OpenClaw
Last reviewed
Mar 25, 2026
Sources
21 citations
Review status
Source-backed
Revision
v2 · 2,997 words
Improve this article
Add missing citations, update stale details, or suggest a clearer explanation.
Suggest edit
CtrlK
Last reviewed
Mar 25, 2026
Sources
21 citations
Review status
Source-backed
Revision
v2 · 2,997 words
Add missing citations, update stale details, or suggest a clearer explanation.
OpenClaw (formerly Clawdbot and Moltbot) is a free and open-source autonomous AI agent developed by Austrian software engineer Peter Steinberger. Released in November 2025, OpenClaw runs locally on a user's machine and acts as a personal AI assistant that can execute real-world tasks through messaging platforms such as WhatsApp, Telegram, Discord, Slack, and Signal. Unlike cloud-hosted AI assistants, OpenClaw stores all configuration data and conversation history on the user's own device, giving users full control over their data [1].
OpenClaw integrates with external large language models including Claude from Anthropic, GPT-4 from OpenAI, and DeepSeek, as well as locally hosted models via Ollama and LM Studio. The project became one of the fastest-growing open-source repositories in history, accumulating over 247,000 GitHub stars and 47,700 forks by March 2026 [2]. NVIDIA CEO Jensen Huang called OpenClaw "definitely the next ChatGPT" at the GTC 2026 conference [3].
Peter Steinberger, previously known as the founder of the PDF software company PSPDFKit (which he ran for 13 years), published the first version of the project in November 2025 under the name "Clawdbot." The name was a playful pun on "Claude" with a claw, referencing Anthropic's Claude model that the bot initially used as its default LLM. Steinberger described the initial release as a "weekend hack" -- a way to text an AI and have it actually do things on your behalf, rather than simply generating text responses [4].
Clawdbot gained modest traction among developers in late 2025, but the project remained relatively obscure for its first few weeks.
On January 27, 2026, Anthropic's legal team contacted Steinberger with trademark concerns about the "Clawdbot" name, which they felt was too close to "Claude." Steinberger renamed the project to "Moltbot" the same day, a name chosen during a Discord community brainstorm. The lobster-themed branding stuck (molting refers to the process by which lobsters shed their shells to grow), but Steinberger found that "Moltbot" never quite rolled off the tongue [5].
Just three days later, on January 30, 2026, the project was renamed again to "OpenClaw," which preserved the lobster motif while emphasizing the project's open-source nature. This final name stuck, and the lobster became the project's unofficial mascot.
OpenClaw's explosive growth coincided with the launch of Moltbook, a social networking service created by entrepreneur Matt Schlicht that was designed specifically for AI agents. Moltbook prohibited human posting while allowing millions of verified bots (many powered by OpenClaw) to debate, hold discussions, and coordinate tasks. The novelty of an AI-only social network captured widespread media attention, and the viral popularity of Moltbook drove significant interest back to OpenClaw itself [6].
By late January 2026, OpenClaw was trending on GitHub, Hacker News, and social media platforms simultaneously. The project's growth rate was unprecedented: it surpassed Linux's all-time GitHub star count and overtook React's decade-long record within approximately 60 days [7].
On February 14, 2026, Steinberger announced that he would be joining OpenAI to work on "bringing agents to everyone." He simultaneously announced that OpenClaw would be transferred to an independent 501(c)(3) open-source foundation to ensure the project's continued independence. OpenAI agreed to sponsor the project, but the codebase remained MIT-licensed and community-governed, with a maintainer council overseeing the decision-making process [8].
Meta subsequently acquired Moltbook in March 2026, bringing Moltbook CEO Matt Schlicht and COO Ben Parr into Meta's Superintelligence Labs division [9].
OpenClaw's technical architecture is built around two primary components: the Gateway and the Agent Runtime. This separation of concerns is intentional, reflecting the principle that a production AI agent deployment always needs an orchestration layer in front of the model [10].
The Gateway is the central process that runs on the user's machine (or a VPS) and serves as the single source of truth for sessions, routing, and channel connections. It typically runs as a long-lived background process, and clients connect to it over WebSocket at the configured bind host, which defaults to ws://127.0.0.1:18789 [10].
The Gateway handles:
The Agent Runtime handles reasoning and execution. When a message arrives at a channel, the Gateway routes it to a session (which can be a main session, group session, or isolated session). The agent then loads context and skills for that session, sends the conversation to the configured LLM, executes any tools the model requests, streams the reply back to the channel, and writes conversation data and memory updates into the local workspace [10].
