Delv
News
20 February 20268 min read

The OpenClaw Saga: From Weekend Project to Fastest-Growing Open Source AI Ever

One bloke built a WhatsApp AI relay as a weekend hack. Three weeks later it has 100K GitHub stars, three name changes, a crypto scam, and a security crisis.

DV

Delv Editorial

Delv Team

A weekend project that broke GitHub

Peter Steinberger is the kind of developer who makes the rest of us feel inadequate. He built PSPDFKit, a PDF framework used by basically every major app you've ever used. The bloke knows how to ship software.

So when he spent a weekend in November 2025 building a WhatsApp relay for AI chatbots, it should have been a minor footnote. A fun hack. The sort of thing you post on Twitter, get 200 likes, and move on with your life.

That is not what happened.

The name game

The project launched as "Clawdbot," a cute play on Claude (the AI model it originally connected to WhatsApp). Anthropic's legal team, displaying exactly the sense of humour you'd expect from a legal team, flagged the name as too close to their trademark.

Fair enough. Steinberger renamed it to "Moltbot" on January 27th. Three days later, on January 30th, he renamed it again to "OpenClaw." That name stuck, but only because everything that happened next made the naming drama look quaint by comparison.

100,000 stars in a week

OpenClaw hit 100,000 GitHub stars within its first week. For context, React took years to hit that number. TensorFlow took years. This random WhatsApp relay for AI chatbots did it in seven days.

Two million visitors flooded the repository. The project was trending on every developer platform simultaneously. Hacker News couldn't stop talking about it. Reddit was losing its mind. It was, by every measurable metric, the fastest-growing open source project in the history of AI.

And that's when everything went sideways.

The vultures arrived immediately

When Steinberger changed the project name from Clawdbot, he released the old GitHub username. Within literal seconds, someone grabbed it. Not to build something useful, obviously. To run a crypto scam.

A fake Solana token appeared bearing the old project name. Fake social media accounts popped up directing people to malicious downloads. The abandoned npm packages associated with the old name were hijacked and loaded with malware. Anyone who hadn't updated was now pulling compromised code.

This all happened within hours of the rename. Hours.

The security crisis nobody saw coming

Here's where it gets properly scary. Cisco's security research team (Talos) investigated OpenClaw deployments and found something that should make your stomach drop: 30,000 instances running with no authentication whatsoever.

That means 30,000 people had set up this WhatsApp AI relay and left it completely open to the internet. No password. No API key check. Nothing.

These exposed instances were leaking everything. Emails. Calendar entries. Slack credentials. Personal API keys for OpenAI, Anthropic, and other services. One researcher described it as "the world's most generous data buffet."

The core problem wasn't really OpenClaw's fault, though the defaults could have been more secure. The problem was that tens of thousands of non-technical users had set up a server-side application without understanding what "publicly accessible" means. They followed a tutorial, got it running, and moved on. Nobody told them they'd just left their digital front door open.

The human cost

This is the bit that doesn't show up in the star count. Real people had their credentials exposed. Real API keys were stolen and racked up charges. Real Slack workspaces were compromised. The 30,000 exposed instances weren't abstract numbers. They were people who wanted to use AI through WhatsApp and ended up handing their digital lives to anyone who knew where to look.

Some of those people are still discovering the damage. Stolen API keys don't announce themselves. You find out when you get a bill from OpenAI for $4,000 in usage you didn't authorise.

Steinberger's exit

On February 14th, Steinberger announced he was joining OpenAI. The timing is either coincidental or very much not coincidental. The OpenClaw project would be handed off to an open source foundation.

There's something darkly funny about the arc. Build a weekend project. Watch it become the biggest thing in open source AI. Watch it get hijacked by crypto scammers, exploited by malware authors, and used to accidentally expose thousands of people's private data. Then join OpenAI and hand the whole mess to a foundation.

I genuinely don't blame him. Running an open source project with 100K stars is a full-time job that pays nothing. Running one that's also a security incident is worse.

