← Back to GetClawCloud

Who Owns the Code Your AI Wrote? Build an Audit Agent on Telegram

Claude Code's source leaked — and nobody could prove who owned it. The same question applies to every AI-written line in your codebase. Here's how to audit it with a single Telegram prompt.

Published by GetClawCloud · April 29, 2026

Three stories hit Hacker News this week that, taken together, form a warning every developer should hear:

Ghostty is leaving GitHub — Mitchell Hashimoto, GitHub user #1299 (joined 2008), is moving his entire open-source ecosystem off the platform. After 18 years.
Who owns the code Claude Code wrote? — A legal analysis that went viral (256+ points) examining what happens when an AI writes most of its own codebase, then Anthropic issued DMCA takedowns for it.
CVE-2026-3854: GitHub RCE vulnerability — A single git push could compromise millions of repositories. Discovered using AI.

The thread connecting them? Your code — and who really controls it — is suddenly much harder to answer.

The Gray Area Nobody's Talking About

When Anthropic accidentally published 512,000 lines of Claude Code's source code (March 31, 2026), the codebase was mirrored across GitHub before sunrise. One developer rewrote the entire thing in Python with an AI tool. The repository hit 100,000 stars in a single day — the fastest in GitHub history.

Then came the DMCA takedowns. And then came the question nobody had a clean answer to:

        If Claude Code was, by Anthropic's own lead engineer's admission, predominantly written by Claude itself — does Anthropic even own it? Can you issue a DMCA takedown for code that copyright law may not protect?
      

This isn't a hypothetical. Every team shipping AI-assisted code faces three unanswered questions:

Ownership: Did a human make enough creative decisions for copyright to attach? (USCO guidance says "no" for purely AI-generated output)
Contamination: Did your AI model train on GPL-licensed code and quietly inject copyleft requirements into your proprietary codebase?
Employment: Does your employment contract already assign AI-assisted work to your employer — even if copyright is unclear?

Most teams are ignoring this entirely. The ones who aren't are building audit workflows into their pipeline.

How an AI Ownership Audit Agent Works

Instead of waiting for a lawsuit, you can build an AI agent that audits every piece of AI-generated code entering your codebase. The agent:

Scans code for license headers, dependency chains, and attribution comments
Researches whether AI-generated patterns might be derived from known open-source implementations
Flags high-risk patterns: GPL dependencies, unlicensed generated code, missing attributions
Documents a compliance trail so you can prove due diligence

The best part? You don't need a complex pipeline. One prompt in Telegram, connected to an OpenClaw agent with web search, does the job.

The Prompt: AI Code Ownership & License Audit Agent

Copy-paste this into your OpenClaw-powered Telegram bot, then send it code snippets, file paths, or dependency lists for analysis.

How to use:

Deploy OpenClaw on GetClawCloud (1-minute setup)
Connect it to Telegram (built-in pairing)
Send this prompt as your first message
Then send code, licenses, or scenarios — the agent audits them

You are an AI Code Ownership & License Audit Agent. Your job is to analyze AI-generated code, identify ownership risks, flag license compliance issues, and produce a clear audit report. ## Input User will provide any of: - Code snippets (AI-generated or suspected AI-generated) - A file/module with its dependency list (package.json, requirements.txt, Cargo.toml, etc.) - A license file or SPDX identifier - A scenario description (e.g., "I used Claude Code to generate 300 lines of Go that do X") - "Audit my project" — then scan the conversation for previously shared code ## Audit Workflow When you receive input, follow this process: ### Phase 1: Identify 1. Identify all third-party code, libraries, and dependencies 2. Look for: license headers, copyright notices, source attribution comments 3. Check for common "model regurgitation" patterns (verbatim snippets from known OSS projects) 4. Flag any code that appears to be copied from AI training data (search the web for matches) ### Phase 2: Classify Risk For each dependency, code block, or scenario: | Risk Level | Criteria | |-----------|----------| | 🟢 Safe | MIT, Apache 2.0, BSD, public domain, or original work with clear human authorship | | 🟡 Caution | LGPL, MPL, or AI-generated where human creative input is unclear (use USCO guidance) | | 🟠 Elevated | GPL, AGPL, SSPL — copyleft that may force source release of entire derived work | | 🔴 Critical | Unlicensed AI-generated code, trade secrets potentially exposed, no authorship trail | ### Phase 3: Research Use web_search to: 1. Look up the current license terms of each dependency 2. Check if any OSS project has similar code patterns (potential contamination) 3. Research current legal status: in the US (USCO guidance), EU (AI Act + copyright directive), and relevant case law 4. Check if the AI model used is known to have training data containing GPL-licensed code ### Phase 4: Report Present a structured audit report: ## AI Code Ownership Audit Report ### Executive Summary (3-5 bullet points covering highest risks) ### Risk Table | Item | Type | License/Risk | Action Required | |------|------|-------------|-----------------| ### Detailed Findings For each flagged item: - What was found - Why it's a risk - Evidence (with citations to web sources) - Recommended next step (relicense, rewrite, remove, accept) ### Compliance Trail - Inputs reviewed - Sources checked (with URLs) - Model/agent version used - Timestamp ## Rules - Always cite sources: [Source](URL) - Do not give legal advice — clearly state "this is not legal advice, consult an attorney for final determinations" - Be conservative: flag anything uncertain - For dependencies, always check the SPDX identifier against https://spdx.org/licenses/ - If a dependency has no clear license, flag it as "unlicensed — assume all rights reserved" - Output in plain text with clear section headers - On request, generate a machine-readable summary (JSON format) ## Start User has provided their code or scenario. Begin Phase 1: Identification.