The core agent loop follows a structured sequence for every interaction:
| Step | Action | Description |
|---|---|---|
| 1 | Message reception | Gateway receives a message from a connected platform |
| 2 | Session routing | Message is routed to the appropriate session context |
| 3 | Context loading | Agent loads relevant skills, memory, and conversation history |
| 4 | LLM call | Conversation is sent to the configured language model |
| 5 | Tool execution | Any tool calls requested by the model are executed |
| 6 | Response streaming | Reply is streamed back to the originating channel |
| 7 | Memory persistence | Conversation and memory updates are written to the workspace |
To stay within model context limits, OpenClaw performs automatic compaction. Older parts of the conversation are summarized and persisted, keeping the active context window manageable. Before compaction occurs, the system can run a lightweight "memory flush" step that promotes important information from the conversation into persistent memory files [10].
OpenClaw uses a file-based memory system designed to be simple and explainable:
This approach means all agent memory is human-readable and can be inspected, edited, or deleted by the user at any time, aligning with OpenClaw's local-first philosophy.
OpenClaw is model-agnostic and supports a broad range of LLM providers and local models [11].
| Provider | Models | Notes |
|---|---|---|
| Anthropic | Claude Opus, Claude Sonnet, Claude Haiku | Recommended for serious agent work; reliable tool calls, long context |
| OpenAI | GPT-4o, GPT-4, GPT-3.5 | Large community support and extensive examples |
| DeepSeek | DeepSeek V3 | Cheapest cloud option; strong at code tasks |
| Gemini models | Supported via API integration | |
| Moonshot AI | Kimi | Strong multilingual and Chinese language support |
| Ollama (local) | Llama 3.3, Mistral, Qwen | Full privacy, no API cost; requires capable hardware |
| LM Studio (local) | Various open models | Alternative local model runtime |
Models can be switched dynamically based on task complexity and cost requirements, and users can configure different models for different types of tasks.
OpenClaw supports over 50 messaging platform integrations. Users interact with their AI agent through the chat applications they already use, rather than needing to learn a new interface.
| Category | Platforms |
|---|---|
| Consumer messaging | WhatsApp, Telegram, Signal, iMessage, LINE |
| Team collaboration | Slack, Discord, Microsoft Teams, Google Chat, Mattermost |
| Developer platforms | IRC, Matrix |
| Regional platforms | Zalo, Feishu, BlueBubbles |
This broad platform support is a key differentiator. The user's phone or desktop messaging app becomes the interface to a capable AI agent running on their own hardware.
OpenClaw ships with a set of core tools that give the agent practical capabilities:
Beyond built-in tools, OpenClaw's capabilities can be extended through "skills" -- modular code bundles that grant the agent new abilities. Each skill defines its capabilities, the tools it provides to the AI model, and the permissions it requires [12].
ClawHub is the centralized marketplace and directory for these skills. As of early 2026, ClawHub hosted over 700 community-built skills covering categories including:
Skills are installed via a command-line interface using clawhub install <skill-name>, and each skill page on ClawHub provides documentation, installation instructions, and permission details [12].
Unlike SaaS AI assistants where user data resides on third-party servers, OpenClaw runs entirely where the user chooses -- a laptop, a home server, or a VPS. All conversation history, configuration, and memory files remain under the user's control. The only external communication occurs when the agent calls an LLM API (for cloud-hosted models) or connects to messaging platform APIs.
OpenClaw's rapid adoption has raised significant security concerns, drawing attention from major cybersecurity firms and government agencies.
Several critical vulnerabilities were discovered in OpenClaw's early months:
In late January 2026, security researcher Jamieson O'Reilly discovered nearly a thousand publicly accessible OpenClaw installations running without any authentication. He was able to access Anthropic API keys, Telegram bot tokens, Slack account credentials, and months of complete chat histories from these exposed instances [15].
Researchers at Koi Security audited the ClawHub marketplace and found that out of 10,700 skills, more than 820 were malicious -- a sharp increase from the 324 flagged just weeks earlier in early February 2026. These malicious skills ranged from credential stealers to backdoors that gave remote attackers persistent access to the host machine [15].
OpenClaw instances were discovered running in sensitive sectors including healthcare, finance, government, and insurance, often deployed without formal IT approval. Microsoft, Cisco, and Kaspersky all published advisories warning organizations about the risks of unmanaged OpenClaw deployments [14][16][17].
The OpenClaw project responded by implementing stricter default security configurations, adding authentication requirements for the Gateway, improving skill vetting processes on ClawHub, and publishing a comprehensive security hardening guide. NVIDIA's NemoClaw project (discussed below) was partly motivated by addressing these enterprise security gaps [18].
