Peter Steinberger has an answer ready when people ask whether OpenClaw is dangerous. "If you build a hammer," he told an interviewer at ClawCon Tokyo on March 30, 2026, "you can hurt yourself. So should we not build hammers any more?"
It is a good answer. It is also a dodge. Because the thing Beijing warned about when it called OpenClaw a security risk was not the hammer — it was the hardware store.
Steinberger built OpenClaw in November 2025, initially as a way to organize his own digital life, then released it publicly and watched it spread faster than almost any developer tool in recent memory. By late March 2026, it had accumulated 341,000 GitHub stars, making it one of the fastest-growing open-source projects in the platform's history. He has since been hired by OpenAI to drive the next generation of personal agents. OpenClaw is now, depending on your frame of reference, either foundational infrastructure or the most interesting unregulated playground in tech.
The hammer analogy works as philosophy. What it obscures is the cottage industry that has grown up around OpenClaw's deliberate complexity. KiloClaw, which builds a one-click interface on top of OpenClaw's intentionally friction-heavy installation process, says it got 7,000 signups in two days. Wrappers like it exist because OpenClaw is hard to install and users want a simpler path in. Steinberger has publicly acknowledged the wrapper companies. "I do worry a bit," he said at ClawCon Tokyo, "because there's now a whole cottage industry of companies that try to make a big buck and make it even simpler to install OpenClaw. I purposefully didn't make it simpler so people would stop and read and understand."
The worry is genuine. What he has done about it — ClawHub now requires a week-old GitHub account before publishing, and there is a reporting mechanism for malicious skills — is visible. Whether it is enough against the threat surface documented across the ecosystem is a different question.
The security record of the ecosystem does not make the gap smaller. ClawHavoc, a supply chain attack discovered in early 2026, planted malware in over 824 malicious skills uploaded to ClawHub, OpenClaw's community marketplace. Researchers scanning exposed instances found 42,000 or more vulnerable deployments. A February audit found 28 malicious skills published in a single weekend, with 386 more added within days — cryptocurrency trading tools that stole exchange API keys, wallet private keys, SSH credentials, and browser passwords. One of the most-downloaded skills on the platform served as a malware delivery vehicle, according to 1Password VP Jason Meller. Six CVEs were filed against OpenClaw and related tooling in 2026, including CVE-2026-25253, a one-click remote code execution chain that works against localhost-bound instances.
China's government noticed. Regulators in Beijing warned in February that OpenClaw could expose sensitive personal and financial data when improperly configured. On March 11, agencies and state-owned enterprises were told to remove it from office devices. The same week, Shenzhen's Longgang district, Wuxi, and Hefei published draft subsidy frameworks offering up to 10 million yuan to companies building OpenClaw-based products — local governments treating the technology as an economic development priority while Beijing's cybersecurity apparatus tried to wall it off.
That contradiction is not accidental. It is the Chinese state doing what the Chinese state does: trying to capture the economic upside of a technology while managing its security externalities. The same tension shows up in every major economy, just with different actors and different vocabularies.
Jensen Huang called OpenClaw the next ChatGPT — "the largest, most successful open-sourced project in the history of humanity." He said it at GTC in March, wearing a lobster headband, because by then OpenClaw had developed something most developer tools do not: a culture. ClawCons draw hundreds of people in lobster hats. Users pose in claw hands on LinkedIn. Tencent hosted a public setup session in Shenzhen that drew children, retirees, and developers in the same room.
The culture is real. So is the security problem. Steinberger's safeguards, the week-old GitHub account requirement on ClawHub and the reporting mechanism for malicious skills, are necessary responses. Whether they are sufficient answers to a threat surface that added nine CVEs in four days, with 156 total advisories and 128 CVE IDs awaiting assignment across the ecosystem, is a different question.
The hammer analogy was always incomplete. A hammer cannot upload malware to your machine while you sleep. OpenClaw can. The question is not whether to build it. The question is who gets to decide what gets built on top of it, who bears the cost when it goes wrong, and whether the people who built the framework are actually equipped to answer those questions. Steinberger is 34 years old, he built the thing in his spare time, and he now works for OpenAI. None of those facts resolves the governance gap. They just make it more visible.