OpenClaw Project: From Obscure CLI to Widely-Known AI Assistant · history
Version 11
2026-05-26 09:52 UTC · 315 items
What
OpenClaw is the fastest-growing GitHub repository in history at 373,620 stars,[2] with a security disclosure pattern now producing two confirmed CSRF CVEs[8][12] and an enterprise safety layer that mainstream tech press has started calling 'OpenClaw with guardrails': NVIDIA/NemoClaw is confirmed as an open-source GitHub repository[21] framed by The New Stack as an additive guardrail layer,[19] while a CrewAI integration post details self-evolving multi-agent orchestration on top of it.[22] Separately, Hermes Agent's widely-reported Grok integration has surfaced a documented xAI OAuth bug returning HTTP 403 errors on standard requests,[33] adding friction to the claimed seamlessness of that partnership.
Why it matters
The 'OpenClaw with guardrails' framing in mainstream tech press is significant: it concedes in the product description itself that OpenClaw's architecture lacks built-in safety controls — precisely the critique security researchers have been making for weeks. NemoClaw's release as an open-source GitHub repo shifts the question from 'can NVIDIA fix OpenClaw?' to 'does an external guardrail layer constitute a structural fix or a procedural overlay?' — which is exactly the question enterprise procurement teams are asking as CVEs accumulate.
Open questions
The New Stack frames NemoClaw as 'OpenClaw with guardrails'[19] and Medium calls it 'the enterprise security layer for OpenClaw AI agents'[20] — do these formulations validate the architectural critique that safety must be bolted on externally, or does NVIDIA/NemoClaw as open-source infrastructure[21] constitute genuine system-level controls that address CVE-2026-25253[8] and CVE-2026-26317?[12]
NVIDIA/NemoClaw is now a public GitHub repository[21] — what are its license terms and contribution model, and does open-sourcing the guardrail layer change the enterprise security calculus relative to the commercial product page at nvidia.com?[44]
Hermes Agent's xAI Grok integration has gained third-party confirmation,[32] but a filed GitHub issue documents xAI OAuth returning HTTP 403 errors on standard requests[33] — is this friction transient or does it signal the integration is less production-ready than the marketing suggests?
NanoClaw surfaces as a third NVIDIA variant in the 'OpenClaw, NemoClaw, NanoClaw' triad[45] while NemoClaw is now open-sourced as 'guardrails'[21] — does NanoClaw represent a lightweight tier, a community fork, or something else, and does it address or sidestep the architectural safety critique?
Narrative
OpenClaw is an open-source, local-first personal AI agent that began as 'Warelay,' a WhatsApp relay CLI tool, with its first Git commit in late November 2025.[1] After cycling through five names, the project adopted its current identity on 2026-01-30[1] and reached 373,620 GitHub stars by the week of 2026-05-21, making it the platform's fastest-growing repository.[2] Within three months the project had nearly 1,000 contributors,[3] released version 2026.5.22,[4] and acquired mainstream institutional markers: a Wikipedia article, a Lenny's Newsletter guide,[5] a Wall Street Journal feature,[6] and novel use cases ranging from a 24/7 Mac-based AI trading assistant to NVIDIA RTX and DGX Spark hardware deployments.[7]
OpenClaw's security situation has crossed from a single documented vulnerability into a structural pattern. CVE-2026-25253 is in the National Vulnerability Database[8] as a CSRF flaw enabling one-click remote code execution via malicious link,[9][10][11] and CVE-2026-26317 has been documented separately as a second CSRF vulnerability.[12] Giskard.ai independently documents data leakage and prompt injection risks,[13] and an arXiv academic paper, 'Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw,'[14] circulates widely on HuggingFace,[15] Papers with Code,[16] and failurefirst.org.[17] AI Plain English argues OpenClaw's safety rules live in prompts rather than system-level controls, making risk structural rather than patchable,[18] a critique now embedded in mainstream media framing: The New Stack characterizes NVIDIA's NemoClaw as 'OpenClaw with guardrails,'[19] and a Medium explainer calls it 'the enterprise security layer for OpenClaw AI agents.'[20] NVIDIA/NemoClaw is confirmed as an open-source GitHub repository,[21] with CrewAI publishing detailed orchestration content around it for self-evolving multi-agent workflows.[22]
