In January, a mere two months after the OpenClaw project was created, hundreds of users had downloaded the agentic artificial intelligence (AI) assistant to run on their own systems. By early March, OpenClaw had surpassed 250,000 stars on GitHub — a measure of popularity among developers. Then, on March 16, the software earned enterprise legitimacy when Nvidia CEO Jensen Huang praised it during his keynote at Nvidia’s GPU Technology Conference (GTC) 2026.
“OpenClaw has open-sourced, essentially, the operating system for agentic computers,” Huang told the audience. “The implication is incredible. … Every company in the world today needs to have an OpenClaw strategy, an agentic-system strategy. This is the new computer.”
Yet OpenClaw may not yet be ready for enterprise primetime because it continues to have massive security and stability concerns. In February, Gartner recommended that companies block downloads and traffic for the platform, which it deemed to be operating “insecurely by default.” Several cybersecurity firms have found tens of thousands of vulnerable OpenClaw instances accessible via the Internet. As of early May, researchers have reported at least 454 vulnerabilities in the framework, according to the National Vulnerability Database.
Efforts to rearchitect the core OpenClaw software to improve security and stability are not simple and, in April, resulted in significant headaches for users: agents slowed, some installs got stuck in repair loops, and communication through popular channels diminished. OpenClaw creator Peter Steinberger apologized for the issues in a May 5 post.
“The problem: I underestimated how difficult it would be to get this right,” he stated.
OpenClaw, of course, is not alone. OpenAI hired the creator of OpenClaw to develop agentic capabilities, and Anthropic has already added agentic features via an “agentic harness” — an orchestration layer for agents that controls what they can access and do — as well as its widely used Claude skills. A more direct competitor to OpenClaw is Hermes, an open source, self-improving AI agent that has built-in sandboxing. It was created by Nous Research.
‘Formula One Cars Without Brakes’
Tackling the security problems posed by agentic AI is neither simple nor easy. The software security stack was not built with agents in mind, and agents resemble users more than they resemble software programs, says Dev Rishi, head of AI at Rubrik. Running the same agents at different times may result in different activity.
“These agents feel like Formula One cars without brakes,” Rishi says. “They operate so quickly and ask for such a high degree of permissions that it really is actually kind of quite scary in terms of what types of risks that they might actually expose an organization to.”
A human in the loop could act as a control, but with agents running so quickly, gaining human approval for every risky action is not scalable, he says.
Yet the promise of improved productivity means that business leaders will continue to feel the pressure. Agentic AI can immediately help with a host of enterprise coordination, administration, and information tasks, says Manoj Nair, chief innovation officer for Snyk, an application security firm. The frameworks “explode the notion of what an agent can do in people’s imaginations and drives agentic application development much faster than we have ever seen in the last year,” he says.
More than one in five AI-forward companies (22%) had OpenClaw running within days, according to Token Security, an AI agent and nonhuman identity security firm.
“We saw how fast it was spreading — basically, like wildfire — and in a lot of cases, it was shadow AI,” says Christian Simko, a product evangelist for Token Security. “Users were setting up OpenClaw instances without security or identity teams even knowing about it.”
Taming the Goal-Oriented AI
First and foremost, enterprises need visibility into what actions agents are taking, along with governance controls to set and enforce policies. Nvidia created NemoClaw — announced at GTC 2026 — as an enterprise-grade version of OpenClaw, adding agent registration, governance, and an open source orchestration layer. NemoClaw uses OpenShell for sandboxing and Nvidia’s Nemotron-3 family of AI models.
Demonstrating the need for a new security architecture took about 47 seconds. That’s how long an exploit — delivered in a support ticket — needed to escalate permissions, access customer records, exfiltrate data, and modify its own audit logs to cover its tracks, said OpenClaw’s Steinberger in a March blog post introducing NemoClaw.
NemoClaw combines kernel-level isolation through OpenShell, large language model-based policy evaluations, and an extra layer of data security to prevent exfiltration.
“[F]or the first time, we have a production-grade security architecture that was designed specifically for AI agents,” Steinberger said. “Not adapted from Web application security, not borrowed from container orchestration — built from the ground up for a world where autonomous AI systems interact with real enterprise infrastructure.”
The governance and policy engine uses formal methodology to turn policy statements, written in Rego, into actions using the OpenShell Policy Prover (OPP).
“We can’t just assume the model, the agent, and the harness will do the right thing,” says Ali Golshan, senior director of AI software at Nvidia. “We built OpenShell so the governance can be enforced by the infrastructure, and so you could be ensured it’s declarative, not probabilistic.”
The goal is to be able to write policies that allow an agent to read from, but not write to, GitHub, and to not communicate with another agent that has that capability, he says.
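The rule Golshan describes, an agent allowed to read from GitHub but not write to it, and barred from messaging a peer agent that can, written out as a Rego policy. This is an added example, not OpenShell’s or NemoClaw’s own policy code; the input fields and the capability registry are assumptions, not the OpenShell Policy Prover’s real schema.

```rego
package openclaw.policy

import rego.v1

# Added example, not OpenShell's real policy. The input shape below is assumed:
#   input.agent.id            -> the acting agent
#   input.action.kind         -> "github_api" or "agent_message"
#   input.action.method       -> HTTP method for github_api actions
#   input.action.peer         -> target agent id for agent_message actions
#   input.registry[agent_id]  -> list of capabilities granted to each registered agent
#
# Constructed sample input (a deny case: messaging an agent that can write to GitHub):
#   {"agent": {"id": "triage-bot"},
#    "action": {"kind": "agent_message", "peer": "release-bot"},
#    "registry": {"triage-bot": ["github:read"],
#                 "release-bot": ["github:read", "github:write"]}}

default allow := false

read_only_methods := {"GET", "HEAD"}

# Rule 1: the agent may read from GitHub but never write.
allow if {
	input.action.kind == "github_api"
	input.action.method in read_only_methods
	"github:read" in input.registry[input.agent.id]
}

# Rule 2: the agent may message another agent only if that peer lacks GitHub
# write capability, so a read-only agent cannot route a write through a
# more privileged peer.
allow if {
	input.action.kind == "agent_message"
	not peer_can_write_github
}

peer_can_write_github if {
	"github:write" in input.registry[input.action.peer]
}

# Reasons are emitted alongside the decision so a SIEM can see why an action was blocked.
deny contains "write to GitHub is not permitted" if {
	input.action.kind == "github_api"
	not input.action.method in read_only_methods
}

deny contains sprintf("peer %s holds github:write", [input.action.peer]) if {
	input.action.kind == "agent_message"
	peer_can_write_github
}
```

With the sample input above, `allow` evaluates to false and `deny` contains the peer reason; a `GET` against GitHub by `triage-bot` evaluates `allow` to true.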
“We’re in the very early stages of this, so this is all frontier research that we’re doing,” Golshan says.
Hybrid Approach
The security architecture will combine policies on AI enforced by OpenShell, a human or trusted agent in the loop, and a variety of other security tooling and controls to handle edge cases and block malicious content, Golshan says.
“We’re not building traditional detection and response technologies, but we do output all the logs and all the traces, so you can now take those and throw them into a data lake, a [security information and event management solution], a [security operations center], and be able to do additional analysis on them,” he says. “We give you the typing and the infrastructure. We’re not actually doing the logic itself.”
Other companies have already built additional layers of security. Cisco’s Defense Claw, for example, can scan skills and MCP servers for malicious code or unsanctioned artifacts. There’s also Snyk Agent Security.
OpenClaw’s goal is to make it so stable that it becomes a piece of boring infrastructure, Steinberger stated in his May 5 blog post. Toward that end, OpenAI and the OpenClaw Foundation are building a team around the development of technology to help create a more modular architecture where less software is in the privileged core.
“OpenClaw will keep getting more secure. It will also get smaller,” he said. “But it has to stay boringly reliable while we do that.”