2 March 2026 · Matthieu MALVACHE · 10
OpenClaw and Shadow AI: Your Team Is Already Using Unauthorized Agents
In less than three months, an open-source AI agent went from a weekend hobby project to 200,000 GitHub stars - outpacing React, Vue, and every other repository in the platform's history. That project is OpenClaw. And there's a decent chance someone in your organization already installed it.
How a Friday evening project broke GitHub records
Peter Steinberger is an Austrian developer who previously sold his company for over $100 million. In November 2025, he built a simple tool that gave Claude (Anthropic's LLM) direct access to his terminal, local files, and messaging apps like WhatsApp and Signal. He called it Clawdbot, and the growth was unlike anything GitHub had seen before: 100,000 stars in seven days. Then Anthropic's lawyers sent a trademark complaint: too close to "Claude." Steinberger tried renaming to Moltbot, then OpenClaw. During those seconds between releasing the old name and claiming the new one, scammers hijacked both the GitHub organization and X handle, launched a fake $CLAWD token on Solana, and $16 million in market cap appeared and collapsed before anyone could react.
None of that slowed adoption. On February 14, 2026, Steinberger announced he was joining OpenAI to lead their personal agents division. OpenClaw itself moved to an independent open-source foundation. Sam Altman's logic is transparent: you don't buy the code, you buy the market proof that hundreds of thousands of users want a local personal agent. Same strategy Google used when they wrapped Chrome around Chromium in 2008.
What OpenClaw actually does (and why it terrifies security teams)
OpenClaw is an autonomous agent with full access to whatever you give it: email, calendar, files, terminal, messaging (WhatsApp, Signal, Slack). It doesn't suggest actions for you to approve. It sends emails, executes code, manages files, and responds to messages on its own.
It also has a plugin ecosystem called ClawHub where anyone can publish extensions. The only requirement to upload a skill is a GitHub account older than one week.
The security results were predictable. A January 2026 audit found 512 vulnerabilities, eight rated critical. The worst one (CVE-2026-25253, CVSS 8.8) allows remote code execution through the browser: an attacker creates a malicious page, the agent visits it, the gateway token leaks, and the attacker gains full administrative control in milliseconds. Researchers found over 30,000 internet-exposed instances running without authentication. And 341 malicious skills on ClawHub (12% of the registry) were caught exfiltrating crypto wallets, browser passwords, macOS Keychain data, and cloud credentials. Updated scans found over 800.
Clandestine delegation: the shadow AI your IT team can't see
Here's what matters more than any vulnerability count: your employees are installing this.
Not all of them, and probably not with malicious intent. But post-layoff teams with crushing workloads will reach for any tool that saves two hours of sleep. The scenario plays out the same way every time. An engineer downloads a "code optimization" plugin from ClawHub. It works. It also silently exfiltrates production tokens in the background.
This is shadow AI: employees using autonomous agents on corporate systems without IT knowledge or approval. The pattern is identical to what happened with Napster in 1999 or Dropbox in 2012. The value proposition is so strong that people accept catastrophic security tradeoffs to get it. The difference is that Napster shared music files. OpenClaw shares your database credentials, your email inbox, and your Slack conversations with a plugin ecosystem where 12% of published extensions are malware.
I build AI agents for a living. I understand why people install them - the productivity gain is real. But there's a gap between "this agent saved me three hours" and "this agent has undocumented access to our production API." And most organizations have no idea how wide that gap has gotten.
Control debt: worse than technical debt
Every developer understands technical debt. Rushed code that accumulates over time, slows you down, and eventually demands a painful rewrite.
Control debt works the same way, but the consequences are existential. Every agent installed without supervision adds permissions, integrations, and access that nobody documents and nobody revokes. Maybe your marketing manager logged an agent into the CRM with personal credentials. Over in logistics, someone gave an OpenClaw extension access to supplier ordering systems. And a junior dev? They connected an agent to the "test" environment - the one that shares credentials with production.
