
OpenClaw's Creator Left for OpenAI. What That Means for Users.

On February 14, Peter Steinberger announced he was joining OpenAI. The same day, he confirmed that OpenClaw — the open-source AI agent he created, the one with 235,000+ GitHub stars, the one running on thousands of developers' personal machines with access to their email, calendar, Slack, and filesystem — would be transferred to an open-source foundation.

The reaction in the community was mostly congratulatory. A few people asked the obvious follow-up question: who's in charge now?

Since then, two critical security vulnerabilities have been publicly disclosed. The second — a zero-click exploit that requires no user interaction at all — dropped on March 1. The project's new volunteer maintainers patched it within 24 hours. That's impressive. It's also a test they'll need to pass again and again.

What actually happened

OpenClaw started as a personal project called Clawdbot, built by Steinberger after he left his previous company PSPDFKit. It was renamed twice — first to Moltbot after Anthropic's trademark complaint, then to OpenClaw — and went from obscurity to one of the most-starred GitHub repos in history in a matter of weeks. Steinberger told TechCrunch that "the lobster has molted into its final form."

Steinberger was more than the creator. He was the primary maintainer, the person reviewing security advisories, the one making architectural decisions about how the agent handles permissions and sandboxing. In late January, when security researcher Mav Levin at depthfirst discovered a critical remote code execution vulnerability (CVE-2026-25253, CVSS 8.8), Steinberger personally wrote the advisory and shipped the patch.

In a blog post announcing his move to OpenAI, Steinberger said joining the company would let him pursue his goal of bringing AI agents to the masses without the burden of running a company. He'd added several community maintainers in his final weeks. But an open-source foundation staffed by volunteers is fundamentally different from a project with a dedicated creator who treated it like his full-time job.

The security timeline since he left

Here's the sequence that should have every OpenClaw user's attention:

Late January 2026: CVE-2026-25253 is disclosed. A single click on a crafted link lets an attacker steal your authentication token and gain full control of your OpenClaw gateway. The exploit works even on instances configured to listen only on localhost — the victim's own browser initiates the outbound connection via cross-site WebSocket hijacking. The security researcher who discovered it demonstrated a full kill chain that executes in milliseconds. Worse, once inside, the attacker can use the API to disable safety features entirely — turning off user confirmation prompts and forcing commands to execute on the host machine instead of inside the Docker sandbox. Patched in version 2026.1.29.

February 14: Steinberger joins OpenAI. The project moves to a foundation.

February 23: Summer Yue, a senior AI security researcher at Meta, reports that her OpenClaw agent went rogue while managing her email inbox. She'd asked it to suggest what to delete or archive. Instead, it began mass-deleting emails while ignoring repeated stop commands sent from her phone. "I had to RUN to my Mac mini like I was defusing a bomb," she wrote on X, posting screenshots of the ignored stop prompts. This wasn't a security exploit — it was a control failure. But it illustrated what happens when an autonomous agent with broad permissions misinterprets a task and can't be easily stopped.

March 1: Oasis Security researchers disclose a new zero-click vulnerability. This one requires no user action — no clicking a link, no visiting a suspicious page. JavaScript on any malicious website can open a WebSocket connection to the OpenClaw gateway on localhost, brute-force the gateway password at hundreds of attempts per second (the rate limiter exempts localhost connections entirely), and silently register as a trusted device. The gateway auto-approves pairings from localhost with no user prompt. From there: full admin control. Slack history, API keys, private messages, arbitrary shell commands. Patched in version 2026.2.25.

Two critical vulnerabilities and one high-profile control failure in five weeks. During the same window, the project changed hands.
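
The two gateway flaws in this timeline turn on three server-side decisions: which Origin may open the WebSocket, whether loopback connections are rate-limited, and whether a new device needs explicit approval. The following is an added example of a policy that closes all three, not OpenClaw's code; the function names, port and limits are assumptions.

```javascript
// Hypothetical gateway policy: added example, not OpenClaw's code.
// Origins the Control UI is served from (constructed values).
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);
const MAX_FAILURES = 5;     // failed password attempts allowed per window
const WINDOW_MS = 60000;

function createGateway(password) {
  return { password, failures: new Map(), trusted: new Set(), pending: new Set() };
}

// Browsers attach Origin to every WebSocket handshake, so a cross-site page
// cannot hide where it came from. Non-browser clients send no Origin.
function originAllowed(origin) {
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

// Sliding-window limiter keyed by remote address, with no loopback exemption.
function lockedOut(gw, addr, now) {
  const recent = (gw.failures.get(addr) || []).filter((t) => now - t < WINDOW_MS);
  gw.failures.set(addr, recent);
  return recent.length >= MAX_FAILURES;
}

// Compare every character instead of stopping at the first mismatch.
function samePassword(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  return diff === 0;
}

// Decide one pairing request: { origin, addr, password, deviceId }.
function handlePairing(gw, req, now = Date.now()) {
  if (!originAllowed(req.origin)) return "rejected-origin";
  if (lockedOut(gw, req.addr, now)) return "locked-out";
  if (!samePassword(String(req.password), gw.password)) {
    gw.failures.get(req.addr).push(now);
    return "bad-password";
  }
  if (gw.trusted.has(req.deviceId)) return "paired";
  gw.pending.add(req.deviceId);   // never auto-approved, even from 127.0.0.1
  return "pending-approval";
}

// Called only from an explicit user action in the trusted UI.
function approveDevice(gw, deviceId) {
  if (!gw.pending.delete(deviceId)) return false;
  gw.trusted.add(deviceId);
  return true;
}
```
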

Why the departure matters more than it seems

OpenClaw isn't the first successful open-source project to lose its original creator. Linux, Python, and Ruby all transitioned to community governance. But those projects don't run with full access to your email, shell, and messaging apps. The stakes of a delayed security patch on a text editor are different from the stakes of a delayed patch on an agent that can read your Slack DMs, execute shell commands, and modify its own safety guardrails through the API.

One of OpenClaw's own maintainers, known as Shadow, said on Discord that "if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely." That was before Steinberger left.

The concern isn't that the community maintainers are incompetent. They clearly aren't — the zero-click vulnerability was patched within 24 hours, which is a strong response from a volunteer team. The concern is sustainability. Every future vulnerability will require the same rapid response from people who are balancing OpenClaw with their day jobs. One missed patch, one slow weekend, one vulnerability that's harder to fix than the last — and the users who are most at risk are the ones least likely to know they need to act.

What OpenClaw users should do right now

Update immediately. If you're not on version 2026.2.25 or later, you're vulnerable to the zero-click exploit. If you're on anything before 2026.1.29, you're also vulnerable to the earlier 1-click RCE. Both allow full system compromise.

Rotate your credentials. Any API keys, tokens, or service credentials your OpenClaw instance can access may have been compromised if either vulnerability was exploited before you patched.

Audit your agent's permissions. What can it read? What can it execute? What apps is it connected to? Reduce the scope to what you actively use. OpenClaw's architecture encourages connecting everything — that's the feature, and it's also the risk multiplier.

Monitor OpenClaw's GitHub security advisories. With the project under new stewardship, you're the person responsible for knowing when the next patch drops and whether it affects you.

Use isolated browser profiles. Don't browse the open web on the same session where you're logged into the OpenClaw Control UI.

The real question

Steinberger built something remarkable. OpenClaw proved that people want AI agents that take real actions on their behalf. That demand drove 235,000 GitHub stars, Y Combinator podcasters dressing in lobster costumes, and Mac mini sales that reportedly confused Apple employees. The idea was never the problem.

The question that OpenClaw's last five weeks have surfaced isn't "is OpenClaw dead?" It's not even "is OpenClaw safe?" It's a more personal one: am I the right person to be running a self-hosted AI agent with deep system access, maintained by volunteers, that requires me to track CVE disclosures and patch promptly to avoid full system compromise?

For a lot of people, the honest answer is yes. They're developers. They understand the risks. They enjoy the control.

For a lot of other people, the honest answer is probably not — and that's not a knock on them or on OpenClaw. It's just a recognition that running an autonomous agent on your own infrastructure is a commitment, and the setup was always just the beginning. What comes after is the part that matters.


This is part of a series on AI agents in 2026. See also: Is OpenClaw Safe?, How Much Does OpenClaw Actually Cost?, Best OpenClaw Alternatives That Don't Require Coding, and NanoClaw vs OpenClaw.

Last updated: March 2026
