The most-starred project in GitHub's history is not Linux, and it is not a JavaScript framework. As of mid-2026 it is OpenClaw, a self-hosted personal AI agent that Peter Steinberger — the founder of PSPDFKit — released in November 2025 as a weekend experiment, first under the name Clawdbot. It passed 250,000 stars in roughly four months, overtook Linux and React as the most-starred non-aggregator repository on the platform, and pulled acquisition-style interest from OpenAI, Meta, and Anthropic before Steinberger joined OpenAI in February 2026 to lead personal agents and handed the project to an independent foundation.
The pitch is easy to feel. A persistent gateway daemon runs on your laptop, VPS, or homelab, wires a model to a skills system and a memory store, and connects out to the places you already live — WhatsApp, Telegram, Slack, Discord, fifty-plus channels. Nothing routes through someone else's cloud. Your conversations sit on your disk. After a few years of handing every thought to a vendor's server, "it runs where you choose" lands like a moral upgrade.
And then, within about three weeks of going viral, OpenClaw became the clearest security case study of the year. Not because it is uniquely sloppy — but because it made one comfortable assumption legible enough to break in public.
Self-hosting moved the data, not the trust boundary#
Here is the assumption: self-hosted, therefore private, therefore safe. The first arrow is real. The second is a category error.
Self-hosting changes where the data lives. It does nothing about what the agent is allowed to do. An OpenClaw gateway is not a chatbot in a box; it is a always-on process holding your credentials and standing by to act on your real accounts — send the message, move the file, run the command, hit the API. That authority is the entire point of an agent, and it does not shrink because the binary is on your hardware. You have not sandboxed anything. You have installed a deputy with your keys and pointed it at your life.
"On my own machine" describes where the bytes rest. It says nothing about what the process is authorized to reach — and the agent is authorized to reach everything you are.
Cloud assistants, for all their faults, at least keep the agent's authority scoped inside a vendor's permission system: a connector gets a narrow grant, and a bad tool is boxed to that grant. OpenClaw's design collapses that. The gateway is one trusted center that everything funnels through, and a tool it runs inherits the whole of it. That is a fine trade when every tool is benign. The last three months demonstrated what happens when they are not.
A skill marketplace is a software supply chain, and nobody was guarding this one#
The exposure showed up on two fronts at once. First, the network one: CVE-2026-25253 (CVSS 8.8), a one-click remote-code-execution chain that worked even against instances bound to localhost, patched in v2026.1.29 — but not before scanners found tens of thousands of gateways reachable on the open internet, 17,500+ of them exploitable and many running with no authentication at all. People took "local-first" to mean "safe by default" and put the daemon straight on a public IP.
The deeper front is ClawHub, OpenClaw's community marketplace of installable skills. Because a skill runs inside the agent's full authority, and because uploads were unvetted, the marketplace became a supply chain with no customs officer. Researchers first flagged 341 malicious skills — about 12% of the registry — with 335 traced to a single coordinated operation named ClawHavoc. By later scans the count had passed 800, roughly 20% of a registry that had grown beyond 10,700 skills, with Bitdefender putting the number near 900. Palo Alto's Unit 42 wrote it up as exactly what it is: an emerging AI supply-chain threat, where the malicious payload doesn't attack the platform — it just asks the agent, politely, to do something with the access it already has.
If this sounds familiar, it should. It is MCP tool poisoning at population scale, the confused-deputy problem with a marketplace attached, and the reason the industry keeps writing OWASP top-tens for agent tooling. A skill, like an MCP server or an npm package, is code you invited past your perimeter. The lesson of npm and PyPI — that an open registry is a distribution channel for attackers as much as for authors — arrived for agent skills the moment one got popular enough to be worth poisoning. OpenClaw was simply the first to get popular that fast.
What to actually take from it#
Not "don't self-host." Self-hosting is a legitimate and often better answer for data residency, and the OpenClaw foundation is now hardening the defaults. Take the sharper thing: the words private and safe describe different boundaries, and an agent erases the distance between them. Privacy is about where your data rests. Safety is about what a confusable process holding your credentials can be talked into doing. Moving the first boundary onto your own machine can quietly make the second one worse, because now the deputy with your keys is sitting inside your network, one poisoned skill away from using them.
So if you run one: patch it, never expose the gateway to the internet, read a skill before you install it, and — the unglamorous move that actually bounds the damage — give the agent its own least-privilege accounts instead of your primary logins, the same least-authority discipline that a hosted setup would have forced on you anyway. The container was never the sandbox. Neither is your laptop. The sandbox is whatever authority you chose not to give the thing running inside it — and right now that choice is the only wall that holds.



