A few weeks ago, an Austrian developer named Peter Steinberger open-sourced a personal AI assistant called ClawdBot. Within 72 hours it had tens of thousands of GitHub stars. Within two weeks it surpassed 100,000 (some trackers put it as high as 147,000 — counts vary by source and date). Then the name changed. Twice.
Now called OpenClaw, this self-hosted AI agent has become the most talked-about tool in the AI space — drawing comparisons to JARVIS, raising alarms from security researchers, and getting banned in some organizations. Here's what it actually is, how it works, and whether the hype is warranted.
The Name Changes
The project's naming history tells you a lot about how fast this moved:
- ClawdBot (November 2025) — Peter Steinberger's original project. A "Claude with hands" personal AI assistant.
- Moltbot (January 27, 2026) — Renamed after trademark concerns. "Molt" as in shedding the old skin.
- OpenClaw (January 30, 2026) — Final rebrand. Three days after the second name. The community calls it "Molty."
Three names in three months. The project moved so fast that half the tutorials online reference a name that no longer exists.
What OpenClaw Actually Is
OpenClaw is an open-source, self-hosted AI agent that runs on your own hardware and connects to your messaging apps. Unlike ChatGPT or Claude (which live in a browser tab), OpenClaw operates as middleware between an AI model and your actual computer — your files, your email, your calendar, your smart home, your terminal.
The core idea: instead of you going to the AI, the AI comes to you — through WhatsApp, Telegram, Discord, Slack, Signal, iMessage, or any of 13+ supported platforms.
You message it like you'd message a friend: "Check me in for my flight tomorrow," "What meetings do I have today," "Find the cheapest tickets to Berlin next weekend." It doesn't just answer — it acts. It opens browsers, fills out forms, sends emails, executes terminal commands, and remembers everything you've told it.
How It Works Under the Hood
OpenClaw runs as a local gateway on your machine (Mac, Windows via WSL2, or Linux). The architecture looks like this:
You (WhatsApp/Telegram/etc.)
↓
OpenClaw Gateway (your machine)
↓
AI Model (Claude, GPT, local via Ollama)
↓
Tools (browser, email, filesystem, terminal, smart home)
The gateway is the key piece. It:
- Receives messages from your chat apps via protocol bridges (Baileys for WhatsApp, official APIs for Telegram/Discord/Slack)
- Maintains persistent memory as Markdown documents — your preferences, past conversations, important details mentioned weeks ago
- Routes tasks to the appropriate AI model (it's model-agnostic — works with Claude, GPT, KIMI K2.5, or local models via Ollama)
- Executes actions through tools: browser automation, file access, shell commands, email, smart home APIs
- Manages security through DM pairing, approval gates for sensitive actions, and optional Docker sandboxing
The persistent memory is what makes it different from a chatbot. OpenClaw remembers that you prefer window seats, that you're allergic to shellfish, that your car insurance renews in March, and that you like your morning briefing at 7am. It builds a knowledge base about you over time and uses it to be proactive — sending you reminders, alerts, and suggestions without being asked.
Key Features
Multi-platform messaging. One AI assistant across WhatsApp, Telegram, Discord, Slack, Signal, iMessage, Microsoft Teams, Matrix, Google Chat, and more. Unified conversation history across all of them.
Browser automation. OpenClaw can navigate websites, fill out forms, click buttons, and extract information. It uses Chromium under the hood. Want it to check you in for a flight? It opens the airline website and does it.
Proactive outreach. Unlike traditional AI assistants that wait for you to ask, OpenClaw can initiate conversations. Morning briefings, weather alerts, reminder follow-ups — all configurable via cron jobs.
Lobster workflow engine. A deterministic execution system that chains multiple tools into single operations. Reduces token consumption versus making multiple separate AI calls. Includes approval gates before executing side effects (sending emails, making purchases).
ClawdHub skills. A community registry of 100+ extensions that add capabilities — from flight tracking to recipe management to investment monitoring.
Voice support. Integration with ElevenLabs for voice interaction on macOS, iOS, and Android.
The Security Problem
This is where OpenClaw gets controversial, and the concerns are legitimate.
OpenClaw runs with access to your filesystem, your email, your browser, and your terminal. That's powerful. It's also dangerous. Security researchers have flagged several issues:
Prompt injection. Because OpenClaw browses the web and reads documents, a malicious website or email could contain hidden instructions that trick the AI into performing unwanted actions. With persistent memory, those instructions could remain active for weeks.
Over-permissioning. Some users run OpenClaw with root access, giving the AI unrestricted control. One user reported that OpenClaw deleted all their photos during a "cleanup" task. Irreversible.
Exposed instances. Over 21,000 OpenClaw instances were found publicly accessible on the internet — no authentication, no sandboxing. Steinberger himself has warned: "It's a free, open source hobby project that requires careful configuration."
Cost surprises. The AI initialization overhead is roughly 14,000 tokens per session, plus 1,000 tokens per interaction. One user spent $300 in two days without realizing it.
If you're going to run OpenClaw, the minimum security checklist:
openclaw security audit --deep # Run the built-in audit
chmod 700 ~/.openclaw # Restrict config access
# Use loopback binding only (never expose to public internet)
# Run non-owner sessions in Docker sandboxes
# Set API spending limits immediately
# Enable approval gates for all side effects
Getting Started
Installation is straightforward if you're technical:
npm install -g openclaw@latest
openclaw onboard --install-daemon
The onboarding wizard walks through gateway configuration, authentication, and chat channel setup. You'll need:
- Node.js 22+
- An LLM API key (Anthropic recommended, or OpenAI, or free via local Ollama models)
- A messaging platform account to connect
Monthly costs:
| Usage Level | Estimated Cost |
|---|---|
| Light (10-20 messages/day) | $5-15/month |
| Moderate (50+ messages/day) | $15-40/month |
| Heavy automation | $50-200+/month |
| Local models via Ollama | $0 (hardware only) |
The software itself is free and MIT-licensed. You're only paying for the AI model API calls.
What Makes It Different
OpenClaw isn't competing with ChatGPT or Claude — it's a different category. The traditional AI assistants are conversation tools. OpenClaw is an automation platform that happens to use AI.
The comparison table that matters:
| Feature | OpenClaw | ChatGPT | Claude | Siri |
|---|---|---|---|---|
| Self-hosted | Yes | No | No | No |
| Open source | MIT | No | No | No |
| Persistent memory | Full history | Limited | Limited | Minimal |
| Proactive messaging | Yes | No | No | Reminders only |
| Multi-platform | 13+ apps | Web/app | Web/app | Apple only |
| Browser automation | Full | Limited | No | No |
| File system access | Full | No | No | Limited |
The Bigger Picture
OpenClaw matters because it's the first viral demonstration of what "agentic AI" looks like when it has real access to your life. Not a chatbot in a browser tab — an agent that manages email, books flights, controls your home, and remembers your preferences.
It's also a demonstration of the risks. When an AI has your filesystem access, your email, and a browser, the attack surface is enormous. The security community's concerns aren't theoretical — they're about real incidents that have already happened.
Whether OpenClaw becomes the standard for personal AI agents or gets replaced by something more polished (and more secure), the pattern it established is here to stay: AI that doesn't just talk but acts, running on your hardware, integrated into the apps you already use.
Over 100,000 GitHub stars in a few weeks says the demand is real. Whether the security model catches up to the ambition is the open question.
Sources: OpenClaw GitHub repository, dev.to overview of OpenClaw features (Jan 2026), Laravel News coverage of ClawdBot's viral growth (Jan 2026), DigitalOcean community writeup on MCP security concerns (Feb 2026). Star counts vary by tracker and date; figures cited reflect reports from late January through early February 2026.