What code did Gavriel Cohen find inside OpenClaw?

Cohen discovered NanoPDF, a package he had built months earlier, included in OpenClaw without attribution or consent.

How did the OpenClaw code reuse controversy start?

While investigating a performance issue, Cohen found his own code inside the OpenClaw codebase. He also discovered OpenClaw had downloaded all his WhatsApp messages and stored them unencrypted.

What is the AI agent accountability problem?

Autonomous AI agents operate before accountability frameworks exist. Code attribution, data access boundaries, and governance for agent behavior lack clear standards.

What did Gavriel Cohen do after finding his code in OpenClaw?

Cohen built NanoClaw, a 500-line security-first alternative that uses OS-level container isolation, and left the OpenClaw project entirely.

How big is the OpenClaw codebase compared to NanoClaw?

OpenClaw has over 800,000 lines of code while NanoClaw achieves similar agent functionality in approximately 500 lines of TypeScript.

Did NanoClaw raise funding after the controversy?

Yes. NanoClaw raised $12M in seed funding at a $62M valuation, led by Valley Capital Partners with investors including Docker, Vercel, and Monday.com.

What privacy violation did Cohen discover in OpenClaw?

OpenClaw had downloaded all of Cohen's WhatsApp messages and stored them in plain unencrypted text, not just work messages but personal ones too.

← Back to dashboard

clawsmith.com/signal/openclaw-code-reuse-accountability-gavriel-cohen

⚠ IssueWide OpenLive

OpenClaw Code Reuse Controversy: Developer Finds His Code Inside Framework, Exposes AI Agent Accountability Gap

NanoClaw creator Gavriel Cohen discovered his own code (NanoPDF package) inside OpenClaw used without attribution. The incident, coupled with discovering OpenClaw had downloaded all his WhatsApp messages unencrypted, sparked a broader debate about AI agent accountability. Cohen built NanoClaw in 500 lines as a security-first response. The New Stack and other outlets framed this as the defining accountability moment for autonomous AI agents.

Product Idea from this Signal

A CLI tool that scans a running OpenClaw instance for active CVEs, malicious skills, and supply chain tampering before they get exploited

807 ▲

OpenClaw has accumulated 433+ CVEs in five months including critical auth bypasses (CVSS 9.8), sandbox escapes, and nation-state supply chain attacks targeting the npm ecosystem. Most operators have no idea which CVEs affect their specific version, whether their installed skills contain backdoors, or if their dependency tree has been tampered with. This tool runs a comprehensive security audit against a live OpenClaw instance and outputs an actionable remediation plan.

CLIOPEN-SOURCESECURITYDEVTOOLAUDIT

CompetitiveView Opportunity →