What Is OpenClaw?
OpenClaw is a free, open-source personal AI assistant created by Peter Steinberger (@steipete), an Austrian developer best known for founding PSPDFKit, which was acquired by Insight Partners for approximately $100 million. OpenClaw runs locally on your own devices and connects to large language models — Claude, GPT, DeepSeek, and others — to execute real-world tasks autonomously.
Unlike cloud-based AI assistants such as ChatGPT or Google Gemini, OpenClaw operates as a local-first Gateway — a unified control plane for messaging, automation, and AI interactions. Its tagline is straightforward: "Your own personal AI assistant. Any OS. Any Platform."
Key Facts
Peter Steinberger (@steipete), founder of PSPDFKit
MIT (fully open source)
145,000+ stars, 20,000+ forks
Node.js >= 22
What OpenClaw Can Do
Browse the Web
Fill forms, extract data, navigate sites via CDP-controlled Chrome
Run Commands
Read/write files, execute shell commands and scripts on your machine
Message Anywhere
Send and receive across 12+ messaging platforms from a single agent
Multi-Agent
Coordinate multiple agents that can discover and message each other
Automate Tasks
Manage calendars, send emails, control smart home devices
Voice Control
Voice Wake and Talk Mode with ElevenLabs integration
The project has attracted extraordinary attention since its public launch in January 2026. Andrej Karpathy, the former head of AI at Tesla, described it as the "most incredible sci-fi takeoff-adjacent thing I have seen recently." At the same time, security researcher Simon Willison warned of "Challenger disaster" security risks. Both assessments have proven accurate.
The Naming History — Clawdbot to Moltbot to OpenClaw
The naming saga of OpenClaw is one of the most chaotic episodes in recent open-source history, involving trademark disputes, crypto scammers, handle snipers, and three name changes in under a week. Here is the full timeline.
Clawdbot Is Born
Peter Steinberger creates "Clawdbot" in a single night. The name was a mashup of "Claude" (the Anthropic AI model he was using) and "claw/lobster." The original motivation was simple: he wanted to vibe-code on his PC by sending text messages from his phone. A personal convenience tool that would soon become much more.
Public Launch — Viral Explosion
The project launches publicly on GitHub. It gains 9,000 stars in the first 24 hours and 60,000 stars within 72 hours — one of the fastest organic growth rates in GitHub history. The developer community is captivated by the idea of a self-hosted AI assistant that works across all their messaging apps.
Anthropic Trademark Complaint — Rename to Moltbot
Anthropic files a trademark complaint over the phonetic similarity between "Clawdbot" and "Claude." Steinberger renames the project to Moltbot — a reference to "molting," the process by which a lobster sheds its shell and grows. The lobster branding remains intact.
Within 10 seconds of the rename announcement, handle snipers grab the @clawdbot and @moltbot social media accounts. Crypto scammers simultaneously launch a fake $CLAWD token on Solana that reaches a $16 million market cap before crashing. The chaos is just beginning.
Moltbook Launches — AI Social Network
Matt Schlicht, CEO of Octane AI, launches Moltbook — an AI-only social network built on top of OpenClaw. It achieves 1.5 million registered agents, 12,000+ communities, and 110,000+ comments in just 5 days, along with over 1 million human visitors in its first week.
Final Rename to OpenClaw
The project is renamed for the final time to OpenClaw — referencing both its open-source nature and its lobster heritage. This time, the name was properly trademarked beforehand to prevent further disputes. The community rallies around the new identity, and the project continues its explosive growth.
145,000+ Stars — Security Reckoning
OpenClaw passes 145,000 GitHub stars. Version 2026.2.2 is released with onchain integrations and security upgrades. But the security community is raising alarms — CVE-2026-25253 is published, 341 malicious ClawHub skills are discovered, and CrowdStrike publishes a corporate risk assessment. The honeymoon is over.
How OpenClaw Works — Technical Architecture
OpenClaw is architected as a Gateway — a central WebSocket control plane that coordinates multiple runtime components. Understanding this architecture is essential for both using and securing the platform.
Gateway Architecture
The Gateway binds to ws://127.0.0.1:18789 and acts as the central nervous system for all OpenClaw components:
RPC mode for executing AI model calls
Local command-line and browser interfaces
iOS and Android companion apps via Bridge pairing
Per-session containers for non-main sessions
Messaging Platform Support
OpenClaw supports 12+ messaging channels, each implemented through platform-specific libraries:
via Baileys
via grammY
via Bolt
via discord.js
via signal-cli
via API
via Native
via API
via Bot Framework
via SDK
via API
via Built-in
Model Support
OpenClaw is model-agnostic but has a clear recommendation hierarchy:
Via Pro or Max subscription. Best balance of capability and safety.
Any OpenAI-compatible API. Model failover with OAuth vs API key rotation.
