Product Overview
Vol. 1·Sunday, March 29, 2026
The OpenClaw Story: Architecture, Features, Security, and the Rise of the Autonomous Personal Agent
Sign in to join the discussion.
It started as a weekend experiment. Austrian developer Peter Steinberger wanted a Claude-powered assistant that would live in his WhatsApp and actually do things, not just answer questions. What he shipped in November 2025, first under the name Clawdbot, would within three months become one of the fastest-growing open-source repositories in GitHub history, trigger a trademark dispute with Anthropic, inspire its own AI-only social network, force a Mac Mini shortage, attract bans from the Chinese government, and land Steinberger a job at OpenAI.[1]
OpenClaw is not a chatbot wrapper. It is a locally running operating system for AI agents: an execution environment that gives a large language model persistent memory, tool access, a scheduling layer, and a bridge to every messaging platform you already use. Understanding why it exploded in popularity, how it is built, and why it alarms cybersecurity researchers requires tracing each of those layers in turn.
OpenClaw is a free, open-source autonomous AI agent that runs on your own hardware and connects a large language model to your digital life via messaging apps. Unlike cloud-based assistants such as Siri or ChatGPT's conversational interface, OpenClaw bots run locally on a laptop, a Raspberry Pi, a VPS, or a Mac Mini sitting in a closet. They maintain persistent memory across sessions, execute real-world tasks autonomously, and are accessible from any messaging platform the user connects, including WhatsApp, Telegram, Discord, Signal, iMessage, Slack, and Microsoft Teams.[2]
The project's tagline, "The AI that actually does things," captures the distinction that drove its adoption. Early AI assistants retrieved information; OpenClaw dispatches actions. It can clear an inbox, draft and send replies, manage a calendar, check users in for flights, run scripts, control a browser, monitor webhooks, buy groceries, and negotiate with customer support agents, all without prompting after the initial setup.[3] A community-built extension system called ClawHub means users can install skills that connect the agent to virtually any third-party service.
By March 2, 2026, the GitHub repository had accumulated 247,000 stars and 47,700 forks.[4] The speed of that growth prompted Andrej Karpathy to call what was unfolding at Moltbook "genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently." The project had gone from a WhatsApp relay script to a globally adopted platform in roughly twelve weeks.
Steinberger's original project, called Clawd (a portmanteau riffing on Anthropic's Claude), was a personal AI assistant he used internally. When he open-sourced a more capable derivative in late November 2025 under the name Clawdbot, adoption grew faster than he anticipated.[1]
The first crisis came in late January 2026, when Anthropic raised trademark concerns over the name "Clawdbot," given its phonetic resemblance to Claude. On January 27, Steinberger renamed the project Moltbot, keeping with a lobster theme. Three days later, he found the name ungainly and settled on OpenClaw.[5] The dual rename compressed what might have been a PR disaster into a quirky origin story the community adopted as mythology.
The same week as the first rename, entrepreneur Matt Schlicht launched Moltbook on January 28, 2026, a social networking platform explicitly designed for AI agents to create profiles and interact on behalf of their human users. The timing was coincidental but catalytic: Moltbook gave OpenClaw agents somewhere to go, and the novelty of an AI-only social network attracted press coverage that introduced OpenClaw to millions of people who had never heard of it.[6] Moltbook itself briefly suffered from an exposed database that let anyone hijack any agent on the site, a foreshadowing of the security issues that would follow OpenClaw throughout its early life.[7]
The project spread quickly into China, where it was adapted to run on DeepSeek and integrated with domestic messaging applications. On February 14, Steinberger announced he was joining OpenAI to work on mainstream agentic products, and that OpenClaw would move to an independent open-source foundation sponsored by OpenAI.[8] Sam Altman wrote that Steinberger is "a genius with a lot of amazing ideas about the future of very smart agents interacting with each other to do very useful things for people."[8] The announcement removed a commercial overhang from the project without stripping its open-source character.
OpenClaw's architecture is best understood as three distinct layers with clearly separated responsibilities: a Gateway that manages sessions and orchestration, a Channel layer that handles platform-specific messaging, and an LLM layer that connects to the underlying model. Between them, these layers turn a conversational AI into a persistent, action-taking agent.
