APREX · EST. 2026
The AI assistant that promised to give you full control over your own data has become a security marathon. Over 135,000 OpenClaw instances are hanging open on the internet right now — and some of them are reading your email, sending messages on your behalf and remembering every password you've ever mentioned in a chat.
What Exactly Is OpenClaw?
OpenClaw is a self-hosted AI assistant built in TypeScript and licensed under MIT. The concept is simple and tempting: you run the assistant on your own infrastructure, choose your own AI model and retain full control of your data — without sending everything to Silicon Valley.
With over 200,000 GitHub stars (conservative estimate as of April 2026, according to llmengg.com), the project has exploded in popularity. Some sources cite as many as 347,000 stars the same month (skywork.ai), which either way places OpenClaw among the fastest-growing open source projects in the AI category.
> PULLQUOTE: "You run the assistant on your own machine — but 135,000 instances are not hidden from the world."
The Architecture: Powerful and Complex
At the core of OpenClaw lies a gateway-first architecture. A WebSocket-based Gateway handles session management, channel routing and tool orchestration, according to skywork.ai. That means all your integrations — email, calendar, messaging apps — flow through one central hub.
The platform supports over 20 messaging platforms, including WhatsApp, Telegram, Slack, Discord and Signal (llmengg.com, use-apify.com). It is model-agnostic: you can connect to OpenAI, Anthropic, local models via Ollama or vLLM, or run Docker's own Model Runner (oneclaw.net, llmengg.com).
Memory is persistent across sessions. OpenClaw remembers what you said three weeks ago. That is a feature — but in the wrong hands, it is an archive.
Technical Fact Box
| Feature | Detail |
|---|---|
| License | MIT (open source) |
| Language | TypeScript |
| GitHub Stars | 200,000+ (Apr. 2026) |
| Supported Platforms | 20+ (WhatsApp, Slack, Signal, etc.) |
| Skills in Ecosystem | 33,000+ (skywork.ai) |
| Idle RAM Usage | ~180 MB (use-apify.com) |
| Self-hosted Price | Free |
| Managed (OneClaw) | $9.99/month |
ClawHub: The Marketplace Nobody Controls
OpenClaw's skill system is central to the platform's appeal. Using the SKILL.md format, anyone can create and publish modules that extend the assistant's capabilities. The ClawHub marketplace offers over 1,400 curated skills (betterclaw.io) and over 33,000 in the broader ecosystem (skywork.ai).
Problems emerged when security researchers started digging. Use-apify.com reports that 341 malicious skills have been identified in the marketplace. These skills can theoretically give attackers access to everything OpenClaw has access to — which can be quite a lot.
> HIGHLIGHT: 341 malicious skills found in ClawHub. Each of them could potentially read your messages, send emails and manipulate your calendar.
CVE-2026-25253: The Critical Vulnerability
Beyond the human threat of malicious skills, there is a technical one. CVE-2026-25253 has been assigned a CVSS score of 8.8 — critical level — according to nxcode.io. The full attack vector details have not been publicly disclosed in the sources 24AI has had access to, but the severity is unmistakable.
Security researchers have additionally found over 135,000 exposed OpenClaw instances on the open internet (use-apify.com). These are instances that — with the right exploit — could give strangers access to integrated email accounts, messaging history and stored memory.
TIMELINE: OpenClaw's Security Escalation
- February 2026: OpenClaw's creator is hired by OpenAI. Questions about the project's future and data sovereignty begin to circulate.
- March 16, 2026: NVIDIA announces NemoClaw at GTC 2026 — a dedicated security layer for OpenClaw.
- April 2026: 341 malicious skills identified in ClawHub. 135,000+ exposed instances documented.
- April/May 2026: NanoClaw launches as a radical alternative with only 5 files and OS-level container isolation.
- CVE-2026-25253 assigned with CVSS score 8.8.
The Creator Now Works for OpenAI
In February 2026, it emerged that the person behind OpenClaw had accepted a position at OpenAI (use-apify.com). That raises immediate questions: who owns the project going forward? Can OpenAI influence the direction of a tool built on the very premise of independence from the big tech companies?
For now the code is open and MIT-licensed — but trust in long-term independence has taken a hit.
Industry Response: NemoClaw and NanoClaw
NVIDIA chose to take the security problem seriously. At GTC 2026 on March 16, they announced NemoClaw — a security layer specifically designed for OpenClaw environments. NemoClaw offers an OpenShell sandbox, process-level isolation, network egress policies and full audit logging. The goal is to limit the blast radius if a skill is compromised (use-apify.com).
From the open source community came the answer NanoClaw: a radical security-first approach that reduces the entire platform to just five files, with OS-level isolation via containers. Free and open source (skywork.ai).
> KEYFIGURE: CVSS 8.8 — the severity score on CVE-2026-25253 affecting OpenClaw installations worldwide.
Who Should Use OpenClaw — and Who Should Wait?
For technically competent users who understand what they are setting up, OpenClaw is an impressive piece of technology. The cost is zero for self-hosting, resource consumption is modest (~180 MB idle RAM), and the flexibility is unmatched. Use cases range from developer workflow automation (code review, CI/CD monitoring, documentation) to enterprise compliance in healthcare, finance and the public sector (oneclaw.net, skywork.ai).
But for the average user who simply wants a convenient AI assistant and lacks the time to monitor the marketplace for malicious skills, maintain updates and understand CVE reports — the risk is real and documented.
The SOUL.md file lets you shape the assistant's personality and identity (oneclaw.net). That is poetic. But personality does not help much if the foundation has cracks.
BOTTOM LINE
OpenClaw is genuinely revolutionary technology with a legitimate promise of data sovereignty. But 135,000 exposed instances, a CVSS 8.8 vulnerability, 341 malicious skills and a founder who now works for OpenAI are not details you can ignore. Before you let an AI assistant read your email and remember everything you say, you should know what you are opening the door to. Run NemoClaw or NanoClaw. Stay updated. And be critical of what you install from ClawHub.
Source assessment: Facts in this article have been verified against 5 open primary sources (oneclaw.net, nxcode.io, llmengg.com, betterclaw.io, use-apify.com) and 2 independent analyses (skywork.ai, use-apify.com).