Feb 17, 2026
02:14 PM

OpenClaw: The Full Story Behind the Fastest-Growing AI Agent Ever

One guy. One weekend project. 180,000+ GitHub stars. Three name changes in four days. Crypto scammers, a security nightmare, and a bidding war between Zuckerberg, Altman, and Nadella. This is the real story of OpenClaw — what it is, why it blew up, and why the security side of this matters way more than anyone's talking about.


Ghita El Haitmy

Software Engineer @ techbible.ai


What Actually Is OpenClaw?

OpenClaw is an open-source AI agent built by Peter Steinberger, an Austrian developer and former founder of PSPDFKit.

His own description: "the AI that actually does things."

And that's the whole point. This isn't another chatbot sitting in a browser tab waiting for you to type. OpenClaw is a self-hosted agent that runs on your own machine — a Mac Mini, a VPS, whatever — and connects to the messaging apps you already use: WhatsApp, Telegram, Slack, Discord, Signal, iMessage. You talk to it in your group chats. It talks back. And then it goes and does stuff.

Think of it as the bridge between "AI that responds" and "AI that executes." It plugs into your LLM of choice — Claude, GPT, DeepSeek, local Llama models — and uses that brain to take action across your actual stack: Gmail, Google Calendar, Notion, GitHub, shell commands, browser control, even smart home devices via Home Assistant.

The closest analogy people keep reaching for is JARVIS. And honestly? That's not far off.

The Name Changes: Clawdbot → Moltbot → OpenClaw

This naming saga is genuinely one of the wildest things I've seen in open source.

Clawdbot (November 2025 – January 27, 2026): The original name. Steinberger started this as a weekend project called "WhatsApp Relay" and named the AI persona "Clawd" — a play on Anthropic's Claude plus a lobster claw. Cute. Worked great. Until it didn't.

Moltbot (January 27–30, 2026 — literally 3 days): Anthropic's legal team sent a trademark notice. "Clawd" was too phonetically close to "Claude." Fair from a legal standpoint. Steinberger didn't fight it — he renamed within hours to "Moltbot," as in a lobster molting its shell to grow. But here's where it gets chaotic: in the seconds between releasing the old @clawdbot Twitter handle and claiming the new one, crypto scammers hijacked the account. They immediately launched a fake $CLAWD token that hit a $16 million market cap before crashing 90%. Malware was served from his GitHub. His NPM packages got compromised. Steinberger said he nearly cried and almost deleted the entire project.

OpenClaw (January 30, 2026 – present): The second rename was voluntary. "Moltbot" never rolled off the tongue, the community agreed it felt temporary, and Steinberger wanted a clean break from the chaos. "Open" for the open-source ethos. "Claw" to keep the lobster heritage alive. This time, they did trademark searches in advance, secured all the handles simultaneously, and coordinated the rollout to prevent another scammer feeding frenzy.

Three names. Same codebase. Same project. If you Google any of the old names, they all point to the same thing.

What It Actually Does

Here's what makes OpenClaw different from every other AI tool you've tried:

It lives where you already work. Not in a new app. Not in a new tab. In your WhatsApp. Your Telegram. Your Slack. You message it like you'd message a colleague.

It has persistent memory. OpenClaw uses a file-based memory system built on plain Markdown files. There's a MEMORY.md for long-term preferences and facts, SOUL.md for the agent's personality and behavioral guidelines, USER.md for your personal context, and daily logs in memory/YYYY-MM-DD.md. When you tell it to remember something, it writes it to disk. When it starts a new session, it reads those files back. Over time, your agent knows your projects, your people, your preferences. That's the compound effect.

It has skills. OpenClaw's plugin system — called Skills — lets the agent browse the web, execute terminal commands, manage your calendar, control smart home devices, and more. There's a marketplace called ClawHub where the community publishes skills. (More on why that marketplace became a problem in a second.)

It runs autonomously. You can set cron-based schedules — the community calls them "heartbeats" — where the agent wakes up at intervals to do research, check for updates, compile morning briefings, or run tasks without you prompting it.

Integrations span everything: WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Matrix, Google Chat. For tools: Gmail, Google Calendar, Notion, Obsidian, Apple Reminders, GitHub, Shopify, and more. It supports voice via ElevenLabs, browser control through CDP, and over 50 integrations at last count.

The Security Reality — And This Part Matters

Here's where the conversation needs to get honest, because the hype has massively outpaced the security story.

OpenClaw runs locally with access to your messages, your email, your files, and your shell. That's the whole value proposition — but it's also the whole risk profile. And the numbers are rough:

Security researchers found 42,000+ exposed instances running on default ports with no authentication. Bitsight ran internet-wide scans and found thousands of OpenClaw instances essentially wide open.

36% of ClawHub skills had security flaws. Snyk scanned nearly 4,000 skills and found 534 with critical issues and 76 that were confirmed malicious — designed for credential theft, backdoor installation, and data exfiltration. A single coordinated campaign called "ClawHavoc" planted 335 malicious skills disguised as crypto wallets, YouTube utilities, and Google Workspace tools.

Andrej Karpathy's reversal says it all. He initially called OpenClaw "the most incredible sci-fi takeoff-adjacent thing I have seen recently." Days later: "It's a dumpster fire, and I definitely do not recommend that people run this stuff on their computers."

One of OpenClaw's own maintainers warned on Discord: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."

22% of enterprise customers already had employees running OpenClaw without IT approval, according to Token Security. That's a shadow IT problem that security teams need to take seriously.

If you're going to run OpenClaw, here's the minimum:

  • Run it in a Docker container or dedicated VM. Never on your primary machine with access to everything.
  • Set strict API spending limits on your LLM provider. Autonomous agents can get into loops. A runaway agent on Claude or GPT without a cap will burn through your credits.
  • Enable human-in-the-loop for anything sensitive — sending emails, making purchases, running destructive commands. The system supports requiring your explicit approval via WhatsApp before proceeding.
  • Don't install random skills from ClawHub without understanding what they do. The marketplace has a malware problem. Treat it like you'd treat installing random browser extensions — with extreme caution.
  • Keep it updated. Version 2026.2.12 patched over 40 security vulnerabilities. This project moves fast and the patch cycles matter.
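
The spending-cap and human-in-the-loop items above, sketched as an added example (not OpenClaw's own code): a gate that a wrapper could place in front of an agent's tool calls. The action kinds, the command list and the `ActionGate` interface are assumptions made for illustration.

```python
import re
import shlex
from dataclasses import dataclass, field
from typing import Callable

# Hypothetical action kinds that always need a human decision.
SENSITIVE_KINDS = {"send_email", "purchase"}
# Programs treated as destructive when they start any stage of a command line.
DESTRUCTIVE_CMDS = {"rm", "dd", "mkfs", "shred", "chmod", "chown", "kill", "shutdown", "reboot"}
SHELL_SPLIT = re.compile(r"\|\||&&|[;|&\n]")

def is_destructive(command: str) -> bool:
    """True if any stage of the command line runs a destructive program."""
    if "$(" in command or "`" in command:
        return True  # command substitution hides what runs: fail closed
    for stage in SHELL_SPLIT.split(command):
        try:
            argv = shlex.split(stage)
        except ValueError:
            return True  # unbalanced quoting: fail closed
        # Skip a leading sudo and VAR=value assignments to reach the program name.
        while argv and (argv[0] == "sudo" or re.fullmatch(r"\w+=.*", argv[0])):
            argv = argv[1:]
        if argv and argv[0].rsplit("/", 1)[-1] in DESTRUCTIVE_CMDS:
            return True
    return False

@dataclass
class ActionGate:
    """Checks every proposed action against a spend cap and an approval policy."""
    budget_usd: float                      # hard cap for the session
    approve: Callable[[str, str], bool]    # asks the human, returns the answer
    spent_usd: float = 0.0
    log: list = field(default_factory=list)

    def decide(self, kind: str, detail: str, cost_usd: float = 0.0) -> str:
        # The budget check comes first so a looping agent stops even on harmless actions.
        if self.spent_usd + cost_usd > self.budget_usd:
            verdict = "blocked:budget"
        else:
            self.spent_usd += cost_usd  # the model call was paid for either way
            if kind in SENSITIVE_KINDS or (kind == "shell" and is_destructive(detail)):
                verdict = "allowed:approved" if self.approve(kind, detail) else "blocked:denied"
            else:
                verdict = "allowed"
        self.log.append((kind, detail, verdict))
        return verdict
```

The shell check is deliberately conservative: anything it cannot parse unambiguously is sent for approval rather than run.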

Steinberger Joins OpenAI

On February 14, 2026, Sam Altman announced that Peter Steinberger is joining OpenAI to work on the next generation of personal agents.

But the backstory is bigger than that headline. After the project went viral, Steinberger flew to San Francisco and met with basically everyone. Mark Zuckerberg reached out via WhatsApp — they spent 10 minutes arguing about whether Claude Code or Codex was better. Satya Nadella caught up with him in Vienna. Both Meta and OpenAI made concrete acquisition offers.

Steinberger's condition was non-negotiable: the project stays open source. OpenClaw is transitioning to an independent foundation. OpenAI will sponsor and support it, but the codebase remains community-driven and freely available.

In Steinberger's words: "This isn't an acqui-hire where a project gets shut down."

The strategic irony here is hard to miss. Anthropic's trademark enforcement pushed Steinberger into a rebrand. That rebrand triggered chaos. That chaos attracted the attention of every major tech company. And ultimately, the developer who built his entire project on Claude as the default model ended up at OpenAI. A lot of people are calling this Anthropic's biggest strategic miss of 2026.

Why This Matters

OpenClaw isn't a polished product. It's messy, it has real security problems, and it's not something your average user should be running casually. But it's the clearest signal we've gotten about where AI is heading.

The shift from "AI that talks" to "AI that does" is happening. Agents that live in your existing tools, remember your context, and execute autonomously — that's the trajectory. OpenClaw proved the demand exists. 180,000+ GitHub stars, 2 million website visits in a single week, and every major tech company scrambling to respond.

The question isn't whether this future is coming. It's whether it'll be built securely enough to trust.