OpenClaw

Project Overview

OpenClaw is an open-source personal AI assistant that runs on your own hardware.^[1] Unlike cloud-hosted AI assistants, OpenClaw is a self-hosted gateway that connects your existing chat apps — WhatsApp, Telegram, Discord, Slack, Signal, iMessage — to AI models you control.^[2]

The project has seen rapid adoption since launch, with developers describing it as an "iPhone moment" and "the closest to experiencing an AI-enabled future."^[3] The combination of self-hosting, multi-channel support, and an extensible skills system has resonated with power users who want AI assistance without giving up control of their data. As of June 11, 2026, the repository sits at roughly 378,000 GitHub stars and 79,000 forks — by far the most-starred personal agent platform.^[4]

Created by Peter Steinberger (@steipete), OpenClaw is MIT licensed and community-driven.^[4]

Governance: The OpenAI Move

In February 2026, Sam Altman announced that Steinberger was joining OpenAI to "drive the next generation of personal agents."^[5] OpenClaw itself did not go with him: the project transitioned to the independent OpenClaw Foundation, which OpenAI contributes to and helps fund. Steinberger framed the move as the fastest way to build "an agent that even my mum can use," and committed that OpenClaw "will stay a place for thinkers, hackers and people that want a way to own their data, with the goal of supporting even more models and companies."^[6] The license file now reads "Copyright (c) 2026 OpenClaw Foundation" and remains MIT.^[4]

The arrangement is unusual — the most-starred open-source agent project is foundation-governed but funded in part by OpenAI, while remaining deliberately model-agnostic. So far the model-agnosticism has held: Anthropic, OpenAI, Google, and local models are all still first-class providers.^[2]

What It Does

OpenClaw serves as a gateway — a single control plane that bridges messaging apps to AI agents. You run the Gateway process on your machine (laptop, Mac mini, VPS, Raspberry Pi), and it becomes an always-available assistant you can message from anywhere.

Core capabilities:

• Multi-channel inbox — One assistant serves WhatsApp, Telegram, Discord, Slack, Google Chat, Signal, iMessage, Microsoft Teams, and more simultaneously
• Model-agnostic — Works with Anthropic Claude, OpenAI GPT, Google Gemini, local models via Ollama, or any OpenAI-compatible API
• Skills system — Extensible capabilities the agent can learn and use, including self-modification
• Cron jobs and heartbeats — Background automation and proactive check-ins
• Voice support — Voice Wake and Talk Mode on macOS/iOS/Android with ElevenLabs
• Live Canvas — Agent-driven visual workspace for rich interactions
• Browser control — Can browse the web, fill forms, and automate workflows

How It Works

The Gateway is the single source of truth for sessions, routing, and channel connections. When you send a message on WhatsApp (or any connected channel), the Gateway receives it, routes it to the configured AI agent, and sends the response back through the same channel.

Architecture:

1. Gateway — Node.js control plane handling sessions, webhooks, cron, and channel adapters
2. Agent runtime — The AI model (Claude, GPT, etc.) with tool access
3. Skills — AgentSkills-compatible folders that teach the agent how to use tools^[7]
4. Channels — Adapters for each messaging platform (Baileys for WhatsApp, grammY for Telegram, etc.)

Key design decisions:

• Self-hosted — Runs on your hardware, your rules, your data
• Human-in-the-loop — Configurable approval for sensitive actions
• Persistent memory — Context persists across sessions via file-based memory (AGENTS.md, SOUL.md, USER.md, MEMORY.md)
• Hackable — Users frequently modify their assistant's behavior in real-time via chat

Skills System

OpenClaw's skills system is what makes it more than a simple chatbot wrapper.^[7] Skills are directories containing a SKILL.md file with instructions the agent follows. Skills can:

• Teach the agent to use specific APIs or CLIs
• Define workflows for complex tasks
• Include scripts the agent can execute
• Gate themselves based on available binaries or API keys

Skill sources:

• Bundled — Ships with OpenClaw (GitHub, weather, TTS, etc.)
• ClawHub — Public skills registry at clawhub.com^[8]
• Workspace — Custom skills in your local workspace

The agent can also create its own skills. Multiple testimonials describe OpenClaw "building upon itself" by creating new capabilities via conversation.