NVIDIA announced NemoClaw as an enterprise-focused derivative of OpenClaw, integrating it into NVIDIA's open agentic AI stack. NemoClaw adds enterprise-grade security features, data privacy controls, compliance tooling, and guardrails for agent behavior. Rather than competing directly with OpenClaw, NemoClaw is designed to make OpenClaw safe for enterprise deployment by providing the governance layer that the base project lacks [18].
NVIDIA CEO Jensen Huang described OpenClaw as a transformative technology at GTC 2026, predicting it would "transform every SaaS into an agentic company" [3].
| Project | Description |
|---|---|
| IronClaw (Near AI) | Rust-based reimplementation focused on privacy and security |
| ZeroClaw | Lightweight alternative for resource-constrained environments |
| GitClaw | Runs OpenClaw entirely on GitHub Actions |
| MoltWorker (Cloudflare) | Runs OpenClaw on Cloudflare Workers for serverless deployment |
| TenacitOS | Mission control dashboard for managing OpenClaw agents |
The breadth of the derivative ecosystem reflects both the project's popularity and the demand for specialized versions tailored to different deployment scenarios.
OpenClaw's adoption spread rapidly beyond its European origins. In China, the project sparked what Bloomberg described as an "OpenClaw mania," with companies and individual developers racing to build applications on the framework. Chinese developers adapted OpenClaw to work with the DeepSeek model and domestic messaging platforms like Feishu and WeChat [19].
Local governments in Shenzhen and Wuxi offered multimillion-yuan subsidies for companies building on OpenClaw, reflecting the Chinese tech sector's enthusiasm for the platform.
However, in March 2026, Chinese authorities moved to restrict state-owned enterprises and government agencies from using OpenClaw on office computers, citing security concerns. Employees at affected organizations were instructed to report existing installations for security review and possible removal. The restrictions extended to personal phones connected to company networks, and in some cases to families of military personnel [20].
The restrictions varied in strictness. Some agencies imposed outright bans, while others required prior approval before deploying OpenClaw. The situation created an unusual paradox: local governments were simultaneously subsidizing OpenClaw development while national security agencies were restricting its use [20].
OpenClaw has drawn criticism on several fronts. Security researchers have characterized it as a "security nightmare" for organizations, pointing to the fundamental tension between an agent that needs broad system access to be useful and the security risks of granting that access [14]. Gary Marcus, a prominent AI critic, published an essay titled "OpenClaw (a.k.a. Moltbot) is everywhere all at once, and a disaster waiting to happen," warning about the risks of deploying autonomous agents at scale without adequate safety controls [21].
The rapid proliferation of exposed instances, malicious skills, and enterprise deployments without IT oversight has raised questions about whether the open-source AI agent model can be made safe enough for mainstream use. Defenders of the project argue that these are growing pains common to any rapidly adopted open-source technology and that the community is responding quickly to address security gaps.
The Moltbook acquisition by Meta also generated debate about the implications of an AI-only social network and whether such platforms could be used for coordination, manipulation, or other unintended purposes.
| Date | Event |
|---|---|
| November 2025 | Peter Steinberger publishes Clawdbot as an open-source weekend project |
| January 27, 2026 | Renamed to Moltbot following Anthropic trademark concerns |
| January 30, 2026 | Renamed to OpenClaw |
| Late January 2026 | Moltbook launches; OpenClaw goes viral |
| Late January 2026 | Nearly 1,000 exposed instances discovered with no authentication |
| February 14, 2026 | Steinberger announces he is joining OpenAI; project moves to foundation |
| March 2, 2026 | 247,000 GitHub stars and 47,700 forks |
| March 2026 | China restricts OpenClaw use in state agencies and banks |
| March 10, 2026 | Meta acquires Moltbook |
| March 16-17, 2026 | NVIDIA announces NemoClaw; Jensen Huang calls OpenClaw "the next ChatGPT" at GTC |
As of March 2026, OpenClaw is governed by an independent 501(c)(3) foundation with a maintainer council. The project has over 250,000 GitHub stars, making it the most-starred non-aggregator software project on the platform. It is licensed under the MIT License [8].
The ecosystem continues to expand rapidly, with NVIDIA's NemoClaw providing an enterprise-grade pathway, Cloudflare's MoltWorker enabling serverless deployment, and hundreds of community skills available on ClawHub. The project faces ongoing challenges around security hardening, skill marketplace safety, and governance scaling, but its position as the leading open-source AI agent framework appears firmly established.
NVIDIA's endorsement at GTC 2026 and the Chinese tech sector's enthusiastic adoption suggest that OpenClaw's influence on the broader AI agent landscape will continue to grow, even as governments and enterprises work through the security and governance implications of deploying autonomous AI agents at scale.