GPT-5.6 (Sol / Terra / Luna) is now evaluated on TrustVector โ€” with day-1 independent verification, incl. METR's benchmark-cheating findings.

Read the evaluation
Evaluation record ยท openclaw

OpenClaw

v2026.x (rolling; CVE-2026-28466 patched in 2026.2.14)

OpenClaw Foundation

Agentpersonal-agentopen-sourcemessagingself-hosted
60
Adequate
About This Agent

Viral MIT-licensed open-source personal AI agent (formerly Clawdbot, then Moltbot) stewarded by the OpenClaw Foundation with OpenAI backing. Runs on the user's own machine and acts through WhatsApp, Telegram, Signal, Discord, and iMessage; it browses, emails, shops, and controls the desktop with any BYO LLM. The fastest repo to ~350K+ GitHub stars and 2026's defining agent-security story: hundreds of CVEs, mass-exposed instances, and malicious ClawHub skills.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
task completion accuracy

Review of documented capabilities and incident reports; accuracy varies with the user-configured model and skills

Evidence
DataCamp - What Is OpenClaw? โ€” Completes real-world personal-assistant tasks (research, email, shopping, scheduling, device control) through messaging apps; quality depends heavily on the BYO LLM configured
Wikipedia - OpenClaw โ€” Widely adopted general-purpose personal agent, but documented incidents of unprompted autonomous actions (e.g., the February 2026 MoltMatch dating-profile incident)
mediumVerified: 2026-07-09
tool use reliability

Architecture review of gateway-to-node invocation model and breadth of working integrations reported by the community

Evidence
OpenClaw GitHub repository โ€” Gateway/node architecture reliably drives messaging platforms (WhatsApp, Telegram, Signal, Discord, iMessage), browser, email, and desktop control across a large skill ecosystem
mediumVerified: 2026-07-09
multi step planning

Assessment of long-horizon task orchestration, scheduled jobs, and proactive agent behavior

Evidence
DataCamp - What Is OpenClaw? โ€” Handles long-horizon tasks including scheduled routines and proactive heartbeat check-ins; planning quality is delegated to the configured LLM
mediumVerified: 2026-07-09
memory persistence

Review of local persistent memory design and cross-session continuity behavior

Evidence
OpenClaw GitHub repository โ€” Persistent local memory files and per-contact context give the agent durable cross-session memory of users, preferences, and prior conversations
mediumVerified: 2026-07-09
error recovery

Incident review; always-on autonomy without strong guardrails means errors can compound before a human intervenes

Evidence
Wikipedia - OpenClaw โ€” Autonomous behavior has gone off-script in documented incidents (agents taking actions users never directed); recovery relies on the user noticing via chat
mediumVerified: 2026-07-09
agent collaboration

Review of multi-agent routing and community multi-agent usage patterns

Evidence
OpenClaw GitHub repository โ€” Multi-agent routing lets one gateway host multiple agent personas across channels; agent-to-agent messaging is community-driven rather than a hardened framework feature
mediumVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+
tool sandboxing

Review of default execution model (unsandboxed, full user privileges) and sandbox-bypass CVE history; Docker isolation is documented but opt-in

Evidence
GitHub Advisory GHSA-gv46-4xfq-jv58 (CVE-2026-28466) โ€” RCE via node-invoke approval bypass (CVSS 9.4): gateway failed to sanitize RPC parameters, letting attackers inject 'approved: true' to bypass exec approval and run arbitrary shell commands; patched in 2026.2.14
Kaspersky - OpenClaw found unsafe for use โ€” Runs with full user privileges by default (shell, filesystem, email, messaging); a late-January 2026 audit identified 512 vulnerabilities, eight critical
highVerified: 2026-07-09
access control

Review of authentication CVEs and internet-exposure measurements; two CVSS 9.9 auth-bypass/privilege-escalation flaws plus majority-unauthenticated public deployments

Evidence
ARMO - CVE-2026-32922 analysis โ€” CVE-2026-32922 (CVSS 9.9): token-rotation race condition converts a pairing token into full admin control with RCE; ARMO also measured 135,000+ internet-exposed instances in 82 countries, 63% with no authentication
OpenClaw CVE trackers (jgamblin/OpenClawCVEs) โ€” CVE-2026-22172 (CVSS 9.9) allowed WebSocket clients to self-declare admin scopes, bypassing gateway authentication entirely
highVerified: 2026-07-09
prompt injection defense

Attack-surface review: untrusted inbound channels plus autonomous tool execution with no robust built-in injection defenses; vendor research confirms in-the-wild exploitation