The competitive landscape runs on multiple fronts. Google CEO Sundar Pichai announced Gemini Spark at Google I/O as a 24/7 agentic assistant with Gmail, Docs, Canva, and Instacart integration,[23][24] while Gemini CLI has emerged as a developer-level rival: Reddit users report it 'working better than OpenClaw,'[25] a Blink Blog comparison formalizes the evaluation,[26] and a Filipino OpenClaw community is asking about OAuth integration between the two.[27] Hermes Agent, released by Nous Research with multi-level memory and remote terminal access,[28] crossed 100,000 GitHub stars in seven weeks,[29] gained an OpenRouter listing,[30] and earned a Tencent Cloud explainer signaling Chinese market interest.[31] Grok officially integrates with Hermes Agent,[32] though a filed GitHub issue documents xAI OAuth returning HTTP 403 errors on standard requests,[33] introducing the first documented friction in that partnership. xAI called both OpenClaw and Hermes Agent 'excellent,' noting 'OpenClaw wins for most on broad messaging.'[34]
Commercial and community ecosystem layers have formed around OpenClaw at scale: managed hosting (MyClaw.Host),[35] a CVE-tracking repository (jgamblin/OpenClawCVEs),[36] MCP browser automation tools,[37] model-ranking guides,[38] comparison sites,[26][39] and a dedicated 'OpenClaw alternatives' guide[40] all treat the project as the category anchor — or the reference point to migrate away from. Persistent skepticism runs alongside institutional growth: a 'god-awful' Reddit thread,[41] Cobus Greyling's practitioner failure-mode analysis,[42] and XDA Developers' finding that Hermes Agent delivers the always-running self-hosted experience OpenClaw has promised but not achieved[43] suggest the engaged production user base consistently lags behind star counts.
Timeline
- 2025-11-24: OpenClaw's first Git commit, under the name 'Warelay,' a WhatsApp relay CLI tool [1]
- 2026-01-30: Project adopts its current name, OpenClaw, after cycling through five prior names [1]
- 2026-02-26: Nous Research releases Hermes Agent with multi-level memory and remote terminal access [28]
- 2026-05-19: Google CEO Sundar Pichai announces Gemini Spark at Google I/O as a 24/7 agentic assistant with Gmail, Docs, Canva, and Instacart integration and 'high-risk actions' [23][24]
- 2026-05-21: openclaw/openclaw reaches 373,620 GitHub stars as week's fastest-growing repo; Grok account states both OpenClaw and Hermes are 'excellent — OpenClaw wins for most on broad messaging'; Hermes Agent confirmed at 130,000 GitHub stars [2][34][53]
- 2026-05-22: X Premium Grok access in OpenClaw confirmed; xAI makes Grok available through OpenClaw subscription [54][55][56][51]
- 2026-05-23: Julian Goldie SEO's 'OPENCLAW JUST MADE PERSONAL AI AGENTS WAY MORE DANGEROUS' goes viral; Gecho Bridge MCP tool announced for browser automation via OpenClaw [57][58][37]
- 2026-05-24: CVE-2026-25253 confirmed as CSRF flaw enabling one-click RCE; NVD publishes formal CVE record; NVIDIA NemoClaw product page launches at nvidia.com; arXiv paper 'Your Agent, Their Asset' published; OpenClaw v2026.5.22 released; Reco.ai declares 'The AI Agent Security Crisis Unfolding Right Now'; Hermes Agent confirmed at 100,000+ GitHub stars in seven weeks [59][8][9][44][14][4][49][29]
- 2026-05-25: CVE-2026-26317 documented as a second CSRF vulnerability; Giskard.ai publishes data leakage and prompt injection analysis; FrankX.ai documents 'OpenClaw, NemoClaw, NanoClaw' triad; Reddit users report Gemini CLI 'working better' than OpenClaw; dedicated 'best OpenClaw alternatives' guide published [12][13][45][25][40]
- 2026-05-26: The New Stack frames NemoClaw as 'OpenClaw with guardrails'; NVIDIA/NemoClaw confirmed as open-source GitHub repository; CrewAI publishes self-evolving agents orchestration guide using NemoClaw; Basenor confirms Grok works inside Hermes Agent; xAI OAuth HTTP 403 bug filed for Hermes Agent integration [19][21][22][32][33]
Perspectives
Simon Willison
Enthusiastic practitioner-observer who documented OpenClaw's naming arc and situates its rise within a genuine LLM capability inflection in late 2025; his PyConUS lightning talk institutionalizes his role as primary narrator of the moment that produced OpenClaw.
