The “claw” ecosystem has gone from Peter Steinberger’s personal project into a genuine enterprise battleground in only just about four months. OpenClaw launched in November 2025, became GitHub’s fastest-growing repository in history , attracted hundreds of thousands of users, and got its creator hired by OpenAI.
It wasn’t long till the initial popularity popularity sparked two new major competing frameworks — IronClaw from NEAR AI and NemoClaw from NVIDIA. Both launched within weeks of each other. If you’re trying to figure out which one belongs in your stack and why, here’s what you actually need to know.
OpenClaw: The Lobster That Started It All
OpenClaw is an open-source AI agent framework built around the simple idea of giving a language model persistent memory, access to your tools and services, and letting it operate autonomously. It connects to popular messaging apps and services, it can code, run commands, manage your files, browse the web, and much more. To start working, it just needs a single conversational message.
Created by Austrian developer Peter Steinberger as a one-hour burnout project called Clawdbot in November 2025 (later rebranded to Moltbot, then OpenClaw after trademark pressure from Anthropic ), the project crossed 215,000 GitHub stars by February 2026. It drew two million visitors in a single week, and the developer community started calling deployments simply “raising lobsters.”
Architecturally, OpenClaw runs as a local Node.js server. It uses Skills as the modular building blocks that define what the agent can do. Skills are JavaScript or TypeScript plugins that execute with full access to the host environment. The agent maintains persistent memory across sessions via a local vector store, and multi-agent orchestration is possible through nested skill calls.
The access to tool is handled via MCP servers, making integration with third-party services straightforward. But this also means any MCP server you connect inherits the agent’s full permission set, and that’s exactly the crux of it all.
OpenClaw’s permission model is flat: there’s no capability scoping, no per-skill sandbox, and no distinction between read and write access to connected services. A skill that needs to read your calendar gets the same credential access as one that can send email on your behalf. When a skill is loaded from ClawHub, it executes with those same permissions immediately.
The Security Reckoning
Security researchers scanning the internet found over 30,000 publicly exposed OpenClaw instances, many running without any authentication. Even back when it was still called Clawdbot, a Kaspersky audit of the project identified 512 vulnerabilities in total, eight of them critical.
CVE-2026-25253 , disclosed in February 2026, enabled one-click remote code execution via WebSocket token theft and affected over 17,500 internet-exposed instances. The ClawHavoc campaign, documented by Koi Security, found 341 malicious skills in ClawHub, OpenClaw’s plugin registry, which amounts to roughly 12% of the entire marketplace! Updated scans later pushed that number above 800.
The structural problem is architectural: OpenClaw gives language models direct access to the file system, messaging apps, and web services. When a malicious skill gets loaded — or when prompt injection tricks the agent into executing something it shouldn’t, it inherits all of those permissions. Steinberger himself acknowledged that “achieving complete security with large language models is unattainable” and emphasized the tool was intended for individuals with the technical knowledge to manage those risks.
OpenAI hired Steinberger in February 2026. The project transitioned to an independent foundation with OpenAI’s financial and technical backing. Most known CVEs have been patched in recent releases, but the community consensus is that the architectural tension between usefulness and security hasn’t been resolved.
OpenClaw remains a great choice for power users, enthusiasts, and developers who want maximum flexibility while understanding what they’re taking on. But due to the security issues, it’s a terrible choice for corporate use cases at scale or use with highly-sensitive data. It’s exactly these issues that prompted the creation of IronClaw and NemoClaw.
Ready to grow your business?
Start your free trial today and see results within days.
IronClaw: The Rust-Based Rebuild
IronClaw, developed by NEAR AI and announced in early 2026, is an OpenClaw-inspired agent runtime rebuilt from scratch in Rust with security as the primary design constraint. Its co-founder Illia Polosukhin described it as “an agentic harness designed for security.”
The use of Rust eliminates entire classes of vulnerabilities at compile time — buffer overflows, use-after-free errors, and other memory safety issues. For a system orchestrating dozens of concurrent tool calls and processing large documents in a loop, these properties matter in production.
IronClaw’s core security architecture is built around three mechanisms:
- WASM sandbox isolation: Every tool runs inside its own WebAssembly container with capability-based permissions, approved endpoints, and strict resource limits. External or agent-generated tools can’t touch host resources they haven’t been explicitly granted access to.
- Secure credential layer: API keys, tokens, and passwords are stored in an encrypted vault and injected at the host boundary only for approved endpoints. The language model itself never sees raw credentials. This directly addresses the most dangerous class of prompt injection attacks.
- Prompt injection detection: Active scanning for attempts to override system intent or extract sensitive data.
Each security layer is isolated from the others. Compromising one doesn’t automatically compromise the next. IronClaw also includes iron-verify, a static analysis tool for skills that checks for SQL injection, command injection, path traversal patterns, and capability over-requests. In testing documented by ibl.ai
, it flagged 23 of 25 problematic skills. The overhead is roughly 15ms per skill invocation — negligible for most workflows.
IronClaw deploys on NEAR AI Cloud inside a Trusted Execution Environment (TEE), providing hardware-backed encryption from the start with no extra configuration. It also supports local self-hosting for users who want data to stay entirely on-premises. All data is stored in a local PostgreSQL database with AES-256-GCM encryption, with zero telemetry.
Beyond security, IronClaw is a functional agent framework with multi-channel support (REPL, webhooks, Telegram, Slack, browser), cron-scheduled routines, event triggers, parallel job handling, hybrid full-text and vector search for persistent memory, and MCP protocol support. It supports NEAR AI, OpenAI, Anthropic, Gemini, Mistral, and OpenAI-compatible backends.
The project launched with a free Starter tier including one hosted agent instance on NEAR AI Cloud, with paid tiers for additional agents.