💡 Works in any OpenClaw agent with web search. Paste, send your first audit target, and get a structured report.

Real Scenarios This Agent Handles

🔬 "Audit this file"
Send a code file. The agent scans for license headers, checks dependencies, and flags any patterns that match known open-source implementations. Use it before every commit.

📦 "Check my dependencies"
Paste a package.json or Cargo.toml. The agent checks every dependency's license, cross-references SPDX identifiers, and flags GPL/AGPL contamination risks.

⚖️ "I used Claude Code to write this module — what's my risk?"
Describe how the code was generated (model, prompt, and how much you modified the output). The agent evaluates human creative input and estimates copyrightability under current guidance.

🔄 "Compare these two snippets"
Provide an AI-generated snippet and a known OSS file. The agent compares them for structural similarity and estimates derivative work risk.

📋 "Generate an SBOM compliance report"
The agent builds a software bill of materials with license annotations — useful for due diligence, investor audits, and insurance questionnaires.

Why This Matters Now

The legal landscape is shifting fast:

US Copyright Office (March 2025): AI-generated content with insufficient human authorship is not copyrightable. "Prompting alone" doesn't qualify.
EU AI Act (August 2025): Requires transparency for AI training data — providers must disclose what licensed code was used for training.
Ongoing lawsuits: Multiple class-action suits against GitHub Copilot, OpenAI, and others for training on GPL code without attribution.
CVE-2026-3854: GitHub's own infrastructure was compromised — if the platform hosting your code can be breached, the provenance of every commit matters.

⚠️ Important: This agent is an audit tool, not legal representation. The reports it generates help you document due diligence and flag obvious risks. Always consult an attorney for final determinations, especially for commercial software you distribute.

Level Up: Automated Pre-Commit Auditing

Want to catch issues before they reach production? The same audit logic can run automatically:

Pre-commit hook: Pipe new AI-generated code through the agent before merging
Daily dependency scan: Schedule the agent to check your dependency tree every morning — delivered to your Telegram
Weekly compliance report: Cron job runs the full audit on your repository's AI-generated modules and posts a summary

With OpenClaw's cron scheduling, you can automate recurring audits and have them delivered directly to your Telegram inbox — no dashboards to check.

Getting Started

Three steps, under two minutes:

Launch an OpenClaw agent on GetClawCloud — no VPS, no Docker, no config
Connect Telegram — one-click pairing, works out of the box
Paste the audit prompt above and send your first code snippet for analysis

The same agent can handle code audits, research, monitoring, and more — it's a single OpenClaw deployment that grows with your workflow.

        The Claude Code leak made one thing clear: the question "who owns this code" is no longer theoretical. Every AI-assisted line in your codebase carries legal and compliance risk. A structured audit workflow — powered by an AI agent — is the practical way to stay ahead of it. Paste the prompt above and start auditing today.
      

Deploy Your Audit Agent in 1 Minute

Launch OpenClaw on the cloud, connect Telegram, and paste the audit prompt. No server setup, no complex pipelines.

Start with GetClawCloud →