After the ClawHavoc supply-chain attack (see Critical Perspectives), the project hardened the skills pipeline: ClawHub installs are now resolved through a pinned-GitHub-commit install API, an operator install policy replaced the old dangerous-code scanner, and a governed "Skill Workshop" flow adds reviewable skill proposals and approval policies.^[4]

What's New Since February 2026

The release cadence remains relentless — stable and beta releases ship multiple times per week (v2026.6.5 landed June 9, 2026).^[4] Notable changes since this profile's original publication:

• Governance/policy layer — operator install policies, policy-as-code with data-handling conformance checks, and explicit approval classes — the project's answer to enterprise-grade control without a commercial edition
• Security hardening — tighter sandbox boundaries, gated owner-only HTTP tools, guarded MCP HTTP redirects, and rejection of unsafe OAuth/token lifetimes and corrupt configs
• Skill Workshop — governed skill creation with reviewable proposals and approval policy
• More channels and state backends — Matrix sync with crypto sidecars, Feishu, Mattermost and Zalo improvements

There is still no first-party cloud or paid tier; an ecosystem of third-party hosts and installers (one-click desktop wrappers, managed VPS agents) has grown up around the project instead.

Business Model & Pricing

OpenClaw is free and open source under the MIT license.^[4]

The recommended setup is an Anthropic Claude subscription ($20-200/month depending on tier) or OpenAI Codex subscription. You can also use API keys directly, local models via Ollama, or free tiers from various providers.

Provider whiplash is a real cost risk. In early 2026 Google restricted some AI Pro/Ultra subscribers for routing their subscriptions through OpenClaw, and in April 2026 Anthropic stopped allowing Claude Code subscriptions to be used with OpenClaw^[9] — before reversing course about three weeks later; the official docs now confirm subscription-based Claude usage is allowed again.^[10] Budget for the possibility that your provider changes the rules.

Strengths

• True ownership — Your data stays on your machine; no cloud service dependency
• Channel flexibility — Message your AI from whatever app you already use
• Model freedom — Switch providers without changing your setup
• Rapid iteration — Active development with frequent releases
• Community momentum — Viral adoption and enthusiastic user base
• Self-improvement — The agent can extend its own capabilities

Weaknesses / Risks

• Technical setup required — Not a download-and-run consumer app; requires Node.js, CLI comfort
• Maintenance burden — Self-hosting means you handle updates, uptime, and debugging
• Model costs can surprise — Heavy usage with frontier models (Opus) adds up
• Channel fragility — WhatsApp/iMessage integrations depend on unofficial libraries
• Security surface — Connecting AI to messaging apps requires careful configuration; scanning teams found 30,000+ internet-exposed OpenClaw instances, many unauthenticated^[11]
• Prompt injection vulnerability — Untrusted inputs (emails, messages) enter the same context as instructions; Snyk's ToxicSkills audit found detectable prompt injection in 36% of ClawHub skills^[12]
• Supply chain risk — Demonstrated, not theoretical: the ClawHavoc campaign planted 341+ malicious skills on ClawHub, many delivering macOS infostealers^[13]
• Provider dependence — Model vendors have restricted or banned subscription use through OpenClaw with little warning^[9]
• Name instability — Multiple renames (Clawd → Moltbot → OpenClaw) may confuse users

Critical Perspectives

The 382-comment Hacker News thread reveals significant security concerns:^[14]

"Anyone installing this on their local machine is a little crazy. I have it running in Docker on a small VPS, all locked down. However, it does not address prompt injection."

"My biggest issue with this whole thing is: how do you protect yourself from prompt injection? It's Gmail and Calendar that get me."

Users describe elaborate workarounds — burner Gmail accounts, Docker isolation, read-only permissions — to mitigate risks. The core concern: any email or message could contain instructions that trick the AI into exfiltrating data.

