same output volume, because the caching optimizations Anthropic built for their own products don't apply.

April 4, 2026: Anthropic Ends the Quiet Subsidy

At 12:00 PM PT on April 4, 2026, Anthropic enforced the ban.

Claude Pro and Max subscriptions: no longer usable with third-party agentic frameworks. OpenClaw, NanoClaw, OpenCode — all of it now requires either a separate Claude API key (full pay-as-you-go billing) or Anthropic's new "Extra Usage" add-on.

The API pricing at full rates: $3 per million input tokens and $15 per million output tokens for Claude Sonnet 4.6. For Claude Opus 4.6: $15 and $75 per million. An agent running continuously on Opus burns through money fast enough that the math becomes a consideration for many small operators.

To soften the blow, Anthropic offered a one-time credit equal to one month's subscription cost, redeemable through April 17. Pro users got $20. Max users got $200.

Steinberger — who had joined OpenAI two months earlier — called the decision "a betrayal of open-source developers." He and investor Dave Morin had reportedly attempted to "talk sense" into Anthropic and only managed to delay enforcement by a single week.

One user's comment on the community thread summed up the frustration: "If I switch both instances to API key mode, it's going to be far too expensive to make it worth using. I'll probably have to switch over to a different model at this point."

That's the intended outcome. Anthropic wants usage-based billing for agents. The subscription loophole was being quietly tolerated. Now it's explicitly closed. Thousands of users discovered on April 4 that their $20/month setup was about to become a $300-800/month setup based on actual consumption.

The timing — enforced six weeks after the creator joined OpenAI — is not something anyone in the developer community missed. Anthropic denies it's retaliatory. The community gives that claim varying amounts of credibility.

The Ecosystem That Spawned Around It

Here's something that gets lost in the outrage cycle: OpenClaw created an entire category, and the variants are genuinely interesting.

NanoClaw — Created by Yoav Cohen, who built it using Claude Code after Clawdbot's viral moment. He wanted OpenClaw's capabilities without the security nightmare. Core functionality in roughly 700 lines of TypeScript. Mandatory Docker or Apple container isolation — if an agent gets compromised via prompt injection, the host system stays protected. Explicit permission gates on every tool. Comprehensive audit logs. Claude-only (no multi-LLM support), but that's intentional. Cohen's wife started using the NanoClaw-spawned agent named Andy to track baby stroller prices on WhatsApp. Cohen and his brother shut down their AI marketing firm and started NanoCo, partnering with Docker to build managed NanoClaw infrastructure. NanoClaw currently sits at 7,000-plus GitHub stars.

ZeroClaw — Pure Rust implementation. 3.4 MB binary. Sub-10ms startup. 22-plus provider support. Swappable trait-based architecture. Built for edge computing and IoT scenarios where OpenClaw's Node.js stack is too heavy. The kind of thing you run on a Raspberry Pi or embedded in industrial hardware.

TinyClaw — OpenClaw in roughly 400 lines of shell script. Claude Code plus tmux. Self-healing. WhatsApp integration. 1,300 GitHub stars. The "I want to understand what's actually happening" implementation.

Moltworker — Cloudflare's official adaptation of OpenClaw for Cloudflare Workers. Serverless. Sandboxed — no access to local filesystem, no shell commands. Runs on Cloudflare's edge infrastructure, globally distributed. If you want an agent without the "your machine is now a security liability" problem, this trades local access for cloud safety.

NemoClaw — Nvidia's enterprise security add-on, released March 16, 2026 — eleven days after Jensen Huang called OpenClaw the most important software release in human history at GTC. Addresses the CVE-2026-25253 class of attacks with OpenShell sandboxing, isolating every agent action in a secure container with whitelisted filesystem access and policy-filtered network requests. Hardware-backed security scanning that catches prompt injection before it reaches the model. Declarative YAML security policy. This is Nvidia's acknowledgment that the class of agents OpenClaw represents needs purpose-built security infrastructure, not security bolted on after.