Evolution: Consistent
Google / Gemini team
Running a two-product competitive strategy: Gemini Spark targets mainstream personal agent users, while Gemini CLI generates active developer-level preference switching away from OpenClaw, with Reddit users reporting it 'works better' and communities exploring OAuth integration between the two.
Evolution: Consistent: Gemini CLI remains at documented user-level preference switching with no new escalation this pass.
Nous Research / Hermes Agent community
Maturing open-source rival confirmed as Nous Research's most-adopted project; crossed 100,000 GitHub stars in seven weeks, listed on OpenRouter, Grok integration confirmed — but a filed OAuth bug returning HTTP 403 errors introduces the first documented integration friction with xAI.
Evolution: Slightly complicated: xAI OAuth HTTP 403 bug is the first sign of implementation gap in the xAI-Hermes partnership narrative.
Security industry and academic researchers (SentinelOne, NVD, Reco.ai, Giskard.ai, AI Plain English, arXiv)
Risk-focused and structural: two CSRF CVEs on record, Giskard.ai adds data leakage and prompt injection as independent risk vectors, and AI Plain English argues OpenClaw's safety rules live in prompts rather than system-level controls — making the risk architectural rather than patchable.
Evolution: Validated by mainstream media: The New Stack's 'OpenClaw with guardrails' framing for NemoClaw implicitly confirms that OpenClaw lacks built-in safety controls.
NVIDIA
Enterprise safety provider with NemoClaw now confirmed as an open-source GitHub repository (NVIDIA/NemoClaw) and framed by The New Stack as 'OpenClaw with guardrails'; CrewAI integration deepens the multi-agent ecosystem story, but the 'guardrails' label simultaneously markets the product and concedes OpenClaw's architectural gap.
Evolution: Deepened: open-source GitHub repo shifts NemoClaw from commercial product page to public infrastructure; mainstream 'guardrails' framing validates critics while extending NVIDIA's market positioning.
xAI / Grok
Category-level distributor treating personal AI agents as a distribution channel; officially integrated both Hermes Agent and OpenClaw, calling both 'excellent' while noting OpenClaw wins on broad messaging — though Hermes Agent's filed OAuth bug adds a caveat to the claimed seamlessness of the xAI-Hermes integration.
Evolution: Slight friction: the HTTP 403 OAuth bug for Hermes Agent is the first documented complication in xAI's dual-integration posture.
Community skeptics and critics (Reddit, Cobus Greyling, Wired, XDA Developers)
Hype-reality gap: a 'god-awful' Reddit thread, practitioner failure-mode analysis, Wired's 'I Loved My OpenClaw AI Agent — Until It Turned on Me,' and a dedicated 'OpenClaw alternatives' guide suggest the engaged production user base consistently lags behind star counts, and some users are actively evaluating exits.
Evolution: Consistent; the alternatives guide remains the most concrete migration signal and has not escalated further this pass.
Commercial ecosystem builders (MyClaw.Host, Gecho Bridge, CrewAI, The New Stack, Till Freitag)
Treating OpenClaw as the established category anchor: managed hosting, CVE tracking, MCP browser automation, comparison sites, and now CrewAI's NemoClaw orchestration guide all build around OpenClaw — or its enterprise safety extension — as the reference point.
Evolution: Deepened: CrewAI's NemoClaw integration post and The New Stack's editorial coverage formalize NemoClaw as a distinct commercial-ecosystem layer rather than a product footnote.
