OpenClaw went from a weekend project to the most-starred software repo on GitHub in under five months, accumulating over 346,000 stars. That number has become a proxy for how fast the appetite for personal AI agents is moving. But "most stars on GitHub" and "safe to give your team's Slack access to" are different sentences.
This week's v2026.7.1 release is a useful moment to look at both things honestly.
What v2026.7.1 actually ships
OpenClaw's major v2026.7.1 release brings a revamped Control UI, easier onboarding, updated iOS, Android, and macOS apps, broader model support, and stronger Codex and connected coding-agent workflows.
The release pulls together 3,063 contributions from 532 contributors.
The Slack-relevant changes are concrete. Slack threads, cards, progress, identity, reactions, and duplicate prevention improve, while longer conversations avoid more unnecessary waits. But the more meaningful part for engineering teams is the coding-agent story.
The openclaw attach command gives Claude Code temporary access to a selected session; Codex delegation and native subagents return tracked results more reliably; and long-running sessions and goals are easier to resume.
There is also a new feature worth noting specifically:
coding-agent memory can now be imported from Codex and Claude Code into the Control UI.
The openclaw-code-agent plugin, which targets this release, fills in the workflow details.
It runs Claude Code, Codex, and experimental OpenCode as managed background coding sessions from OpenClaw chat, adding plan approval, session lifecycle, wake routing, worktree isolation, merge/PR follow-through, and explicit goal loops on top of the agent backends.
The default loop is plan-first:
Claude Code, Codex, and OpenCode produce a plan before implementation; the plan can be approved, revised, or rejected through buttons, or with plain-text Approve, Revise, or Reject in the same thread.
In practice, that means you can send a message in Slack or Discord, OpenClaw starts a coding session in an isolated worktree, presents a plan for review, and waits. You approve from the same thread. The agent merges, opens a PR, or surfaces a diff. A teammate like Beagle operates on a similar draft-and-approve model - the human stays in the loop on every consequential action.
The 2026.7.2 release, already in beta, pushes this further. Remote coding sessions can run on cloud workers, and Codex and Claude Code catalog sessions open in terminals on their owning hosts. The direction is clear: coding sessions launched from chat, tracked in chat, resolved with one approval.
The security situation is not hypothetical
The productivity story is real. So is the risk history, and it matters before you wire anything into a team Slack workspace.
The project launched in November 2025, hit 9,000 GitHub stars in its first 24 hours, and surpassed 214,000 stars by February 2026 - faster growth than Docker, Kubernetes, or React ever saw.
That speed created security gaps. CVE-2026-25253 was publicly disclosed with a CVSS score of 8.8; the same day, OpenClaw issued three high-impact security advisories including a one-click RCE vulnerability and two command injection vulnerabilities, with researchers confirming the attack chain takes "milliseconds" after a victim visits a malicious webpage.
Censys identified 21,639 exposed instances publicly accessible on the internet; the United States had the largest share of exposed deployments, followed by China, where an estimated 30% ran on Alibaba Cloud. Misconfigured instances were found leaking API keys, OAuth tokens, and plaintext credentials.
The supply-chain angle is also documented. A supply-chain attack called ClawHavoc uploaded 341 malicious skills to ClawHub, installing the Atomic macOS Stealer malware that harvests cryptocurrency wallets, browser data, and credentials.
Security audits have found that 12 to 20% of ClawHub skills are malicious, depending on the study.
The CVE is patched. The skill ecosystem risk is structural. Anyone with a GitHub account older than one week can publish to ClawHub; the low barrier has made it a target for supply chain attacks, with multiple coordinated malware campaigns documented since late January 2026.
What "ready for teams" actually requires
The best enterprise path is governed agent platforms that deliver OpenClaw's autonomy while replacing its ambient-authority privilege model. After 135,000+ exposed instances, CVE-2026-25253, and the ClawHavoc supply-chain campaign, most CISOs are no longer asking whether to ban OpenClaw - they are asking what to deploy instead.
That framing is too binary for most teams. The real question is: what deployment shape closes the gap?
