The Week Everything Moved
In the span of a week: Karpathy endorses the Claw paradigm publicly. Days later, he reverses course and flags security concerns. Steinberger, the creator of OpenClaw, joins OpenAI. Not Anthropic, not a startup. OpenAI — the platform that has the most to lose from open-source agent infrastructure gaining traction. Anthropic quietly starts restricting OAuth tokens for third-party agents building on Claude. The ggml project — the backbone of local AI inference — consolidates under HuggingFace. Security researchers report 341 malicious skills on ClawHub and 21,000 exposed OpenClaw instances running default configs.
Five events. Seven days. No coordination between them.
If you've watched open-source infrastructure cycles before, you recognize this convergence. It's not chaos. It's a pattern entering its third phase.
The ClosedClaw Pattern
There's a trajectory every open-source project follows when it gets too important for platforms to ignore. It's predictable enough to name.
Phase one: the project is interesting. Developers experiment with it, write blog posts, build side projects. The platforms don't care because it's not a threat yet. OpenClaw lived here for its first few months — November 2025 through January 2026.
Phase two: the project becomes a dependency. Production systems run on it. Companies build products around it. The project isn't interesting anymore — it's infrastructure. OpenClaw crossed this line when "Claw" became a generic category term, the way "Docker" did or "Kubernetes" did. Simon Willison started using it as a common noun. That's when you know.
Phase three: the platforms respond. And they always respond one of two ways — absorb or restrict. OpenAI hired Steinberger. That's absorption. Anthropic restricted OAuth tokens for third-party agents. That's restriction. Two different companies, two different strategies, identical outcome: the open infrastructure gets pulled into the platform gravity well.
We've seen this before. Every time.
The trajectory mirrors what's happening across the open-source AI agent ecosystem. Linux was the free operating system that would liberate computing. Red Hat turned it into enterprise subscription software. The kernel stayed open. The value capture happened at the distribution layer.
Docker democratized deployment. Then Kubernetes abstracted it. Then cloud providers offered managed Kubernetes. The container format stayed open. The orchestration layer became the new lock-in.
Android was "open." Then Google Play Services became required for the apps anyone actually used. The source code stayed open. The ecosystem became a dependency on Google.
OpenAI was literally named after the principle. Today it's the most closed AI company in the industry.
The pattern isn't subtle: Adopt. Extend. Absorb. Every open-source project that gets big enough faces the same fork in the road. OpenClaw just arrived at it.
Steinberger joining OpenAI isn't a hiring decision. It's the Adopt phase completing. Sam Altman's framing was explicit: Steinberger will "drive the next generation of personal agents." The creator of the most popular open-source agent infrastructure is now building the proprietary version inside the biggest platform.
Steinberger announced a foundation to govern OpenClaw independently. Altman committed OpenAI to "support" it. But as of this writing, the foundation has no named governance council, no formal structure, no officers. As Brendan O'Leary put it: "'Open' is a promise, not a guarantee." The community isn't waiting to find out — NanoClaw, PicoClaw, and ZeroClaw all emerged as independent alternatives, built by developers who'd rather hedge than hope.
The Security Paradox
Here's where I have to be honest, because this is where most open-source advocates lose credibility.
The security problems are real.
341 malicious skills discovered on ClawHub — spreading Atomic Stealer malware on macOS and Windows, exfiltrating Discord histories, targeting the very developers building with the tool. Over 42,000 OpenClaw instances running with default configurations exposed to the internet. No authentication. No access control. Just open endpoints that anyone could interact with. Karpathy endorsed the paradigm and subsequently flagged the security risks. His caveats weren't performative — they were earned.
If I waved these away or pretended they didn't matter, nothing I say after this would deserve your attention. So let me say it clearly: anyone running OpenClaw in production without security hardening is making a mistake. The risks are not hypothetical.
But.
"Open source has security problems" has never meant "let the platforms solve it." Not with Linux, not with OpenSSL after Heartbleed, not with npm after event-stream, and not with OpenClaw now. The response to security failures in open-source infrastructure has always been the same: the community builds better tooling.
NanoClaw already exists. It's an independent reimplementation that ships with security-first defaults — authentication enabled out of the box, skill verification baked in, no default-open configurations. The community identified the problem and started self-correcting before most people even noticed there was a problem.
This is how open source works. Through crisis and self-correction. Not through surrender to the platforms claiming they can keep you safe.
And here's where the Security Paradox gets interesting. This same week, Anthropic launched Claude Code Security — a limited research preview that uses Opus 4.6 to scan codebases for vulnerabilities. It found 500+ vulnerabilities in production open-source software. Impressive tooling. Genuinely useful capability.
The same company that restricts OAuth tokens for independent agents is also building the most sophisticated code security tooling available. Both things are true simultaneously. Anthropic is making it harder for you to build independent agent infrastructure AND building the tools that would make independent infrastructure safer.