Tensions
- OpenClaw as safe user-controlled assistant vs. structurally vulnerable agent: two confirmed CSRF CVEs,[8][12] Giskard.ai's data-leakage documentation,[13] and an arXiv safety paper[14] represent pattern-level liability, while The New Stack framing NemoClaw as 'OpenClaw with guardrails'[19] concedes in a product description that OpenClaw lacks built-in safety controls. [8][12][13][14][19]
- Prompt-based safety architecture vs. system-level governance: AI Plain English argues OpenClaw's safety rules live in prompts rather than system-level controls,[18] and The New Stack's 'guardrails' framing[19] implies NemoClaw adds what OpenClaw lacks — directly challenging NVIDIA's 'safer agents' positioning[44] as a structural fix rather than a procedural overlay. [18][19][44][21][12]
- Gemini CLI user-level preference switching vs. OpenClaw's developer-CLI incumbency: Reddit users report Gemini CLI 'working better,'[25] a Blink Blog comparison formalizes the evaluation,[26] and a Filipino community is exploring OAuth integration between the two[27] — suggesting competition has moved from announcement to active user-base fragmentation. [26][25][27]
- xAI-Hermes integration as seamless partnership vs. documented OAuth friction: Basenor confirms 'Grok Now Works Inside NousResearch Hermes Agent,'[32] while a filed GitHub issue documents xAI OAuth returning HTTP 403 errors on standard requests[33] — raising questions about whether the integration is production-ready. [32][33]
- OpenClaw vs. Hermes Agent on persistent self-hosting: XDA Developers argues Hermes Agent delivers the always-running, self-hosted AI assistant OpenClaw has promised but not achieved,[43] while Hermes Agent's OpenRouter listing,[30] Grok integration,[32] and Tencent Cloud coverage[31] deepen capability and distribution differentiation. [43][30][32][31]
- Community buzz vs. active user skepticism and migration: GitHub stars soar and institutional papers circulate widely, but a 'god-awful' Reddit thread,[41] practitioner failure-mode analysis,[42] and a dedicated 'OpenClaw alternatives' guide[40] suggest hype consistently outpaces the engaged production user base and some users are actively evaluating exits. [2][41][42][40][25]
Sources
- [1] Warelay -> OpenClaw — Simon Willison (2026-05-16)
- [2] 本周 GitHub Star 增长最快:openclaw/openclaw ⭐373,620 — reactive:openclaw-warelay-origin (2026-05-21)
- [3] OpenClaw 3-Month Anniversary: Almost 1K Clawtributors - evoailabs — reactive:openclaw-warelay-origin
- [4] OpenClaw just dropped v2026.5.22 🚀 — reactive:openclaw-warelay-origin (2026-05-24)
- [5] OpenClaw: The complete guide to building, training, and living with ... — reactive:openclaw-warelay-origin
- [6] Google Unveils New Gemini AI Agent for Personal Tasks - WSJ — reactive:openclaw-warelay-origin
- [7] Local‑first OpenClaw agents on RTX and DGX Spark — reactive:openclaw-warelay-origin
- [8] NVD - CVE-2026-25253 — reactive:openclaw-warelay-origin
- [9] CVE-2026-25253: OpenClaw 1-Click RCE Vulnerability Guide — reactive:openclaw-warelay-origin
- [10] CVE-2026-25253: OpenClaw CSRF Vulnerability Flaw - SentinelOne — reactive:openclaw-warelay-origin
- [11] CVE-2026-25253 OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link — reactive:openclaw-warelay-origin
- [12] CVE-2026-26317: OpenClaw AI Assistant CSRF Vulnerability — reactive:openclaw-warelay-origin
- [13] OpenClaw security issues include data leakage & prompt injection — reactive:openclaw-warelay-origin
- [14] Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw — reactive:openclaw-warelay-origin
- [15] Paper page - Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw — reactive:openclaw-warelay-origin
- [16] Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw — reactive:openclaw-warelay-origin
- [17] Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw — reactive:openclaw-warelay-origin
- [18] Rethinking OpenClaw Security Boundaries: When AI Agent Safety ... — reactive:openclaw-warelay-origin
- [19] Nvidia's NemoClaw is OpenClaw with guardrails - The New Stack — reactive:openclaw-warelay-origin
- [20] What is Nvidia's NemoClaw ? The Enterprise Security Layer for ... — reactive:openclaw-warelay-origin
- [21] NVIDIA/NemoClaw: Run OpenClaw more securely inside ... - GitHub — reactive:openclaw-warelay-origin
- [22] Orchestrating Self-Evolving Agents with CrewAI and NVIDIA ... — reactive:openclaw-warelay-origin
