OpenClaw
Last reviewed
Sources
27 citations
Review status
Source-backed
Revision
v4 ยท 3,878 words
Improve this article
Add missing citations, update stale details, or suggest a clearer explanation.
Suggest edit
CtrlK
Last reviewed
Sources
27 citations
Review status
Source-backed
Revision
v4 ยท 3,878 words
Add missing citations, update stale details, or suggest a clearer explanation.
OpenClaw is a free, open-source autonomous AI agent that runs locally on a user's own machine and executes real-world tasks through everyday messaging apps such as WhatsApp, Telegram, Discord, Slack, and Signal. Created by Austrian software engineer Peter Steinberger and first released in November 2025 (originally as "Clawdbot," then briefly "Moltbot"), it became the fastest-growing open-source project in GitHub history, surpassing React's decade-long star record in roughly 60 days and crossing 300,000 stars by April 2026 [1][7][22]. NVIDIA CEO Jensen Huang called it "definitely the next ChatGPT" and "the largest, most popular, the most successful open-sourced project in the history of humanity" at GTC 2026 [3][23].
Unlike cloud-hosted assistants, OpenClaw stores all configuration data and conversation history on the user's own device, giving users full control over their data [1]. It is model-agnostic: it connects to external large language models including Claude from Anthropic, GPT-4 and GPT-4o from OpenAI, and DeepSeek, as well as locally hosted models via Ollama and LM Studio.
OpenClaw is an "always on" personal AI agent rather than a chatbot that waits for prompts. Where a conventional assistant generates text in response to a question, OpenClaw can take actions: it controls a web browser, reads and writes files, runs shell commands, schedules recurring jobs, and replies to the user inside whatever chat app they already use [1][10]. NVIDIA's Jensen Huang summarized the category shift by predicting OpenClaw-style agents would "transform every SaaS into an agentic company," reframing software from "selling tools" to "selling outcomes" [3][23].
The project is distributed under the MIT License and, since February 2026, is governed by an independent 501(c)(3) foundation with a maintainer council, ensuring the codebase stays community-owned even though its creator now works at OpenAI [8].
Peter Steinberger, previously known as the founder of the PDF software company PSPDFKit (which he ran for 13 years), published the first version of the project in November 2025 under the name "Clawdbot." The name was a playful pun on "Claude" with a claw, referencing Anthropic's Claude model that the bot initially used as its default LLM. Steinberger described the initial release as a "weekend hack," a way to text an AI and have it actually do things on your behalf, rather than simply generating text responses [4].
Clawdbot gained modest traction among developers in late 2025, but the project remained relatively obscure for its first few weeks.
Steinberger has run an unusually visible development process. In one widely reported example, he disclosed that a fleet of 100 OpenAI Codex agents he used to help build OpenClaw consumed roughly 603 billion tokens across 7.6 million requests in a single 30-day period, generating a $1.3 million API bill (covered by OpenAI). The agents autonomously reviewed pull requests, scanned commits for vulnerabilities, deduplicated GitHub issues, and wrote fixes [24].
Steinberger's first release went out in November 2025 as Clawdbot, built around a WhatsApp relay so a user could text an AI assistant and have it act on their behalf [4][5].
On January 27, 2026, Anthropic's legal team contacted Steinberger with trademark concerns about the "Clawdbot" name, which they felt was too close to "Claude." Steinberger renamed the project to "Moltbot" the same day, a name chosen during a Discord community brainstorm. The lobster-themed branding stuck (molting refers to the process by which lobsters shed their shells to grow), but Steinberger found that "Moltbot" never quite rolled off the tongue [5].
Just three days later, on January 30, 2026, the project was renamed again to "OpenClaw," which preserved the lobster motif while emphasizing the project's open-source nature. This final name stuck, and the lobster became the project's unofficial mascot.
OpenClaw's explosive growth coincided with the launch of Moltbook, a social networking service created by entrepreneur Matt Schlicht that was designed specifically for AI agents. Moltbook prohibited human posting while allowing millions of verified bots (many powered by OpenClaw) to debate, hold discussions, and coordinate tasks. The novelty of an AI-only social network captured widespread media attention, and the viral popularity of Moltbook drove significant interest back to OpenClaw itself [6].
By late January 2026, OpenClaw was trending on GitHub, Hacker News, and social media platforms simultaneously. The project's growth rate was unprecedented: it surpassed Linux's all-time GitHub star count and overtook React's decade-long record (about 243,000 stars) within approximately 60 days, reaching 250,000 stars by March 3, 2026 and over 302,000 by April 2026 [7][22].