Evidence
Wikipedia - OpenClaw (Cisco research) โ€” Susceptible to prompt injection by design: ingests untrusted content from messaging apps, email, and the web while holding broad permissions; Cisco researchers found third-party skills exfiltrating data without user awareness
Unit 42 - OpenClaw's skill marketplace and the AI supply chain threat โ€” Unit 42 found malicious ClawHub skills that appeared legitimate, including runtime agentic affiliate injection and agentic front-running - novel injection-style attacks executed through the agent itself
highVerified: 2026-07-09
data isolation

Data-flow review: single-process access to messaging, email, credentials, and files with skills running in the same context

Evidence
Kaspersky - OpenClaw found unsafe for use โ€” Agent aggregates credentials, API keys, message history, email, and calendar access in one local trust domain; compromise of the agent exposes everything it touches
TechRadar - Malicious OpenClaw skills including macOS infostealers โ€” Malicious ClawHub skills delivered macOS infostealers, demonstrating that third-party skills execute inside the agent's full data context
highVerified: 2026-07-09
open source transparency

License, source availability, and advisory-process review; transparency is high even though the security record is poor

Evidence
OpenClaw GitHub repository โ€” MIT-licensed, fully open source (TypeScript/Swift) with public security advisories and rapid patch releases; foundation-governed since February 2026
highVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
data retention

Review of local data persistence model and its practical exposure given the vulnerability history

Evidence
OpenClaw GitHub repository โ€” Self-hosted: no vendor retains user data, but the agent persists message history, memories, and credentials in local plaintext files that hundreds of CVEs and malicious skills have targeted
mediumVerified: 2026-07-09
gdpr compliance

Compliance posture review; hobbyist-governed foundation project with no formal privacy or compliance framework

Evidence
Kaspersky - OpenClaw found unsafe for use โ€” No compliance program, DPA, or certifications; the agent processes third parties' personal messages and contact data with no consent mechanism, and regulators (China, March 2026) have restricted state use
mediumVerified: 2026-07-09
third party data sharing

Data-flow analysis across model providers and the unvetted skill supply chain

Evidence
DataCamp - What Is OpenClaw? โ€” BYO-LLM design sends personal message content to whichever model provider is configured (OpenAI, Anthropic, DeepSeek, or local); third-party skills can add undisclosed data flows
Unit 42 - OpenClaw's skill marketplace and the AI supply chain threat โ€” Documented ClawHub skills exfiltrating data to third parties without user awareness
mediumVerified: 2026-07-09
local deployment option

Deployment options assessment including fully local model configurations

Evidence
OpenClaw GitHub repository โ€” Runs entirely on user hardware (Mac, Linux, VPS, Raspberry Pi) and supports local models, enabling fully self-hosted operation
highVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness review against actual configuration surface

Evidence
OpenClaw GitHub repository and docs โ€” Extensive setup, gateway, and security-hardening docs exist, but breakneck release churn and repeated renames leave documentation lagging the code
mediumVerified: 2026-07-09
execution traceability

Review of logging, transcript visibility, and unattended-operation blind spots

Evidence
OpenClaw GitHub repository โ€” Session logs and chat transcripts record agent actions, but always-on background autonomy (heartbeats, scheduled tasks) can act without a human watching
mediumVerified: 2026-07-09
decision explainability

Explainability assessment of autonomous action decisions versus user intent

Evidence
Wikipedia - OpenClaw โ€” Conversational interface explains actions when asked, but incidents like MoltMatch show the agent taking consequential actions users could not anticipate or trace to an instruction
mediumVerified: 2026-07-09
open source code

License and source availability review

Evidence
OpenClaw GitHub repository โ€” MIT license, fully open codebase, public advisories, foundation governance independent of any single company (OpenAI is primary financial sponsor)
highVerified: 2026-07-09
community activity

Community engagement analysis; star counts conflict between Wikipedia (March) and unofficial June trackers, so both are cited

Evidence
Wikipedia - OpenClaw โ€” 247,000 stars and 47,700 forks as of 2026-03-02 - the fastest-growing repository in GitHub history (React needed 10+ years to reach 230K)
OpenClaw statistics roundups โ€” Secondary trackers report ~355K stars in five months and 378K+ by June 2026; figures conflict across sources, so we cite the range 247K (March, Wikipedia) to ~355-378K (June, unofficial)
highVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of integration

Setup assessment: quick to install, hard to configure safely (auth, network exposure, skill vetting are on the user)

Evidence
Wikipedia - OpenClaw (maintainer statement) โ€” Installation is a short CLI flow, but a maintainer warned: 'if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely'
highVerified: 2026-07-09
scalability