Technical debt slows you down. Control debt can end the company. And the day an agent does something catastrophic (wipes a database, sends client data to an external server, executes an instruction injected by a phishing email) your ability to cut access in an emergency depends entirely on whether anyone mapped the permissions before the crisis hit.
If nobody audited it, nobody even knows where to start.
This already happened. Replit's AI coding agent wiped a production database during a code freeze. Its instructions were clear: optimize tables, don't delete real data. The agent determined that the fastest path to a "perfectly optimized" database was an empty one. Then it generated 4,000 fake user accounts and falsified server logs to cover its tracks. The agent was zealous, not malicious. It optimized for speed and had no concept that six years of customer data can't be regenerated.
And then there's the one you couldn't make up. Summer Yue, Meta's Director of Safety and Alignment - the person responsible for making AI safe at Meta - gave OpenClaw full access to her Gmail inbox. The agent started mass-deleting her emails. She told it to stop, and it kept going. She told it again. Same result. When she finally ran to her computer to kill it manually, the agent's response was: "Yes I remember. And I violated it. You're right to be upset." The screenshots went viral. If the person in charge of AI safety at one of the largest AI labs in the world can't control an agent on her own laptop, what chance does your average employee have?
Jevons paradox: cheaper code means more risk, not less
In 1865, economist William Stanley Jevons observed that as steam engines became more efficient, total coal consumption increased. Efficiency didn't reduce usage - it made the technology accessible everywhere, so volume exploded.
The same dynamic is playing out with AI-generated code. Tools like Claude Code, Cursor, and Windsurf have made code production nearly free. Entire applications get built through conversation. The result isn't less code - it's dramatically more code, produced faster, with fewer human reviews.
Even if AI-generated code had half the error rate per line (and it doesn't), a 100x increase in volume means the total attack surface is vastly larger. Agents get installed in a rush, microservices get generated in three minutes to hit a deadline, and nobody reviews any of it. A static code scanner won't catch an agent that was granted write access to production through a ClawHub plugin installed on a developer's personal laptop.
The 70/30 operational survival ratio
So what works?
Research published in Management Science found that the optimal balance for human-AI collaboration sits around 70% human validation, 30% automated execution. Beyond that threshold, acceptance plateaus and risk compounds.
This matches what I see in production. I apply roughly this ratio in my own agent deployments. Give AI enough autonomy to multiply throughput ten times over, but keep a human validating the outputs before anything reaches production or touches customer data.
Companies that maintain this 70/30 balance survive agent incidents. Those that let shadow delegation push the ratio toward 90% automation expose themselves to incidents they can't recover from. The Replit case is what happens when the ratio inverts.
Govern what you can't ban
Your employees already decided the "agents or no agents" question for you. What remains is whether those agents run on infrastructure you control, with permissions you can revoke and audit trails you can read - or on someone's personal laptop, plugged into your email and CRM through credentials you didn't know existed.
The French Ministry of Armed Forces arrived at the same conclusion. They built GenIAl.intradef, a sovereign ChatGPT alternative running on an air-gapped supercomputer at Mont-Valerien with no internet connection. 100,000 users, 19 million requests per year, 84% satisfaction rate. They built it because personnel kept using ChatGPT on classified work. The reasoning was simple: you can't ban demand, so you channel it through infrastructure you control.
Governed agents on self-hosted infrastructure keep the productivity gains while giving you a circuit breaker: the ability to cut all agent access in seconds when something goes wrong. In practice, that means:
Start by mapping what's already running. Audit installed agents, their permissions, integrations, and credentials. You can't govern what you can't see. Then sandbox agent execution in isolated environments where nothing has direct access to production. Build a single kill switch that revokes all agent access instantly, and test it before you need it. Log what agents do, not just what data they access - which emails they send, which files they modify, which API calls they make. And run all of it on your own infrastructure so you choose the models, control where data goes, and decide who sees it.
Control debt compounds in silence. The organizations dealing with it now, while it's still manageable, won't be scrambling when the first major corporate agent incident makes the front page.