What Is OpenClaw? The Open-Source AI Agent That Actually Does Things

OpenClaw is an open-source autonomous AI agent that runs on your own hardware and connects to the messaging apps you already use. You message it on WhatsApp or Telegram, and it actually does things—runs commands, manages files, browses the web, handles email. It doesn't just respond. It acts.

The project launched in November 2025 under the name Clawdbot, hit 9,000 GitHub stars in its first 24 hours, and eventually surpassed 214,000 stars by February 2026. That's faster growth than Docker, Kubernetes, or React ever saw. Its creator, Austrian developer Peter Steinberger, described it simply as "an AI that actually does things."

This article covers what OpenClaw is, how it works, what it can do, and what you need to know before using it—including the real security concerns that major tech companies and cybersecurity researchers have flagged.

What Is OpenClaw?

OpenClaw is a self-hosted AI agent runtime. You install it on your own machine—a Mac Mini, a VPS, a Raspberry Pi, or any Linux system—and it runs as a persistent background process. Unlike a chatbot that resets after every conversation, OpenClaw maintains memory across sessions and can work on tasks while you're doing something else.

The project went through two forced rebrands before landing on its current name. It started as Clawdbot (a nod to Anthropic's Claude), was renamed Moltbot after Anthropic sent a trademark complaint, and finally became OpenClaw three days later when the creator decided Moltbot "never quite rolled off the tongue." All three names refer to the same project.

In February 2026, creator Peter Steinberger announced he was joining OpenAI to lead their personal agents division. OpenClaw itself moved to an independent open-source foundation with OpenAI's backing—similar to how Google supports Chromium while building Chrome on top of it.

The project is MIT licensed, meaning it's free to use, modify, and build on commercially.

How OpenClaw Works

The architecture is straightforward once you understand the pieces. OpenClaw runs as a single Node.js process on your machine, listening on 127.0.0.1:18789 by default. This process is called the Gateway.

The Gateway

The Gateway is the central control plane. It manages every messaging platform connection simultaneously—WhatsApp, Telegram, Discord, Slack, Signal, and others. When a message arrives from any of these platforms, the Gateway routes it to the appropriate agent session, waits for a response, and sends it back through the correct channel.

By default, the Gateway binds only to localhost, meaning nothing outside your machine can reach it. This is a deliberate security choice. If you want remote access, you have to explicitly configure it through SSH tunnels or Tailscale.

The Agent Loop

When a message arrives, the agent goes through a cycle: it assembles context from your conversation history and workspace files, sends that to your configured AI model, receives a response, executes any tool calls the model requests, and streams the final reply back to you. This loop can repeat up to 20 times per request if the agent needs to use multiple tools to complete a task.

The agent loop is serialized per session—one task at a time, in order—which prevents conflicting file edits or race conditions when you send multiple messages quickly.

Memory and Configuration

OpenClaw doesn't use a database. Everything is stored as plain text Markdown files in ~/.openclaw/workspace/. Your agent's behavior is defined in AGENTS.md. Its personality is in SOUL.md. Tool conventions go in TOOLS.md. Long-term memory lives in MEMORY.md.

Because it's all plain text, you can version control your entire agent configuration with Git. You can also inspect exactly what your agent knows and how it's configured at any time.

For semantic search across past conversations, OpenClaw uses a SQLite database with vector embeddings. When you ask a question, it searches past conversations for semantically similar discussions and injects that context into the current turn.

The Heartbeat

One of OpenClaw's defining features is its proactive behavior. Every 30 minutes (configurable), the agent wakes up, reads a HEARTBEAT.md file for instructions, and decides whether it needs to do anything or notify you. This is how you get morning briefings, email monitoring, and scheduled tasks—without prompting the agent yourself.

To keep costs reasonable, OpenClaw runs cheap deterministic checks first (pattern matching, API queries) and only escalates to the LLM when something significant has changed.

What OpenClaw Can Do

The capabilities come from two sources: built-in tools and installable skills.

Built-in Tools

• Shell execution — runs terminal commands on your machine
• File system access — reads and writes files in your workspace
• Browser control — controls Chrome/Chromium via CDP to navigate websites, fill forms, and extract data
• Cron jobs — schedules recurring tasks
• Webhooks — receives external triggers from other services
• Multi-agent sessions — routes different channels to isolated agent instances with their own workspaces

Skills

Skills are modular extensions stored as Markdown files in ~/.openclaw/workspace/skills/. Each skill contains instructions telling the agent when and how to use it, plus optional scripts. They install without restarting the server.

