OpenClaw
v2026.x (rolling; CVE-2026-28466 patched in 2026.2.14)OpenClaw Foundation
Viral MIT-licensed open-source personal AI agent (formerly Clawdbot, then Moltbot) stewarded by the OpenClaw Foundation with OpenAI backing. Runs on the user's own machine and acts through WhatsApp, Telegram, Signal, Discord, and iMessage; it browses, emails, shops, and controls the desktop with any BYO LLM. The fastest repo to ~350K+ GitHub stars and 2026's defining agent-security story: hundreds of CVEs, mass-exposed instances, and malicious ClawHub skills.
Trust Vector Analysis
Dimension Breakdown
๐Performance & Reliability+
Review of documented capabilities and incident reports; accuracy varies with the user-configured model and skills
Architecture review of gateway-to-node invocation model and breadth of working integrations reported by the community
Assessment of long-horizon task orchestration, scheduled jobs, and proactive agent behavior
Review of local persistent memory design and cross-session continuity behavior
Incident review; always-on autonomy without strong guardrails means errors can compound before a human intervenes
Review of multi-agent routing and community multi-agent usage patterns
๐ก๏ธSecurity+
Review of default execution model (unsandboxed, full user privileges) and sandbox-bypass CVE history; Docker isolation is documented but opt-in
Review of authentication CVEs and internet-exposure measurements; two CVSS 9.9 auth-bypass/privilege-escalation flaws plus majority-unauthenticated public deployments
Attack-surface review: untrusted inbound channels plus autonomous tool execution with no robust built-in injection defenses; vendor research confirms in-the-wild exploitation
Data-flow review: single-process access to messaging, email, credentials, and files with skills running in the same context
License, source availability, and advisory-process review; transparency is high even though the security record is poor
๐Privacy & Compliance+
Review of local data persistence model and its practical exposure given the vulnerability history
Compliance posture review; hobbyist-governed foundation project with no formal privacy or compliance framework
Data-flow analysis across model providers and the unvetted skill supply chain
Deployment options assessment including fully local model configurations
๐๏ธTrust & Transparency+
Documentation completeness review against actual configuration surface
Review of logging, transcript visibility, and unattended-operation blind spots
Explainability assessment of autonomous action decisions versus user intent
License and source availability review
Community engagement analysis; star counts conflict between Wikipedia (March) and unofficial June trackers, so both are cited
โ๏ธOperational Excellence+
Setup assessment: quick to install, hard to configure safely (auth, network exposure, skill vetting are on the user)
Architecture review for multi-user and organizational deployment
Pricing model analysis of free software plus variable model-API spend
Monitoring and audit capability review against the risk profile of the deployment
Production maturity assessment from CVE velocity, government restrictions, vendor advisories, and release churn
- +Unprecedented community momentum: fastest-growing GitHub repo ever (247K stars by March 2026, ~355-378K reported by June)
- +Acts where users already are: WhatsApp, Telegram, Signal, Discord, iMessage
- +Fully open source (MIT) with foundation governance and OpenAI financial backing
- +Model-agnostic BYO-LLM design, including fully local models
- +Huge skill ecosystem (ClawHub) covering browsing, email, shopping, and desktop control
- +Self-hosted: no vendor cloud holds user data
- +Rapid patch cadence with public security advisories
- !Worst security record of any agent in this registry: 138+ CVEs by April 2026 and ~413-433 by mid-2026 (sources conflict), including CVSS 9.9 auth bypass (CVE-2026-22172), CVSS 9.9 privilege escalation (CVE-2026-32922), and RCE via approval bypass (CVE-2026-28466 / GHSA-gv46-4xfq-jv58)
- !135,000+ internet-exposed instances measured, ~63% with no authentication (ARMO, March 2026)
- !ClawHub supply chain compromised at scale: 1,100-1,400 malicious skills reported (including macOS infostealers) plus typosquat campaigns; roughly 1 in 12 packages carried malicious payloads in one audit
- !No default sandboxing: runs with full user privileges over shell, files, email, and messages
- !Prompt injection through inbound messages, email, and web content is structurally unsolved
- !China restricted state/government use (March 2026); Palo Alto, Cisco, Tenable, and Kaspersky issued advisories
- !No compliance posture (no DPA, certifications, or consent handling for third-party message data)
Use Case Ratings
research assistant
Genuinely useful always-on assistant for research and errands via chat, if security hardening is applied
content creation
Drafts messages, emails, and posts across channels; output quality depends on the configured model
customer support
Do not expose to untrusted users: majority of internet-facing instances lack auth and injection defenses are weak
financial analysis
Unsuitable: agent-adjacent crypto theft, infostealer skills, and credential aggregation make financial use hazardous