OpenClaw makes sense when you want an agent that lives in Slack, Teams, Telegram, or WhatsApp rather than a browser tab; when you need local-first control and data sovereignty; and when your team can enforce a security policy for channels, tools, and skills.
The v2026.7.1 release does make governance meaningfully easier. This stable release is mainly about making long-running agents easier to see, recover, and govern.
Passwords and tokens stay out of more logs, sensitive controls remain limited to approved users, device pairing is clearer, and unsafe downloads, files, and network requests are blocked earlier.
But the gap between "individual developer running this on a personal machine" and "team relying on it for coding workflows in a corporate Slack workspace" still involves several deliberate choices:
- Bind the Gateway to loopback only (
gateway.bind: "loopback"in config) and route remote access through SSH tunnels or Tailscale - Run in Docker or a dedicated VPS, never on a primary workstation with corporate credentials
- Treat every ClawHub skill as untrusted executable code - review source before install, pin versions, avoid anything with obfuscated shell commands
- Scope OAuth tokens to the minimum required, and rotate them; the
MEMORY.mdandSOUL.mdfiles store context in plaintext by default - Use MCP isolation (now in 2026.7.1 as
#106359) to scope MCP server connections to their requesting session only
The non-obvious insight here: OpenClaw's value proposition for teams is less about the model and more about the channel. IDEs, CLIs, GitHub issues, Slack, mobile apps, and cloud environments are becoming connected surfaces. OpenClaw is the only fully open-source project that treats those surfaces as first-class. That is genuinely different from Cursor or Codex CLI, which are primarily local tools. The tradeoff is that the attack surface is wider because the permissions scope is wider.
Engineering teams use OpenClaw as a coding agent to automate first-pass code reviews, run test suites, generate changelogs, and triage GitHub issues; one team reported a 40% reduction in code review turnaround time after deploying an agent to handle initial reviews. The result is plausible - the workflow is well-designed. The 40% figure comes from a single self-reported case, so treat it as directional rather than a benchmark.
OpenClaw as an open-source coding agent: common questions
What did OpenClaw 2026.7.1 ship for coding workflows?
The release gives Claude Code temporary session access via openclaw attach, makes Codex delegation more reliable, and makes long-running sessions and goals easier to resume.
The companion openclaw-code-agent plugin adds plan-approval gates, worktree isolation, and merge/PR follow-through, all triggered from a chat message.
Is OpenClaw safe to use in a team Slack workspace?
With deliberate configuration, it is viable for developer teams comfortable operating self-hosted infrastructure. It is not safe in a default install on a corporate device. Bind the Gateway to loopback, run in an isolated environment, audit every skill, and scope credentials. The agent market is converging on governed tool access: current AI-agent security discussion keeps returning to MCP gateways, tool poisoning, least privilege, secret handling, and approval gates because agents are now acting inside real systems.
How does OpenClaw's coding agent differ from Cursor or Claude Code?
The 2026 stack is not "IDE replaces CLI" or "cloud replaces local" - it is a three-layer stack: IDE for real-time collaboration, CLI for local execution, cloud agents for asynchronous delegation. OpenClaw sits in the third layer and adds something the other two don't: chat-native triggering and observability. You start a coding session from Telegram and check its status from Slack. Cursor and Claude Code require you to be in the editor.
What is the plan-approval loop in OpenClaw's coding agent?
The default review loop is plan-first. Claude Code, Codex, and experimental OpenCode feed the same approval UX: the plugin blocks implementation until approval, then continues the same session after the plan is approved. This is the right default for team use - it keeps a human in the loop before any code is written to a branch.
What are the realistic alternatives for teams that need enterprise controls?
OpenAI Workspace Agents, announced April 22, 2026, are Codex-powered agents that run continuously in OpenAI's cloud and plug directly into Slack, Salesforce, Microsoft 365, and Google Drive; they inherit ChatGPT Enterprise's tenant isolation, SOC 2 Type II, ISO 27001, HIPAA BAAs, and SSO/SCIM controls. The tradeoff is cost and lock-in. OpenClaw stays free and self-hosted - which is exactly the reason 346,000 developers starred it.