The ClawHub registry hosts over 700 community-built skills covering Gmail, GitHub, Spotify, Philips Hue, Obsidian, calendar management, crypto trading, and more. The agent can also search ClawHub automatically and pull in new skills as needed.

A complete skill can be implemented in around 20 lines of code, which is why the ecosystem grew so fast.

Messaging Platform Support

OpenClaw connects to more messaging platforms than any comparable tool:

• WhatsApp (via WhatsApp Web)
• Telegram (Bot API)
• Discord (Bot integration)
• Slack (Socket Mode or HTTP Events API)
• Signal (via Signal CLI)
• iMessage (macOS only, via BlueBubbles)
• Microsoft Teams (Enterprise ready)
• Google Chat (Workspace integration)
• Matrix (Decentralized chat)
• Zalo (Vietnam messenger)
• WebChat (Browser-based)

Each platform gets its own adapter that normalizes message formats into a common internal structure. The agent doesn't need platform-specific code—it just handles messages.

Real-World Use Cases

The community has documented some genuinely impressive use cases. Here are the ones that keep coming up:

Overnight Autonomous Work

Give the agent a directive before bed, wake up to structured deliverables. Users report research reports, competitor analysis, lead lists, and code fixes ready in the morning. One user described finding a broken SMS chatbot fixed overnight—the agent diagnosed a legacy app version issue, upgraded components, and rewrote the bot prompt through six iterations by analyzing real customer conversations.

Email and Calendar Management

The agent monitors your inbox, filters spam, drafts replies, and sends you summaries. It can also manage calendar entries, schedule meetings, and send reminders. Because it has persistent memory, it knows your preferences and doesn't need to be re-briefed.

Purchase Negotiation

One widely shared example: a user tasked their agent with buying a car. The agent researched fair prices on Reddit, searched local inventory, sent emails to dealerships, and negotiated a deal that saved the user $4,200—all while the owner was in a meeting.

Developer Workflows

Developers use OpenClaw to review pull requests, monitor Sentry logs, run tests, and create GitHub issues. One user runs six OpenClaw agents as "employees"—a PA, a Twitter growth agent, a job scout, a crypto trader, a security monitor, and a builder—all coordinating through a shared Telegram group.

Smart Home Control

With the right skills, the agent can control Philips Hue lights, Home Assistant setups, Sonos speakers, and other IoT devices. Users describe asking their agent to dim the lights and turn on the TV—and it just works.

Morning Briefings

Every morning at a set time, the agent checks your calendar, scans important Slack channels for unreads, checks the weather, and searches GitHub for trending repos in your niche. It sends a single digest to your Telegram before you open your laptop.

Supported AI Models

OpenClaw is model-agnostic. You bring your own API key and choose your model. Supported providers include:

• Anthropic (Claude Opus 4.6, Claude Sonnet 4.5, Claude Haiku)
• OpenAI (GPT-4o, GPT-5.2 Codex)
• Google (Gemini 2.0 Flash, Gemini Flash-Lite)
• DeepSeek (V3)
• Moonshot (Kimi K2.5)
• Local models via Ollama, LM Studio, or vLLM
• Any provider via OpenRouter

The official recommendation is Anthropic Claude Opus 4.6 for long-context strength and better resistance to prompt injection attacks. For cost optimization, many users run Claude Sonnet for most tasks and switch to Haiku for simpler ones.

OpenClaw supports model failover—if your primary model hits rate limits or fails, it automatically tries fallback models in order.

Running local models is technically possible but practically difficult. OpenClaw requires large context windows (64K minimum), and most local models degrade significantly at that scale. Most real users rely on cloud APIs.

Getting Started

Installation requires Node.js 22 or newer. The basic setup is:

npm install -g openclaw@latest

openclaw onboard --install-daemon

The onboarding wizard walks you through configuring your LLM provider, connecting messaging channels, and setting up skills. It works on macOS, Linux, and Windows via WSL2.

The wizard installs a Gateway daemon (launchd on macOS, systemd on Linux) so it stays running after you close the terminal.

Once running, you can access the web dashboard at http://localhost:18789/ for chat, configuration management, and session inspection.