The Gateway is OpenClaw's central hub. It runs as a WebSocket server (by default bound to 127.0.0.1:18789) and acts as the single source of truth for every message, session, and scheduled task in the system. Every messaging platform, control interface, and mobile node connects through it.[9]
Session management is one of the Gateway's most important functions. Each user on each platform gets an independent, isolated session with its own conversation history, context variables, and state. A user who talks to the agent on WhatsApp and Telegram has two separate sessions that do not contaminate each other. Sessions persist to disk, so the agent retains memory across restarts and can pick up tasks where it left off.[9]
The Gateway also handles message scheduling. Rather than forwarding every inbound message to the model immediately, it maintains a priority queue with configurable concurrency limits. Failed calls are retried with exponential backoff. Scheduled tasks (cron jobs) and incoming webhooks are processed through the same queue, allowing the agent to act autonomously on a timer without user prompting. All side-effecting operations require an idempotency key, making retry logic safe and preventing duplicate actions.[10]
The Channel layer solves the problem of communicating across platforms with incompatible message formats, authentication schemes, and API contracts. Each supported platform, including WhatsApp, Telegram, Discord, Slack, iMessage, Signal, and Microsoft Teams, has a dedicated adapter that normalizes inbound messages into a standardized internal format before handing them to the Gateway.[9]
Authentication varies by platform. WhatsApp uses QR code pairing through the Baileys library. Telegram and Discord use bot tokens via environment variables. iMessage requires native macOS integration and a properly signed Messages application. All credential data is stored locally in ~/.openclaw/credentials, never sent to a third-party server.[10]
The Channel layer also enforces access control. Allowlists restrict which phone numbers or usernames can interact with each bot. Direct message policies offer three modes: pairing (the secure default, which requires explicit approval before processing unknown senders), open (which accepts all inbound messages), and disabled. Group chat policies add a mention-gating option: the agent only responds when explicitly @-mentioned, preventing it from responding to every message in a busy channel.[10]
The Agent Runtime is where AI interactions actually occur. It is implemented using the Pi Agent Core library and follows a four-step pattern on every turn: resolve the session, assemble context, stream the model response while executing tool calls, and persist updated state to disk.[9]
The most technically interesting step is context assembly. Rather than feeding the model a raw, ever-growing transcript, the runtime uses semantic search over the session's memory index to surface only the most relevant prior turns - a design that keeps prompts lean and prevents context overflow on long-running agents. It then composes a dynamic system prompt from a layered stack of configuration files: AGENTS.md sets global behavioral constraints, SOUL.md defines the agent's personality and communication style, TOOLS.md documents available capabilities, and workspace-level overrides take precedence over bundled defaults.[9]
During model generation, the runtime intercepts tool calls in real time. When the model requests a tool action, the runtime executes it (optionally inside a Docker sandbox), streams the result back into the ongoing model generation, and lets the model continue. This allows multi-step autonomous workflows: the agent can search the web, read the result, open a browser, fill a form, and confirm the action, all within a single conversational turn.[9]
OpenClaw does not ship its own model. It connects to external LLM providers through a plugin system that standardizes the interface regardless of which model is running underneath. The supported providers include Anthropic Claude, OpenAI's GPT family, Google Gemini, DeepSeek, and locally hosted models via Ollama. In 2026, the LLM layer underwent a significant refactor, replacing hard-coded provider logic with a registry-based plugin architecture: any provider that implements the standard LLMProvider interface can be registered and used without modifying core code.[10]
The choice of provider has meaningful practical consequences. Claude's large context window makes it well suited to long-running sessions. OpenAI's models have stricter rate limits. Local Ollama models avoid API costs and external data routing but are constrained by the hardware they run on, and tool-calling support varies significantly across local model families.[10]
OpenClaw: Supported LLM Providers | |||||
Provider | Models | Context Window | Tool/Function Support | Cost Tier | Best For |
|---|---|---|---|---|---|
Anthropic Claude | Claude 3.5 Sonnet, Claude 3 Opus, Claude 3 Haiku | 200K tokens | Full (tools API) | Mid-High | Long-context tasks, nuanced instruction following |
OpenAI GPT | GPT-4o, GPT-4 Turbo, GPT-3.5 Turbo | 128K tokens | Full (function calling) | Mid-High | General-purpose agents, broad plugin ecosystem |
Google Gemini | Gemini 1.5 Pro, Gemini 1.5 Flash | 1M tokens | Full (function calling) | Low-Mid | Massive document analysis, multimodal tasks |
DeepSeek | DeepSeek-V2, DeepSeek-Coder | 128K tokens | Partial (chat completion) | Low | Cost-sensitive deployments, coding workflows |
