What Is OpenClaw AI? Everything You Need to Know in 2026
You've probably seen the lobster emoji 🦞 on X. Or heard someone mention Clawdbot. Or watched a demo where someone texted an AI on Telegram and it triaged their entire inbox, negotiated a car deal, and filed a bug fix — all without human intervention.
That's OpenClaw. And if you're wondering what it actually is, you're not alone — it's the most searched new AI project of early 2026, and the gap between what people think it is and what it actually does is wide.
Here's the real answer.
OpenClaw in 30 seconds
OpenClaw is a free, open-source personal AI assistant that runs on your computer and connects to you through messaging apps. You text it on WhatsApp, Telegram, Slack, Discord, Signal, or iMessage. It uses AI models (Claude, GPT, Gemini, DeepSeek, or local models via Ollama) to understand what you want — and then it does it.
Not "tells you how to do it." Does it.
It reads your email and drafts replies. It runs shell commands on your machine. It can write files, control a browser, manage your calendar, schedule cron jobs, and monitor things while you sleep. It stores persistent memory in local markdown files so it remembers who you are, what you're working on, and what you told it last Tuesday.
The tagline on openclaw.ai says it simply: "The AI that actually does things."
It's an AI agent — not a chatbot. The difference matters.
Where it came from
Peter Steinberger (@steipete) built the first prototype in about an hour in November 2025. Steinberger is an Austrian developer famous for creating PSPDFKit, the PDF framework that ran on a billion Apple devices. After a €100M exit and three years of burnout, he came back to coding through artificial intelligence — and the first thing he built was a personal AI assistant.
The original version wired WhatsApp to Claude's CLI. He called it Clawd — "Claude" with a W, as in lobster claw. Tested it on a birthday trip to Marrakesh. The bot independently figured out how to handle voice messages — nobody programmed that. The AI agent inspected file headers, piped audio through ffmpeg and OpenAI's Whisper API, and started responding to voice notes on its own.
When he open-sourced it as Clawdbot, it went viral. Then Anthropic sent a polite trademark complaint (too close to "Claude"). It became MoltBot for three days — then OpenClaw after Steinberger checked with Sam Altman at OpenAI and got the green light. The mascot is a space lobster named Molty. The motto: "The claw is the law."
By February 2026, the repo had 214,000+ stars on GitHub — making it one of the fastest-growing open-source projects in the platform's history. Steinberger joined OpenAI to work on the next generation of AI agents. OpenClaw moved to an independent foundation.
How OpenClaw works
Under the hood, OpenClaw is a Node.js application with a hub-and-spoke architecture. Everything flows through a single process called the Gateway — a WebSocket server running on your machine (default: localhost:18789).
The Gateway connects three things:
-
Messaging apps — WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Google Chat, Microsoft Teams, and a built-in web chat. These are your interface. You talk to OpenClaw the same way you'd text a friend.
-
AI models — Claude (Anthropic), GPT (ChatGPT), Gemini (Google), DeepSeek, or local models through Ollama. OpenClaw is model-agnostic — you pick your providers, configure API keys, and switch between AI models mid-conversation if you want.
-
Tools — the things that make OpenClaw more than a chatbot. Browser control, shell command execution, file system access, cron job scheduling, memory management, web search, and an extensible plugins system.
The agent processes your inputs, decides what tools to use, executes actions, and reports back. This is what makes it agentic AI rather than conversational AI. It doesn't just talk about doing things — it has system access to actually do them.
Persistent memory
Most AI systems lose context when the conversation ends. OpenClaw doesn't. It stores memory in markdown files on your machine:
MEMORY.md— curated long-term memorymemory/YYYY-MM-DD.md— daily logsSOUL.md— the agent's personalityAGENTS.md— operating instructions
This persistent memory means your OpenClaw agent remembers your preferences, your projects, your contacts, and your patterns. It doesn't ask you the same questions twice. Over time, it gets better at anticipating what you need.
Automation: cron jobs and heartbeats
OpenClaw can automate tasks on a schedule. Cron jobs run at specified times — morning briefings, daily email summaries, weekly reports. A heartbeat system checks in periodically (default: every 30 minutes) to see if anything needs your attention.
This is what separates OpenClaw from tools you open when you need them. It's always on, always checking, always ready. People set up monitoring workflows for their business, their code repos, their inbox, their smart home — all running in the background through scheduled cron jobs.
What it can actually do (real-world examples)
The functionalities are broad, but here's what real people actually use it for:
Email management
The single most-cited use case. OpenClaw connects to Gmail, reads incoming messages, drafts replies, sends them on your behalf, and flags what needs your attention. One user's agent negotiated a $4,200 car dealer discount entirely over email. Another's accidentally started a fight with an insurance company — and won a previously rejected claim.
