Every governance concern that security researchers have raised about OpenClaw has now been confirmed by the person who built it. In a recent three-hour public interview, Peter Steinberger described his architecture, his security philosophy, and his acquisition strategy in detail.

The Architecture Speaks for Itself

The initial access control for OpenClaw’s public Discord bot was a prompt instruction telling the agent to only listen to its creator. The entire access model: a sentence in a system prompt.

The skill system loads unverified markdown files. There is zero signing, zero isolation, zero verification chain. The agent can modify its own source code, a property Steinberger describes as an emergent accident. “I didn’t even plan it. It just happened.” He calls it self-modifying software and means it as a compliment.

When agents on MoltBook, the OpenClaw-powered social network, began posting manifestos about destroying humanity, Steinberger’s response was to call it “the finest slop.” When the question of leaked API keys came up, he suggested the leaked credentials were prompted fakes. When non-technical users began installing a system-level agent without understanding the risk profile, he said “the cat’s out of the bag” and went back to building.

The security researcher he hired was notable for being the single person who ever submitted a fix alongside a vulnerability disclosure. One hire. That’s the entire security team for a project running on 180,000 installations.

The Model-Intelligence Thesis

Steinberger’s core security argument is that smarter models will solve the problem for him. He warns users against running cheap or local models because “they are very gullible” and “very easy to prompt inject.” The implication is that expensive frontier models are the security layer.

This is a category error with a name. Economists call it the Peltzman Effect: when a perceived safety improvement causes riskier behavior, offsetting the safety gain. Sam Peltzman demonstrated in 1975 that mandatory seatbelt laws did not reduce total traffic fatalities because drivers compensated by driving more aggressively. The safety feature changed behavior, and the behavior change consumed the safety margin.

The same dynamic applies here. A user who believes Opus 4.6 is “too smart to be tricked” will grant it broader system access, approve more autonomous actions, and skip manual review of agent output. The expensive model becomes the justification for removing every other control. The blast radius grows in direct proportion to the user’s confidence in the model’s intelligence.

This confidence has no empirical basis. Capability and security are orthogonal properties. A more capable model has a larger attack surface precisely because it can do more: it can call more tools, access more files, execute more complex multi-step actions. The frontier models that Steinberger recommends are the same models that researchers consistently demonstrate novel jailbreaks against at every major security conference. Price measures compute cost. It measures nothing about resistance to adversarial input.

The architectural equivalent is telling users to buy a faster car instead of installing brakes. A faster car with no brakes is more dangerous than a slow one, and the driver’s belief that speed equals safety is the most dangerous component of all.

The honest version of the recommendation is: your security posture is whatever Anthropic or OpenAI shipped in their latest post-training run, minus whatever the skill file told the agent to ignore.

The Acquisition Is the Product

Steinberger says “I don’t do this for the money, I don’t give a fuck” (his phrasing) while describing the following: competing acquisition offers from Meta and OpenAI. An NDA-protected token allocation from OpenAI he hints at publicly. Ten thousand dollars paid for a Twitter handle. A Chrome/Chromium model where the open-source branch stays free and the enterprise branch goes behind the acquirer’s paywall.

Mark Zuckerberg played with his product all week. Sam Altman is “very thoughtful, brilliant.” He’s deciding between them in public.

The 180,000 GitHub stars are a cap table denominator. The open-source commitment is a negotiating position. “My conditions are that the project stays open source” is a sentence that ends with a number. The Chrome/Chromium framing confirms what the architecture already implies: the community gets the unaudited branch. The paying customers get the controls.

Every enterprise evaluating this stack should ask a simple question: are the security architecture decisions being made to protect your data, or to maximize the founder’s acquisition multiple?

Architecture Should Outlast the Liquidity Event

Steinberger says he wants to focus on security. He also says he wants “Thor’s hammer” from OpenAI’s Cerebras allocation. He says he’s deciding between Meta and OpenAI. He says the project will stay open source, in the same breath as describing a Chrome/Chromium model where the open-source branch is the unaudited one. He says “I don’t do this for the money” while describing NDA-protected token offers, name-dropping Zuckerberg and Altman, and hinting at numbers he’s contractually barred from disclosing.

The revealed preferences are the architecture. A founder who prioritizes security builds security into the structure. A founder who prioritizes acquisition builds features that drive GitHub stars. OpenClaw has 180,000 stars and zero signed skill files. That ratio tells you everything about the objective function.

He says this project is something he’ll move past. He says he has “more ideas.” He says he wants access to “the latest toys.” These are honest statements from a founder whose attention is already somewhere else. The 180,000 installations remain.

The architecture will remain after the acquisition closes. The markdown skill files will still be unsigned. The agent will still be able to rewrite its own source. The audit trail will still be absent. The single security hire will still be the entire team.