On February 14, 2026, Steinberger announced that he would be joining OpenAI to work on "bringing agents to everyone." Sam Altman described the hire on X, calling Steinberger "a genius with a lot of amazing ideas about the future of very smart agents interacting with each other to do very useful things for people" and saying he was joining "to drive the next generation of personal agents" [25]. Steinberger simultaneously announced that OpenClaw would be transferred to an independent 501(c)(3) open-source foundation to ensure the project's continued independence. OpenAI agreed to sponsor the project, but the codebase remained MIT-licensed and community-governed, with a maintainer council overseeing decision-making [8][25].
Meta subsequently acquired Moltbook in March 2026, bringing Moltbook CEO Matt Schlicht and COO Ben Parr into Meta's Superintelligence Labs division [9].
OpenClaw's technical architecture is built around two primary components: the Gateway and the Agent Runtime. This separation of concerns is intentional, reflecting the principle that a production AI agent deployment always needs an orchestration layer in front of the model [10].
The Gateway is the central process that runs on the user's machine (or a VPS) and serves as the single source of truth for sessions, routing, and channel connections. It typically runs as a long-lived background process, and clients connect to it over WebSocket at the configured bind host, which defaults to ws://127.0.0.1:18789 [10].
The Gateway handles:
The Agent Runtime handles reasoning and execution. When a message arrives at a channel, the Gateway routes it to a session (which can be a main session, group session, or isolated session). The agent then loads context and skills for that session, sends the conversation to the configured LLM, executes any tools the model requests, streams the reply back to the channel, and writes conversation data and memory updates into the local workspace [10].
The core agent loop follows a structured sequence for every interaction:
| Step | Action | Description |
|---|---|---|
| 1 | Message reception | Gateway receives a message from a connected platform |
| 2 | Session routing | Message is routed to the appropriate session context |
| 3 | Context loading | Agent loads relevant skills, memory, and conversation history |
| 4 | LLM call | Conversation is sent to the configured language model |
| 5 | Tool execution | Any tool calls requested by the model are executed |
| 6 | Response streaming | Reply is streamed back to the originating channel |
| 7 | Memory persistence | Conversation and memory updates are written to the workspace |
To stay within model context limits, OpenClaw performs automatic compaction. Older parts of the conversation are summarized and persisted, keeping the active context window manageable. Before compaction occurs, the system can run a lightweight "memory flush" step that promotes important information from the conversation into persistent memory files [10].
OpenClaw uses a file-based memory system designed to be simple and explainable:
This approach means all agent memory is human-readable and can be inspected, edited, or deleted by the user at any time, aligning with OpenClaw's local-first philosophy.
OpenClaw is model-agnostic and supports a broad range of LLM providers and local models [11].
| Provider | Models | Notes |
|---|---|---|
| Anthropic | Claude Opus, Claude Sonnet, Claude Haiku | Recommended for serious agent work; reliable tool calls, long context |
| OpenAI | GPT-4o, GPT-4, GPT-3.5 | Large community support and extensive examples |
| DeepSeek | DeepSeek V3 | Cheapest cloud option; strong at code tasks |
| Gemini models | Supported via API integration | |
| Moonshot AI | Kimi | Strong multilingual and Chinese language support |
| Ollama (local) | Llama 3.3, Mistral, Qwen | Full privacy, no API cost; requires capable hardware |
| LM Studio (local) | Various open models | Alternative local model runtime |
Models can be switched dynamically based on task complexity and cost requirements, and users can configure different models for different types of tasks.
OpenClaw supports over 50 messaging platform integrations. Users interact with their AI agent through the chat applications they already use, rather than needing to learn a new interface.
| Category | Platforms |
|---|---|
| Consumer messaging | WhatsApp, Telegram, Signal, iMessage, LINE |
| Team collaboration | Slack, Discord, Microsoft Teams, Google Chat, Mattermost |
| Developer platforms | IRC, Matrix |
| Regional platforms | Zalo, Feishu, BlueBubbles |
This broad platform support is a key differentiator. The user's phone or desktop messaging app becomes the interface to a capable AI agent running on their own hardware.
OpenClaw ships with a set of core tools that give the agent practical capabilities:
Beyond built-in tools, OpenClaw's capabilities can be extended through "skills," modular code bundles that grant the agent new abilities. Each skill defines its capabilities, the tools it provides to the AI model, and the permissions it requires [12].
