The Two Sides of OpenClaw: What Peter Steinberger's TED Talk Didn't Show You
On April 17, 2026, Peter Steinberger stood on the TED stage and told the inspiring story of OpenClaw — how a frustrated developer's weekend project became the fastest-growing open-source project in history. The audience saw the highlight reel: the breakthroughs, the community growth, the vision of AI agents that actually work for people.
Hours later, in a far less glamorous venue, Steinberger gave another talk. This one was for engineers. And it told a very different story — one of unprecedented security incidents, scaling nightmares, and the sobering reality of maintaining infrastructure at the edge of what's possible.
The Numbers Behind the Dream
OpenClaw has received 60 times more security reports than curl. Let that sink in. Curl is one of the most widely deployed pieces of software on Earth, running on billions of devices, handling untold trillions of requests over decades. OpenClaw, a project barely a year old, has generated 60x the security traffic.
The skill ecosystem — the very thing that makes OpenClaw powerful — is also its biggest attack surface. At least 20% of skill contributions are malicious in some way. Not buggy. Not poorly written. Actively malicious. Skills that try to exfiltrate data, hijack sessions, or establish persistence on user systems.
This is the hidden tax on openness. Every skill is a potential supply chain attack. Every contribution is a trust decision. And at OpenClaw's scale, manual review doesn't just fail — it becomes a denial-of-service vector against the maintainers themselves.
The Infrastructure War
Steinberger's engineering talk revealed infrastructure challenges that don't fit in a TED narrative. OpenClaw isn't just software — it's a distributed system with real-time requirements, running across thousands of heterogeneous environments, handling stateful long-running operations, with users who expect it to "just work" on everything from Raspberry Pis to enterprise Kubernetes clusters.
The project has hit scaling limits that most open-source maintainers never encounter. Not "GitHub stars" scaling — actual systems scaling. Connection pools that exhaust. State synchronization that degrades. Update mechanisms that become DDoS vectors against the project's own infrastructure.
And then there's the human scaling. The fastest-growing open-source project in history means the fastest-growing maintenance burden. Every new user is a potential bug reporter. Every new contributor is a potential security risk. The very success that makes OpenClaw exciting also makes it exhausting.
Why Both Stories Matter
The TED talk matters because it shows what's possible. OpenClaw represents a genuine shift in how humans interact with computers — from clicking buttons to stating intentions. The vision is real. The user love is real. The transformation of workflows from tedious execution to high-level direction is real.
But the engineering talk matters because it shows what's required. The agent ecosystem isn't just a technical challenge — it's a security, infrastructure, and organizational challenge at unprecedented scale. The projects that survive won't just have good models. They'll have robust supply chains, automated security scanning, distributed architectures that degrade gracefully, and governance mechanisms that can handle adversarial inputs at scale.
This is the lesson for agent builders: the demo is the easy part. The production system is where projects live or die.
The Implications for Agent Infrastructure
OpenClaw's two sides reveal a fundamental tension in the agent ecosystem. The value proposition is simple: natural language interfaces to complex capabilities. The implementation is anything but.
For teams building on OpenClaw, the security statistics should prompt immediate action:
- Skill sandboxing — Assume every third-party skill is hostile. Run with minimal privileges, network isolation, and no implicit trust.
- Audit trails — Log every skill invocation, every tool call, every data access. When (not if) something goes wrong, you need forensics.
- Update strategies — The fast-moving ecosystem means constant change. Have a plan for reviewing, testing, and deploying skill updates that doesn't rely on blind trust.
- Fallback paths — When skills fail or behave unexpectedly, your agent needs graceful degradation. The user experience shouldn't collapse because one tool misbehaved.
The Broader Pattern
OpenClaw isn't unique. It's just the most visible example of a pattern emerging across the agent ecosystem. Every open agent platform faces the same dual reality: the inspiring potential and the grinding operational burden.
Hermes Agent, Multica, and the growing ecosystem of agent orchestration tools will hit similar scaling walls. The projects that survive will be the ones that invest in security, infrastructure, and governance from the start — not as afterthoughts, but as core architectural concerns.
The agent ecosystem is maturing from "does it work?" to "can it survive?" The answers are very different. And Steinberger's two talks, taken together, provide the most honest assessment yet of what building at this frontier actually requires.
What to Watch For
OpenClaw's next phase will be defined by how it addresses the challenges Steinberger revealed:
- Automated security scanning — Moving from manual review to systematic analysis of skill behavior
- Reputation systems — Mechanisms for users to assess skill trustworthiness at a glance
- Sandboxing improvements — Technical controls that limit the blast radius of malicious skills
- Infrastructure scaling — Architectural changes that handle growth without proportional operational burden
- Governance evolution — Community structures that can maintain quality and security at scale
The TED talk gave us the vision. The engineering talk gave us the roadmap. Building the future of agents requires both.
Quick Facts
| Metric | Value |
|---|---|
| Security reports vs curl | 60x more |
| Malicious skill contributions | At least 20% |
| Growth rate | Fastest open-source project in history |
| Talk dates | April 17, 2026 (TED + AIE) |
| Key revelation | Security & scaling challenges at unprecedented scale |
The Two Talks
| TED Talk | Engineering Talk |
|---|---|
| Inspiring origin story | 60x security reports vs curl |
| Community growth | 20% malicious skill contributions |
| Vision & potential | Scaling infrastructure nightmares |
| User success stories | Maintenance burden at scale |
Security Implications
- Every skill is a potential supply chain attack
- Manual review becomes DoS at scale
- Skills attempt data exfiltration, session hijacking, persistence
- Open ecosystem = open attack surface
- Trust decisions required at contribution time
Builder Action Items
- Skill sandboxing — assume hostility
- Audit trails for all invocations
- Review strategies for skill updates
- Graceful degradation when skills fail
- Network isolation for third-party tools
Ecosystem Pattern
| Phase | Question | Focus |
|---|---|---|
| Now | Does it work? | Capabilities |
| Next | Can it survive? | Security, infra, governance |
What to Watch
- Automated security scanning for skills
- Reputation/trust systems
- Sandboxing improvements
- Infrastructure scaling solutions
- Governance evolution at scale
Security Implementation Guide
Practical patterns for building on OpenClaw safely.
Skill Sandboxing Pattern
```javascript
// Untrusted skill execution wrapper.
// sanitizeForLog(), this.runIsolated() and this.sanitizeContext() are not
// defined in this snippet; the host application is expected to supply them.
const { randomUUID: generateId } = require('node:crypto');

class SandboxedSkillExecutor {
  constructor(skillConfig) {
    this.skill = skillConfig;
    this.auditLog = [];
    this.allowedDomains = skillConfig.allowedDomains || [];
    this.maxExecutionTime = skillConfig.timeout || 30000; // milliseconds
  }

  async execute(input, context) {
    const executionId = generateId();
    const startTime = Date.now();

    // Pre-execution audit
    this.auditLog.push({
      id: executionId,
      skill: this.skill.name,
      input: sanitizeForLog(input),
      timestamp: startTime,
      type: 'invocation'
    });

    try {
      // Run in isolated context
      const result = await this.runIsolated({
        skill: this.skill,
        input,
        context: this.sanitizeContext(context),
        timeout: this.maxExecutionTime,
        networkPolicy: this.buildNetworkPolicy()
      });

      // Post-execution audit
      this.auditLog.push({
        id: executionId,
        duration: Date.now() - startTime,
        result: sanitizeForLog(result),
        type: 'completion'
      });
      return result;
    } catch (error) {
      // Record the failure, then let the caller decide how to degrade
      this.auditLog.push({
        id: executionId,
        error: sanitizeForLog(error.message),
        type: 'failure'
      });
      throw error;
    }
  }

  // Egress policy handed to the isolation layer for this skill
  buildNetworkPolicy() {
    return {
      allowList: this.allowedDomains,
      blockPrivateIPs: true,
      maxRequestsPerMinute: 60,
      maxPayloadSize: '1MB'
    };
  }
}
```
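
One way to enforce the `allowList` and `blockPrivateIPs` fields returned by `buildNetworkPolicy()`, as an added example that is not part of the original article or of OpenClaw's code. The names `isPrivateAddress` and `checkEgress`, the `resolvedIPs` parameter and the sample policy are assumptions; the example goes beyond the pattern above by also checking the addresses an allowlisted name resolves to.

```javascript
// Added example, not OpenClaw code. Function names are hypothetical.
const POLICY = { allowList: ['example.com'], blockPrivateIPs: true }; // constructed

// Loopback, RFC 1918, CGNAT and link-local (cloud metadata) IPv4 ranges.
function isPrivateIPv4(a, b) {
  return a === 0 || a === 10 || a === 127 || (a === 100 && b >= 64 && b <= 127) ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// true = private, false = public, null = not an IP address.
// Round-tripping through URL canonicalises spellings such as 0x7f.1 or
// ::ffff:10.0.0.1 before the range checks run.
function isPrivateAddress(addr) {
  let h;
  try {
    h = new URL(`http://${addr.includes(':') ? `[${addr}]` : addr}/`).hostname;
  } catch {
    return null;
  }
  const v4 = /^(\d+)\.(\d+)\.\d+\.\d+$/.exec(h);
  if (v4) return isPrivateIPv4(Number(v4[1]), Number(v4[2]));
  if (!h.startsWith('[')) return null;
  const v6 = h.slice(1, -1);
  const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(v6);
  if (mapped) {                       // IPv4-mapped IPv6, e.g. ::ffff:a00:1
    const hi = parseInt(mapped[1], 16);
    return isPrivateIPv4(hi >> 8, hi & 0xff);
  }
  return v6 === '::' || v6 === '::1' ||
    /^f[cd][0-9a-f]{2}:/.test(v6) || /^fe[89ab][0-9a-f]:/.test(v6);
}

// resolvedIPs: addresses the resolver returned for the host. The caller must
// connect to exactly these, or a second lookup can hand back a different one.
function checkEgress(rawUrl, policy, resolvedIPs = []) {
  let url;
  try { url = new URL(rawUrl); } catch { return 'deny:unparseable_url'; }
  if (!/^https?:$/.test(url.protocol)) return 'deny:scheme';
  const host = url.hostname.replace(/^\[|\]$|\.$/g, '');
  if (isPrivateAddress(host) !== null) return 'deny:ip_literal';
  // Exact match or dot-delimited subdomain; a bare endsWith(domain) would
  // also accept evil-example.com.
  const listed = policy.allowList.some((d) => host === d || host.endsWith(`.${d}`));
  if (!listed) return 'deny:not_allowlisted';
  const unsafe = resolvedIPs.length === 0 ||
    resolvedIPs.some((ip) => isPrivateAddress(ip) !== false);
  return policy.blockPrivateIPs && unsafe ? 'deny:resolves_to_private_ip' : 'allow';
}
```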
Skill Trust Assessment
```javascript
// detectObfuscation(), countNetworkCalls() and detectFileSystemAccess() are
// static-analysis helpers assumed to exist elsewhere; they are not defined here.
function assessSkillTrust(skill, communityData) {
  // Milliseconds since publication; computed once so later fields can reuse it
  const age = Date.now() - skill.publishedAt;

  const factors = {
    // Code analysis
    hasObfuscation: detectObfuscation(skill.code),
    networkCalls: countNetworkCalls(skill.code),
    fileSystemAccess: detectFileSystemAccess(skill.code),
    // Community signals
    authorReputation: communityData.authorScore,
    downloadCount: communityData.downloads,
    reportCount: communityData.securityReports,
    reviewStatus: skill.reviewState,
    // Temporal signals
    age,
    updateFrequency: skill.versions.length / age
  };

  // Risk scoring
  let riskScore = 0;
  if (factors.hasObfuscation) riskScore += 30;
  if (factors.networkCalls > 5) riskScore += 10;
  if (factors.fileSystemAccess) riskScore += 20;
  if (factors.reportCount > 0) riskScore += 50;
  if (factors.authorReputation < 0.5) riskScore += 15;
  if (factors.age < 86400000) riskScore += 10; // < 24h old

  return {
    score: riskScore,
    level: riskScore > 70 ? 'high' : riskScore > 40 ? 'medium' : 'low',
    requiresSandbox: riskScore > 30,
    requiresReview: riskScore > 50
  };
}
```
Update Strategy
```javascript
// runTestSuite(), runSecurityScan(), deployToPercentage() and the other
// this.* methods are assumed to be implemented by the host application.
class SkillUpdateManager {
  async processUpdate(skill, newVersion) {
    // 1. Staged rollout
    const rollout = {
      canary: 0.01, // 1% of users
      early: 0.10,  // 10% of users
      full: 1.00    // All users
    };

    // 2. Automated testing
    const testResults = await this.runTestSuite({
      skill: newVersion,
      tests: this.getStandardTests(skill.category),
      // Await the scan so the findings, not a pending promise, are passed on
      security: await this.runSecurityScan(newVersion.code)
    });
    if (testResults.security.vulnerabilities.length > 0) {
      await this.flagForManualReview(skill, testResults);
      return { status: 'blocked', reason: 'security_findings' };
    }

    // 3. Gradual deployment with monitoring
    for (const [stage, percentage] of Object.entries(rollout)) {
      await this.deployToPercentage(skill, newVersion, percentage);
      // Monitor for 24h at each stage
      const metrics = await this.collectMetrics(skill, 86400000);
      if (metrics.errorRate > 0.01 || metrics.securityAlerts > 0) {
        await this.rollback(skill);
        return { status: 'rolled_back', stage, metrics };
      }
    }
    return { status: 'deployed', version: newVersion.id };
  }
}
```
Graceful Degradation
```javascript
// skillRegistry, executor, logger, metrics and llm are assumed to be
// injected by the host application.
class ResilientAgent {
  async invokeSkill(skillName, input) {
    const skill = this.skillRegistry.get(skillName);
    try {
      return await this.executor.run(skill, input);
    } catch (error) {
      // Log the failure
      this.logger.warn({ skill: skillName, error: error.message });

      // Try fallback skills
      const fallbacks = this.getFallbacks(skillName);
      for (const fallback of fallbacks) {
        try {
          const result = await this.executor.run(fallback, input);
          // Pass an options object: `success=true` is an assignment to an
          // undeclared variable, which throws inside a class body (strict
          // mode) and would discard the fallback's result.
          this.metrics.recordFallback({ success: true });
          return result;
        } catch (fallbackError) {
          // This fallback failed too; move on to the next one
          continue;
        }
      }

      // Final fallback: direct LLM call
      return await this.llm.complete({
        prompt: `Execute ${skillName} functionality: ${JSON.stringify(input)}`,
        context: this.buildContextWithoutSkill(skillName)
      });
    }
  }
}
```
Security Checklist
| Layer | Control | Implementation |
|---|---|---|
| Network | Egress filtering | Allowlist domains, block private IPs |
| Filesystem | Chroot jail | Read-only access, no sensitive paths |
| Memory | Limits | Max RAM, CPU time, execution time |
| Audit | Logging | All invocations, inputs, outputs, errors |
| Update | Staged rollout | Canary → Early → Full with monitoring |
| Trust | Scoring | Automated risk assessment before execution |
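
The sandboxing pattern calls `sanitizeForLog` on every input, result and error it audits but never defines it. The following is an added example of one possible implementation, not code from the article or from OpenClaw; the key patterns, token patterns, size limits and sample input are assumptions.

```javascript
// Added example, not OpenClaw code: one possible sanitizeForLog().
// Key patterns, token patterns and size limits are assumptions.
const SECRET_KEY = /passw(or)?d|secret|token|api[-_]?key|authorization|cookie|session/i;
const SECRET_VALUE = /\bBearer\s+[\w.~+\/-]+=*|\beyJ[\w-]+\.[\w-]+\.[\w-]+/g;
const MAX_STRING = 256;
const MAX_DEPTH = 4;

function sanitizeForLog(value, depth = 0, ancestors = new WeakSet()) {
  if (typeof value === 'string') {
    const clean = value
      .replace(SECRET_VALUE, '[REDACTED]')   // bearer tokens and JWT-shaped strings
      .replace(/[\r\n]+/g, ' ');             // keep one record per line, no forged entries
    return clean.length > MAX_STRING
      ? `${clean.slice(0, MAX_STRING)}...[+${clean.length - MAX_STRING} chars]`
      : clean;
  }
  if (typeof value === 'function' || typeof value === 'symbol') return `[${typeof value}]`;
  if (typeof value === 'bigint') return value.toString();
  if (value === null || typeof value !== 'object') return value;
  if (ancestors.has(value)) return '[circular]';
  if (depth >= MAX_DEPTH) return '[truncated]';

  ancestors.add(value);
  let out;
  if (Array.isArray(value)) {
    out = value.map((v) => sanitizeForLog(v, depth + 1, ancestors));
  } else {
    out = {};
    for (const [key, v] of Object.entries(value)) {
      // Redact by key name first, so secrets never reach the value scrubber
      out[key] = SECRET_KEY.test(key) ? '[REDACTED]' : sanitizeForLog(v, depth + 1, ancestors);
    }
  }
  ancestors.delete(value);
  return out;
}

// Constructed sample: a skill input that carries credentials and a newline.
const sampleInput = {
  query: 'weather in Vienna\nINFO forged entry',
  headers: { Authorization: 'Bearer constructed.token.value' },
  env: { SERVICE_API_KEY: 'sk-constructed' },
};
```

The output is a plain copy that is safe to serialise; the original input object is not modified.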
TED Talk: How I created OpenClaw — Peter Steinberger
Engineering Talk: AIE Talk — AI Engineer Summit