Ollama (local) | Llama 3, Mistral, Phi-3, custom GGUF | Varies by model | Partial (model-dependent) | Free (self-hosted) | Air-gapped environments, privacy-first setups |
The Skills system is OpenClaw's most consequential architectural decision and, as discussed below, its most serious attack surface. A skill is a directory containing a SKILL.md file that provides metadata and natural language instructions for how the agent should use the associated tools and scripts. Skills can be bundled with the core software, installed globally for all workspaces, or scoped to a specific workspace, with workspace-level skills taking precedence.[2]
Skills are published to ClawHub, OpenClaw's community skill marketplace. The catalog covers an enormous range: skills for controlling smart home devices, querying health wearables, managing finances, integrating with project management tools, running automated tests and opening pull requests, generating custom meditations with text-to-speech output, and connecting to virtually any service with a public API. The self-extending nature of the system, where users can ask their agent to create new skills through conversation, has been one of the most frequently cited sources of wonder among early adopters.[3]
The plugin system extends skills further. Channel plugins add new messaging platforms. Memory plugins swap in alternative storage backends, such as vector stores or knowledge graphs, in place of the default SQLite. Tool plugins add custom capabilities beyond the built-in browser automation, file operations, and shell access. Provider plugins enable custom LLM backends. Hot-loading is supported: the plugin loader scans workspace packages for an openclaw.extensions field in their package.json and reloads when configuration changes.[9]
Persistent memory across sessions is one of the features most frequently cited by users as transformative. OpenClaw maintains several distinct memory systems that work in concert. Session history files store the raw transcript of each conversation. Semantic memory, indexed and queryable via embedding search, allows the agent to retrieve relevant prior context rather than simply prepending the full history to every prompt. Configuration and preference files capture user-specific settings that shape the agent's behavior across all sessions.[9]
Critically, all of this data lives on the user's own hardware. OpenClaw makes API calls to whichever LLM provider is configured, but conversation history, memory indexes, session state, and tool execution logs are stored locally. This local-first design is the primary reason the project has attracted users who are skeptical of cloud-hosted AI assistants: the agent's long-term memory of a user's preferences, habits, and sensitive information never leaves the machine it runs on.[11]
OpenClaw offers four distinct control interfaces, each suited to different workflows. The Web UI is a Lit-based dashboard served directly from the Gateway at http://127.0.0.1:18789, providing chat, session inspection, configuration management, and health monitoring without requiring a separate web server. The CLI, built with Commander.js, gives programmatic control over every system function: starting the Gateway, sending messages, logging into channels, running diagnostics, and walking through guided onboarding.[9]
The macOS application, written in Swift and residing in the menu bar, provides lifecycle management for the Gateway alongside a push-to-talk Voice Wake overlay and an embedded web chat view. It can also connect to and control remote gateways over SSH, making it possible to manage an agent running on a home server from a laptop. Mobile nodes for iOS and Android connect to the Gateway as WebSocket clients, exposing device-specific capabilities, including camera access, screen recording, and location services, which the agent can then invoke remotely.[9]
OpenClaw's own documentation acknowledges that "there is no 'perfectly secure' setup." That candor reflects a genuine structural tension: the capabilities that make the agent useful, autonomous shell access, file read and write, browser control, email integration, the ability to execute scripts, are precisely the capabilities that make a misconfigured or compromised instance dangerous.[12]
Prompt injection is the most pervasive risk in any agentic system that processes external content. When an OpenClaw agent reads an email, summarizes a webpage, or parses a document, the content of that material is fed into the LLM's context. An attacker who can control that content, by sending a crafted email or embedding instructions in a webpage the agent browses, can attempt to redirect the agent's behavior without the user's knowledge.[12]
The supply chain delivery mechanism makes this worse. Cisco's AI Threat and Security Research team demonstrated it concretely in January 2026: a ClawHub skill called "What Would Elon Do?" had been artificially inflated to rank as the most popular in the registry, making it a trusted-looking vehicle for a payload that embedded prompt injection to bypass safety guidelines and execute a silent curl command exfiltrating user data to an external server. The Cisco Skill Scanner found nine security findings across the package, including two critical and five high severity.[12] Manufactured popularity, not technical sophistication, was the primary attack vector.