ClawHub is the centralized marketplace and directory for these skills. As of early 2026, ClawHub hosted over 700 community-built skills covering categories including:
Skills are installed via a command-line interface using clawhub install <skill-name>, and each skill page on ClawHub provides documentation, installation instructions, and permission details [12].
Unlike SaaS AI assistants where user data resides on third-party servers, OpenClaw runs entirely where the user chooses: a laptop, a home server, or a VPS. All conversation history, configuration, and memory files remain under the user's control. The only external communication occurs when the agent calls an LLM API (for cloud-hosted models) or connects to messaging platform APIs.
OpenClaw's rapid adoption has raised significant security concerns, drawing attention from major cybersecurity firms and government agencies. Security researchers have repeatedly characterized it as a "security nightmare" for organizations, pointing to the fundamental tension between an agent that needs broad system access to be useful and the risks of granting that access [14].
Several critical vulnerabilities were discovered in OpenClaw's early months:
Because many users ran the Gateway without authentication, large numbers of OpenClaw installations were left open on the public internet during the late-January 2026 adoption surge. The first Shodan scans in late January found nearly 1,000 instances running without any authentication, and Censys researcher Silas Cutler tracked growth from roughly 1,000 to 21,639 exposed instances in under a week (as of January 31, 2026) [15][26]. Security researcher Jamieson O'Reilly (founder of Dvuln, who later joined OpenClaw as lead security advisor) manually examined exposed instances and found several completely open; he was able to access Anthropic API keys, Telegram bot tokens, Slack credentials, and months of complete chat histories, and could send messages on behalf of users and execute commands with full administrator privileges [15][26].
The ClawHub marketplace also became a supply-chain attack vector. In an attack dubbed "ClawHavoc" by Koi Security, a single threat actor uploaded 341 malicious skills to ClawHub over January 27-29, 2026, delivering keyloggers and Atomic Stealer malware to anyone who installed them [15]. Researchers reported the number of malicious skills continued to climb into the hundreds in the following weeks, ranging from credential stealers to backdoors that gave remote attackers persistent access to the host machine [15].
OpenClaw instances were discovered running in sensitive sectors including healthcare, finance, government, and insurance, often deployed without formal IT approval. Microsoft, Cisco, and Kaspersky all published advisories warning organizations about the risks of unmanaged OpenClaw deployments [14][16][17].
The OpenClaw project responded by implementing stricter default security configurations, adding authentication requirements for the Gateway, improving skill vetting processes on ClawHub, and publishing a comprehensive security hardening guide. NVIDIA's NemoClaw project (discussed below) was partly motivated by addressing these enterprise security gaps [18].
NVIDIA announced NemoClaw as an enterprise-focused derivative of OpenClaw, integrating it into NVIDIA's open agentic AI stack. NemoClaw adds enterprise-grade security features, data privacy controls, compliance tooling, and guardrails for agent behavior. Rather than competing directly with OpenClaw, NemoClaw is designed to make OpenClaw safe for enterprise deployment by providing the governance layer that the base project lacks [18].
NVIDIA CEO Jensen Huang described OpenClaw as a transformative technology at GTC 2026, predicting it would "transform every SaaS into an agentic company" [3][23].
| Project | Description |
|---|---|
| IronClaw (Near AI) | Rust-based reimplementation focused on privacy and security |
| ZeroClaw | Lightweight alternative for resource-constrained environments |
| GitClaw | Runs OpenClaw entirely on GitHub Actions |
| MoltWorker (Cloudflare) | Runs OpenClaw on Cloudflare Workers for serverless deployment |
| TenacitOS | Mission control dashboard for managing OpenClaw agents |
The breadth of the derivative ecosystem reflects both the project's popularity and the demand for specialized versions tailored to different deployment scenarios.
OpenClaw's adoption spread rapidly beyond its European origins. In China, the project sparked what Bloomberg described as an "OpenClaw mania," with companies and individual developers racing to build applications on the framework. Chinese developers adapted OpenClaw to work with the DeepSeek model and domestic messaging platforms like Feishu and WeChat [19].
Local governments offered large subsidies for companies building on OpenClaw. In Shenzhen, the AI and robotics agency of the Longgang district proposed subsidies of up to 2 million yuan (about US$290,000) for approved projects, plus subsidies and financing of up to 10 million yuan (about US$1.4 million) for companies that build notable OpenClaw applications, along with free computing resources and discounted office space for "one-person companies" [27].