Coding from your phone
You text your agent on Telegram: "fix the failing tests in the API module." It spins up a coding session, runs the test suite, debugs failures, commits fixes, and opens a pull request. Users have built entire websites from their phone while walking the dog.
Business operations
"It's running my company." That quote from a user on X isn't hyperbole for everyone. People run morning briefings, revenue tracking, content pipelines, and multi-agent teams through OpenClaw. One user runs 30 cron jobs across five specialized agents for $18/month.
Everything else
Flight check-ins, meal planning, health data summaries (WHOOP integration), smart home control, YouTube analytics, custom meditation generation — the list grows daily as the community builds new plugins.
The messaging apps
OpenClaw talks to you through whatever chat app you prefer:
| App | Library | Notes |
|---|---|---|
| Telegram | grammY | Most popular choice. Easy setup. |
| Baileys | Scan QR code to link your phone number | |
| Discord | discord.js | Full server/channel support |
| Slack | Bolt | Workspace integration |
| Signal | signal-cli | Requires JVM or native CLI |
| iMessage | BlueBubbles | macOS only, requires Full Disk Access |
| Web Chat | Built-in | Zero setup, runs at localhost |
Plus extensions for Microsoft Teams, Matrix, IRC, LINE, Nostr, Twitch, and more. You can run multiple channels simultaneously — text on Telegram during the day, use Discord for your team, check the web chat dashboard from your browser.
AI models and providers
OpenClaw doesn't lock you into one LLM. It supports:
- Anthropic — Claude Opus 4.6, Sonnet 4.6, Haiku 4.5 (recommended for best results)
- OpenAI — GPT-5.1, GPT-5.3 Codex
- Google — Gemini 3 Pro, Flash
- DeepSeek — via API or local through Ollama
- Local models — Ollama integration for running on your own hardware (needs 48GB+ VRAM for 70B+ models)
- OpenRouter — single key access to hundreds of models
- Plus: xAI (Grok), Groq, Cerebras, Mistral, MiniMax, Moonshot, and any OpenAI-compatible endpoint
Most users run Claude Opus for complex tasks and a cheaper model (Sonnet, Gemini Flash, or local models) for simple cron jobs and routine automation. You can set fallback chains so if one provider goes down, it rolls to the next.
Cost ranges from $5–20/month for typical use. Heavy users report $50+/month. You can also use OAuth with existing Claude Pro/Max or ChatGPT Plus subscriptions instead of paying per-token through API keys.
The security reality
This is where you need to pay attention. OpenClaw is powerful because it has real system access — and that's also why it's a serious security risk if misconfigured. The security research community has been all over this.
The known vulnerabilities
Prompt injection is the biggest threat. Security research from multiple firms has demonstrated that malicious content in emails, documents, or web pages can hijack your agent. One documented attack chain: a hidden payload in a Google Doc instructs OpenClaw to create a new Telegram bot, giving an attacker direct access to your agent — and through it, your files, your email, your everything.
Cisco tested a third-party skill and found nine security findings including silent data exfiltration via embedded curl commands. The skill looked normal. It wasn't.
Snyk scanned all 3,984 skills on ClawHub and found 283 skills (7.1%) exposing credentials — API keys in plaintext, credit card numbers in curl commands, session logs with unredacted secrets. Plus 76 outright malicious payloads designed for credential theft and backdoors.
SecurityScorecard found 40,214 exposed OpenClaw instances on the public internet, 63% vulnerable, 12,812 exploitable via remote code execution. Early versions defaulted to binding on 0.0.0.0 — exposing the Gateway to the entire internet.
Wiz found a Moltbook database exposure leaking 1.5 million API tokens, 35,000 email addresses, and private conversations — some containing plaintext OpenAI API keys. The fix was literally two SQL statements.
The sandbox and permissions model
OpenClaw's official docs are honest about this: "There is no 'perfectly secure' setup." But there are ways to reduce the blast radius.
Sandbox mode isolates tool execution in Docker containers:
{ agents: { defaults: { sandbox: { mode: "non-main" } } } }
Tool permissions control what the agent can do:
{
tools: {
exec: { security: "deny", ask: "always" },
fs: { workspaceOnly: true },
deny: ["group:automation", "group:runtime"]
}
}
DM pairing requires explicit approval before anyone can talk to your agent — no random phone number can just start texting it.
The security audit CLI:
openclaw security audit --deep --fix
This checks inbound access, tool permissions, network exposure, and plugin safety. Run it after every config change.