The added security makes IronClaw a great alternative suitable for users and organizations for whom data confidentiality is non-negotiable. IronClaw is also meaningful for power users who want the capability ceiling of OpenClaw but without trusting their production credentials to an agent that can be manipulated.
NemoClaw: NVIDIA’s Enterprise Play
NemoClaw isn’t a standalone framework. It’s an open-source security and governance stack that wraps around OpenClaw. It was announced by Jensen Huang at GTC 2026 on March 16 , with a positioning that few in the room could have missed. Huang compared OpenClaw to Windows and Linux: “OpenClaw is the operating system for personal AI.” NemoClaw is the titanium shell.
NemoClaw installs via a single command as a TypeScript plugin for the OpenClaw CLI alongside a Python blueprint that orchestrates NVIDIA’s OpenShell runtime. OpenShell provides a kernel-level sandbox using Linux security modules that sits between the agent and the operating system.
The security model is inverted from OpenClaw’s defaults. Where OpenClaw is permissive unless you explicitly restrict it, OpenShell blocks everything unless explicitly allowed. Policies are written in YAML, letting organizations define:
- Which network domains and IPs the agent can reach
- Which filesystem paths the agent can read or write
- Which processes the agent can spawn
Blocked actions surface in a terminal UI for human review rather than failing silently. The policy engine runs out-of-process, meaning the agent can’t override it by manipulating its own configuration.
NemoClaw also includes a privacy router that routes complex queries to cloud-based frontier models while keeping sensitive data local on Nemotron models. The Nemotron 3 family, optimized for agentic workloads and featuring a hybrid Mamba-Transformer architecture, becomes the default local inference backend.
NemoClaw is fist and foremost an enterprise venture, with Salesforce, Cisco, Google, Adobe, and CrowdStrike partnerships announced. The project already had 9,000+ GitHub stars within days of launch.
Announced less than a month ago (as of writing this article), NemoClaw is still an alpha preview. Interfaces and behavior may change without notice, and local inference remains experimental on some platforms. More importantly, the hardening process is still underway, as less than a week from launch a cybersecurity researcher identified a configuration bypass.
Futurum Research analysts noted that NemoClaw addresses the deployment end of the agent trust chain well, but argued that security needs to be embedded throughout the development lifecycle, not just at the runtime layer.
There’s also a business model to read here. By default, NemoClaw routes inference requests through NVIDIA’s cloud endpoint. You can configure local Nemotron models for full on-premises deployment, but the default path creates a dependency on NVIDIA’s infrastructure. Whether that’s a problem or a feature depends on your threat model.
NemoClaw is looking to position itself as an alternative for organizations that want OpenClaw’s capabilities with a policy enforcement model their compliance and legal teams can review and sign off on.
Join our newsletter
Get latest tips, trends, and deals for free.
Security TL;DR
IronClaw and NemoClaw fight for the position of the safest option, but the truth is that all three of these systems can cause problems if you give them the wrong tools. The difference is in how much damage is structurally possible, and how much requires an active mistake on your part.
OpenClaw hands the agent full access to everything on your machine. You probably don’t have a complete inventory of what’s installed and accessible on a computer you’ve been using for years. It’s fine for enthusiasts and developers who know what they’re working with. It’s a genuine risk for anyone else.
NemoClaw builds a quality cage around that dangerous animal. The protection lives at the infrastructure layer — OpenShell’s kernel-level sandbox, policy enforcement, and the deny-by-default model. NVIDIA’s backing makes it the most likely to achieve production stability and wide adoption. The money is on this one in the enterprise market, but the default cloud routing are things to monitor.
IronClaw has arguably the most sophisticated security architecture of the three: memory-safe runtime in Rust, WASM isolation per tool, secure credential injection, prompt injection detection, and layered defenses where compromising one layer doesn’t cascade to the next. It’s also the most opinionated about data sovereignty — zero telemetry, local storage, TEE-backed cloud hosting. For use cases where data simply cannot leave the organization’s infrastructure, it’s the only framework here that makes that structurally true rather than a configuration you have to maintain.
None of these fully solve prompt injection. That’s an industry-wide open problem, and any vendor claiming otherwise is overstating the case.
The Claws Come Out
The framing of “which one wins” is a bit of a false question. OpenClaw and its incredible community remain the center of gravity for the ecosystem. NemoClaw and IronClaw are both responding to OpenClaw’s limitations, but with different philosophies.
NemoClaw’s path to dominance is the most obvious. NVIDIA has the enterprise relationships, the distribution, the hardware ecosystem to make adoption frictionless for large organizations. The bet that Huang framed — every company needs an OpenClaw strategy the way every company once needed a Linux strategy, is probably correct, and NemoClaw is positioned to be the default answer to that question in corporate environments.
IronClaw’s value proposition is more specific and more durable in regulated industries. It’s the only framework where data confidentiality is architecturally enforced rather than policy-enforced. Rust-based memory safety and WASM tool isolation are properties of the runtime, not configurations that an admin forgot to set. For legal, healthcare, and financial use cases operating under GDPR, HIPAA, or similar frameworks, that distinction has real compliance value.
OpenClaw itself isn’t going anywhere. Peter Steinberger may be at OpenAI now, but the foundation structure keeps the project independent and community-driven, and its capabilities remain unmatched for individual power users willing to manage the security surface themselves.
The most interesting question isn’t which claw survives it’s how fast NemoClaw matures from alpha and whether its kernel-level approach can keep pace with the continuously expanding attack surface that comes with self-evolving agents. Given NVIDIA’s track record of turning software bets into infrastructure standards, the smart money is that it gets there.
This post was last updated March 2026. The claw ecosystem is moving fast — CVE timelines and feature availability may have changed.
