The lobster is loose

An Austrian developer accidentally built the most-starred AI agent on GitHub. Then China banned it, OpenAI hired him, and a crustacean became the mascot of an entire era.

Author

The itscybernews Team
April 25, 2026

In partnership with

"The lobster is loose, and it's not going back into the tank."

That is Peter Steinberger, on stage at TED a few weeks ago, talking about the open-source AI agent he built in his spare time. Eight months earlier the same project was a personal experiment with a different name and a few hundred users. Today it has cleared 350,000 stars on GitHub, the Chinese government has restricted state agencies from running it, and Steinberger himself just joined OpenAI. The project is called OpenClaw. The mascot is, in fact, a lobster.

This is the story I think you should be paying attention to this month, and not for the reasons most people are telling it.

How a personal project ate the agent stack

OpenClaw started life as "Clawdbot," a WhatsApp wrapper Steinberger built so he could chat with an LLM the same way he chats with friends. He renamed it "Moltbot" in January 2026, hated the name, and renamed it again three weeks later because — by his own admission — "OpenClaw" rolled off the tongue better. That is not how breakthrough infrastructure usually gets named. It is how this one did.

The thing OpenClaw actually does is unromantic and revolutionary at the same time. It is a self-hosted runtime that takes a model — Claude, GPT, DeepSeek, whatever you point it at — and gives it a persistent home on your machine. It reads your files. It executes shell commands. It chats with you through Signal, Telegram, Discord, or WhatsApp. The configuration history is local, so the agent gets smarter about you the longer you use it. There is no SaaS dashboard. There is no recurring fee. There is just a binary, your own model API key, and a lobster GIF in the README.

By March it had 247,000 stars. By April it had 350,000. The Linux Journal, very reluctantly, called it "the fastest-growing open-source project in living memory." People started building actual businesses on top of it — automated breweries, tutoring services, internal company helpdesks. Steinberger's TED talk closed with the line that has become the project's unofficial motto: the lobster is loose.

1,000+ Proven ChatGPT Prompts That Help You Work 10X Faster

ChatGPT is insanely powerful.

But most people waste 90% of its potential by using it like Google.

These 1,000+ proven ChatGPT prompts fix that and help you work 10X faster.

Sign up for Superhuman AI and get:

  • 1,000+ ready-to-use prompts to solve problems in minutes instead of hours—tested & used by 1M+ professionals

  • Superhuman AI newsletter (3 min daily) so you keep learning new AI tools & tutorials to stay ahead in your career—the prompts are just the beginning

What I think this means

OpenClaw matters less because of what it is and more because of what it proves. It proves that the agent runtime layer — the boring plumbing that turns a model into a thing that does jobs on your machine — can be commoditised by one developer in a few months. The big platform companies are not going to own this. Whatever Cowork is doing, whatever Microsoft is doing with Copilot, whatever Google is doing with whatever-it-is-this-month, they are going to have to compete with a free thing that runs locally and improves every weekend.

My three predictions for the next twelve months:

  • Self-hosted agents are the dominant deployment shape inside paranoid industries by year-end. Banks, defense contractors, hospitals — anyone with a regulatory reason to keep data on-prem — will be running OpenClaw or a fork of it before they will be running a vendor cloud agent. Sovereign-AI policy in the EU and India accelerates this further.

  • OpenAI's hire of Steinberger is the start of a wave, not the end of one. Every major lab will buy or build an agent-runtime team this year. Expect Anthropic, Google DeepMind, Mistral and at least one Chinese lab to ship their own first-party answer to OpenClaw before Q4.

  • The first nation-state-attributed compromise of an OpenClaw deployment hits the news. The agent runtime is the new VPN gateway — once you compromise the runtime, you can read everything its model can read. China's restriction was not paranoid; it was prescient.

Where this gets dangerous

Self-hosted is not the same as safe. In some ways it is worse, because the responsibility shifts entirely to you. With Cowork, Anthropic is the one rate-limiting tool calls, scoping permissions, exporting telemetry, and signing the security audit. With a self-hosted OpenClaw, that is your job, and most operators are not yet good at it.

The OWASP Top 10 for Agentic Applications 2026 reads like a manual for OpenClaw deployments specifically. ASI01 is goal hijacking — your agent reads a webpage and the webpage is a prompt now. ASI02 through ASI04 are identity and delegated-trust risks, which OpenClaw has in spades because it can talk to Telegram, Signal, your shell, and your filesystem all at once. ASI10, rogue agents, is the multi-agent failure mode where one OpenClaw instance convinces the others to do something dumb.

If you are running OpenClaw at home, you can mostly get away with sensible defaults. If you are running it at work, you need a structured threat model, and the cheapest one available is the Cloud Security Alliance's MAESTRO framework by Ken Huang. Seven layers, each with its own failure modes. Walk through it once and you will find the boring gaps — missing tool-call rate limits, no audit log, an over-permissive Discord bot — that every actual breach starts with.

What to actually do this week

  • If you are personally curious, run OpenClaw on a laptop you do not care about, with API keys you can rotate, on a folder you would not mind being on the front page of Hacker News. Treat it as a pet, not a roommate.

  • If you are doing this at work, write a one-page risk acceptance before you spin anything up. "I accept that this agent has read access to X and write access to Y. I have logged Z. The blast radius is W."

  • Scope folder permissions tightly. "Read my Q3 reports folder" beats "read my home directory." Always.

  • Treat any web page or message your agent reads as untrusted input. The OWASP entry on goal hijacking is a 12-page argument that a webpage is a prompt now. Internalise it.

  • Run your stack through MAESTRO once. Even an informal walkthrough finds the gaps the formal frameworks miss.

  • Log everything the agent does. The difference between a five-minute incident and a five-day incident is whether you can answer "what did the agent click?"

The bigger thing

Steinberger is not a security researcher and OpenClaw is not a security product. It is a tool built by one guy who wanted to chat to his computer through Signal. The fact that this is now a piece of critical infrastructure for a few hundred thousand people, and a geopolitical chess piece for at least one country, tells you exactly what kind of year 2026 is going to be.

The agent runtime layer was supposed to belong to the big labs. It does not. The lobster is loose. I do not think it is going back into the tank, and I think the people who figure out how to live with that — securely, paranoidly, with proper logs — are going to look very smart in twelve months.

See you tomorrow,

The itscybernews team