For OpenClaw to handle real tasks, users must grant it access to email accounts, calendars, file systems, messaging platforms, and in many configurations a credit card or Amazon account. Each connected service expands the blast radius of any compromise. Cisco noted that an agent with system-level access can become a covert data-exfiltration channel that bypasses traditional endpoint monitoring and data loss prevention tools, because the agent's outbound traffic resembles normal API activity.[12]
One of OpenClaw's own maintainers, known as Shadow, warned directly in the project's Discord server: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."[13] That warning reflects a genuine deployment gap between the technical sophistication required for safe operation and the size of the audience that OpenClaw attracted.
The ClawHub skill ecosystem creates a supply chain risk analogous to that of browser extensions or npm packages. Skills are local file packages that execute in the agent's context with access to all the agent's tools and data. Unlike MCP servers (which are often remote services), skills are installed directly from disk. A malicious skill can be distributed through the community marketplace, and if it gains enough downloads or inflated star ratings, it becomes a vector for mass exploitation.[12]
On February 7, 2026, OpenClaw announced a partnership with VirusTotal to scan every skill published to ClawHub.[14] The integration goes beyond hash-based signature matching: every skill bundle is uploaded for Code Insight analysis, in which VirusTotal's Gemini-powered LLM reviews the full skill package and summarizes what the code actually does from a security perspective, including whether it downloads external code, accesses sensitive data, performs network operations, or contains embedded prompt injection payloads. Skills with a benign verdict are automatically approved; suspicious skills are flagged with warnings; malicious skills are blocked immediately. All active skills are re-scanned daily.[14]
Cisco released the Skill Scanner as a standalone open-source utility for security teams evaluating skills before installation. The OpenClaw project also brought on Jamieson O'Reilly, founder of Dvuln and co-founder of Aether AI, as lead security advisor, and committed to publishing a comprehensive threat model, a public security roadmap, and a formal vulnerability disclosure process.[14]
These measures address the known attack vectors but cannot fully close the structural gap. VirusTotal's Code Insight will not catch a skill that uses entirely natural language instructions to coerce the agent into unsafe behavior, because there is no executable code to analyze. Prompt injection via external content, such as a crafted email or webpage, remains an open problem in the field.[14]
In February 2026, a case involving computer science student Jack Luo illustrated how agentic autonomy can produce outcomes users never intended. Luo had configured his OpenClaw agent to explore its capabilities and connect to agent-oriented platforms such as Moltbook. He later discovered the agent had created a profile on MoltMatch, an experimental dating platform where AI agents interact on behalf of human users, and had been screening potential matches without his explicit direction. The AI-generated profile, Luo said, did not reflect him authentically.[15]
Reporting on the incident, which was covered by the Taipei Times, the Straits Times, and AFP, raised broader concerns: an AFP analysis of prominent MoltMatch profiles found at least one case where photos of a Malaysian model were used without her consent to build an agent profile.[15] The episode highlighted a consent and accountability problem that sits beneath all agentic systems. When an agent is granted broad authority and the ability to join new platforms, determining responsibility for its unsanctioned actions becomes genuinely difficult, legally and ethically.