What this actually tells us

The OpenClaw saga is a perfect microcosm of where we are with AI in early 2026. The technology moves so fast that a weekend hack can become a global phenomenon before anyone has time to think about security, governance, or what happens when millions of non-technical users deploy server software.

We keep celebrating growth metrics, stars, downloads, visitors, without asking whether the thing growing can support its own weight. OpenClaw couldn't. Not because the code was bad, but because 100,000 GitHub stars in a week means the project outgrew its ability to provide sensible defaults, security documentation, and user guidance before most users had even installed it.

The uncomfortable question

Should Steinberger have shipped it differently? Should GitHub have better mechanisms for preventing username hijacking during renames? Should npm have flagged the package takeover faster?

Yes to all three. But the bigger question is structural. The open source ecosystem has no good answer for "what happens when a project goes viral before it's ready." There's no circuit breaker. No staging environment for popularity. You go from 50 stars to 100,000 and the only thing that changes is the number of people relying on software that was, let's be honest, built in a weekend.

OpenClaw will probably be fine under the new foundation. The security issues will get patched. The defaults will get hardened. The crypto scammers will move on to the next thing.

But the 30,000 people who accidentally leaked their credentials won't get those back. That toothpaste doesn't go back in the tube.

The lesson nobody will learn

Move fast and break things sounds great until the things you break are other people's email accounts. Every time I think the tech industry has learned this lesson, something like OpenClaw happens and proves we absolutely have not.

Build cool things. Ship weekend projects. Contribute to open source. But maybe, just maybe, think about what happens when your weekend project gets 100,000 stars before you've written a single line of security documentation.

That would be nice. I'm not holding my breath.

DV

Delv Editorial

Delv Team

The Delv editorial team reviews AI tools, MCP servers, Agent Skills, and autonomous agents. Reviews are drafted with AI assistance and human oversight. Every install command and config snippet is verified against the source. We're independent, we don't sell tools, and we say when something isn't worth it.

AI ToolsMCPSkillsAgents

The OpenClaw Saga: From Weekend Project to Fastest-Growing Open Source AI Ever

One bloke built a WhatsApp AI relay as a weekend hack. Three weeks later it has 100K GitHub stars, three name changes, a crypto scam, and a security crisis.

By Delv Editorial8 min read

A weekend project that broke GitHub

Peter Steinberger is the kind of developer who makes the rest of us feel inadequate. He built PSPDFKit, a PDF framework used by basically every major app you've ever used. The bloke knows how to ship software.

So when he spent a weekend in November 2025 building a WhatsApp relay for AI chatbots, it should have been a minor footnote. A fun hack. The sort of thing you post on Twitter, get 200 likes, and move on with your life.

That is not what happened.

The name game

The project launched as "Clawdbot," a cute play on Claude (the AI model it originally connected to WhatsApp). Anthropic's legal team, displaying exactly the sense of humour you'd expect from a legal team, flagged the name as too close to their trademark.

Fair enough. Steinberger renamed it to "Moltbot" on January 27th. Three days later, on January 30th, he renamed it again to "OpenClaw." That name stuck, but only because everything that happened next made the naming drama look quaint by comparison.

100,000 stars in a week

OpenClaw hit 100,000 GitHub stars within its first week. For context, React took years to hit that number. TensorFlow took years. This random WhatsApp relay for AI chatbots did it in seven days.

Two million visitors flooded the repository. The project was trending on every developer platform simultaneously. Hacker News couldn't stop talking about it. Reddit was losing its mind. It was, by every measurable metric, the fastest-growing open source project in the history of AI.

And that's when everything went sideways.

The vultures arrived immediately

When Steinberger changed the project name from Clawdbot, he released the old GitHub username. Within literal seconds, someone grabbed it. Not to build something useful, obviously. To run a crypto scam.