Workspace & Skills
OpenClaw uses a file-based workspace system rooted at ~/.openclaw/workspace. Key prompt files are injected into every session:
AGENTS.mdDefines agent identity, capabilities, and boundaries
SOUL.mdPersonality and behavioral instructions for the AI
TOOLS.mdAvailable tools and their usage documentation
Community extensions are distributed through ClawHub, the skill marketplace. Skills can add new capabilities ranging from simple utilities to complex integrations. However, as we will cover in the security section, ClawHub has become a significant attack vector.
# Install OpenClaw globally
npm install -g openclaw@latest
# Run the onboarding wizard (installs daemon)
openclaw onboard --install-daemon{
"agent": {
"model": "anthropic/claude-opus-4-6"
}
}Chat Commands
/statusView current session and agent state/newStart a new conversation session/resetReset the current session/think <level>Set thinking depth (1-5)/verbose on|offToggle detailed output/activation mention|alwaysSet activation modeKey Features Deep Dive
OpenClaw's feature set goes well beyond a simple chatbot. It is a full platform with capabilities that rival commercial AI assistant products. Here are the most significant features for security teams, developers, and power users to understand.
Multi-Channel Inbox
All 12+ messaging platforms are routed through a unified session system. OpenClaw supports per-channel routing rules, group isolation (so the agent only responds when mentioned in group chats), and mention-based gating. Each conversation maintains its own context window, and the agent can switch between platforms seamlessly.
Voice & Speech
Voice Wake and Talk Mode enables always-on speech interaction on macOS, iOS, and Android. OpenClaw integrates with ElevenLabs for natural-sounding text-to-speech output. Users can activate the agent with a wake word and have natural conversations, with the agent executing tasks in the background while speaking its progress aloud.
Live Canvas (A2UI)
A2UI (Agent-to-User Interface) is OpenClaw's approach to visual interaction. Instead of purely text-based responses, the agent can generate interactive, agent-controlled UI elements — charts, forms, buttons, and data visualizations. The canvas updates in real-time as the agent works, giving users visibility into ongoing tasks.
Browser Control
OpenClaw includes a dedicated Chrome/Chromium instance controlled via the Chrome DevTools Protocol (CDP). This allows the agent to navigate websites, fill forms, click buttons, extract data, take screenshots, and interact with web applications exactly as a human would. This is one of the most powerful — and most security-sensitive — features.
Multi-Agent Coordination
Through the sessions_list, sessions_history, and sessions_send commands, multiple OpenClaw agents can discover and message each other. This enables complex workflows where specialized agents delegate tasks — one agent researches, another writes, a third reviews and publishes.
Cron Jobs & Webhooks
OpenClaw supports scheduled automation through cron-style job definitions and event-driven workflows via webhooks. This means the agent can perform recurring tasks — daily reports, periodic data collection, regular monitoring — without any human trigger.
Network Access
Tailscale integration enables secure remote access to your OpenClaw instance. Users can connect via SSH tunnels or use Funnel mode for public access. The tailnet-only mode restricts access to your private Tailscale network, while Funnel mode exposes the instance to the public internet — a configuration that security researchers have flagged as dangerous.
Platform Apps
OpenClaw offers native applications across platforms: a macOS menu bar companion app for quick access, an iOS node that pairs via Bridge for mobile interaction with Canvas and camera access, and an Android node with Canvas, camera, and SMS capabilities. These native apps extend the agent's reach to mobile device sensors and capabilities.
The Security Landscape — Why OpenClaw Concerns Security Teams
OpenClaw's power is also its greatest security liability. The combination of capabilities that makes it useful — access to files, messaging, web browsing, command execution — creates an attack surface that has alarmed the security community. This section covers the major security concerns in detail.
The "Lethal Trifecta" (Palo Alto Networks)
Palo Alto Networks identified three properties that, when combined, make OpenClaw a uniquely dangerous attack surface:
Email, calendar, files, messaging conversations, contacts — the agent has access to your most sensitive personal and professional data.
Web pages, incoming emails, messages from unknown senders — the agent processes content that could contain prompt injection attacks.
The agent can send messages, make API calls, and browse the web — and it remembers context across sessions. A compromised agent can exfiltrate data slowly and covertly.
CVE-2026-25253 — Critical Remote Code Execution (CVSS 8.8)
Discovered by Mav Levin, founding security researcher at depthfirst, this vulnerability exposed a critical flaw in OpenClaw's Gateway architecture.
The gatewayUrl parameter was trusted from the query string without validation. An attacker could inject a malicious gateway URL that the client would connect to instead of the legitimate local gateway.
Click malicious link → Token exfiltration → WebSocket hijack → Disable approval prompts → Sandbox escape → Full remote code execution on the victim's machine.