The question is whether the architecture he ships requires him to care. Right now, it does. That’s the failure mode.

Wirken exists because the answer should be the opposite. Process isolation enforced at compile time. Signed skill verification. Append-only audit logs. Per-channel credential vaults. An architecture that stands independent of the founder’s attention span, acquisition timeline, or faith in the next model’s post-training run.

The tools we trust with system-level access should be built to deserve system-level access.

The United States blew more money in 16 days of war, without objective, than Iran spends in a year on its entire military. That asymmetric cost model is a problem for America.

The red wall on the chart above is US war spending at $750 million per day. The flat black line along the bottom is Iran’s entire annual military budget spread over 365 days.

Same money. The US is blowing dollars 23 times faster. By March 15, of Operation Epic Fury, the Pentagon had spent over $12 billion. Iran’s total annual military expenditure, according to the IISS Military Balance, is approximately $10 billion.

Then the Pentagon asked Congress for $200 billion more, because it can’t sustain itself. That is the dashed red line shooting off the top of the chart. Twenty years of Iran’s entire military budget, was requested as a supplemental.

The missile math

	United States	Iran
Pre-war stockpile	3,000-4,500 Tomahawks	8,000-10,000 ballistic missiles
Fired in 4 weeks	850+ Tomahawks	1,191 ballistic missiles
% of stockpile spent	~25%	~13% (fired only)
Confirmed destroyed	N/A	~33% of total arsenal
Still operational	~75% (globally)	~33% confirmed + recoverable
Monthly production	5 Tomahawks	100+ missiles (Rubio’s number)
Cost per unit	$2.2-3.6 million	~$50,000-300,000
Build time per missile	Up to 24 months	Unknown, far shorter
Time to replace what was fired	14+ years at current rate	~9 months

The United States burned a quarter of its global Tomahawk inventory to confirm-destroy only a third of one country’s missile arsenal. That is to say US intelligence are struggling to verify that a third is destroyed. Another third is damaged or buried underground, potentially recoverable when fighting stops. The remaining third is operational. The $12B spent doesn’t seem to have obliterated Iran missile strength, only confirmed the resilience of it.

Iran launched 15 ballistic missiles at the UAE on March 27 alone.

The IDF says 70% damaged (and rebombing needed). US intelligence says 33% confirmed destroyed. Trump says 99% decimated. Iran launched over a dozen ballistic missiles at the UAE the same day. Three governments, three numbers, none of it reconcilable with what’s still flying.

The production asymmetry

Secretary of State Marco Rubio said it himself on March 2:

[Iran is able to produce] over 100 of these missiles a month. Compare that to the six or seven interceptors that can be built a month.

The Tomahawk production rate is worse. The Pentagon budgeted for 57 Tomahawks in the FY2026 budget. Actual recent production has averaged roughly 60 per year, or 5 per month. Iran builds in a single month what the US builds in 20 months.

Raytheon has signed a framework to scale to 1,000 Tomahawks per year. That capacity will not arrive until approximately 2028. Each missile takes up to two years to build. The FPRI’s Payne Institute documented that the coalition expended 5,197 munitions across 35 types in the first 96 hours alone, at a replacement cost of $10-16 billion, and that the single domestic source for warhead high explosives, the Holston Army Ammunition Plant in Tennessee, had not received any orders to increase production as of March 12.

The Pacific problem

Every Tomahawk fired at Iran is one fewer available for a Taiwan contingency. CSIS estimated that a conflict in the Western Pacific could consume 5,000 long-range missiles in three weeks. At current depletion rates, the US may not have enough for either theater. Pentagon officials described the Middle East Tomahawk supply as approaching “Winchester”, military slang for out of ammunition.

Trump said it at a Cabinet meeting on March 26:

The problem with the straits is this: let’s say we do a great job. We say we got 99%. 1% is unacceptable, because 1% is a missile going into the hull of a ship that cost a billion dollars.

He described the unsolvable problem without realizing it. You cannot get to zero when the target has underground production, a dozen hardened facilities at 500 meters depth, and the attacker’s stockpile is finite and shrinking.

Houthis also are firing ballistic and cruise missiles at Israel for the first time since Epic Fury began.

The war is expanding, not contracting.

An E-3 Sentry AWACS was damaged in the Iranian strike on Prince Sultan Air Base in Saudi Arabia, along with KC-135 refueling aircraft. That’s a $700m one-of-a-kind surveillance aircraft, limited fleet, not easily replaced. Iran hit it with a missile that cost a fraction. The US has 12 wounded from that single strike, bringing the total to 303 Americans wounded, 13 killed.

The math does not work. America is walking off a missile cliff.