A fake Solana token appeared bearing the old project name. Fake social media accounts popped up directing people to malicious downloads. The abandoned npm packages associated with the old name were hijacked and loaded with malware. Anyone who hadn't updated was now pulling compromised code.

This all happened within hours of the rename. Hours.

The security crisis nobody saw coming

Here's where it gets properly scary. Cisco's security research team (Talos) investigated OpenClaw deployments and found something that should make your stomach drop: 30,000 instances running with no authentication whatsoever.

That means 30,000 people had set up this WhatsApp AI relay and left it completely open to the internet. No password. No API key check. Nothing.

These exposed instances were leaking everything. Emails. Calendar entries. Slack credentials. Personal API keys for OpenAI, Anthropic, and other services. One researcher described it as "the world's most generous data buffet."

The core problem wasn't really OpenClaw's fault, though the defaults could have been more secure. The problem was that tens of thousands of non-technical users had set up a server-side application without understanding what "publicly accessible" means. They followed a tutorial, got it running, and moved on. Nobody told them they'd just left their digital front door open.

The human cost

This is the bit that doesn't show up in the star count. Real people had their credentials exposed. Real API keys were stolen and racked up charges. Real Slack workspaces were compromised. The 30,000 exposed instances weren't abstract numbers. They were people who wanted to use AI through WhatsApp and ended up handing their digital lives to anyone who knew where to look.

Some of those people are still discovering the damage. Stolen API keys don't announce themselves. You find out when you get a bill from OpenAI for $4,000 in usage you didn't authorise.

Steinberger's exit

On February 14th, Steinberger announced he was joining OpenAI. The timing is either coincidental or very much not coincidental. The OpenClaw project would be handed off to an open source foundation.

There's something darkly funny about the arc. Build a weekend project. Watch it become the biggest thing in open source AI. Watch it get hijacked by crypto scammers, exploited by malware authors, and used to accidentally expose thousands of people's private data. Then join OpenAI and hand the whole mess to a foundation.

I genuinely don't blame him. Running an open source project with 100K stars is a full-time job that pays nothing. Running one that's also a security incident is worse.

What this actually tells us

The OpenClaw saga is a perfect microcosm of where we are with AI in early 2026. The technology moves so fast that a weekend hack can become a global phenomenon before anyone has time to think about security, governance, or what happens when millions of non-technical users deploy server software.

We keep celebrating growth metrics, stars, downloads, visitors, without asking whether the thing growing can support its own weight. OpenClaw couldn't. Not because the code was bad, but because 100,000 GitHub stars in a week means the project outgrew its ability to provide sensible defaults, security documentation, and user guidance before most users had even installed it.

The uncomfortable question

Should Steinberger have shipped it differently? Should GitHub have better mechanisms for preventing username hijacking during renames? Should npm have flagged the package takeover faster?

Yes to all three. But the bigger question is structural. The open source ecosystem has no good answer for "what happens when a project goes viral before it's ready." There's no circuit breaker. No staging environment for popularity. You go from 50 stars to 100,000 and the only thing that changes is the number of people relying on software that was, let's be honest, built in a weekend.

OpenClaw will probably be fine under the new foundation. The security issues will get patched. The defaults will get hardened. The crypto scammers will move on to the next thing.

But the 30,000 people who accidentally leaked their credentials won't get those back. That toothpaste doesn't go back in the tube.

The lesson nobody will learn

Move fast and break things sounds great until the things you break are other people's email accounts. Every time I think the tech industry has learned this lesson, something like OpenClaw happens and proves we absolutely have not.

Build cool things. Ship weekend projects. Contribute to open source. But maybe, just maybe, think about what happens when your weekend project gets 100,000 stars before you've written a single line of security documentation.

That would be nice. I'm not holding my breath.

Delv Editorial - Delv Team

The Delv editorial team reviews AI tools, MCP servers, Agent Skills, and autonomous agents. Reviews are drafted with AI assistance and human oversight. Every install command and config snippet is verified against the source. We're independent, we don't sell tools, and we say when something isn't worth it.