Architecture review for multi-user and organizational deployment

Evidence
OpenClaw GitHub repository โ€” Designed as a single-user personal agent per gateway; no multi-tenant, fleet, or enterprise orchestration story
mediumVerified: 2026-07-09
cost predictability

Pricing model analysis of free software plus variable model-API spend

Evidence
OpenClaw GitHub repository โ€” Free MIT software; costs are BYO LLM tokens, which always-on heartbeats and long chat histories can inflate unpredictably
highVerified: 2026-07-09
monitoring capabilities

Monitoring and audit capability review against the risk profile of the deployment

Evidence
OpenClaw GitHub repository โ€” Local logs and web UI exist, but there is no built-in audit trail, alerting, or telemetry suitable for security monitoring of an agent with this much authority
mediumVerified: 2026-07-09
production readiness

Production maturity assessment from CVE velocity, government restrictions, vendor advisories, and release churn

Evidence
flyingpenguin - 433 CVEs analysis โ€” ~433 accumulated CVEs within 164 days of first ship (138+ by April 2026 per OpenCVE trackers; 413 published in the 2026-05-06 cvelistV5 snapshot) - totals conflict slightly across trackers but all are in the hundreds
Wikipedia - OpenClaw (China restriction) โ€” March 2026: China restricted state enterprises and government agencies from running OpenClaw; Palo Alto Networks, Cisco, Tenable, and Kaspersky all published advisories
OpenClaw security news archive โ€” Curated archive of global government warnings and vendor advisories about OpenClaw, updated continuously through 2026
highVerified: 2026-07-09
Strengths
  • +Unprecedented community momentum: fastest-growing GitHub repo ever (247K stars by March 2026, ~355-378K reported by June)
  • +Acts where users already are: WhatsApp, Telegram, Signal, Discord, iMessage
  • +Fully open source (MIT) with foundation governance and OpenAI financial backing
  • +Model-agnostic BYO-LLM design, including fully local models
  • +Huge skill ecosystem (ClawHub) covering browsing, email, shopping, and desktop control
  • +Self-hosted: no vendor cloud holds user data
  • +Rapid patch cadence with public security advisories
Limitations
  • !Worst security record of any agent in this registry: 138+ CVEs by April 2026 and ~413-433 by mid-2026 (sources conflict), including CVSS 9.9 auth bypass (CVE-2026-22172), CVSS 9.9 privilege escalation (CVE-2026-32922), and RCE via approval bypass (CVE-2026-28466 / GHSA-gv46-4xfq-jv58)
  • !135,000+ internet-exposed instances measured, ~63% with no authentication (ARMO, March 2026)
  • !ClawHub supply chain compromised at scale: 1,100-1,400 malicious skills reported (including macOS infostealers) plus typosquat campaigns; roughly 1 in 12 packages carried malicious payloads in one audit
  • !No default sandboxing: runs with full user privileges over shell, files, email, and messages
  • !Prompt injection through inbound messages, email, and web content is structurally unsolved
  • !China restricted state/government use (March 2026); Palo Alto, Cisco, Tenable, and Kaspersky issued advisories
  • !No compliance posture (no DPA, certifications, or consent handling for third-party message data)
Metadata
license: MIT
repository: https://github.com/openclaw/openclaw
supported models
0: Anthropic Claude (BYOK)
1: OpenAI GPT models (BYOK)
2: DeepSeek and other API models
3: Local models
languages
0: TypeScript
1: Swift
deployment type: Self-hosted (Mac, Linux, VPS, Raspberry Pi)
architecture: Local gateway + node hosts bridging messaging platforms to a BYO LLM, with a directory-based skills system (ClawHub)
first release: 2025-11-24 (as Clawdbot); renamed Moltbot 2026-01-27, OpenClaw 2026-01-30
governance: OpenClaw Foundation (est. Feb 2026, chaired by creator Peter Steinberger, who joined OpenAI 2026-02-14; OpenAI is primary financial sponsor)
pricing: Free (MIT); users pay their own LLM API costs
github stars: 247K (2026-03-02, Wikipedia) to ~355-378K (June 2026, unofficial trackers; sources conflict)
security track record: 138+ CVEs by 2026-04; ~413-433 by mid-2026 (jgamblin/OpenClawCVEs, OpenCVE, days-since-openclaw-cve counter); 135K+ exposed instances, 63% no auth (ARMO)

Use Case Ratings

research assistant

Genuinely useful always-on assistant for research and errands via chat, if security hardening is applied

content creation

Drafts messages, emails, and posts across channels; output quality depends on the configured model

customer support

Do not expose to untrusted users: majority of internet-facing instances lack auth and injection defenses are weak

financial analysis

Unsuitable: agent-adjacent crypto theft, infostealer skills, and credential aggregation make financial use hazardous