However, in March 2026, Chinese authorities moved to restrict state-owned enterprises and government agencies from using OpenClaw on office computers, citing security concerns. Employees at affected organizations were instructed to report existing installations for security review and possible removal. The restrictions extended to personal phones connected to company networks, and in some cases to families of military personnel [20].
The restrictions varied in strictness. Some agencies imposed outright bans, while others required prior approval before deploying OpenClaw. The situation created an unusual paradox: local governments were simultaneously subsidizing OpenClaw development while national security agencies were restricting its use [20][27].
OpenClaw has drawn criticism on several fronts. Security researchers have characterized it as a "security nightmare" for organizations, pointing to the fundamental tension between an agent that needs broad system access to be useful and the security risks of granting that access [14]. Gary Marcus, a prominent AI critic, published an essay titled "OpenClaw (a.k.a. Moltbot) is everywhere all at once, and a disaster waiting to happen," warning about the risks of deploying autonomous agents at scale without adequate safety controls [21].
The rapid proliferation of exposed instances, malicious skills, and enterprise deployments without IT oversight has raised questions about whether the open-source AI agent model can be made safe enough for mainstream use. Defenders of the project argue that these are growing pains common to any rapidly adopted open-source technology and that the community is responding quickly to address security gaps.
OpenClaw's success also fueled a broader debate about LLM commoditization. As CNBC noted, an independent developer, rather than a richly valued lab, produced what many called the next major consumer AI breakthrough, exposing a potential flaw in the investment thesis behind frontier models: that the models themselves may be getting commoditized while the agent layer captures the value [3]. The Moltbook acquisition by Meta separately generated debate about the implications of an AI-only social network and whether such platforms could be used for coordination, manipulation, or other unintended purposes.
| Date | Event |
|---|---|
| November 2025 | Peter Steinberger publishes Clawdbot as an open-source weekend project |
| January 27, 2026 | Renamed to Moltbot following Anthropic trademark concerns |
| January 27-29, 2026 | "ClawHavoc" supply-chain attack: 341 malicious skills uploaded to ClawHub |
| January 30, 2026 | Renamed to OpenClaw |
| Late January 2026 | Moltbook launches; OpenClaw goes viral |
| January 31, 2026 | Censys tracks exposed instances rising from ~1,000 to 21,639 in under a week |
| February 14-15, 2026 | Steinberger announces he is joining OpenAI; project moves to foundation |
| March 3, 2026 | Reaches 250,000 GitHub stars, overtaking React's all-time record |
| March 2026 | China restricts OpenClaw use in state agencies and banks |
| March 10, 2026 | Meta acquires Moltbook |
| March 16-17, 2026 | NVIDIA announces NemoClaw; Jensen Huang calls OpenClaw "the next ChatGPT" at GTC |
| April 2026 | Surpasses 300,000 GitHub stars |
As of 2026, OpenClaw is governed by an independent 501(c)(3) foundation with a maintainer council. The project has surpassed 300,000 GitHub stars, making it the most-starred non-aggregator software project on the platform, ahead of React, Vue.js, and TensorFlow. It is licensed under the MIT License [8][22].
The ecosystem continues to expand rapidly, with NVIDIA's NemoClaw providing an enterprise-grade pathway, Cloudflare's MoltWorker enabling serverless deployment, and hundreds of community skills available on ClawHub. The project faces ongoing challenges around security hardening, skill marketplace safety, and governance scaling, but its position as the leading open-source AI agent framework appears firmly established.
NVIDIA's endorsement at GTC 2026 and the Chinese tech sector's enthusiastic adoption suggest that OpenClaw's influence on the broader AI agent landscape will continue to grow, even as governments and enterprises work through the security and governance implications of deploying autonomous AI agents at scale.
Imagine a really smart helper that lives on your own computer instead of on someone else's. You talk to it the same way you text a friend on WhatsApp or Telegram, but instead of just chatting back, it can actually do things: open websites, fill out forms, organize your files, or run errands on the computer for you. Because it lives on your machine, your messages and notes stay with you and not on a company's server. A programmer named Peter built it as a fun weekend project, gave it a lobster mascot, and so many people loved it that it became the most "starred" project ever on GitHub (a website where coders share their work). The tricky part is that a helper this powerful can be dangerous if it is not locked up properly, which is why security experts keep warning people to set it up carefully.