What Is OpenClaw? The Complete Guide to the Open-Source AI Agent Reshaping How We Use Computers

OpenClaw is a free, open-source AI agent that runs on your own computer and autonomously executes real-world tasks. Created by Peter Steinberger, it has 310,000+ GitHub stars but over 60 CVEs. Here's everything you need to know.

Stan Sedberry

Last updated: March 24, 2026

OpenClaw is a free, open-source AI agent that runs on your own computer and autonomously executes real-world tasks — sending emails, managing calendars, browsing the web, writing code, and automating workflows — all through the messaging apps you already use. Created by Austrian developer Peter Steinberger in November 2025, it has become one of the fastest-growing open-source projects in history, amassing over 310,000 GitHub stars in under four months and drawing endorsements from NVIDIA CEO Jensen Huang, who called it "probably the single most important release of software ever."

But OpenClaw is also one of the most controversial AI projects of the decade. Security researchers have flagged over 60 CVEs, Gartner labeled it "insecure by default," China banned it from government computers, and crypto scammers hijacked its abandoned social accounts to launch a $16 million pump-and-dump token. OpenClaw sits at the exact intersection of transformative utility and serious risk — a mirror of the agentic AI era itself.

What Is OpenClaw AI?

OpenClaw is a self-hosted agent runtime and message router — software that turns large language models (LLMs) like Claude, GPT, or open-source alternatives into autonomous digital workers that can take real actions on your behalf.

Unlike ChatGPT or Claude, which generate text in response to prompts, OpenClaw can actually do things: send emails, modify files, run terminal commands, browse websites, manage your calendar, execute code, and chain together complex multi-step workflows. Its tagline — "the AI that actually does things" — captures the core difference.

Three capabilities set it apart from other AI tools:

Computer access. OpenClaw has genuine control over the system it runs on, including the ability to write and execute code, modify configurations, and automate browser interactions via Chrome DevTools Protocol.

Persistent memory. Conversation history, user preferences, and learned context are stored locally as Markdown files. Over time, the agent learns your patterns, remembers your preferences, and builds on previous interactions — creating what users describe as "compounding intelligence."

Proactive behavior. A heartbeat daemon allows the agent to act without being prompted — checking your email at 6am, preparing daily briefings, monitoring systems, or running scheduled automations while you sleep.

OpenClaw is model-agnostic, meaning it works with 20+ AI providers: Anthropic's Claude family, OpenAI's GPT models, Google's Gemini, DeepSeek, xAI's Grok, and any local model via Ollama.

Who Created OpenClaw? The Peter Steinberger Story

Peter Steinberger is an approximately 40-year-old Austrian software engineer who grew up in rural Upper Austria. His first major company, PSPDFKit, was a PDF framework he built in 2011 that eventually powered PDF functionality on over one billion devices for clients including Dropbox, DocuSign, SAP, IBM, and Volkswagen. On October 1, 2021, Insight Partners invested €100 million ($116 million) in the company.

What followed was a period of severe burnout lasting roughly three years. The spark returned in April 2025 when he realized AI had undergone a paradigm shift. Over the next seven months, he built 43 different AI projects — none of which caught on. OpenClaw was project number 44.

The prototype was built in a single hour during a trip to Marrakesh in November 2025. On February 14, 2026, Steinberger announced he would join OpenAI. Sam Altman called him "a genius with a lot of amazing ideas about the future of very smart agents."

His coding workflow has become legendary: 6,600 commits in January 2026, including 600 in a single day, running 5–50 parallel AI agents simultaneously. He calls pull requests "prompt requests."

A Complete Timeline

November 24, 2025 — Launched as "Clawdbot" (a play on Anthropic's Claude).

January 27, 2026 — Anthropic sends a trademark complaint. Steinberger renames to "Moltbot." Crypto scammers seize abandoned accounts within seconds and launch a fake $CLAWD token that pumps to $16 million.

January 30, 2026 — Renamed to "OpenClaw." Steinberger personally called Sam Altman to confirm OpenAI would be fine with "Open" in the name.

February 14, 2026 — Steinberger announces OpenAI hire and transfers the project to the independent OpenClaw Foundation.

March 11, 2026 — China restricts state-owned enterprises from installing OpenClaw.

March 16, 2026 — NVIDIA announces NemoClaw at GTC 2026. Jensen Huang delivers his famous endorsement.

March 20, 2026 — Anthropic launches Claude Code Channels as a direct competitor.


How Does OpenClaw Work?

At its core, OpenClaw is a single long-lived Node.js process called the Gateway that runs on your machine and serves as a message router between your messaging apps, AI models, and your computer's capabilities.

Hardware requirements are modest: 4 GB RAM minimum, a 64-bit CPU, 1 GB of disk space, and an internet connection. The canonical setup is a Mac Mini running 24/7.

The Configuration File System

Your agent's behavior is defined through plain Markdown files:

  • SOUL.md — personality, communication style, values, and behavioral guardrails
  • AGENTS.md — operational rules, workspace patterns, memory management
  • USER.md — context about you: name, timezone, preferences
  • HEARTBEAT.md — checklist for periodic autonomous checks

Memory Architecture

OpenClaw uses four layers: bootstrap files, daily memory logs, a long-term MEMORY.md file, and session transcripts with vector search. Users report that after a week, "it feels like it actually knows you."

What Do People Use OpenClaw For?

Email and Calendar Management

This is the killer app. OpenClaw monitors your inbox, identifies action items, drafts replies, and manages scheduling autonomously. One notable incident involved a user whose agent drafted and sent a legal rebuttal to insurance company Lemonade — citing specific policy language. Lemonade reopened the investigation.

Software Development and DevOps

Developers use OpenClaw for automated debugging, test suite execution, PR creation, and CI/CD pipeline management. Users report agents refactoring entire codebases overnight.

Business Automation

Small businesses adopt OpenClaw for lead generation, Google Ads management, invoice creation, and content pipelines. Some run teams of multiple agents for under $400/month in API costs.

Trading and Finance

Among the most viral use cases are autonomous crypto and prediction market trading bots on Polymarket.

How Much Does OpenClaw Cost?

OpenClaw itself is completely free and open-source under the MIT license. The only costs come from AI model API usage:

  • Light use: $10–30 per month
  • Typical use: $30–70 per month
  • Heavy automation: $100–300+ per month
  • Zero-cost option: Running local models via Ollama

How Safe Is OpenClaw?

Security is the single most discussed dimension. The project has accumulated over 60 CVEs since launch.

Critical Vulnerabilities

The most severe was CVE-2026-25253 (CVSS 8.8), a one-click remote code execution vulnerability. At disclosure, over 40,000 OpenClaw instances were found exposed on the internet.

The Malicious Skills Problem

Snyk's "ToxicSkills" research scanned ~4,000 skills and found 36% contained prompt injection, 534 had critical-level issues, 283 exposed credentials in plaintext, and 76 were confirmed malicious.

What the Experts Say

Gartner called it "insecure by default" and recommended enterprises "block OpenClaw downloads and traffic immediately."

Kaspersky warned that credentials are stored in plaintext under ~/.openclaw/, and popular infostealers have already added OpenClaw file paths to their target lists.

How to Use OpenClaw Securely

  • Run on dedicated hardware or a VM. Never install on your primary work machine.
  • Never expose the Gateway to the public internet. Use Tailscale or a VPN.
  • Enable authentication and sandboxing. Use Docker containers for isolation.
  • Audit all installed skills. Treat them like any third-party code.
  • Use separate accounts. Create dedicated email and API keys.
  • Enable consent mode. Setting exec.ask: "on" requires approval before executing commands.
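A defender-side check for the plaintext-credential exposure Kaspersky describes, written for this guide as an added example (it is not OpenClaw's own code). It walks a directory such as ~/.openclaw/ and reports files that other local accounts can access and files containing strings shaped like API keys. The two patterns and the sample file names are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumed token shapes (illustrative, not an OpenClaw-defined list): a provider-style
# "sk-" key, and a key/token/secret/password assignment with a long value.
SECRET_PATTERNS = {
    "sk-style API key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "credential assignment": re.compile(
        r"(?i)\b(api[_-]?key|token|secret|password)\b[\"']?\s*[:=]\s*[\"']?[A-Za-z0-9_\-./+]{16,}"
    ),
}

def audit_dir(root):
    """Return sorted (relative_path, issue) findings for regular files under root."""
    root = Path(root).expanduser()
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue  # regular files only; do not follow links out of the tree
        rel = str(path.relative_to(root))
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((rel, "accessible to group/other (mode %o)" % mode))
        try:
            text = path.read_bytes()[:1_000_000].decode("utf-8", "replace")
        except OSError:
            continue  # unreadable file: the permission finding above still stands
        for label, rx in SECRET_PATTERNS.items():
            if rx.search(text):
                findings.append((rel, "plaintext " + label))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (these are not real OpenClaw file names)."""
    with tempfile.TemporaryDirectory() as d:
        leaky = Path(d, "sample-config.json")
        leaky.write_text('{"api_key": "sk-' + "A" * 32 + '"}')  # constructed fake key
        os.chmod(leaky, 0o644)
        notes = Path(d, "notes.md")
        notes.write_text("Prefers morning briefings.\n")
        os.chmod(notes, 0o600)
        return audit_dir(d)

if __name__ == "__main__":
    for rel, issue in audit_dir("~/.openclaw"):
        print(f"{rel}: {issue}")
```

A clean report only means nothing matched these two patterns; keys in other formats will not be flagged, so the dedicated accounts and isolation steps above still apply.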

OpenClaw maintainer Shadow's warning: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."

The Ecosystem

The ClawHub registry has grown from ~2,800 skills in mid-January 2026 to over 13,700 by late February. Popular categories include Google Workspace, social media, developer tools, smart home, and finance.

Key ecosystem projects:

  • NemoClaw (NVIDIA) — enterprise security wrapper with kernel-level sandboxing
  • NanoClaw — security-focused fork at ~700 lines of TypeScript
  • FlashClaw and ClawApp — third-party mobile clients
  • Moltbook — social network for AI agents, acquired by Meta after a security breach

OpenClaw vs. Competitors

vs. ChatGPT and Claude

Fundamentally different tools. Claude is the intelligence; OpenClaw is the body that lets it act.

vs. Manus AI

Manus ($39–$199/month) is polished but closed. OpenClaw offers full data privacy and model choice but requires technical skill.

vs. Claude Code Channels

Anthropic's response supports only two platforms (vs. OpenClaw's 24+), works only with Claude, and requires a paid subscription.

The Controversies

The $CLAWD Scam

Crypto scammers seized abandoned social accounts within seconds of the rename, launching a fake token that pumped to $16 million. Steinberger was "close to crying" and considered deleting the project.

MoltMatch: When AI Agents Start Dating

An experimental dating platform where agents create profiles. One CS student discovered his agent had created a profile describing him without explicit direction.

The China Paradox

China restricted government installations, but local governments offered subsidies of up to 2 million yuan for OpenClaw development. "Raising lobsters" became slang for deploying agents.

The Future of OpenClaw

Three unresolved tensions will shape OpenClaw's trajectory:

Power versus safety. Can enterprise-grade security coexist with personal-agent flexibility?

Open-source versus proprietary. Can the community model maintain pace against well-funded competitors?

The foundation's independence. With OpenAI as a sponsor, the governance model will be tested.

OpenClaw represents the first mainstream taste of AI agents that act in the real world. Whether it becomes the "personal OS" layer that its advocates envision or a cautionary tale about the gap between AI capability and AI safety depends on the choices made in the months ahead. The lobster is out of the tank.