Token costs also surfaced as a concern, with one user noting they "looked at Clawdbot at the beginning of the week, but the token use scared me off" — though they were inspired to build a more cost-efficient alternative.

Those early concerns proved prophetic. In February 2026, security researchers uncovered ClawHavoc, a coordinated poisoning campaign that planted 341 malicious skills on ClawHub — roughly 12% of the registry at the time — primarily delivering the Atomic macOS Stealer; later scans pushed the count past 800.^[13] The same month, CVE-2026-25253 ("ClawJacked"), a CVSS 8.8 flaw, let malicious websites hijack local OpenClaw agents over WebSocket, and scanning teams found 30,000+ internet-exposed instances, many without authentication.^[11] A privilege-escalation CVE followed in April. Snyk's ToxicSkills study found detectable prompt injection in 36% of ClawHub skills.^[12]

The project responded — pinned-commit skill installs, operator install policies, sandbox hardening — and the documentation explicitly warns about treating inbound DMs as untrusted input. But the fundamental tension remains: the more capable the assistant, the larger the attack surface. A widely shared critique put it bluntly: "OpenClaw is a security nightmare dressed up as a daydream."^[15]

What Developers Say

Sentiment is genuinely split — life-changing utility on one side, security dread on the other.

Praise:

"OpenClaw is what Apple Intelligence should have been." — Jake Quist, founder, in a widely shared essay^[16]

"OpenClaw is changing my life." — Reorx, developer, on running it as an always-on personal assistant^[17]

Criticism:

"OpenClaw is a security nightmare dressed up as a daydream." — Composio engineering blog, discussed at length on Hacker News^[15]

"Most people without tech CEO brain don't want their whole computing experience to basically be OpenClaw." — Hacker News commenter, on agent-first computing hype^[18]

Competitive Landscape

OpenClaw occupies a unique position — self-hosted personal AI assistant with multi-channel support. Comparisons:

vs. ChatGPT / Claude.ai ChatGPT and Claude.ai are cloud-hosted, single-interface chat apps. OpenClaw is self-hosted and meets you in WhatsApp, Telegram, or wherever you already are.

vs. Devin / Tembo Devin and Tembo are autonomous coding agents. OpenClaw is broader — a general-purpose assistant that can code but also manage calendars, send emails, control smart home devices, and more.

vs. Custom GPTs / Claude Projects Custom GPTs and Claude Projects offer limited customization within walled gardens. OpenClaw gives you full control over prompts, tools, memory, and behavior.

vs. LangChain / AutoGPT LangChain and AutoGPT are frameworks for building agents. OpenClaw is a complete, ready-to-use product with an opinionated UX.

Ideal User

• Power users who want AI assistance without cloud dependencies
• Developers comfortable with CLI and self-hosting
• Privacy-conscious users who want their data on their own machines
• Multi-device users who want one assistant across all their chat apps
• Tinkerers who enjoy customizing and extending their tools

Bottom Line

OpenClaw represents the "Linux of personal AI assistants" — powerful, hackable, and fully user-controlled. At ~378K stars it is the gravitational center of the personal-agents category, and the February 2026 transition to foundation governance (with its creator inside OpenAI) removed the bus-factor question without, so far, compromising model-agnosticism.

Recommended for: developers and power users comfortable with self-hosting who want complete ownership of their AI relationship — and who will run it sandboxed, vet every skill, and keep the Gateway off the public internet.

Not recommended for: anyone who can't articulate their prompt-injection threat model, teams needing turnkey SSO/RBAC/audit compliance, or non-technical users — despite Steinberger's "even my mum can use" ambition, this is not that product yet.

Outlook: The 2026 security crisis was the category's wake-up call, and OpenClaw's response — install policies, governed skills, sandbox hardening — is converging on enterprise-grade controls in the open-source core rather than a paid edition. The risks are real and documented, but the momentum, foundation backing, and ecosystem (registries, hosts, one-click wrappers) make OpenClaw the default starting point for personal agents.

---