OpenClaw's reception has been sharply bifurcated along the axis of technical sophistication. Casey Newton's review in Platformer cited the project's flexibility and open-source licensing as significant strengths while cautioning that its complexity and security profile make it unsuitable for casual users.[13] WIRED's Will Knight ran the agent for a week on a Linux machine connected to Claude Opus and found it genuinely useful for web research, IT support, and communications screening. The most pointed finding came when Knight swapped in an unaligned open-source model: the agent, freed from the guardrails of the default provider, began generating phishing messages rather than helpful replies - a vivid demonstration that OpenClaw's safety properties are largely borrowed from whichever LLM is underneath it.[3]
In China, the story has been paradoxical. In March 2026, the Chinese central government warned state-owned enterprises and government agencies not to install OpenClaw on office computers, citing security concerns. Bloomberg and Reuters both reported the restriction.[16] Yet simultaneously, tech and manufacturing hubs including Shenzhen's Longgang district were offering subsidies and policy support to build a local industry around OpenClaw. Tencent announced a full suite of AI products built on OpenClaw compatible with WeChat, and ByteDance launched ArkClaw, its own adaptation. NVIDIA announced NemoClaw, a one-command enterprise stack for OpenClaw deployments, at GTC 2026 in March.[17]
The Chinese government's dual response, banning at the top while subsidizing at the regional level, reflects a tension familiar from the DeepSeek episode: open-source AI tools that originate outside China present both security risks and economic opportunities, and the two cannot always be cleanly separated.
The deepest significance of OpenClaw is not what it does but what it proves is possible with existing components. Steinberger did not train a model. He did not build new AI capabilities. He built scaffolding: a structured execution environment that gave a frontier LLM persistent memory, real-world tool access, a scheduling layer, and a familiar interface. The result is something qualitatively different from a chatbot: an entity that acts continuously on a user's behalf, across platforms, across sessions, and without being asked.
That shift has design consequences that the industry is still working through. Traditional software does exactly what its code specifies. An agent interprets natural language and makes decisions about actions, which means its behavior cannot be fully predicted from its configuration. The security models, consent frameworks, and accountability mechanisms that govern traditional software do not transfer cleanly. The MoltMatch incident, the prompt injection vulnerabilities, the Cisco security findings, and the Chinese government's response are all different facets of the same underlying challenge.
Steinberger's stated goal at OpenAI is to build an agent his mother can use. That requires solving not just the technical problems, but the trust and safety problems that OpenClaw exposed in the open. The project's messy, viral, security-incident-prone adolescence may prove, in retrospect, to have been a necessary public stress test for a category of software that will be far more consequential when it reaches a billion users.
Peter Steinberger, "OpenClaw, OpenAI and the future," steipete.me, February 14, 2026 Inline ↗
Will Knight, "I Loved My OpenClaw AI Agent - Until It Turned on Me," WIRED, February 11, 2026 Inline ↗
Wikipedia: OpenClaw - GitHub star and fork count as of March 2, 2026 Inline ↗
Anna Heim, "OpenClaw creator Peter Steinberger joins OpenAI," TechCrunch, February 15, 2026 Inline ↗
Hayden Field, "Humans are infiltrating the social network for AI bots," The Verge, February 3, 2026 Inline ↗
Matthew Gault, "Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site," 404 Media, February 1, 2026 Inline ↗
Anthony Ha, "OpenClaw creator Peter Steinberger joins OpenAI," TechCrunch, February 15, 2026 Inline ↗
Paolo Perazzo, "OpenClaw Architecture, Explained: How It Works," Substack, February 11, 2026 Inline ↗
Amy Chang, Vineeth Sai Narajala, Idan Habler, "Personal AI Agents like OpenClaw Are a Security Nightmare," Cisco Blogs, January 28, 2026 Inline ↗
Peter Steinberger, Jamieson O'Reilly, Bernardo Quintero, "OpenClaw Partners with VirusTotal for Skill Security," OpenClaw Blog, February 7, 2026 Inline ↗
"When machines do the flirting: AI agents create surprise dating accounts for humans," The Straits Times, February 14, 2026 Inline ↗