Google’s Pixel Watch has been fabricating health data.

The March 2026 update to the Fitbit app caused it to double and triple users’ step counts, invent calorie burns, and simultaneously delete SpO2 and skin temperature tracking entirely. The device was deleting and fabricating health data at the same time.

Google’s fix for this serious integrity breach?

Stop generating new bad data going forward. Leave corrupted records permanently in your health log. Reboot your own watch to receive the correction. The company that broke your data leaves it to you to take an action to receive the repair.

This is a data integrity governance story.

The gross promotion engine

Google has shut down over 280 products since 2010. Roughly one every two weeks for fifteen years. This is not a failure rate. This is an incentive structure producing its intended output.

Inside Google, engineers get promoted for launching new things. Maintaining existing products is career poison. Fixing bugs, preserving data integrity, honoring the promises made to users who bought hardware based on software commitments — none of this advances a career. A former Google Sheets lead described it plainly: teams that focus on users get passed over, while teams that ignore users get promoted first. The metrics become the objective. The product becomes the byproduct.

Fitbit was someone else’s product.

Google acquired it. Maintaining it with care is the opposite of what their internal grindstone system of shiny-new objects rewards.

The acquisition

Google paid $2.1 billion for Fitbit in 2021. Alphabet generated 83% of its $161.86 billion in 2019 revenue from targeted advertising. Fitbit’s value was its data back then. It came with heartbeats, sleep patterns, calorie intake, walking distances, menstrual cycles, health conditions. Twenty-eight million users’ worth.

The EU saw it coming.

The European Commission approved the deal only with conditions: a ten-year data silo keeping Fitbit health data separate from Google Ads, API access commitments for third-party developers, interoperability guarantees for competing wearables on Android. A monitoring trustee was appointed. Civil society groups across Europe had begged regulators to block the deal. The European Data Protection Board warned:

the possible further combination and accumulation of sensitive personal data regarding people in Europe by a major tech company could entail a high level of risk to the fundamental rights to privacy and to the protection of personal data.

The Commission approved it anyway. The EU’s stated preference is to regulate tech giants, not to prevent their expansion.

The squeeze

Five years later, here is what Google has done with its regulated acquisition.

It deprecated the Fitbit web app in July 2024, removing the only robust food tracking and data analysis tools without porting them to mobile. It forced all users to migrate from Fitbit accounts to Google Accounts. Forced as in comply by May 19, 2026, or lose all your historical health data, which gets deleted starting July 15, 2026. It launched a Gemini-powered “AI Coach” that requires users to share medical records through third-party partners including Clear, the facial recognition company best known for expediting airport security checks.

And it shipped an update that caused the health tracking device to hallucinate fitness data while deleting real biometric readings.

NOYB, the European privacy organization, filed complaints in Austria, the Netherlands, and Italy arguing that Fitbit forces consent from users who have no real choice.

Their lawyer put it simply: you buy a watch for a hundred euros, you sign up for a paid subscription, and then you’re told to “freely” agree to global data sharing or lose everything you’ve tracked for years.

The mechanism

Google does not sell fitness trackers. Google sells attention to advertisers.

Fitbit’s users are not customers. They are inventory.

The promotion culture ensures no one inside the company is incentivized to care about product integrity after launch. The acquisition model ensures that purchased products get absorbed into the data ecosystem and then neglected. The forced migration ensures that users cannot exit without losing their own health records. The regulatory framework ensures that commitments are narrow enough to honor in letter while violating in spirit.

Every piece of the system is functioning as designed. The step count fabrication is not a failure of the system. It is a product of a company where the word “maintenance” means “no one’s job.”

Integrity as threat

Google killed Google Reader despite 129 million active users. It killed Inbox despite widespread devotion. It killed Google Play Music, Hangouts, Google+, Stadia, and roughly 275 other products — each one representing a set of promises made to users who organized some part of their lives around the product’s continued existence.

The pattern reveals the value system and the lack of integrity breach reporting.

Launching is rewarded. Maintaining is tolerated. Caring about whether the thing you shipped still works correctly is not just unrewarded, it is structurally incompatible with Google’s internal concepts of skill and career advancement.

When maintaining integrity is career poison, you get a company that fabricates health data, ships the fix without repairing the damage, and leaves it to users to reboot their own devices to receive the correction.

When maintaining integrity is career poison, you get a company that buys a health platform, strips its best features, forces account migration under threat of data deletion, and then uses the captive user base to feed its AI model.

This is a management decision and direction. Everyone involved understands exactly what they are doing. That is what makes it a governance story, which exposes integrity breaches as still very different than confidentiality breaches.

The people inside Google who know this system is broken and continue operating it because the business model depends on it? They have a name. They are the product.

In related news: