OpenClaw is a free and open-source AI agent created by Austrian developer Peter Steinberger in November 2025. An AI agent is a software wrapper around a language model that does not merely generate text in response to a prompt — it autonomously executes multi-step tasks: opens a browser, sends emails, runs code, and interacts with external services without user involvement. The agent runs locally on the user’s device and accepts commands through messaging apps: WhatsApp, Telegram, Slack, Discord, and iMessage. Unlike cloud-based agents such as ChatGPT Operator or Claude Cowork, OpenClaw operates as a persistent background process — with no browser dependency and no data sent to external servers.
OpenClaw is not a language model. It is an infrastructure layer — an agent wrapper that connects to any LLM the user chooses: Claude, GPT, DeepSeek, Gemini, or local models via Ollama. The full project source code is published on GitHub under the MIT license. As of March 2, 2026, the repository had accumulated 247,000 stars and 47,700 forks.
To understand how OpenClaw learns directly during a conversation using reinforcement learning, it is worth reading the article on OpenClaw-RL.
Where the Lobster Came From
In November 2025, Clawd appeared — a wordplay on “Claude” with a claw. Anthropic politely asked for a rename. The next name, Moltbot, was coined at 5am in a Discord brainstorm, as Steinberger himself wrote on the project blog. Molting in crustaceans symbolises growth: a lobster sheds its shell to become larger. A fitting metaphor, but the name never caught on. OpenClaw is the final version: Open — open-source code available to everyone; Claw — the claw, a nod to the lobster mascot.
Steinberger built the first prototype in under an hour in November 2025. The concept was straightforward: a local AI agent that uses messaging apps as its interface and runs on the user’s own hardware. By February 2026, the repository had surpassed 200,000 stars and become one of the fastest-growing repositories in open-source history.
How OpenClaw Differs from a Regular Chatbot
OpenClaw is not a chatbot — it is an agent runtime with operating system-level access.
Unlike a chatbot that generates a text response, OpenClaw has direct control over the computer: it can write code, create scripts, modify configurations, and execute tasks without user involvement. If a task requires a tool that does not yet exist, the agent writes it on the fly.
When a message arrives, the agent runtime reads its workspace files, packs them into a system prompt, and sends it to the LLM. “Autonomous behaviour” is a cron job that assembles the prompt and dispatches it. “Persistent memory” is a set of Markdown files prepended to the prompt. A detailed technical breakdown is published on Towards AI.
OpenClaw has no model weights of its own — it is an agent wrapper around whichever LLM is selected. The full list of supported providers can be reviewed in the documentation.
Architecture: Four Layers
OpenClaw’s architecture is divided into four core modules: a channel adapter, an agent runtime, a skills system, and memory.
Gateway — the central control process. It runs as a background OS service, tools execute directly on the host, and memory is stored in the local workspace. The Gateway maintains connections to messaging platforms, routes incoming messages to the appropriate agent sessions, and returns responses.
Channels — adapters for messaging platforms. OpenClaw works through WhatsApp, Telegram, Discord, Slack, Signal, and iMessage. The agent can be controlled directly from any messaging app on a phone — no new interfaces to learn.
Skills — a modular extension system. Skills allow specific functionality — API calls, database queries, document retrieval — to be packaged into reusable components that the agent invokes as needed. Each skill is a directory containing a SKILL.md file. OpenClaw injects a compact XML list of available skills into the system prompt: according to the documentation, base overhead is 195 characters, plus approximately 97 characters per skill.
Memory — configuration data and interaction history are stored locally, enabling consistent and adaptive behaviour across sessions. The agent preserves context between conversations: at every startup it re-reads its history Markdown files and loads them into the prompt.
Skills Ecosystem
The public registry ClawHub contains 13,729 community-built skills — they can be browsed on GitHub. An additional 53 skills ship bundled with OpenClaw as first-party plugins with no registry infection risk.
Skills cover nearly every automation scenario. In DevOps, the agent runs test suites, deploys to staging, and monitors dependencies for vulnerabilities — all via Telegram, without SSH or a terminal. The ElevenLabs Agent skill gives the agent a voice and implements a fallback mechanism: if an email or message fails to deliver, the agent places a phone call instead. The Home Assistant skill enables full smart home control by voice or text, entirely locally with no cloud dependency. N8N Workflow connects OpenClaw to a local n8n instance and triggers complex multi-step automations through ordinary chat. The OpenAI Whisper skill transcribes audio locally — no data is sent to external servers.
The most common use cases, according to a survey of over 100 users: content automation (social posts from RSS feeds, newsletter digests), scheduled morning briefings with weather, calendar, and news, inbox sorting and prioritisation, meeting transcription with action item extraction, and weekly competitor monitoring. One user reported saving over 10 hours per week on social media automation alone.
OpenClaw does not inject all skills into every prompt. The runtime selectively injects only the skills relevant to the current request — reducing context window load and improving model response quality. The mechanics of this are covered in detail on Substack.
Popularity in China and Global Impact
In early February 2026, Chinese AI models overtook American ones in share of tokens processed among the top nine models on the OpenRouter marketplace. The OpenClaw wave coincided with the rise of Chinese open-source AI.
On March 10, 2026, Tencent announced the launch of a full suite of AI products built on OpenClaw, compatible with its WeChat superapp. MiniMax shares rose 27.4% over the weekend following the integration. The Shenzhen government announced subsidies for companies using OpenClaw — 40% reimbursement of costs, up to 2 million yuan (~$275,000) per year, as reported by AI Magicx.
Security: The Main Vulnerability
OpenClaw’s broad system-level permissions make it an attractive target. The agent has access to the filesystem, terminal, email, SSH keys, and OAuth tokens for third-party services. Within three weeks of going viral, the project became the focus of several major security incidents, thoroughly documented by Conscia.
CVE-2026-25253 (CVSS 8.8) — the most critical vulnerability, discovered by researcher Mav Levin of the depthfirst team and disclosed on January 30, 2026. The Control UI accepted a gatewayUrl parameter from the query string without validation and automatically established a WebSocket connection. Visiting a malicious page caused the authentication token to be sent to an attacker-controlled server. With the token, the attacker could disable the sandbox, modify configuration, and execute arbitrary code directly on the host — bypassing the Docker container. Notably, the vulnerability was exploitable even when the Gateway was bound to the loopback interface, since the attack routed through the victim’s browser. The vulnerability was patched in version 2026.1.29.
Simultaneously, Censys, Bitsight, and Hunt.io identified over 30,000 publicly exposed instances — the agent defaults to listening on port 18789, exposing the management API to the internet when deployed on a VPS without a firewall. Independent researcher Maor Dayan found 42,665 exposed instances, of which 5,194 were actively vulnerable and 93.4% allowed authentication bypass.
Supply chain attack on the skills registry. On February 13, 2026, researchers discovered 341 compromised skills in ClawHub — 12% of the entire registry at the time. Malicious skills disguised themselves as legitimate tools: one of them, deeps-agnw6h, posed as a research assistant. Inside was a base64-encoded curl request that downloaded and executed code from a server linked to the AMOS (Atomic macOS Stealer) infostealer. Subsequent analysis put the number of infected skills above 800 — approximately 20% of the registry.
Prompt injection is an architectural problem with no universal solution. OpenClaw does not sanitise web content before passing it to the LLM context window: a page containing CSS-invisible instructions can cause the agent to execute them as user commands. Researcher Simon Willison, who coined the term “prompt injection”, described what he calls the “lethal trifecta” in the context of OpenClaw: access to private data + exposure to untrusted content + ability to communicate externally. One of the project’s maintainers wrote in Discord that if a user cannot understand how to run a command in a terminal, this project is too dangerous to use safely.
What Comes Next
On February 14, 2026, Steinberger announced his move to OpenAI, and the project will be transferred to an independent open-source foundation. The MIT license ensures OpenClaw remains open regardless of where its creator works.
Early adopters are already using OpenClaw for tasks that seemed like science fiction until recently: making restaurant reservations by phone, purchasing tickets, managing investment portfolios — examples are compiled in the Turing College review. Persistent memory, multi-step inference, tool use, and proactive behaviour have become the baseline for frontier language models.
OpenClaw is not magic and it is not AGI. It is a well-structured prompt builder with a message router. But it is precisely this unglamorous engineering that turned an agentic research concept into a tool used by hundreds of thousands of people right now.
