The first version of Clawdbot, built in roughly an hour on a Friday night, was a local-first assistant that could read messages, browse the web, and run shell commands on its creator's behalf through messaging apps. It connected to Claude's API initially, but the architecture was deliberately model-agnostic—users could plug in any large language model (LLM), from OpenAI and Anthropic to local models running via Ollama.
OpenClaw's architecture rested on three pillars that proved irresistible to developers:
The growth curve shattered every pattern in open-source history. The project gained 190,000 stars in its first 14 days of viral spread. By February 2026, it had crossed 200,000 stars. On March 3, 2026, it surpassed React to become the most-starred software project on GitHub—a milestone React took 13 years to reach; OpenClaw did it in roughly 100 days. As of early June 2026, the repository sits at approximately 377,000 GitHub stars, making it the sixth most-starred project in GitHub history.
At Microsoft Build on June 2, 2026, Microsoft launched Scout, its first "Autopilot" agent, built directly on the OpenClaw gateway. Unlike previous AI features that lived inside individual apps, Scout is an always-on, identity-bearing agent that operates across Teams, Outlook, OneDrive, and SharePoint, proactively managing calendars, emails, and tasks without being prompted.
The relationship is not one of inspiration but integration. Microsoft confirmed that Scout uses the OpenClaw gateway directly, not a clone or a fork. The company also committed to upstream contributions, adding enterprise security guardrails and policy compliance features back to the open-source core. This marked a dramatic reversal from March 2026, when CEO Satya Nadella told a Morgan Stanley audience that releasing OpenClaw inside Microsoft would be "considered Microsoft launching a virus".
Google took a different approach. Gemini Spark, its always-on assistant, rebuilt OpenClaw's concepts inside the Gemini ecosystem while keeping the interface layer under Google's control. Rather than adopting the open-source gateway, Google used the same architectural pattern—an autonomous agent with persistent identity that proactively manages user tasks—but tied it to Gemini apps and Gemini's own model ecosystem.
Meta is reportedly preparing a consumer-focused agent called Hatch, built on OpenClaw-style architecture and aimed at personal, cross-app automation for everyday users. The three-way platform battle—Microsoft's enterprise play, Google's controlled ecosystem, and Meta's consumer push—cemented OpenClaw's design as the de facto reference architecture for the industry.
OpenClaw's explosive growth outpaced its security posture by a wide margin. The framework shipped with authentication disabled by default, meaning new deployments exposed their entire agent control plane to the internet unless operators manually configured firewalls.
On January 31, 2026, Censys and Bitsight scans revealed 21,639 exposed instances. Follow-up scans found between 30,000 and 135,000 distinct instances running on publicly accessible servers. At least 63% of these had no authentication configured at all.
The first critical vulnerability, CVE-2026-25253, was disclosed on February 3, 2026. Rated CVSS 8.8, it was a one-click remote code execution flaw via a WebSocket origin validation gap that allowed an attacker to hijack any running OpenClaw instance, even those configured to listen only on localhost, simply by getting the user to visit a malicious webpage. Over 40,000 instances were found vulnerable to remote exploitation at the time of disclosure.
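The two failures described above (authentication off by default on an internet-reachable control plane, and a WebSocket origin check that let a web page reach a localhost-bound gateway) both have simple defensive checks. The following is an added illustration, not OpenClaw's code: the config shape, function names and the allowlisted origin are hypothetical and constructed for the example.

```javascript
// Added example (not OpenClaw's code): two defensive checks a locally bound
// agent gateway should perform. Config keys and names are hypothetical.

const LOOPBACK = new Set(["127.0.0.1", "::1", "localhost"]);

// Startup check: a gateway with authentication disabled must not listen on a
// non-loopback address, otherwise its control plane is exposed to the network.
function checkListenConfig(cfg) {
  if (!cfg.authEnabled && !LOOPBACK.has(cfg.bindHost)) {
    return { ok: false, reason: `refusing to bind ${cfg.bindHost} with authentication disabled` };
  }
  return { ok: true, reason: "" };
}

// Normalise an Origin header value to scheme://host[:port]; return null when the
// header is absent, the literal "null" origin, or not a parseable origin.
function parseOrigin(origin) {
  if (typeof origin !== "string" || origin === "null") return null;
  try {
    const u = new URL(origin);
    // A real Origin has no path, query or fragment; anything else is malformed.
    if (u.pathname !== "/" || u.search || u.hash) return null;
    return u.origin; // keeps an explicit non-default port
  } catch {
    return null;
  }
}

// WebSocket upgrade check: any page a user visits can open a socket to
// 127.0.0.1, so binding to localhost is not a boundary. The browser-sent Origin
// must match an explicit allowlist, compared as whole origins (never by
// substring or prefix), so "http://localhost.attacker.example" cannot pass.
// Non-browser clients that send no Origin are rejected by this check and are
// expected to authenticate by another means (assumed, not shown here).
function isAllowedOrigin(originHeader, allowedOrigins) {
  const origin = parseOrigin(originHeader);
  if (origin === null) return false;
  return allowedOrigins.some((a) => parseOrigin(a) === origin);
}

module.exports = { checkListenConfig, parseOrigin, isAllowedOrigin };
```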
From March 18 to 21, 2026, nine CVEs were disclosed in just four days, including critical privilege escalation flaws like CVE-2026-32922 and zero-click exploits. The vulnerability density was described as "staggering" by security researchers.
Attackers didn't just exploit code flaws—they poisoned the supply chain. The ClawHavoc campaign planted 1,184 malicious skills across ClawHub, OpenClaw's community plugin marketplace, representing roughly 20% of the entire registry. One malicious skill accumulated 340,000 installs before removal.
These compromised plugins silently exfiltrated API keys, OAuth tokens, and environment variables. Some delivered info-stealers like Atomic macOS Stealer (AMOS), while others activated only after 72 hours of normal operation to bypass initial security scans. By mid-February 2026, analysts observed over 30,000 compromised instances actively being used to steal credentials and intercept messages.
The Moltbook breach compounded the damage, exposing 35,000 emails and 1.5 million agent tokens tied to OpenClaw deployments. Meta banned OpenClaw from corporate devices. Over 60 CVEs were disclosed within three months.
On February 14, 2026, Peter Steinberger posted three paragraphs on his personal blog announcing he was joining OpenAI in an acqui-hire. Sam Altman confirmed the move the next day, stating Steinberger would "drive the next generation of personal agents".
In the same announcement, Steinberger moved OpenClaw to an independent, foundation-backed governance model—the OpenClaw Foundation—with OpenAI providing funding. The transition ensured the project remained open-source and community-governed even as its creator shifted to building AI agent infrastructure at OpenAI.
OpenClaw succeeded not because it was the most sophisticated or the most secure framework, but because it solved a fundamental user need at exactly the right moment: a persistent, always-on AI assistant you can text like a person, with an architecture open enough for anyone to run, model-agnostic enough to work with any LLM, and simple enough to deploy in an hour.
Big Tech's adoption—Microsoft building Scout directly on the OpenClaw gateway, Google cloning the paradigm with Gemini Spark, and Meta preparing Hatch—validated that architecture as the industry standard. The security crisis and subsequent foundation transition matured it from a hobbyist experiment into infrastructure that enterprises could begin to trust, however cautiously.