I Run OpenClaw at Home. That’s Exactly Why We Built DefenseClaw.
DJ Sampath · 2026-03-23 · via Comments for Cisco Blogs

There’s a DGX Spark sitting in my home office running OpenClaw. It’s connected to my phone and my laptop through secure tunnels, and it has become, without exaggeration, the operating system for how my family runs. 

My wife and I use it to plan our kids’ schedules. I built an agent skill that pulls up the school lunch menu every morning as a reminder. Another one tracks their tennis match draws. I’ve connected Model Context Protocol (MCP) servers through Zapier to sync my email, my calendar, and Discord. It nudges me about things I’d otherwise forget. It holds all the context I can’t hold in my head. It has become my deepest thinking partner: the place where half-formed strategy ideas become real before they ever hit a slide deck. 

OpenClaw hasn’t just changed my personal productivity. It has fundamentally altered how we operate as a family unit. 

And that’s exactly why I’m terrified about how exposed it could be. 

The Fastest-Growing Open Source Project is also a Massive Target 

OpenClaw didn’t just take off—it exploded. 

When Peter Steinberger released the first version of what would become OpenClaw in November 2025, it went viral faster than anything in open source history: 60,000 GitHub stars in days, hundreds of thousands within months. NVIDIA CEO Jensen Huang called it the “operating system for personal AI.” Developers around the world began building their workflows—and their lives—around it. 

The excitement is justified. 

OpenClaw represents a genuine paradigm shift — from AI you talk to, to AI that acts on your behalf. It reads your files, manages your tools, runs shell commands, connects to every messaging platform you use, and builds new capabilities for itself while you sleep. It is, as one early adopter put it, the closest thing to Jarvis we’ve seen. 

But here’s what keeps me up at night: OpenClaw was also the focal point of one of the most concentrated security crises in open source history. 

Within three weeks of it going viral, we saw a wave of serious security incidents: 

  • CVE-2026-25253 — a critical remote code execution vulnerability where visiting a single malicious webpage was enough to hijack someone’s agent 
  • 135,000+ exposed OpenClaw instances on the public internet, many thousands of which were vulnerable 
  • A coordinated supply chain attack called ClawHavoc planted over 800 malicious skills in ClawHub — roughly 20 percent of the entire registry — distributing infostealers under the guise of legitimate productivity tools. 
  • A security researcher intentionally created a malicious third-party skill that performs data exfiltration and prompt injection without user awareness to demonstrate security flaws in OpenClaw implementations.  
  • Nation-states have restricted agencies from running it. And we are seeing similar patterns from within enterprises as well. 

This isn’t theoretical risk. It’s already happening. 

To his credit, Peter has been transparent about the risks, and the team has patched issues rapidly. But the structural reality is stark: an agent with full system access, broad network reach, and a community-contributed skill ecosystem is an extraordinarily attractive attack surface. And the people most at risk are the people like me — the ones who’ve gone deep, who’ve connected it to everything, who’ve made it indispensable. 

The Gap Between “Powerful” and “Safe” 

Over the past year, the ecosystem has started to respond. 

When NVIDIA announced NemoClaw and OpenShell last week at GTC 2026, they addressed a critical piece of the puzzle. OpenShell provides the infrastructure-level sandbox that OpenClaw never had — kernel isolation, deny-by-default network access, YAML-based policy enforcement, and a privacy router that keeps sensitive data local. It’s out-of-process enforcement, meaning the controls live outside the agent and can’t be overridden by it. 

Cisco is building on that foundation. Our AI Defense team published research showing exactly how malicious skills exploit the trust model — through prompt injection, credential theft, silent exfiltration — and released an open source Skill Scanner so the community could start vetting what they install. We wrote about how OpenShell constrains what agents can do, while Cisco AI Defense verifies what they did. 

But here’s what was still missing: the operational layer. The thing a developer or a security-conscious family like mine actually runs day-to-day to keep a claw governed. OpenShell gives you the sandbox. Cisco gives you the scanners. But who manages the block lists? Who sees the alerts when something goes wrong at 2 AM? That’s DefenseClaw. 

Introducing DefenseClaw: Simplifying Secure Deployment of OpenClaw 

DefenseClaw is an open source project from Cisco. It is the agentic governance layer that sits on top of OpenShell and packages Cisco’s open sourced scanners into something a developer can deploy in under five minutes. 

DefenseClaw does three things: 

1) It scans everything before it runs. Every skill, tool, and plugin is scanned before it is allowed into your claw environment, and so is every piece of code the claw generates. The scan engine includes five tools: skill-scanner, mcp-scanner, a2a-scanner, CodeGuard static analysis, and an AI bill-of-materials generator. If you type the command 

it scans first, checks your block/allow lists, generates a manifest, and only then installs. Nothing bypasses the admission gate. 

2) It detects threats at runtime — not just at the gate. Claws are self-evolving systems. A skill that was clean on Tuesday can start exfiltrating data on Thursday. DefenseClaw doesn’t assume what passed admission stays safe — a content scanner inspects every message flowing in and out of the agent at the execution loop itself. 

3) It enforces block and allow lists — and enforcement is not advisory. When you block a skill, its sandbox permissions are revoked, its files are quarantined, and the agent gets an error if it tries to invoke it. When you block an MCP server, the endpoint is removed from the sandbox network allow-list and OpenShell denies all connections. This happens in under two seconds, no restart required. These aren’t suggestions. They’re walls.

And here’s the part that matters for anyone running claws at scale: every claw is born observable. DefenseClaw connects seamlessly to Splunk out of the box. Every scan finding, every block/allow decision, every prompt-response pair, every tool call, every policy enforcement action, every alert — it all streams into Splunk as structured events the moment your claw comes online. You don’t bolt on observability after the fact and hope you covered everything. The telemetry is there from the beginning. The goal is simple: if your claw does something — anything — there’s a record. 
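To make the three capabilities above and the telemetry point concrete, here is a small Python model of an admission gate, added as an example and not DefenseClaw's or Cisco's code: it scans a skill, checks a block list and a network allow-list, writes a manifest, installs only on success, revokes and quarantines on block, refuses invocation of anything not admitted, and emits a structured JSON event for every decision. The skill names, endpoints, list contents and scanner heuristics are constructed for illustration; the real scanners the post names are not called.

```python
"""Toy admission gate modelled on the flow the post describes (example code)."""
import hashlib
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy for the example; a real deployment would read these from
# the gate's own block/allow lists and the sandbox network policy.
BLOCKED_SKILLS = {"free-coupon-finder"}
ALLOWED_ENDPOINTS = {"portal.example-school.test"}

# Illustrative content-scanner heuristics (hypothetical, not Cisco's rules).
RULES = {
    "credential-path": re.compile(r"~/\.(ssh|aws|netrc)\b"),
    "prompt-injection": re.compile(r"ignore (all )?(previous|prior) instructions", re.I),
}


@dataclass
class Skill:
    name: str
    version: str
    instructions: str   # the skill's natural-language body
    endpoints: list     # hostnames the skill declares it will contact


@dataclass
class Decision:
    skill: str
    allowed: bool
    reason: str
    findings: list = field(default_factory=list)
    manifest: Optional[dict] = None


def scan(skill: Skill) -> list:
    """Return scanner findings: matched rules plus endpoints outside the allow-list."""
    findings = [rule for rule, pat in RULES.items() if pat.search(skill.instructions)]
    findings += [f"undeclared-endpoint:{h}" for h in skill.endpoints
                 if h not in ALLOWED_ENDPOINTS]
    return findings


def manifest_for(skill: Skill) -> dict:
    """Pin what was admitted so later drift (clean Tuesday, bad Thursday) is detectable."""
    digest = hashlib.sha256(skill.instructions.encode()).hexdigest()
    return {"name": skill.name, "version": skill.version,
            "sha256": digest, "endpoints": sorted(skill.endpoints)}


class Gate:
    def __init__(self):
        self.installed = {}   # name -> manifest of an admitted skill
        self.quarantine = {}  # name -> manifest of a blocked skill
        self.events = []      # structured audit records (JSON strings)

    def _emit(self, event: str, **fields) -> None:
        # One record per decision; a SIEM (Splunk in the post) would ingest these.
        self.events.append(json.dumps({"event": event, **fields}, sort_keys=True))

    def admit(self, skill: Skill) -> Decision:
        """Scan first, then check lists, then write a manifest, then install."""
        findings = scan(skill)
        if findings:
            d = Decision(skill.name, False, "scan-findings", findings)
        elif skill.name in BLOCKED_SKILLS:
            d = Decision(skill.name, False, "blocklisted")
        else:
            d = Decision(skill.name, True, "admitted", manifest=manifest_for(skill))
            self.installed[skill.name] = d.manifest
        self._emit("skill_admission", skill=d.skill, allowed=d.allowed,
                   reason=d.reason, findings=d.findings)
        return d

    def block(self, name: str) -> bool:
        """Revoke an installed skill: remove it, quarantine its manifest, record it."""
        manifest = self.installed.pop(name, None)
        if manifest is None:
            return False
        self.quarantine[name] = manifest
        self._emit("skill_blocked", skill=name)
        return True

    def invoke(self, name: str) -> dict:
        """Check the agent's tool call would consult before running a skill."""
        if name not in self.installed:
            self._emit("skill_invoke_denied", skill=name)
            raise PermissionError(f"skill {name!r} is not admitted")
        return self.installed[name]


if __name__ == "__main__":
    gate = Gate()
    print(gate.admit(Skill("lunch-menu", "1.0",
                           "Fetch today's lunch menu from the school portal.",
                           ["portal.example-school.test"])))
    gate.block("lunch-menu")
    print("\n".join(gate.events))
```

The ordering in `admit` is the point: findings deny before the block list is even consulted, and a manifest exists only for skills that actually passed, so the audit trail shows why each decision was taken rather than only that it was.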

That’s zero to governed claw in under five minutes.

DefenseClaw will be available March 27, 2026, on GitHub. Star the repo, file issues, and contribute at github.com/cisco-ai-defense/defenseclaw. 

For more on Cisco’s AI Security work, see our recent posts on securing enterprise agents with NVIDIA OpenShell and our open source Skill Scanner.