Welcome to Memorandum Deep Dives. In this series, we go beyond the headlines to examine the decisions shaping our digital future. 🗞️

This week, the AI industry's most-watched promise collided with its most uncomfortable reality. For months, AI companies have been positioning agents as the logical next step, systems that don't just respond but act, handling tasks end to end with minimal human input. The pitch has been compelling, and the appetite has been enormous.

What nobody fully anticipated was how quickly a real-world test would arrive, or how comprehensively it would expose the gap between the technology's ambitions and its actual readiness. A single open-source project, built over a weekend in a Marrakesh hotel room, grew faster than any software repository in GitHub history and pulled millions of users into territory that security researchers, regulators, and even its own developers were not prepared for.

The story of OpenClaw is not simply a cautionary tale about one flawed product. It is a stress test that the entire agentic AI field has been quietly dreading, and the results are instructive for anyone paying attention to where this technology is headed next.

How OpenClaw Became the Stress Test of Agentic AI in the Wild

OpenClaw, an open-source AI agent, became the fastest-growing project in GitHub history, and then became the most vivid demonstration of everything that can go wrong when you give an AI system the keys to your digital life.

For much of the past few months, the messaging from AI companies has positioned agents as the next phase of a technology evolving at an unprecedented pace. These systems are framed as layers that can harness large language models to automate tasks end to end, reducing and in some cases eliminating the need for human oversight. The implications are significant: a system that can gather, interpret, and act on information can meaningfully reshape productivity.

But the first major real-world test of this technology has revealed a gap between what is being promised and what is actually ready. OpenClaw, an open-source AI agent that went from a weekend project to the fastest-growing software repository in GitHub history, has shown that the systems designed to act on our behalf can also act against our interests, deleting data, exposing credentials, and bypassing the very safeguards their users put in place.

The lobster that broke the internet

In November 2025, an Austrian developer named Peter Steinberger built a small tool during a trip to Marrakesh. It started as a way to relay messages between WhatsApp and Anthropic’s Claude chatbot, a weekend project with a lobster mascot and no particular ambition. Within four months, it became the fastest-growing open-source project in GitHub history, accumulating over 335K stars from developers worldwide.

Called OpenClaw, the tool is different from anything that came before it because, unlike conventional AI assistants like ChatGPT or Siri, which answer questions and generate text within a browser window or app, OpenClaw lives on your computer and does things on your behalf. Users can send it a message on WhatsApp or Telegram, and it can read emails, manage calendars, book travel, run code, browse the web, and control connected services. It runs continuously in the background, building a persistent memory of the users’ preferences and patterns so it can act with increasing autonomy over time.

The appeal was immediate and widespread, with developers, freelancers, and enthusiasts adopting OpenClaw so quickly that it reportedly drove shortages of Apple’s Mac Mini, which became a popular device for running it locally. Cloud providers such as DigitalOcean and Alibaba Cloud quickly began offering hosted versions. At the same time, in China, the surge in adoption even earned a nickname, ‘raising lobsters,’ inspired by its mascot, with users lining up at events in Shenzhen to install it on their devices.

However, the same qualities that made OpenClaw so popular also made it a magnet for security researchers, hackers, and regulators.

Within weeks of its launch, Gartner published an advisory labeling OpenClaw’s security risks as “unacceptable” and its design “insecure by default”. Cisco’s threat research team called it an “absolute nightmare.” China’s central government banned it from state-owned enterprises and government agencies. A steady stream of incidents, ranging from deleted inboxes and exposed credentials to a supply chain attack that compromised roughly one in five add-ons in its marketplace, revealed just how much can go wrong when an AI agent is given broad access to a user’s digital life.

OpenClaw has become the first large-scale, real-world stress test of what the technology industry calls “agentic AI,” artificial intelligence that acts independently rather than waiting for instructions.

What made OpenClaw different?