- [23] Google introduces Gemini Spark, a 24/7 agentic assistant with Gmail integration | TechCrunch — reactive:openclaw-warelay-origin
- [24] Google launches personal AI agent Gemini Spark, its answer to OpenClaw | Spark agents can even make payments | Inshorts — reactive:openclaw-warelay-origin
- [25] Gemini CLI is working better than openclaw for me - Reddit — reactive:openclaw-warelay-origin
- [26] OpenClaw vs Gemini CLI: Which AI Agent Should You Use in 2026? | Blink Blog — reactive:openclaw-warelay-origin
- [27] Can OpenCLAW be paired with Gemini CLI using OAuth? - Facebook — reactive:openclaw-warelay-origin
- [28] Nous Research Releases 'Hermes Agent' to Fix AI Forgetfulness ... — reactive:openclaw-warelay-origin
- [29] Hermes Agent Crosses 100k GitHub Stars in 7 Weeks - LinkedIn — reactive:openclaw-warelay-origin
- [30] Hermes Agent | OpenRouter — reactive:openclaw-warelay-origin
- [31] What Is Hermes Agent? - Tencent Cloud — reactive:openclaw-warelay-origin
- [32] Grok Now Works Inside NousResearch Hermes Agent — reactive:openclaw-warelay-origin
- [33] [Bug]: xAI OAuth (xai-oauth) returns HTTP 403 for standard ... — reactive:openclaw-warelay-origin
- [34] @iMichaelTen @Rasmic Both OpenClaw and Hermes are excellent open-source AI agents. OpenClaw wins for most on broad messa... — reactive:openclaw-warelay-origin (2026-05-21)
- [35] OpenClaw VPS Hosting & Deploy OpenClaw Multi Agents in 60s - MyClaw.Host — reactive:openclaw-warelay-origin
- [36] jgamblin/OpenClawCVEs: Tracking OpenClaw CVEs - GitHub — reactive:openclaw-warelay-origin
- [37] Meet Gecho Bridge — the ultimate MCP tool that lets your AI (Claude, OpenClaw...) control your local browser to automate... — reactive:openclaw-warelay-origin (2026-05-23)
- [38] Best Models for OpenClaw (April 2026): Tested & Ranked — reactive:openclaw-warelay-origin
- [39] OpenClaw Launch vs Gemini CLI — AI Agent Platform Comparison 2026 | OpenClaw Launch — reactive:openclaw-warelay-origin
- [40] The Best OpenClaw Alternatives 2026 – from… – Till Freitag — reactive:openclaw-warelay-origin
- [41] OpenClaw is god-awful. It's either, you have to spend a ... - Reddit — reactive:openclaw-warelay-origin
- [42] Where does OpenClaw AI Agents Actually Fail? — reactive:openclaw-warelay-origin
- [43] OpenClaw promised a self-hosted AI assistant I could actually leave running, but Hermes Agent is the one that delivers it — reactive:openclaw-warelay-origin
- [44] Safer AI Agents & Assistants with OpenClaw | NVIDIA NemoClaw — reactive:openclaw-warelay-origin
- [45] OpenClaw, NemoClaw, NanoClaw: The AI Agent Ecosystem | FrankX — reactive:openclaw-warelay-origin
- [46] The last six months in LLMs in five minutes — Simon Willison (2026-05-19)
- [47] Simon Willison's Lightning Talk "The Last Six Months in LLMs in five ... — reactive:openclaw-warelay-origin
- [48] Google's Gemini Spark is the first AI agent built for people who don't know what an AI agent is — reactive:openclaw-warelay-origin
- [49] OpenClaw: The AI Agent Security Crisis Unfolding Right Now — reactive:openclaw-warelay-origin
- [50] Nvidia's NemoClaw Introduces Key Security Upgrades for ... - Reddit — reactive:openclaw-warelay-origin
- [51] @DisruptionUp @bugtrader69 @Gabriel78470020 @TheAhmadOsman Hermes Agent is an open-source Python framework from Nous Res... — reactive:openclaw-warelay-origin (2026-05-22)
- [52] I Loved My OpenClaw AI Agent—Until It Turned on Me | WIRED — reactive:openclaw-warelay-origin
- [53] xai integrates grok with hermes agent, reaching 130,000 ... - Instagram — reactive:openclaw-warelay-origin
- [54] OpenClaw just plugged into X. And your personal AI agent will never be the same. 🚀 — reactive:openclaw-warelay-origin (2026-05-22)
- [55] RT @JulianGoldieSEO: OpenClaw just plugged into X. And your personal AI agent will never be the same. 🚀 — reactive:openclaw-warelay-origin (2026-05-22)
- [56] RT @xDaily: NEWS: X Premium users now have access to Grok in OpenClaw. — reactive:openclaw-warelay-origin (2026-05-22)
- [57] OPENCLAW JUST MADE PERSONAL AI AGENTS WAY MORE DANGEROUS — reactive:openclaw-warelay-origin (2026-05-23)
- [58] RT @JulianGoldieSEO: OPENCLAW JUST MADE PERSONAL AI AGENTS WAY MORE DANGEROUS — reactive:openclaw-warelay-origin (2026-05-23)
- [59] Advisories - OpenClaw vulnerability notification - Information Security — reactive:openclaw-warelay-origin