OpenClaw Is Going Viral.
Enterprise Agentic Orchestration Has Been Real for 2 Years.
One click gave attackers full access to connected Slack workspaces, email accounts, and CRM data. 1 in 8 skills in OpenClaw's own marketplace was seeded with malware. Over 42,000 instances were exposed to the public internet with authentication disabled. For teams running enterprise AI agents since 2024, the security crisis was not a surprise.
The Tool That Went Viral Overnight
In November 2025, an Austrian developer named Peter Steinberger published a side project called Clawdbot. He renamed it. Within 24 hours it had 25,000 GitHub stars. Within four months it had more stars than React, a milestone React took over a decade to reach. Nvidia called it "what GPT was to chatbots, but for agentic AI."
OpenClaw's idea is genuinely correct: give an AI model access to your tools, describe a goal, and let it execute the work end-to-end. People tried it and it worked. That is why it spread. Not hype, but actual utility.
But speed of adoption and safety for production are different things. And in Q1 2026, the gap between them became impossible to ignore.
What Actually Happened in Q1 2026
The security incidents were not theoretical. They were documented, named, and measured.
One malicious link. Attacker inherits your full session: Slack, Gmail, CRM, GitHub. No interaction beyond the click required.
Malicious skills in ClawHub delivered Atomic macOS Stealer: passwords, browser cookies, crypto wallets, and API keys, harvested silently.
Instances exposed on the public internet with authentication disabled. API keys and chat histories readable by anyone who looked.
CVE-2026-25253 was the most straightforward to exploit. OpenClaw's control interface automatically trusted any gateway URL passed as a query parameter, then opened a WebSocket connection that handed your authentication token to whoever was at the other end. An employee visits one link, from a Slack message, an email, or a search result, and an attacker inherits their entire connected session. Every OAuth token. Every account the agent was authorized to touch. No further action required.
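The trust failure described above, shown next to a hardened form that treats the query parameter as a selector over pre-approved gateways. This is an added example, not OpenClaw's code: the parameter name gatewayUrl, the hostnames and the function names are assumptions made for illustration.

```javascript
// Added example. Hypothetical names; this is not OpenClaw source code.
// Assumption: the control UI takes its gateway from a "gatewayUrl" query parameter.
const DEFAULT_GATEWAY = "wss://gateway.example.internal/ws"; // constructed value
const ALLOWED_ORIGINS = new Set([
  "wss://gateway.example.internal", // constructed allowlist
  "ws://localhost:8080",
]);

// Pattern the article describes: whatever the link supplies is trusted, so the
// auth token sent on connect goes to a host chosen by the link's author.
function resolveGatewayVulnerable(pageUrl) {
  return new URL(pageUrl).searchParams.get("gatewayUrl") || DEFAULT_GATEWAY;
}

// Hardened: the parameter can only select a pre-approved origin. Anything
// else falls back to the default and is reported so it can be logged.
function resolveGatewayHardened(pageUrl) {
  const supplied = new URL(pageUrl).searchParams.get("gatewayUrl");
  const fallback = (reason) => ({ url: DEFAULT_GATEWAY, rejected: reason });
  if (!supplied) return { url: DEFAULT_GATEWAY, rejected: null };
  let u;
  try {
    u = new URL(supplied);
  } catch {
    return fallback("unparseable");
  }
  const loopback = u.protocol === "ws:" && u.hostname === "localhost";
  if (u.protocol !== "wss:" && !loopback) return fallback("scheme");
  // "wss://trusted@other-host/" parses with other-host as the real host.
  if (u.username || u.password) return fallback("userinfo");
  // Compare the parsed origin, never a substring or prefix of the raw string.
  if (!ALLOWED_ORIGINS.has(`${u.protocol}//${u.host}`)) return fallback("origin");
  return { url: u.href, rejected: null };
}

// Constructed sample links, as they might arrive in a chat message or e-mail.
const page = (gw) =>
  "https://control.example.internal/?gatewayUrl=" + encodeURIComponent(gw);
const samples = [
  "wss://gateway.example.internal/ws",
  "wss://collector.example.net/ws",
  "wss://gateway.example.internal.example.net/ws",
  "wss://gateway.example.internal@example.net/ws",
];
for (const gw of samples) {
  const r = resolveGatewayHardened(page(gw));
  console.log(gw, "->", r.url, r.rejected ? `(rejected: ${r.rejected})` : "(accepted)");
}
```

The token should be attached to the WebSocket handshake only after this check has returned, and each rejection reason is worth logging as a signal that someone opened a crafted link.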
The ClawHavoc campaign ran through OpenClaw's own plugin marketplace. Attackers published skills that looked legitimate, such as calendar tools, CRM helpers, and email assistants, and seeded them with Atomic macOS Stealer. Users who installed them had passwords, browser cookies, saved credentials, and crypto wallet keys silently harvested. By the time researchers completed their sweep, between 341 and 824 skills in the registry were confirmed malicious. That is roughly 1 in 8.
And then there was the exposure problem. Security researcher Maor Dayan scanned the public internet and found 42,665 OpenClaw instances accessible without authentication, meaning API keys, conversation histories, and connected account credentials were readable by anyone who looked. Bitdefender's telemetry from business environments confirmed what made this particularly dangerous: employees were installing OpenClaw on corporate laptops using single-line commands, with no IT approval and no visibility from their security team.
Meta banned installation on any work device with reported termination for violations. Microsoft published guidance telling companies to avoid running OpenClaw with primary work accounts. Cisco called it "a security nightmare." The Chinese government restricted state agencies and state-owned enterprises from deploying it.
Nine CVEs were published in a four-day window in March 2026 alone.
None of this reflects the developer's intent. Peter Steinberger built a side project that solved a real problem. It was never designed for enterprise production. The problem is that it got deployed as if it were.
The Other Reason People Love It (and What to Do Instead)
Security aside, OpenClaw exposed something that had been frustrating enterprise teams for years: the SaaS billing model is broken for operational work.
Every Zapier zap, every HubSpot seat, every Salesforce license charges for access, not results. You pay whether the automation runs or fails. You pay whether agents are active or sitting idle. OpenClaw users discovered they could execute real multi-step workflows for the cost of API tokens. That resonated.
Dialogo AI was built on the same insight, but the billing model is the whole design, not a side effect. You pay €0.30 per successfully completed task. Nothing for attempts that fail. Nothing for idle infrastructure. The agent either delivers the result or you don't pay.
Two Years Before the Trend
Dialogo AI has been running AI agents in production for enterprise clients since early 2024 — before OpenClaw existed. The difference is not just timing. It is what those two years produced: agents that run under real compliance requirements, with scoped access, full action logs, and approval gates before anything sensitive executes.
Dialogo AI is backed by Plug and Play, the Silicon Valley accelerator that backed PayPal, Dropbox, and Google at early stage.
These are production numbers. Not benchmarks, not demos. The category OpenClaw introduced to millions of people has been running at enterprise scale for two years. The question it raised, whether AI agents can handle real operational work, was already answered.
OpenClaw vs. Dialogo AI: The Honest Comparison
Both platforms let AI agents execute multi-step workflows across your connected tools. The goal is the same. What separates them is what happens when something goes wrong, and whether anyone finds out.
The Takeaway
OpenClaw moved fast because the idea is right. People are ready for AI that acts, not just answers. The viral spread was real signal, not manufactured hype.
But the Q1 2026 incidents showed what happens when a tool built for a personal Mac Mini gets deployed inside an organization without a security review. One malicious link, one compromised skill, or one exposed instance with authentication off can cause damage. The access an AI agent holds, such as OAuth tokens, connected accounts, and execution rights across your stack, makes the blast radius large.
The teams running enterprise AI agents since 2024 already know this. The conversation was never about whether agents could do the work. It was always about deploying them in a way your security team, your legal team, and your customers could live with.

6+ years building production LLM systems and agentic platforms for European enterprises. Dialogo AI is backed by Plug and Play, the Silicon Valley accelerator behind PayPal, Dropbox, and Google. Pursuing MSc Data Science at Università degli Studi di Milano.
We put together a one-page security checklist for evaluating any AI agent platform (OpenClaw included) against what enterprise deployments actually require.
Share this on LinkedIn and comment "AUDIT" and we'll send it to you.