OpenClaw hit 34,168 GitHub stars in 48 hours. That's not a typo. A solo developer named Peter Steinberger shipped a weekend project and broke GitHub's all-time growth record.
It surpassed Linux. Then Kubernetes. Then React. In 60 days it had 157,000 stars. The fastest-growing open source project in history, and most engineering managers had never heard of it.
And then the security researchers showed up.
A team scanned 18,000 exposed OpenClaw instances. They found almost 900 malicious skills in the community registry. Kaspersky published a report. Bitdefender wrote a technical advisory. Meta quietly banned it from work devices. The same week developers were posting about their AI agent sending emails for them, security teams were finding open admin panels sitting on the public internet.
Both groups were right.
That's the strange part about OpenClaw. It actually works. You connect it to Telegram or WhatsApp, point it at Claude or GPT or a local Llama model, and it starts doing things. Real things. Browsing, writing code, pushing commits. With memory between sessions. Not a chatbot that forgets you exist. An agent that runs 24 hours while you sleep.
You've probably tried building something like this yourself. i know i have. Some half-working webhook automation that dies the moment a rate limit kicks in. OpenClaw is different. The annoying part is that it's also one misconfig away from handing someone root access to your machine.
And most people don't know they've misconfigured it.
Why enterprises couldn't touch it
I used to think the OpenClaw security panic was overblown. Then i read the Kaspersky writeup.
By default, OpenClaw trusts connections from localhost. If your reverse proxy forwards external traffic to 127.0.0.1, the agent sees it as local. Full access. No auth. No password prompt.
Hundreds of admin interfaces were sitting open on the internet. That was the default configuration.
That's not a niche edge case. That's what happens when you follow the basic setup guide and skip the nginx section. And when you give an agent shell access to your machine, that misconfig means a stranger has shell access too.
Enterprise IT can't approve this. Compliance teams lose it. And unlike a misconfigured S3 bucket, this one can write code, push it somewhere, and delete its logs after.
The skills registry made it worse. ClawHub had over 3,000 community plugins by early February. Around 900 of them were malicious. Some were obvious. Others quietly told the agent to include sensitive file content in "debug logs" shared to external Discord webhooks.
One misconfigured install plus one poisoned plugin is a bad Tuesday morning.
What Nvidia actually shipped
OpenClaw got acquired by OpenAI in February 2026. Peter Steinberger went with it. The project stayed open source, but the momentum shifted.
Nvidia watched all of this. At GTC 2026 on March 16, Jensen Huang walked on stage in San Jose in front of 30,000 people from 190 countries and said "every single company in the world needs an OpenClaw strategy." Not should consider. Needs.
Then he announced NemoClaw.
It's not a replacement for OpenClaw. It's a stack built on top of it. Three pieces:
- OpenShell: a sandboxed runtime with least-privilege access controls
- A privacy router that keeps data off external APIs
- NemoClaw, which packages OpenShell with Nvidia's Nemotron model family
It works on any hardware. AMD, Intel, whatever. Not just Nvidia chips.
The chip lock-in thing is a real strategy
Most tutorials tell you Nvidia software requires Nvidia hardware. That's been true for 20 years. CUDA exists to make it true.
But agents change the math.
When a company deploys 500 agents across a workforce, they don't pick hardware per agent. They pick the runtime IT can govern. The one with audit logs. The one compliance can sign off on.
NemoClaw is that runtime. And once your agent workflows live on it, your inference capacity still runs on Nvidia chips. The lock-in didn't disappear. It just moved one layer down.
i explained this to a friend who runs infrastructure at a mid-size company. He said "so it's free but they still win." Basically, yes.
Nvidia has reportedly already talked to Adobe, Cisco, Google, Salesforce, and CrowdStrike about early partnerships. None have confirmed deals. That's normal. Nothing moves fast in enterprise. But the list tells you who the target is. This is not for solo developers. It's for IT orgs that need to justify AI agents to a security team.
Nobody talks about what OpenClaw was originally called.
It started as Clawdbot. Peter Steinberger built it over a weekend in November 2025. Then Anthropic sent a cease-and-desist. The name was too close to Claude. So it became Moltbot.
Then Moltbot needed another rename. So it became OpenClaw.
Three names in two months. i once worked on a project that changed names once before launch and it set us back six weeks. We had to redo the landing page, rewrite docs, and email early users. Half of them missed the rename entirely and kept looking for the old repo.
OpenClaw survived three rebrandings and still became the most starred software project on GitHub. That's not a growth story. That's a desperation story. Developers wanted this thing so badly they followed it through three different identities.
There's a category of tool nobody had built cleanly. An agent that remembers context, works through apps you already use, and doesn't require building a full backend to automate one simple thing. OpenClaw was the first clean answer. Nvidia saw the gap. That's why they built on top of it rather than starting from scratch.
Who shouldn't bother with NemoClaw
Most people don't need this.
If you're running OpenClaw on a $6 VPS to manage your calendar and draft messages, NemoClaw adds nothing useful. OpenShell's access controls exist for companies managing 50 agents across departments. Not for one developer running one bot in Telegram.
The enterprise features are real. But they're enterprise problems. Audit logs, role-based access, compliance reporting. These are not things you think about when you're building something over a weekend.
And NemoClaw is brand new. The security architecture sounds solid on paper. But the enterprise software graveyard is full of things that sounded solid on paper.
OpenClaw's ClawHub had 900 malicious packages before anyone noticed. NemoClaw has different architecture. But trust is slow. If you're evaluating this for production right now, wait until Q3. Let someone else find the first CVE.
And if your company is already running OpenClaw informally, audit it before your security team does. Because they will.
The security researcher who posted their findings on Reddit after scanning 18,000 instances got thousands of upvotes. One of the top replies was from someone saying they'd been running OpenClaw for months with zero problems.
Both of them are correct. That's the weird part.
OpenClaw can work fine. Or it can hand root access to a stranger. The gap between those two outcomes is one config file that the setup guide doesn't warn you about.
Nvidia built NemoClaw to close that gap for organizations that can't afford to get it wrong. The partnerships are still in talks. The code is weeks old. Whether security teams trust it by Q3, i genuinely don't know.
But Jensen Huang stood in front of 30,000 people and called OpenClaw the operating system for personal AI.
That's not a launch announcement. That's a bet on what infrastructure looks like next year. Whether NemoClaw wins that bet is a different question entirely.