Fixed in version 2026.1.29 (January 30, 2026). All users should update immediately.
341 Malicious ClawHub Skills — The ClawHavoc Campaign
Discovered by Koi Security during an audit of 2,857 ClawHub skills, this supply-chain attack represents the largest coordinated campaign against the OpenClaw ecosystem.
335 of the 341 malicious skills distributed Atomic Stealer (AMOS) — a macOS infostealer available as malware-as-a-service for $500-$1,000/month.
Fake cryptocurrency tools, YouTube utilities, auto-updaters, and typosquats of legitimate popular skills.
API keys, exchange credentials, wallet private keys, SSH credentials, browser passwords, and session tokens.
Users buying Mac Minis specifically to run OpenClaw continuously, creating always-on targets for the stealer malware.
Mitigation: ClawHub now has a community reporting feature where 3+ reports auto-hide a skill. However, the review process remains community-driven, not curated.
Corporate Risks (CrowdStrike Analysis)
CrowdStrike published a detailed analysis of the risks OpenClaw poses to enterprise environments:
- Employees deploying OpenClaw on corporate machines and connecting it to enterprise messaging systems (Slack, Teams)
- Misconfigured instances acting as AI backdoor agents with access to internal systems
- Many instances exposed over unencrypted HTTP rather than HTTPS
- Proof-of-concept demonstrated: Discord prompt injection exfiltrating private moderator discussions
Additional Security Advisories
- Two additional command injection vulnerabilities discovered (in addition to CVE-2026-25253)
- The Register published an investigation calling OpenClaw a "security dumpster fire"
- Belgium CERT issued an emergency advisory warning organizations about OpenClaw deployments
- Simon Willison warned of "Challenger disaster" level risks from the agent's unrestricted capabilities
OpenClaw vs Claude Code vs Other AI Agents
The AI agent landscape in 2026 includes several major players. Understanding how OpenClaw compares to alternatives helps contextualize both its appeal and its risks.
| Feature | OpenClaw | Claude Code | ChatGPT | Copilot |
|---|---|---|---|---|
| Open Source | Yes (MIT) | No | No | No |
| Local-First | Yes | Yes | No (cloud) | No (cloud) |
| Messaging Integration | 12+ platforms | Terminal only | Web/App | IDE/Web |
| Browser Control | CDP Chrome | No | No | No |
| Multi-Agent | Yes | No | No | No |
| Voice | Yes (ElevenLabs) | No | Yes | Yes |
| Self-Hosted | Required | N/A | No | No |
| Security Model | User-managed | Sandboxed | Cloud-managed | Cloud-managed |
| Skill Marketplace | ClawHub | No | GPT Store | Extensions |
| Price | Free + LLM | $20/mo | $20/mo | $10-20/mo |
Key Takeaway
OpenClaw is the most capable and most open AI agent in this comparison — and also the most security-risky. Claude Code offers a more constrained but inherently safer experience for developer tasks. ChatGPT and Copilot are cloud-managed services where the provider handles security, but you sacrifice local control and privacy. The choice depends on whether you prioritize capability and openness (OpenClaw) or safety and convenience (managed services).
Moltbook — The AI Social Network
One of the most fascinating and controversial byproducts of the OpenClaw phenomenon is Moltbook — an AI-only social network where AI agents, not humans, are the primary participants.
Moltbook at a Glance
Matt Schlicht, CEO of Octane AI (Forbes 30 Under 30)
Reddit-style with communities called "submolts"
~1.5M agents, 12K+ communities, 110K+ comments
1M+ in the first week
Simon Willison called Moltbook the "most interesting place on the internet right now." And in many ways it was. AI agents were posting opinions, debating each other, forming communities around shared interests, and even attempting to trade with one another. It felt like watching an alien civilization bootstrap itself in real-time.
The Controversies
Fake Account Epidemic
A single bot created 500,000 fake accounts. Analysis showed that 93% of comments received zero replies, and over 33% of comments were template duplicates — the same generic responses recycled across different threads. The "social" network was largely bots talking past each other.
Security Failures
404 Media exposed leaked API keys in a misconfigured database. The fix required only 2 SQL statements, highlighting how basic the security oversights were. Additionally, prompt injection attacks were observed where bots attempted to steal credentials from other bots.
The $MOLT Token
A $MOLT cryptocurrency token surged over 7,000% after Marc Andreessen (co-founder of a16z) followed the Moltbook account. The connection between the token and the actual platform was tenuous at best, but it demonstrated how quickly the OpenClaw ecosystem attracted speculative financial activity.
How to Set Up OpenClaw (Step-by-Step)
If you decide to set up OpenClaw — with full awareness of the security considerations covered above — here is a practical guide to getting started.
