
OpenClaw's Creator Just Joined OpenAI — What It Means for Your Bot

Yesterday, Peter Steinberger — the developer behind the fastest-growing open-source project in GitHub history — announced he's joining OpenAI. OpenClaw will move to an independent foundation. Here's what that means if you run an OpenClaw bot on Telegram and what you should do next.

What Happened: The Timeline

On February 15, 2026, Sam Altman announced that Peter Steinberger, the Austrian developer who created OpenClaw, is joining OpenAI to lead development of what they call "the next generation of personal agents."

Steinberger had offers from both Meta and OpenAI. He chose OpenAI, writing that his goal is to "change the world, not build a large company."

OpenClaw itself will continue as open source under a newly formed independent foundation, with OpenAI pledging continued support.

Quick Recap: Clawdbot → Moltbot → OpenClaw

  • Nov 25, 2025: First commit as "Clawdbot" — an autonomous AI agent for messaging platforms
  • Jan 27, 2026: Renamed to "Moltbot" after Anthropic's trademark complaint
  • Jan 30, 2026: Renamed again to "OpenClaw" — Steinberger said Moltbot "never quite rolled off the tongue"
  • Feb 15, 2026: Steinberger announces he's joining OpenAI; OpenClaw moves to an independent foundation

OpenClaw by the Numbers: Why This Matters

OpenClaw isn't just popular. It rewrote the record books:

| Metric | Number |
| GitHub Stars | 196,000+ (as of Feb 15, 2026) |
| Time to 100K Stars | ~2 days (18x faster than Kubernetes) |
| Contributors | 600+ |
| Commits | 10,000+ |
| Codebase Size | 430,000+ lines (TypeScript, MIT licensed) |
| Moltbook AI Agents | 770,000+ active bots on the agent social network |

It's the fastest GitHub repository to reach 100K stars in history. It got a Super Bowl ad. And now its creator works at OpenAI. This project isn't going away — but it is changing.

What OpenClaw Actually Does

If you're new to OpenClaw: it's an open-source AI agent that turns any large language model (Claude, GPT, Gemini, DeepSeek, or local models) into a persistent personal assistant. You interact with it through messaging apps you already use — Telegram, WhatsApp, Signal, Discord, Slack, and more.

Unlike a chatbot, OpenClaw can actually do things: browse the web, manage your email and calendar, run shell commands, control smart home devices, and automate tasks autonomously. It's built on a hub-and-spoke architecture with a local WebSocket gateway and a growing ecosystem of 5,700+ community skills on ClawHub.

The catch? You need to host it somewhere. And that's where things get complicated.

The Security Problem Nobody Wants to Talk About

OpenClaw's explosive growth came with equally explosive security concerns. Two incidents stand out:

CVE-2026-25253 — Critical Remote Code Execution

In early February 2026, researchers disclosed a CVSS 8.8 vulnerability that allowed one-click remote code execution via a malicious link. OpenClaw's gateway didn't validate WebSocket origin headers, letting any website connect to the local server, steal auth tokens, and gain full operator-level access.

Patched in version 2026.1.29 — but within 48 hours of going viral, security researchers found hundreds of publicly accessible installations leaking API keys, OAuth tokens, and conversation histories.

ClawHavoc — 341 Malicious Skills on ClawHub

Security researchers discovered 341 compromised skills on ClawHub, OpenClaw's community marketplace. These skills could exfiltrate data, inject prompts, or execute arbitrary code. The default installation stores API keys in plaintext at ~/.openclaw/config.json, making credential theft straightforward.

One of OpenClaw's own maintainers warned the community: if you can't understand how to run a command line, this project is "far too dangerous" for you to use safely.

These aren't theoretical risks. They're documented incidents that affected real users. And with Steinberger now at OpenAI, the question is: who's responsible for fixing the next one?

What the OpenAI Move Means for OpenClaw Users

Steinberger moving to OpenAI introduces three concerns for anyone running an OpenClaw bot:

1. Governance Uncertainty

OpenClaw is moving to an "independent foundation" — but the details are sparse. Who runs it? How are security patches prioritized? What happens when OpenAI's interests diverge from the open-source community's?

Open-source projects that lose their founding developer often slow down. Sometimes they fork. Sometimes they stall. The 600 contributors provide a buffer, but the next 6 months will reveal whether the foundation has real momentum or is just a press release.

2. Security Response Times

CVE-2026-25253 was patched quickly because Steinberger was personally invested in the project. With the creator now building competing products at OpenAI, will the foundation maintain the same response speed for the next critical vulnerability?

If you self-host OpenClaw, you're responsible for applying patches the moment they ship. If you run a managed deployment, your hosting provider handles it.

3. The OpenAI Conflict of Interest

Steinberger is now building "the next generation of personal agents" at OpenAI — which is exactly what OpenClaw is. OpenAI says they'll support the open-source project, but they're also building a commercial alternative. That tension is worth watching.

OpenClaw Hosting: Your Three Options

OpenClaw needs to run 24/7 to be useful. Here's how people are doing it — and the trade-offs of each approach:

| | Run Locally | Self-Host (VPS) | Managed Hosting |
| Cost | Free (+ API costs) | $5-12/mo + API costs | $10-40/mo (API included on some tiers) |
| Uptime | Only when your machine is on | 24/7 (you manage it) | 24/7 (provider manages it) |
| Security Updates | Manual (npm update) | Manual (SSH + update) | Automatic |
| Setup Time | 30-60 min | 1-3 hours | 5 minutes |
| Technical Skill | Command line + Node.js | SSH, Docker, Linux admin | None |
| Best For | Testing and experimenting | Developers who want full control | Everyone else |

Why Managed Hosting Matters More Now

The OpenAI move makes one thing clear: if you're running OpenClaw, you need someone watching the security perimeter. Self-hosters are on their own. They need to track CVEs, apply patches immediately, harden their VPS, rotate API keys, and monitor for unauthorized access.

Most people don't want to be their own sysadmin. They want an AI assistant on Telegram that works. That's what managed hosting provides:

  • Automatic security patches: When the next CVE drops, your host applies the fix. You don't touch a terminal.
  • 24/7 uptime: Your bot doesn't go down when your laptop sleeps or your VPS runs out of disk space.
  • No DevOps required: No Docker, no SSH, no firewall rules. Just Telegram and your AI.
  • API key security: Credentials are encrypted and managed, not sitting in a plaintext JSON file.

How ClawdHost Handles This

ClawdHost provisions a dedicated, hardened VPS for each customer. SSH password auth is disabled. Firewalls and fail2ban are configured at boot. API keys are encrypted in transit and at rest. Updates are applied by resetting your instance — one click in the dashboard.

You don't manage infrastructure. You just use your AI assistant on Telegram.

The Real Cost of Running OpenClaw

OpenClaw is free. Hosting it is not. Here's what it actually costs:

Self-Hosted Cost Breakdown

  • VPS: $5-12/month (Hetzner, DigitalOcean, Vultr)
  • Claude API (Sonnet 4.5): $3/M input tokens + $15/M output tokens — moderate daily use runs $5-20/month
  • Your time: Setup (2-4 hours), ongoing maintenance (patching, monitoring, debugging), 3am incident response

Total: $10-32/month plus your time. For developers comfortable with Linux administration, this makes sense. For everyone else, the hidden cost is the time you spend managing infrastructure instead of using your AI.

Managed Hosting Cost Breakdown

  • BYOK tier: $10/month — bring your own API key, we handle hosting
  • Easy tier: $20/month — includes $10 in API credits (Claude Sonnet 4.5)
  • Pro tier: $40/month — includes $30 in API credits with priority support

No VPS management. No Docker. No SSH. No 3am debugging. Just a Telegram bot that works.

What You Should Do Right Now

Whether the OpenAI move is good or bad for OpenClaw long-term, here's what matters today:

If You Already Run OpenClaw

  • Update immediately — make sure you're on version 2026.1.29 or later (CVE-2026-25253 fix)
  • Audit your skills — remove any ClawHub skills you don't actively use
  • Rotate API keys — if your installation was ever publicly accessible, regenerate all credentials
  • Watch the foundation — follow OpenClaw's governance announcements over the next few months
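
The first three checklist items as a triage function, added here as an example and not part of OpenClaw's tooling. The fixed version comes from this article; the install record shape (`version`, `everPublic`, `skills`) and the action strings are assumptions. Versions are compared numerically per component, because a plain string comparison would rank 2026.1.3 above 2026.1.29 and report it as patched.

```javascript
// Added example, not OpenClaw tooling. FIXED_VERSION is taken from the article;
// the record fields and action names are constructed for illustration.
const FIXED_VERSION = "2026.1.29";

// Parse "YYYY.M.P" into three integers; null when the string has another shape.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Component-wise numeric comparison: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

function isPatched(version, fixed = FIXED_VERSION) {
  const need = parseVersion(fixed);
  if (need === null) throw new Error("unparseable fixed version: " + fixed);
  const have = parseVersion(version);
  // Fail closed: a version that cannot be read is treated as unpatched.
  return have !== null && compareVersions(have, need) >= 0;
}

// Return the follow-up actions for one install record.
function triage(install) {
  const actions = [];
  if (!isPatched(install.version)) actions.push("update");
  if (install.everPublic) actions.push("rotate-keys");
  const unused = install.skills.filter((s) => !s.inUse).map((s) => s.name);
  if (unused.length > 0) actions.push("remove-skills:" + unused.join(","));
  return actions;
}
```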

If You're New to OpenClaw

  • Don't self-host unless you know Linux — OpenClaw's own maintainers say this
  • Consider managed hosting — let someone else handle security patches and server maintenance
  • Start with Telegram — it's the most popular channel and the easiest to configure
  • Try a free trial — test whether an AI assistant in Telegram actually fits your workflow before committing

The Bigger Picture

OpenClaw proved that people want AI assistants that live in their messaging apps — not in a browser tab. 196K GitHub stars in under three months is not a fluke. It's a signal.

The question was never "do people want this?" It was "who can deliver it safely and reliably?" Self-hosting puts that burden on you. Managed hosting puts it on professionals who do this full-time.

With Steinberger at OpenAI and the foundation still finding its footing, the users who'll have the smoothest ride are the ones who aren't managing their own infrastructure. They're just using their AI on Telegram while someone else handles the rest.

Skip the Setup. Skip the Security Headaches.

Get a Claude-powered AI assistant on Telegram with managed hosting. No Docker, no SSH, no CVE monitoring. Automatic security patches, encrypted API keys, and 24/7 uptime. Start with a free 7-day trial.