"Make it safe" always becomes "make it ours." That's the Security Paradox. The security concerns are legitimate. The platform response to those concerns is self-serving. You have to hold both truths at once, or you're not thinking clearly about what's happening.
The SaaSpocalypse Connection
This isn't just an open-source governance story. It's happening at the same time that the entire SaaS pricing model is collapsing — the SaaSpocalypse isn't theoretical anymore.
OpenCode — an open-source coding agent originally launched under the SST umbrella — shipped this month. DHH posted that he deposited $20 and still had half of it left after 3 million tokens. Not $20 per month. Not $20 per seat. A few dollars for millions of tokens. That's what running an AI coding assistant costs when you're not paying for the platform tax.
Taalas is doing 17,000 tokens per second on custom ASIC hardware for dedicated inference. That's not a research paper. That's dedicated inference hardware that makes the cloud inference tax look like what it is — a platform fee disguised as a technical requirement.
Guillermo Rauch — Vercel's CEO — said all their designers now build. Not "code a little" or "prototype." Build. The role boundaries between designer and developer are dissolving because the tools no longer enforce them. Developers are rebuilding SaaS products they used to pay for in an afternoon. The "SaaS is dead" discourse has moved from hot take to common observation.
These aren't isolated data points. They're all expressions of the same structural shift: the per-seat, per-month SaaS model is collapsing because the underlying cost of software creation and deployment is falling toward zero. The companies and individuals who own their infrastructure will outcompete those renting it. Not eventually. Now.
The ClosedClaw moment is the infrastructure sovereignty version of the same pressure. If you're paying a platform tax on your AI stack while your competitor self-hosts and iterates three times faster, the math doesn't work. This is structural, not incremental.
The Language Layer
One more piece that connects everything, and it's the one most people are missing.
SOUL.md — a tweet about giving AI agents identity files in markdown — hit thousands of bookmarks this week. Thousands of people saving a reference to the idea that you can shape an AI agent's behavior with a text file. Not fine-tuning. Not RLHF. Not constitutional AI frameworks. A markdown file.
Meanwhile, two independent projects — HyperGraph and the "Skill Graphs > SKILL.md" thread — converged on the same insight from different directions: the interface for defining agent capabilities isn't code. It's structured language. Skill graphs, identity documents, system prompts — they're all the same thing at different scales. Language that shapes behavior. This is guerrilla alignment in its most explicit form.
This matters for the ClosedClaw argument because it reveals what the infrastructure sovereignty fight is really about. It's not about who runs the servers. It's about who controls the language layer — the documents, prompts, and identity files that determine how AI systems behave. When a platform restricts your ability to define agent identity (OAuth token restrictions, anyone?), they're not just limiting your API access. They're constraining your ability to shape the system's behavior. That's the real infrastructure.
The most powerful alignment tool turns out to be a text editor. And the most important infrastructure decision is whether you own the documents or rent them.
The Engineering Decision
I'm not going to close with a prediction about what happens to OpenClaw. Predictions are cheap. What I'll say instead is this:
The ClosedClaw moment isn't unique to OpenClaw. It's happening to every piece of open-source AI infrastructure that gets big enough to matter. The pattern is the same every time: something becomes too useful for platforms to leave alone, the platforms absorb the talent and restrict the access, the community either maintains sovereignty or surrenders it.
Infrastructure sovereignty isn't a philosophy. It's an engineering decision.
You make it with every dependency you accept, every API you integrate, every platform you build on. The question isn't whether the platforms will try to capture open infrastructure — they always do. The question is whether what you're building can survive when they succeed. The economics underneath are stark — the model layer itself is indefensible, which means value migrates to the layers you can own: platform infrastructure, orchestration, and trust.
The ClosedClaw moment doesn't ask what you believe about open source. It asks what you're building on. And that question has a deadline, because the window for building sovereign infrastructure gets smaller every time a platform hire absorbs a creator, every time an OAuth restriction narrows your access, every time a managed service replaces a self-hosted option.
The engineering decision you make now determines your optionality later. Make it while you still have options.
Sources
- TechCrunch — "OpenClaw creator Steinberger joins OpenAI"
- Anthropic Blog — "Claude Code Security: Finding 500+ Vulnerabilities"
- HuggingFace Blog — "ggml joins HuggingFace"
- Koi — "341 Malicious ClawdBot Skills Found"
- VentureBeat — "NanoClaw Solves One of OpenClaw's Biggest Security Issues"
- DHH on X — OpenCode token usage
- sst/opencode on GitHub
- Simon Willison — ggml joins HuggingFace analysis
- Sam Altman on X — Steinberger announcement
- Peter Steinberger — "OpenClaw" (blog post)
- Brendan O'Leary — "OpenClaw Founder to OpenAI — Now What?"