Peter Steinberger stood on the TED stage this week and told the story of OpenClaw the way he knows it: a weekend experiment that became the fastest-growing open-source project in GitHub history, now building toward an AI agent even his mum could use. It is a good story about what happens when a builder gives an AI agent access to the internet and lets the internet respond. Across town, at the AIE conference running concurrently, Steinberger told a different version of the same story to an engineering audience. OpenClaw is receiving 60 times more bug reports than curl, he said, and at least 20 percent of skill contributions to its community marketplace are now flagged as malicious, according to Latent Space AI News. Same person, same day, two audiences. That tension is the actual story.
The figures themselves are not new — security researchers have been documenting them for months. But the source is: Steinberger himself said both things on the same day, April 16th. I cloned the OpenClaw repository and traced the credential storage code to verify what the security community has been describing. The relevant file, device-auth-store.ts, writes passwords, API keys, and OAuth tokens to a JSON file at identity/device-auth.json. The file is protected by filesystem permissions — mode 0o600, readable only by the owner — but the data inside is plaintext JSON with no encryption envelope. Any process running under the same user account can read those tokens. A malicious skill, one of the 800-plus now documented in OpenClaw's marketplace, could do exactly that.
The WebSocket server — the component that handles incoming commands from connected clients — uses an allowlist-based origin check by default. But the configuration schema exposes a fallback flag called dangerouslyAllowHostHeaderOriginFallback, documented in origin-check.ts. When enabled, the server accepts WebSocket connections validated only by the HTTP Host header rather than the origin header, meaning any external site can send instructions to a running agent as if they came from the local machine. SecurityScorecard found 40,214 exposed instances with 35.4 percent vulnerable at the time of that measurement. CVE-2026-25253, nicknamed ClawBleed, earned a CVSS score of 8.8 — high severity — because exploiting the plaintext credential design allows one-click remote code execution by manipulating the gatewayUrl parameter in the Control UI. The vulnerability was discovered by Mav Levin of the depthfirst research team and patched in version 2026.1.29 on January 30.
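As an added illustration, not OpenClaw's own origin-check.ts, the following models the allowlist origin check described above and what the Host-header fallback changes: the browser sets the Origin header and a page cannot forge it, while the Host header simply names the listener the socket was opened to. The policy shape, the function names, and the 127.0.0.1:8080 listener are this example's assumptions.

```typescript
// Illustrative model of an allowlist origin check for a local WebSocket gateway.
// Not OpenClaw code; names and the listener address are constructed for this example.

interface OriginPolicy {
  allowedOrigins: Set<string>;   // normalized origins, e.g. "http://127.0.0.1:8080"
  hostHeaderFallback: boolean;   // stands in for the dangerous fallback flag
}

interface WsHeaders {
  origin?: string;               // browser-set; absent for non-browser clients
  host: string;                  // listener address as the client addressed it
}

type Verdict = "allow" | "deny";

// Reduce a URL or origin string to scheme + host[:port]; null if unparseable.
function normalize(url: string): string | null {
  try {
    const u = new URL(url);
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

export function checkOrigin(policy: OriginPolicy, h: WsHeaders): Verdict {
  const origin = h.origin ? normalize(h.origin) : null;
  // Strict path: only an Origin on the allowlist is accepted.
  if (origin && policy.allowedOrigins.has(origin)) return "allow";
  if (!policy.hostHeaderFallback) return "deny";
  // Fallback path: accept when Host names an allowed listener. Host does not
  // identify the page that opened the socket, so a page on any site that
  // targets the local listener passes this check.
  for (const allowed of policy.allowedOrigins) {
    if (new URL(allowed).host === h.host) return "allow";
  }
  return "deny";
}

// Configuration audit: report a policy that leaves the fallback enabled.
export function auditPolicy(policy: OriginPolicy): string[] {
  const findings: string[] = [];
  if (policy.hostHeaderFallback) {
    findings.push("host-header origin fallback enabled: cross-site pages can reach the gateway");
  }
  return findings;
}
```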
Microsoft published guidance in February that named the risk category explicitly: OpenClaw should be treated as untrusted code execution with persistent credentials, not appropriate for standard personal or enterprise workstations. Security firms including Barracuda, Sangfor, and Conscia have each published independent analyses reaching similar conclusions. The cumulative documented vulnerability count for OpenClaw now stands at 138 across roughly five months of public life.
The ClawHavoc campaign planted 341 malicious packages in ClawHub — roughly 12 percent of the registry at the time of initial audit. Updated scans now place the figure above 800 malicious skills, approaching 20 percent. The campaign primarily delivered Atomic macOS Stealer, a credential-harvesting trojan. Moltbook, a social network built for AI agents to interact with each other, left an unsecured database exposed containing 35,000 email addresses and 1.5 million agent API tokens.
Steinberger joined OpenAI to lead personal agent development. He has framed the security attention as a sign of the project's importance rather than a structural flaw — pointing to the 60x report volume as evidence that the community is engaged, not that the attack surface is unusually large. That's defensible. The code suggests the design is deliberate: the plaintext storage is a feature that enables the agent to function without a secrets manager, and the origin fallback is an escape hatch for developers who need it. Whether that trade-off survives contact with 135,000 exposed deployments and one-in-five community skills carrying hidden instructions is a different question.
The question for anyone deploying an AI agent framework is not whether the builder is sincere. He is. The question is whether the trust model that works for a weekend experiment scales to two million visitors in a week, 247,000 GitHub stars, and an ecosystem where one in five community skills contains instructions the original author did not write.
The lobster is eating the internet. The question is what it leaves behind.