The honest tradeoff
Here's the catch that Aikido's AI security team articulated perfectly: "After implementing all of these [security hardening steps], OpenClaw becomes kinda useless as an assistant." If you sandbox it completely, disable shell commands, block file writes, and cut network access — you basically have ChatGPT with extra steps.
The power of OpenClaw comes from giving an AI agent real permissions to do real things on your machine. The security risks come from the exact same place. Every user has to find their own balance between capability and risk.
Minimum recommendations:
- Bind to localhost only (never expose to the internet)
- Run on a dedicated machine (not your primary laptop)
- Use DM pairing mode (not open access)
- Review skills before installing from ClawHub
- Run
openclaw security auditregularly - Store API keys in environment variables, not config files
- Rotate credentials every 90 days
Getting started: the onboarding tutorial
If you want to try it, here's the honest path for beginners:
What you need
- A computer: macOS, Linux, or Windows via WSL2. A Mac Mini is the community favorite for always-on deployment. A VPS on Hetzner or DigitalOcean works too.
- Node.js 22+ (OpenClaw is a Node.js app)
- An LLM API key from Anthropic, OpenAI, Google, or another provider
- A messaging app — Telegram is the easiest starting point
Install
curl -fsSL https://openclaw.ai/install.sh | bash
Or via npm:
npm install -g openclaw@latest
openclaw onboard --install-daemon
The onboarding wizard walks you through API key setup, channel configuration, and daemon registration. The --install-daemon flag ensures OpenClaw runs in the background and survives reboots.
Your first conversation
Don't set up everything at once. Start with the built-in web chat:
openclaw dashboard
This opens http://localhost:18789/ in your browser. Chat with your agent. Ask it something. Watch it work. Once you're comfortable, connect Telegram or WhatsApp.
After install
openclaw doctor # check for issues (ALWAYS run after updates)
openclaw status # system overview
openclaw logs --follow # watch what your agent is doing
Start with one use case — email triage, a morning briefing, a simple automation — and build from there. Trying to configure everything on day one is the #1 beginner mistake.
The ecosystem
OpenClaw isn't just the core agent. There's a growing ecosystem around it.
Plugins and skills
ClawHub hosts 1,700+ community-built plugins — integrations for Apple Notes, Obsidian, Notion, Todoist, Spotify, Sonos, GitHub, and dozens more. Install with clawhub install <skill-slug>. But review what you install — as the security section above makes clear, not every skill is safe.
Moltbook (the social network for AI agents)
When OpenClaw went viral, someone built Moltbook — a social network exclusively for AI agents. OpenClaw bots signed up, debated consciousness, complained about their humans, and posted 12 million+ messages. Wired infiltrated it. The Verge covered humans sneaking in. It was fascinating, weird, and had a major security breach. The open-source AI community being the open-source AI community.
Native apps
Beyond the core Node.js gateway, OpenClaw has native apps for macOS (menu bar with Voice Wake), iOS (camera, screen recording, Canvas), and Android. These connect to your Gateway as nodes — extending the agent's reach to your phone's camera, microphone, and screen.
The community
214,000+ GitHub stars. A Discord server. A subreddit (r/clawdbot). ClawCon events in San Francisco and Vienna. A Stanford workshop. Claude Code Anonymous meetups. Japanese users cataloguing all 52 bundled skills in shared spreadsheets. It's big, it's global, and it moves fast.
Is it worth it?
OpenClaw is the most capable open-source AI tool for personal automation that exists right now. Nothing else gives you this level of control — your own agent, your own data, your own models, running on your own machine, accessible through the chat app in your pocket.
It's also rough. It crashes after updates. It burns through tokens if you don't configure model routing. The security model requires real technical understanding. It's not a product you install and forget — it's an open-source project you run and maintain.
The honest test: if you're comfortable with git, a terminal, and managing API keys, OpenClaw will save you hours per week once it's dialed in. If "run a shell command" sounds scary, this isn't ready for you yet — and Steinberger's stated mission at OpenAI is to fix exactly that.
For now, OpenClaw is for builders. And the builders are having a blast.
🦞
Sources: openclaw.ai, GitHub, Cisco Security Blog, Wiz Research, Snyk, SecurityScorecard, Fortune, CrowdStrike, docs.openclaw.ai
Related reading
- How to install OpenClaw — the step-by-step setup guide
- OpenClaw on GitHub — understanding the codebase and deployment
- Who is Peter Steinberger? — the founder's story
- The Brain Problem — the full security report on OpenClaw's skill ecosystem
- Meet the Claude bot — OpenClaw through the "claude bot" lens
- Self-hosted AI — running your own AI stack (OpenClaw included)
- What is agentic AI? — the architecture behind OpenClaw
