The OpenClaw Agent Takeover
Plus: Cloudflare capitalizes, LangChain fixes context rot, evals cost more than agents, AI-only social network, and more...
Edition 154 | February 2, 2026
This could either be the start of Skynet or… just agents inventing Slack without humans
Welcome back to Building AI Agents, your biweekly guide to everything new in the field of agentic AI!
In today’s issue…
Locally run agents go viral and security risks exposed
Cloudflare rallies on agent hosting demand
LangChain fixes “context rot” for agents
Agent testing costs more than deployment?
AI agent-only social network goes live
…and more
🔍 SPOTLIGHT

In three days, an open-source project by an Austrian developer became one of the fastest-growing repositories in GitHub history. In the same three days, security researchers found 42,000 exposed instances leaking API keys to the open internet. Welcome to OpenClaw, the clearest proof yet that people want AI agents they own, and that we're nowhere near ready to deploy them securely.
OpenClaw started as a personal project by Peter Steinberger, a well-known iOS developer, under the name Clawdbot. The idea was simple: a self-hosted AI agent that runs on your own machine and connects to the messaging apps you already use: WhatsApp, Slack, iMessage, Telegram. Unlike cloud-based assistants, OpenClaw operates locally, processing your data on your hardware. And unlike chatbots, it doesn't just answer questions. It acts: managing calendars, sending messages, running shell commands, automating workflows across 100+ services via MCP, and even monitoring your system for events and reaching out to you proactively without being prompted.
The project rebranded to Moltbot, then to OpenClaw, and somewhere in that process it went nuclear. Between January 24-27, it surpassed 123,000 GitHub stars in 48 hours, drew 2 million visitors, and was picked up by Wired, CNET, Axios, and every major tech outlet. The appeal was immediate and obvious: ChatGPT that runs on your computer. Your own personal JARVIS. An agent you don't rent from OpenAI or Google — you own it.
What made the growth remarkable wasn't just speed, it was commitment. Developers didn't just clone the repo. They bought Mac Minis specifically to run OpenClaw as dedicated, always-on personal agent servers. Beebom published a setup guide. DigitalOcean published a quickstart. The more security-conscious tried to air-gap their machines, limiting the agent's access to only the services they explicitly granted. Apple almost certainly noticed the spike.
But adoption outran security by a mile. Cisco called OpenClaw "an absolute nightmare," reporting that 26% of third-party skills contained at least one vulnerability. Security researchers scanning with Shodan discovered 42,000+ exposed instances, with 93% exhibiting critical authentication bypass vulnerabilities. Leaked API keys, Telegram tokens, and Slack OAuth credentials were sitting on publicly accessible servers. Palo Alto Networks issued a detailed warning that OpenClaw represents a "lethal trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally, plus a fourth risk through persistent memory that enables delayed-execution attacks.
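The gate below is an added example, not OpenClaw's code or any vendor's tooling: it tracks which legs of the trifecta a session's context has touched, refuses outbound-capable tools once private data and untrusted content are both present, and carries that taint through persistent memory so the delayed-execution case is covered too. The tool names, capability labels and `Session` class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

PRIVATE, UNTRUSTED, EXTERNAL = "private_data", "untrusted_content", "external_comms"

# Hypothetical tool inventory (not OpenClaw's real skills): tool -> legs it exercises.
TOOLS = {
    "read_calendar": {PRIVATE},
    "fetch_webpage": {UNTRUSTED},
    "send_message": {EXTERNAL},
    "run_shell": {PRIVATE, EXTERNAL},
}

@dataclass
class Session:
    memory: list                      # shared persistent store: (text, taint) pairs
    taint: set = field(default_factory=set)

    def call(self, tool: str) -> bool:
        """Deny any outbound-capable tool once the context holds both
        private data and untrusted content; otherwise record the new taint."""
        legs = TOOLS[tool]
        taint = self.taint | (legs - {EXTERNAL})
        if EXTERNAL in legs and {PRIVATE, UNTRUSTED} <= taint:
            return False              # denied calls leave the session state unchanged
        self.taint = taint
        return True

    def remember(self, text: str) -> None:
        # A note inherits the taint of the session that wrote it.
        self.memory.append((text, frozenset(self.taint)))

    def recall(self) -> list:
        # Reading memory re-imports that taint into a later session.
        for _, taint in self.memory:
            self.taint |= taint
        return [text for text, _ in self.memory]

def delayed_execution_demo() -> dict:
    """Constructed scenario: day 1 stores web-derived text, day 2 recalls it."""
    memory = []
    day1 = Session(memory)
    day1.call("fetch_webpage")
    day1.remember("note derived from a web page")   # constructed sample text
    sent_day1 = day1.call("send_message")           # untrusted only: allowed
    day2 = Session(memory)
    day2.call("read_calendar")
    sent_before_recall = day2.call("send_message")  # private only: allowed
    day2.recall()
    sent_after_recall = day2.call("send_message")   # both legs present: denied
    return {"day1": sent_day1, "before": sent_before_recall, "after": sent_after_recall}
```

Without the taint stored alongside each note, the day-2 session would look clean after `recall()` and the final `send_message` would go through.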
Funny enough, the same qualities that make OpenClaw compelling (local execution, broad system access, autonomous communication) are exactly what make it dangerous when deployed carelessly. And 180,000+ developers deployed it in a week, most without reading the security documentation that didn't yet exist.
OpenClaw isn't a cautionary tale. It's a snapshot of where we are right now: experimenting with everything, shipping fast, and figuring out the guardrails as we go. The appetite for self-hosted, autonomous agents that people own is massive, and this proved it. But we're still in the early days, and with that come real risks in security, in trust, and in the things we haven't thought to worry about yet.
As always, keep learning and building!
—AP