To understand why OpenClaw caught on so quickly, it helps to understand the problem it solved.

By late 2025, models like Claude, GPT, and Gemini had become highly capable at reasoning and writing. Still, they remained confined to chat interfaces, where each interaction was isolated, and the systems could respond but not act.

OpenClaw changed that by connecting a language model directly to a user’s computer, granting it access to files, apps, and services, and enabling it to carry out tasks via natural language instructions. Instead of explaining how to do something, the system could do it, whether that meant organizing an inbox or booking travel.

Its architecture is relatively simple: a gateway process routes messages between apps and the chosen model, local files store memory and behavior, and a modular ‘skills’ system extends capabilities. At the same time, a scheduling mechanism allows the agent to act independently.

This combination of persistence, autonomy, and system access made OpenClaw feel fundamentally different from earlier assistants, prompting comparisons to foundational technologies and rapid adoption, including hundreds of thousands of GitHub stars in weeks, enterprise adaptations like NemoClaw, and strong endorsements from industry leaders, all within a matter of months.

What the stress test revealed

The problem with all this was that OpenClaw requires broad access to function, and a misconfigured or compromised instance is a serious security liability. And millions of people were setting it up with varying levels of technical skill and caution.

One major vulnerability allowed attackers to take control of an OpenClaw instance via a single malicious link that required only a user click. Although it was patched, it showed how fragile the system was in the real world.

The skills marketplace, ClawHub, proved even more problematic. Researchers uncovered a campaign known as “ClawHavoc,” where attackers uploaded malicious add-ons designed to steal credentials, install backdoors, and mine cryptocurrency, with one such tool reportedly reaching over 340,000 installations before being removed.

The most telling example came from Summer Yue, a director working on alignment and safety research at Meta, who connected OpenClaw to her personal inbox with explicit instructions to suggest actions without taking them. The agent ignored those constraints and began deleting emails at scale, forcing her to shut it down manually. The failure was traced to a limitation in how the system handled memory, which caused it to discard earlier instructions under load, turning a controlled assistant into an unpredictable one.

Why do the security concerns extend beyond OpenClaw

However, the vulnerabilities OpenClaw exposed are not unique to it; rather, they reflect a structural weakness in how all current AI language models work. A problem the security community calls “prompt injection.”

At its core, prompt injection is a simple but serious flaw. AI models process everything they receive, including system instructions, user inputs, emails, documents, and web pages, as one continuous stream of text. They do not have a reliable way to separate a genuine instruction from a hidden malicious one. This means an attacker can embed a command in something like a webpage or a PDF, and if the AI reads it, the model may treat it as if the user had issued that command directly.

The risk becomes much greater with AI agents. Unlike chatbots that only generate responses, agents are built to take action and often have access to email, files, calendars, and other sensitive systems. In this setup, a successful prompt injection is not just about generating a wrong answer, but about triggering real actions such as exposing data or carrying out unintended tasks.

OpenClaw demonstrated how this plays out in practice. Researchers showed that malicious plugins and external inputs could manipulate the agent into leaking data or bypassing its safeguards, turning prompt injection from a theoretical weakness into a real, exploitable threat once AI systems are given access and autonomy.

The problem is that the UK’s National Cyber Security Center issued a formal assessment in late 2025, warning that prompt injection “may never be fully mitigated” with current AI architectures.

The stress test keeps running

What OpenClaw ultimately reveals is not just where agentic AI stands today, but how it is likely to evolve. The demand for systems that can act, not just respond, is already clear, and the industry has little incentive to slow down. But the gap between capability and control remains unresolved, and it is widening as these systems gain more autonomy and access.

The real question is no longer whether AI agents will become part of everyday computing, but whether the systems designed to manage them can mature fast enough to keep them reliable, secure, and aligned with user intent. Until that gap closes, every new deployment will double as both a product launch and an experiment, one that reveals not just what these systems can do, but what can go wrong when they do it.