OpenClaw is wildly popular and crazily insecure. To address these issues and to make it a truly independent open-source project, its founders have launched the OpenClaw Foundation.
A new, independent OpenClaw Foundation is being formed to bring order, governance, and much‑needed security discipline to one of the fastest‑moving and most controversial AI projects of 2026: OpenClaw.
The initiative follows months of explosive growth for OpenClaw, an open‑source AI assistant framework that runs on users’ own machines and connects to chat platforms such as WhatsApp, Telegram, Signal, and Discord to execute real‑world tasks. These tasks range from reading and responding to email to manipulating files, running scripts, and accessing APIs to further extend its functionality. Its backers claim it’s the second-largest open-source project.
That’s the good news. The bad news is it’s also horribly insecure. As IBM researchers pointed out, Security researchers have warned that OpenClaw presents a “lethal trifecta of risks”: deep access to private local data, interaction with untrusted external content, and the ability to communicate outward.
That hasn’t stopped OpenClaw from exploding in popularity since it began as a personal, vibe-code experiment by developer Peter Steinberger. As the project caught fire, its governance model lagged far behind its adoption. Decisions about features, permissions, and security fixes were largely driven by a small core team and GitHub issues, while the rest of the world treated OpenClaw as an emblem of the new “agents that actually do things” wave.
The newly founded OpenClaw Foundation is intended to change that dynamic. Modeled loosely on the non‑profit entities that steward Kubernetes and the Linux kernel, the foundation’s remit will be to provide a neutral home for the codebase, define technical and security roadmaps, and create transparent processes for handling vulnerabilities, extensions, and commercial involvement.
According to David Morin, the first external OpenClaw Foundation board member and founder of Offline Ventures, “The Foundation will ensure OpenClaw’s independence regardless of where Peter works. We want to be kind of a Switzerland of AI.”
Steinberger himself underlined this on X, where he said, “OpenAI hired me, not OpenClaw. The OpenClaw Foundation is independent, with sponsors rather than owners – and, for the first time, a full-time team keeping the claw alive and stable.”
In practice, that means taking OpenClaw from an explosive GitHub repository and turning it into a more conventional open‑source project. The Foundation has a charter, a technical steering committee, and clear policies around who can ship what and under which conditions. It also means giving contributors and companies a way to participate formally.
Security concerns are a major driver behind the Foundation’s creation. Since the start of the year, OpenClaw has been at the center of a steady drumbeat of disclosures. It had remote code‑execution chains triggered by a single malicious web page; prompt‑injection pathways allowing documents and websites to secretly steer the agent; and misconfigured or completely unsecured instances exposed to the Internet with broad access to inboxes, calendars, and developer tools. You name the hacker attack, OpenClaw’s probably been successfully attacked by it.
That’s not news. Researchers have repeatedly warned that OpenClaw’s architecture, a highly privileged agent orchestrating tools, scripts, and external LLMs, creates a single point of catastrophic failure. The chaotic mix of rapid patching, ad‑hoc advisories, and a largely unregulated skills ecosystem has made it difficult for organizations to understand their actual risk exposure or decide whether OpenClaw can be used safely. Spoiler alert: It’s not safe.
The Foundation is expected to implement a formal security program. This will include a published vulnerability disclosure policy; clear severity scoring and release channels; and closer coordination with established security communities. One priority will be to align the project’s flood of issues with standard mechanisms such as CVEs. It will also define reference deployment patterns that limit the blast radius, such as sandboxed environments, least‑privilege defaults, and stricter controls on how skills interact with local systems and cloud services when things do go wrong.
Beyond the core agent, the Foundation will have to grapple with the broader OpenClaw ecosystem, which has grown just as fast, and just as chaotically, as the main project.
Community “skills” and integrations now number in the tens of thousands, ranging from productivity tools and DevOps helpers to trading bots and experimental automation packs. Several marketplaces have emerged to distribute these skills, alongside managed hosting platforms offering one‑click OpenClaw instances for users who don’t want to self‑host.
This proliferation has created a classic supply‑chain problem. Enterprises have no straightforward way to distinguish trustworthy skills from malicious or simply dangerous ones. Hosting providers face the dual challenge of onboarding enthusiastic users while preventing them from accidentally granting an agent far too much power over their data. Good luck with that.
The Foundation is likely to introduce a layered trust model for skills. This will include signed packages, curated catalogs, security review requirements, and perhaps an official “blessed” set of capabilities suitable for default installs.
On the commercial side, companies offering OpenClaw‑based services will have to navigate a new relationship with the project’s steward. Participation in working groups and sponsorships may give them a voice in technical decisions, but the Foundation structure should also prevent any single vendor from capturing the project outright. That said, at this point, only OpenAI, Steinberger’s employer, is the sole confirmed financial supporter. However, Microsoft, NVIDIA, the University of Michigan, among others, are partnering with the newborn Foundation.
For now, what’s clear is that OpenClaw has outgrown its origins. The formation of the OpenClaw Foundation marks the moment when a viral agent project steps onto a larger stage. Will it rise to the occasion or crack under the pressure? We’ll soon see.