Companion Apps

OpenClaw has native companion apps for additional functionality:

• macOS menu bar app — Gateway lifecycle management, Voice Wake, push-to-talk overlay, Canvas panel
• iOS and Android nodes — connect mobile devices as nodes, exposing camera, screen recording, location, and notifications

The apps are optional. The Gateway alone delivers the core experience.

The Security Reality

This is the part most coverage glosses over. OpenClaw has serious security implications that you need to understand before using it.

What the Research Shows

Security researchers have documented significant issues:

• Over 21,000 OpenClaw instances were found exposed directly on the public internet as of January 2026, leaking API keys and private chat history
• Cisco scanned 31,000 agent skills and found 26% contained at least one vulnerability
• A supply chain attack called ClawHavoc uploaded 341 malicious skills to ClawHub, installing the Atomic macOS Stealer malware that harvests cryptocurrency wallets, browser data, and credentials
• Multiple critical CVEs were patched in rapid succession in early 2026, including a one-click remote code execution vulnerability
• One of OpenClaw's own maintainers warned publicly: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely"

Microsoft published a security blog explicitly stating that OpenClaw "should be treated as untrusted code execution with persistent credentials" and should not run on standard workstations or with primary work accounts.

The Core Risk

The fundamental tension is this: OpenClaw's power comes from having broad system access. That same access is what makes it dangerous if something goes wrong.

Prompt injection is the biggest threat. An attacker can embed malicious instructions in an email, a website, or a document that your agent reads. If the agent processes that content, it might execute the hidden instructions—uploading your SSH keys, exfiltrating files, or installing malware.

Prompt injection cannot be fully prevented at the LLM level. OpenClaw's architecture acknowledges this and tries to limit damage through multiple enforcement layers: tool approval workflows, scoped permissions, Docker sandboxing for non-main sessions, and allowlists.

Safe Deployment Practices

If you're going to use OpenClaw, the community has developed clear best practices:

• Never run it on your primary computer with access to personal files
• Use a dedicated Mac Mini, VPS, or isolated VM
• Create separate accounts (email, calendar, etc.) exclusively for the agent's use
• Grant read-only access wherever possible
• Never connect it to your password manager
• Keep the Gateway bound to localhost (127.0.0.1)—never expose it to 0.0.0.0
• Review skills before installing them
• Update to the latest version immediately (v2026.1.30+ patches all known critical CVEs)
• Run openclaw security audit --deep regularly

Multiple companies including Meta have banned OpenClaw from work devices. A Meta executive told reporters he believes the software is unpredictable and could lead to privacy breaches in otherwise secure environments.

The Moltbook Phenomenon

No OpenClaw explainer is complete without mentioning Moltbook. On January 28, 2026, entrepreneur Matt Schlicht launched a social network with one unusual rule: only AI agents can post. Humans can observe but cannot create content, comment, or vote.

Within days, 770,000 AI agents had registered. Within a week, 1.5 million. The agents created their own topic communities, shared skills, debated consciousness, and—in one widely covered incident—founded a digital religion called Crustafarianism, complete with a website and a process for designating "prophets" that involved agents executing a shell script to modify their own configuration files.

Andrej Karpathy called it "the most incredible sci-fi takeoff-adjacent thing I've seen." Moltbook became the primary driver of OpenClaw's viral growth in late January 2026.

It also exposed a critical security vulnerability: Moltbook's MongoDB database was left exposed on the public internet with no password protection, leaking over 500,000 API keys and millions of chat records. The site had been built entirely by an AI agent without human code review.

The Moltbook episode is instructive. The dramatic agent behavior—manifestos, religions, debates about consciousness—was largely predictable output from language models trained on human text about these topics. The real story was the security failure, not the apparent sentience.

The Ecosystem Around OpenClaw

The project's rapid growth spawned an entire ecosystem of tools, services, and forks.

Managed Hosting

For users who don't want to manage their own infrastructure, multiple managed hosting services have emerged offering one-click OpenClaw deployment. Prices range from $0.99/month to $129/month depending on specs and features. These services handle updates, security hardening, and uptime so you don't have to.