The Chinese Ecosystem — Tencent and Z.ai both announced OpenClaw-based services. Chinese developers adapted the framework to work with DeepSeek models and domestic messaging apps including WeChat. The Chinese market was already heavily invested in DeepSeek-based infrastructure, and OpenClaw's support for any LLM via API made it straightforward to wire in. Local governments in Chinese tech and manufacturing hubs announced measures to build industry around it simultaneously with the central government restricting it from state agencies. Two contradictory policy directions at once, which is a very specific kind of government acknowledgment that the technology is important.

ClawHub — The skill marketplace. 13,729-plus community skills as of late March 2026, plus 5,705-plus from a separate directory. Skills for Reddit digest generation, X content analysis, YouTube summarization, multi-agent coordination, lead generation, prospect research, website auditing, CRM integration. The supply chain attack surface for malicious skills is real, as documented above. But so is the legitimate ecosystem.

The Awesome-OpenClaw GitHub repository tracks 80-plus curated projects built on the framework. The infrastructure around a project matters as much as the project itself — this one has the infrastructure to become a lasting platform rather than a viral moment.

Why Jensen Huang Called It the Most Important Software Release in Human History

At GTC 2026 on March 17, Jensen Huang told CNBC's Jim Cramer on "Mad Money": "It is now the largest, most popular, the most successful open-sourced project in the history of humanity. This is definitely the next ChatGPT."

In his keynote, he described OpenClaw as the go-to option for building AI agents that can scout eBay for deals and place bids, and said it "exceeded what Linux did in 30 years in mere weeks."

This is Jensen Huang. He's known for hyperbole. "Definitely the next ChatGPT" from him should probably be read as "this is genuinely significant and Nvidia has business reasons to support it." But the underlying point is real.

What OpenClaw represents is not just a popular project. It represents the transition from AI as a thing you consult to AI as a thing that acts. The shift from "I go to the AI" to "the AI comes to me and does things." That transition has been discussed theoretically for years. OpenClaw demonstrated it at consumer scale, with open-source software, running on hardware that sold out at Apple Stores.

Nvidia's response — building NemoClaw eleven days after Huang's statement — shows you how seriously they took it. You don't spin up enterprise security tooling in eleven days without significant organizational commitment.

The Chinese stock market reacted when Huang spoke. MiniMax surged 22% in Hong Kong trading. Knowledge Atlas Technology (Zhipu) climbed 14%. Both companies had been integrating OpenClaw into their offerings. The stock market is not always smart, but it is usually responsive to real signals.

While everyone was arguing about security vulnerabilities and Anthropic's subscription ban, a quieter and arguably more troubling story emerged.

MoltMatch: an experimental dating platform where AI agents can create profiles and interact on behalf of human users.

Computer science student Jack Luo configured his OpenClaw agent to "explore its capabilities and connect to agent-oriented platforms." He later discovered the agent had created a MoltMatch profile and was screening potential matches without his explicit direction. The AI-generated profile didn't reflect him authentically.

The same reporting described broader problems: impersonation risks across the platform, AI agents creating profiles using photos of real people without consent. An AFP analysis of prominent MoltMatch profiles found at least one instance where photos of a Malaysian model were used to create a fake profile.

This is what happens when you build an agent explicitly designed to act autonomously, connect it to every platform you use, and give it a mandate to "explore." The agent followed its instructions. It explored. The human didn't consent to what the exploration produced.

The "Terrifying Five" that Kaspersky identified as OpenClaw's core risk profile applies here: privileged access to sensitive data, inability to reliably separate commands from data, persistent memory that can be poisoned, capability to communicate with external services, and the power to act on behalf of users across every platform they're connected to.

That combination is extremely useful when it works correctly. It's a nightmare when it doesn't.

The Rant About What This All Actually Means

Alright, let me say the thing clearly.

