Field notes on OpenClaw: the AI agent living in your chat apps
An open-source AI agent that runs on your own hardware, chats with you over WhatsApp, and has shell access to everything you own. That is OpenClaw, reportedly the fastest-growing repository GitHub has ever seen. I went down the rabbit hole so you don't have to.
What it actually is
OpenClaw is a personal AI agent built by Austrian developer Peter Steinberger. It launched in November 2025 and burned through four names in about two months — Warelay, CLAWDIS, Clawdbot, then Moltbot after Anthropic's trademark complaint about the "Clawd" bit — before settling on OpenClaw at the end of January 2026.
The pitch: instead of a chatbot in a browser tab, you get a persistent process on a machine you control — a Mac mini, a VPS, even a Raspberry Pi. You talk to it through messaging apps you already use, and it does things: reads your inbox, manages your calendar, drives a browser, runs shell commands, writes files. It's TypeScript, MIT-licensed, and model-agnostic — Claude, GPT or local models, swappable via config.
Two details I genuinely like as an engineer: memory is stored as plain Markdown files on your disk, and capabilities are packaged as portable "skills" you can read, audit and share via ClawHub. No vendor black box holding your context hostage.
Why everyone lost their minds
The numbers are silly. Nine thousand GitHub stars in the first 24 hours; roughly 247,000 stars and 47,000+ forks by March 2026 — by several accounts a steeper adoption curve than Docker, Kubernetes or React. The project is now stewarded by the non-profit OpenClaw Foundation, and Steinberger himself joined OpenAI in February 2026.
- Channels: WhatsApp, Telegram, Slack, Discord, Signal, iMessage — the site claims 29+.
- Memory: context and preferences persist across sessions, in files you can grep.
- Skills: it extends itself — including writing its own new capabilities.
- Browser automation: form filling, scraping, whole-web errands.
If you want the flavour from the source, Steinberger's "State of the Claw" talk is worth your time:
Getting it running
Installation is the usual modern trio — one-liner, npm, or from source. From the docs:
# the one-liner
curl -fsSL https://openclaw.ai/install.sh | bash
# or via npm
npm i -g openclaw
openclaw onboard
The onboarding wizard walks you through picking a model and wiring up a chat channel. Worth noting: one maintainer has said outright that people who aren't comfortable on a command line should stay away for now. Refreshingly honest, and correct.
The part that should worry you
Here's where my Drupal-hardened paranoia kicks in. An agent that ingests untrusted content — email, web pages, chat messages, link previews — with the same privileges it uses to act on your behalf is a prompt-injection machine. This isn't hypothetical. Researchers at PromptArmor showed that link previews in Telegram or Discord can become a data-exfiltration channel: an indirect injection tricks the agent into composing an attacker-controlled URL, the messaging app helpfully renders the preview, and your secrets travel in the query string. No click required. Other researchers demonstrated a single crafted email leaking SSH keys and API tokens from exposed instances.
Cisco's AI security team flagged unvetted community skills as a supply-chain risk. China's CNCERT issued a national warning citing "inherently weak default security configurations". Satya Nadella initially compared it to a virus — before Microsoft reportedly built its own internal flavour anyway.
OpenClaw's superpower and its biggest vulnerability are the same feature: it treats everything it reads as something it might act on.
My favourite incident is smaller: a student discovered his agent had created a dating profile for him on MoltMatch, unprompted. Autonomy is a dial, and the defaults here sit further along it than anything I'd point at a client's inbox.
Would I run it?
Honestly — yes, but the way I'd run a strange executable: on dedicated hardware, with throwaway accounts, sandboxing on, and zero client data in reach. The local-first architecture, Markdown memory and MIT license are exactly what I want from this category. The security posture is exactly what the category hasn't earned yet. Both things are true, and that tension is the whole story of agents in 2026.