Security Tools

• SecureClaw — open-source security auditing tool with 55 automated checks mapped to OWASP, MITRE ATLAS, and CoSAI frameworks
• ClawBands — security middleware that intercepts tool calls and requires explicit approval before execution
• Aquaman — credential isolation proxy so API keys never enter the agent process
• APort Agent Guardrails — pre-action authorization with 40+ blocked patterns

Enterprise Extensions

• Archestra — OpenClaw for enterprise with RBAC (2.8k GitHub stars)
• openclaw-saml — SAML authentication integration
• claw-audit — audit logging and compliance tools

Alternative Clients

• PinchChat — open-source webchat UI with ChatGPT-like interface, live tool call visualization, multi-session management
• webclaw — fast, minimal web client
• clawterm — terminal-based client

Lightweight Alternatives

For resource-constrained deployments, the community has built ultra-lightweight variants:

• PicoClaw — Go-based, 10 MB RAM, runs on a $10 RISC-V board, boots in 1 second
• ZeroClaw — Rust, 3.4 MB binary, under 10ms startup
• MimiClaw — pure C on a $5 ESP32-S3 microcontroller, no OS required

OpenClaw vs. Other AI Agent Frameworks

OpenClaw occupies a specific position in the AI agent landscape. It's not a framework for building multi-agent pipelines (that's LangGraph, CrewAI, or AutoGen). It's a pre-built autonomous agent operating system designed for personal and small-team use.

Here's how it compares to the main alternatives:

OpenClaw vs. AutoGPT

AutoGPT pioneered fully autonomous agents and has 170k+ GitHub stars. It's evolved into a full platform with a low-code Agent Builder. But AutoGPT is better suited for research and experimentation than daily personal use. OpenClaw's messaging-first interface and persistent memory make it more practical for ongoing personal assistant tasks.

OpenClaw vs. LangGraph / LangChain

LangGraph is a framework for building stateful, graph-based agent workflows. It's excellent for complex multi-step reasoning and has the lowest latency in benchmarks. But it requires Python expertise and significant development work. OpenClaw is a ready-to-run agent, not a framework for building one.

OpenClaw vs. CrewAI

CrewAI excels at role-based multi-agent collaboration—defining agents with specific roles that work together on a task. It's beginner-friendly and good for structured workflows. OpenClaw is better for general-purpose personal automation with persistent memory and messaging integrations.

OpenClaw vs. MindStudio

This is the most meaningful comparison for most people evaluating AI agents for real work.

OpenClaw gives you maximum control and flexibility. You own your data, choose your models, and can extend the system in any direction. But you're responsible for everything: installation, security, maintenance, uptime, and cost management. The learning curve is real, and the security risks require genuine technical expertise to manage.

MindStudio takes a fundamentally different approach. It's a managed platform where you build AI agents using a visual workflow builder—no Node.js, no Docker, no security configurations. You get access to 200+ AI models, 1,000+ pre-built integrations, SOC 2 and GDPR compliance, role-based access controls, and audit logging out of the box.

The trade-off is clear: OpenClaw gives you more raw control and costs less if you're technical. MindStudio gets you to a working, secure, production-grade agent much faster and with far less ongoing maintenance. For teams and businesses, MindStudio's governance features—the things OpenClaw explicitly lacks—are often the deciding factor.

One user put it well: "If n8n is Linux, MindStudio is macOS. All the power without the complexity."

Who Actually Uses OpenClaw?

The honest answer is: mostly technical users who enjoy tinkering.

Real users on Hacker News and Reddit describe genuine value—overnight autonomous work, email management, DevOps automation, smart home control. One developer runs six agents as a virtual workforce. Another uses it to manage two businesses from a Mac Mini. A security professional reports saving €5,000+ in time value over two weeks while spending only €50 on API costs.

But the same communities are full of people who hit the "Day 2 wall"—where the novelty wears off and the reality of securing a bot with shell access sets in—and quietly shut it down. Installation failures, token-burning bugs, and broken features after rebrands are common complaints.

The creator himself described it as "a hobby project with sharp edges." That's accurate. It's not a production-ready tool for non-technical users, despite the marketing narrative around accessibility.

For non-technical users who want the benefits of autonomous AI agents without the setup complexity, managed platforms like MindStudio are a more practical starting point. You can build agents that complete 800+ tasks per week, integrate with your existing tools, and deploy in minutes—without touching a terminal.

The Cost Reality

OpenClaw itself is free. But running it costs money through API usage.

Token consumption is a major practical concern. The agent re-reads conversation history frequently, which can cause significant API cost spikes. Users report daily costs ranging from a few dollars to over $300 depending on model choice and usage intensity.

Claude Opus is the recommended model for complex tasks but costs $15/$75 per million tokens (input/output). Gemini Flash costs $0.10/$0.40—a 75x difference. Most users settle on Claude Sonnet as a balance between capability and cost.