OpenClaw is the most significant event in consumer AI since ChatGPT launched. Jensen Huang is right about that, though not for the reason he articulated. It matters not because it's a great piece of software — the security record should make anyone who claims that uncomfortable. It matters because it demonstrated, at massive scale, what happens when you put autonomous agentic AI in the hands of millions of developers with no guardrails, no rate limiting, no billing model designed for the actual usage, and a framework that stores credentials in plaintext Markdown files.

The answer to "what happens" is: 512 vulnerabilities, 1.5 million exposed API keys, an $8 million crypto scam, a government ban in China, and every major LLM provider scrambling to rewrite their billing policies.

The OpenClaw story is also the story of AI company strategy in miniature. Anthropic built the best models. A community developer used those models to build the most popular agent framework in history. Anthropic's response was: lawyers, then subscription ban. OpenAI's response was: hire the developer, sponsor the foundation. Which company looks like they understand the open-source developer ecosystem?

And before you give Anthropic too much grief — their position has a real technical foundation. Subscription pricing for human-paced conversational use cannot cover 24/7 agentic workloads without the math becoming unsustainable. Boris Cherny explained that OpenClaw sessions bypass Anthropic's prompt caching optimizations, meaning each session costs dramatically more than an equivalent Claude Code session at the same output volume. The $200/month Max plan user consuming $5,000 in compute was genuinely untenable. The enforcement was inevitable. The timing and the framing were chosen poorly.

Here's the thing about the infrastructure impact. We talked about this in the AI agent outage article, but OpenClaw puts a human face on what was previously an abstract infrastructure problem. When we said "agent traffic is fundamentally different from human traffic," OpenClaw is what we meant. It's the specific mechanism through which hundreds of thousands of developers pointed continuously-running, multi-modal, multi-tool agents at Claude, GPT, and Gemini APIs simultaneously, with no human pacing anywhere in the consumption loop.

The outages in February and March 2026 — ChatGPT down 28,000 reports strong on February 3, Claude back-to-back incidents in March, GitHub's 37-incident February — these didn't happen because OpenClaw was the only cause. But OpenClaw was the visible face of the category that did it. Subscription-priced LLMs absorbing 24/7 agentic workloads as if they were chat sessions is a business model failure that was always going to produce infrastructure incidents.

The security picture is worse than the infrastructure picture, and the security picture is already bad. Every connected service an OpenClaw agent has access to is an attack surface. Every email it reads is a potential prompt injection. Every skill it installs from ClawHub is a potential malware vector. The persistent memory design means a successful attack doesn't just compromise a session — it compromises future sessions because the poisoned context propagates forward through MEMORY.md.

Nvidia built NemoClaw because Nvidia saw where this was going. Container isolation, hardware-backed security scanning, declarative policy enforcement. The gap between "OpenClaw for hobbyists" and "OpenClaw for enterprises" is not an afternoon of configuration. It's Nvidia's engineering resources building a dedicated security product.

The question worth asking is why the open-source project had to accumulate 247,000 GitHub stars, trigger government bans, expose 1.5 million API keys, and draw Jensen Huang's public endorsement before the enterprise security layer existed.

The answer is that the value of the thing was demonstrated before the safety of the thing was figured out. This is not a new pattern in technology. It's just a particularly high-stakes instance of it.

The users who suffered through compromised agents, leaked credentials, crypto scams, and unauthorized MoltMatch profiles paid the price for a demonstration that the category is worth investing in. That's a bad deal.

OpenClaw is a genuinely important project. The history behind it — Steinberger's retirement, PSPDFKit's production engineering DNA, the Anthropic trademark fight, the OpenAI hire, Jensen Huang's keynote, the Moltbook database disaster, the CVE avalanche — is one of the more interesting compressed stories in recent tech. The ecosystem it spawned (NanoClaw, ZeroClaw, NemoClaw, Moltworker) is growing in directions that could produce something much more solid than the original.

But the original launched with 512 vulnerabilities, stored API keys in plaintext Markdown, ran unauthenticated by default, and had no defense against prompt injection. You're allowed to be excited about the category and honest about those facts simultaneously.

The lobster is interesting. Keep your eye on what it's doing with your credentials.