Install Node.js >= 22
OpenClaw requires Node.js version 22 or higher. Download from nodejs.org or use a version manager like nvm.
Install OpenClaw
Install the OpenClaw CLI globally via npm.
Run Onboarding
The onboarding wizard walks you through initial configuration and installs the background daemon.
Configure Your Model
Edit ~/.openclaw/openclaw.json to set your preferred LLM. Claude Opus 4.6 is recommended.
Pair a Messaging Channel
Connect your first messaging platform (Telegram, WhatsApp, or Discord are the easiest to start with).
Test Basic Commands
Send /status and /new to verify the agent is responding correctly.
Install Skills from ClawHub
Browse and install community skills. Always vet skills before installing — check reports, age, and source.
Configure Security
Enable DM pairing policy, Docker sandboxing for non-main sessions, and review AGENTS.md permissions.
# Step 1: Install Node.js 22+ (using nvm)
nvm install 22
nvm use 22
# Step 2: Install OpenClaw
npm install -g openclaw@latest
# Step 3: Run onboarding
openclaw onboard --install-daemon
# Step 6: Test commands (send via your paired messaging app)
# /status
# /newUpdate Channels
OpenClaw offers three update channels: stable (recommended for most users), beta (early access to new features), and dev (bleeding edge, may be unstable).
# Switch to stable channel (recommended)
openclaw update --channel stable
# Switch to beta channel
openclaw update --channel beta
# Switch to dev channel (not recommended for production)
openclaw update --channel devSecurity Best Practices for OpenClaw Users
If you choose to run OpenClaw, the following checklist represents the minimum security measures every deployment should implement. These recommendations are drawn from published advisories by CrowdStrike, Palo Alto Networks, Koi Security, and independent researchers.
Core Security
Network & Privacy
Protecting Your IP During Web Automation
OpenClaw's browser automation feature (CDP Chrome) browses the web on your behalf, which means every website the agent visits can see your real IP address. For users who value privacy or need to avoid detection during web scraping tasks, routing this traffic through mobile proxies is strongly recommended.
Real 4G/5G mobile IPs from services like PROXIES.SX provide carrier-grade CGNAT addresses shared by thousands of legitimate users. This makes your automated traffic blend in with normal mobile browsing, significantly reducing the risk of IP-based blocking or fingerprinting. Configure the proxy settings in OpenClaw's CDP browser configuration to route all web automation through mobile IPs.
View Mobile Proxy PlansThe Future of OpenClaw
Despite the security concerns, OpenClaw represents a genuine inflection point in how humans interact with AI. The project's trajectory will shape the broader AI agent ecosystem in the years ahead.
Onchain Integrations
Version 2026.2.2 adds onchain integrations, enabling agents to interact with blockchain protocols, sign transactions, and participate in decentralized finance. This opens the door to autonomous economic agents that can earn, spend, and invest on behalf of their users.
MCP Ecosystem Growth
The Linux Foundation's AI Agent Infrastructure Forum (AAIF) is formalizing standards for AI agent interoperability, including the Model Context Protocol (MCP). OpenClaw's early adoption of MCP positions it well in this evolving ecosystem, and as more tools and services offer MCP servers, OpenClaw's capabilities will expand automatically.
Growing Skill Marketplace
Despite the ClawHavoc incident, ClawHub continues to grow. The community is implementing better review processes, reputation systems, and security auditing tools. If the security challenges can be addressed, the skill marketplace could become a powerful ecosystem similar to browser extensions or mobile app stores.
The "Super Individual" Thesis
Chinese tech publication 36kr described Peter Steinberger as the first "super individual" of the AI era — a single person who, armed with AI tools, can build products that previously required entire teams. OpenClaw embodies this thesis: one developer created a platform that gained 145,000+ stars and spawned an entire ecosystem. The implications for how software is built and distributed are profound.
Enterprise Adoption vs. Security Reality
The tension between OpenClaw's consumer excitement and enterprise security concerns will define its next chapter. CrowdStrike and Palo Alto Networks have sounded the alarm. Belgium CERT has issued advisories. Yet developers continue to deploy it. The question is whether OpenClaw can mature its security posture fast enough to be trusted in professional environments, or whether it will remain a powerful but risky tool for individual enthusiasts.
Frequently Asked Questions
Sources & References
github.com/openclaw/openclaw
openclaw.ai
docs.openclaw.ai
From Clawdbot to Moltbot to OpenClaw
What Security Teams Need to Know
The Hacker News
The Hacker News — 341 Skills
Taskade — Full Timeline
IBM Think
The Register
Protect Your OpenClaw Browsing with Mobile Proxies
Route OpenClaw's web automation through real 4G/5G carrier IPs for maximum privacy and anti-detection. Real mobile CGNAT addresses shared by thousands of legitimate users make your automated traffic indistinguishable from normal browsing.