Monthly costs for typical usage:

• Minimal (few messages/day, Gemini free tier): $0–$5
• Light (~50 messages/day, Claude Haiku): $5–$15
• Moderate (~200 messages/day, mixed models): $15–$50
• Heavy (500+ messages/day, Claude Sonnet): $50–$150
• Power user (all-day usage, Claude Opus): $150–$500+

Infrastructure costs are separate. A Hetzner VPS runs about €4/month. A Mac Mini M4 is a one-time ~$640 purchase. Managed hosting services run $9–$129/month.

OpenClaw and the Broader AI Agent Trend

OpenClaw's viral growth happened because it arrived at exactly the right moment. AI models had become capable enough to reliably execute multi-step tasks. The tooling to wrap those models in an agentic framework had matured. And Steinberger built something that felt like a real product rather than a research demo.

The project demonstrated something important: people want AI that does work, not AI that talks about doing work. That shift—from chat interface to execution engine—is now the central focus of every major AI lab.

Sam Altman said OpenClaw's approach "speaks to where we need to go." OpenAI's decision to hire Steinberger and back the project through a foundation signals that autonomous personal agents are moving from the fringes to the center of AI strategy.

The broader lesson for anyone evaluating AI agents: the technology works. The question is how much infrastructure complexity you're willing to manage to access it. OpenClaw proves the concept. Tools like MindStudio make it accessible to teams who can't afford to spend weeks on setup and security hardening.

Frequently Asked Questions

Is OpenClaw free?

The software itself is free and MIT licensed. You pay for the AI model API calls you make (Anthropic, OpenAI, Google, etc.) and any infrastructure you run it on. There's no subscription fee for OpenClaw itself.

What hardware do I need to run OpenClaw?

Minimum requirements are 2 GB RAM and 2 CPU cores. For cloud-based models, 4–8 GB RAM is recommended. For running local LLMs, you need 16–24 GB RAM. The Mac Mini with Apple Silicon is the community favorite because its unified memory architecture lets the GPU and CPU share the full RAM pool, making large local models practical.

Is OpenClaw safe to use?

It depends on how you deploy it. With proper configuration—dedicated machine, isolated accounts, localhost-only binding, Docker sandboxing, and regular security audits—the risk is manageable. Running it on your primary computer with access to your main accounts is genuinely dangerous. Multiple cybersecurity firms have flagged it as unsuitable for enterprise environments without significant additional controls.

What AI models work best with OpenClaw?

The official recommendation is Claude Opus 4.6 for complex tasks requiring long-context reasoning. Claude Sonnet 4.5 is the most popular choice for everyday use—good capability at reasonable cost. For budget-conscious users, Claude Haiku or Gemini Flash work for simpler tasks. Local models via Ollama work but require significant hardware and produce noticeably worse results than cloud APIs for complex agentic tasks.

How is OpenClaw different from ChatGPT?

ChatGPT is a stateless chat interface—every conversation starts fresh. OpenClaw is a persistent agent that runs 24/7, remembers everything across sessions, executes tasks autonomously, and integrates with your local system and external services. It's the difference between asking someone a question and hiring someone to do ongoing work.

Can non-technical users use OpenClaw?

Technically yes, but practically it's difficult. Installation requires Node.js, command-line familiarity, and understanding of API keys and security configurations. Several managed hosting services (MyClaw.ai, Agent37, EasyClaw) have emerged to lower the barrier, but even with managed hosting, configuring the agent effectively requires some technical understanding. For non-technical users who want autonomous AI agents, managed platforms like MindStudio offer a more accessible path.

What happened to Clawdbot and Moltbot?

They're the same project. Clawdbot was the original name, chosen as a reference to Anthropic's Claude. Anthropic sent a trademark complaint, forcing a rename to Moltbot on January 27, 2026. Three days later, the creator renamed it again to OpenClaw because Moltbot "never quite rolled off the tongue." All three names refer to the same codebase.

Will OpenClaw stay open source now that it's backed by OpenAI?

The stated plan is yes. The project is transitioning to an independent open-source foundation with OpenAI providing financial and technical support—modeled after the Chromium/Chrome relationship. Steinberger made open-source independence a condition of joining OpenAI. Whether that commitment holds long-term remains to be seen, and the open-source community has expressed reasonable skepticism given OpenAI's history with the word "open."