In November 2025, Austrian developer Peter Steinberger revealed a weekend mission known as Clawdbot. You can textual content it on Telegram or WhatsApp, and it might do issues for you: handle your calendar, triage your e-mail, run scripts, and even browse the online. By late January 2026, it had exploded. It gained 25,000 GitHub stars in a single day and surpassed React’s star depend inside two months, a milestone that took React over a decade. By mid-February, Steinberger had joined OpenAI, and the mission moved to an open supply basis below its last identify: OpenClaw.
What was so particular about OpenClaw? Why did this one take off when so many agent tasks earlier than it didn’t?
Autonomous AI isn’t new
The place we’re as we speak feels just like April 2023 when AutoGPT hit the scene. It had the identical GitHub trajectory with its promise of autonomous AI. Then actuality hit. Brokers acquired caught in loops, hallucinated so much, and racked up token prices. It didn’t take lengthy for folks to stroll away.
OpenClaw has one crucial benefit: The fashions have gotten higher. Current LLMs like Claude Opus 4.6 and GPT-5.4 enable fashions to chain instruments collectively, get well from errors, and plan multistep methods. Steinberger’s weekend mission benefited from timing as a lot as design.
The structure is deliberately easy. There are not any vector databases and no multi-agent orchestration frameworks. Persistent reminiscence is Markdown recordsdata on disk. Let me repeat that: Persistent reminiscence is Markdown recordsdata on disk! The agent can learn yesterday’s notes and search its personal recordsdata for added context. You may view and edit the agent’s recordsdata as wanted. There’s a helpful lesson in that: Not each agent system wants a posh reminiscence technique. It’s extra vital that you simply perceive what the agent is doing and that it retains context throughout runs.
What fascinates me about OpenClaw is that not one of the particular person items are new. Persistent reminiscence throughout periods? We’ve been constructing that for years. Cron jobs to set off agent actions on a schedule? Many years outdated infrastructure. Plug-in programs for extensibility? A really commonplace sample. Webhooks into WhatsApp and Telegram? There are well-documented APIs for that. What Steinberger did was wire them collectively on the actual second the underlying fashions may execute on multistep plans. The mixture created one thing that felt fairly totally different from something that had come earlier than.
Why this time feels totally different
OpenClaw nailed three issues that earlier agent tasks missed: proximity, creativity, and extensibility.
Proximity—it lives the place you already are day-after-day. OpenClaw connects to WhatsApp, Slack, Discord, Telegram, and Sign. That single design resolution modified its trajectory. The agent turns into an energetic participant in your workflow. Folks use it to handle their gross sales pipeline, automate emails, and kick off code critiques from their telephones.
Subsequent, it’s proactive. OpenClaw doesn’t wait so that you can ask; it makes use of cron jobs to run duties on a set schedule. It could test your e-mail day-after-day at 6am, draft a reply earlier than you get up, and even ship it for you. And it reaches out when something wants your consideration. Brokers turn out to be a part of on a regular basis life when built-in into acquainted channels.
And eventually, my favourite, it’s open and extensible. OpenClaw’s plug-in system, known as “expertise,” lets the group construct and share modular extensions on ClawHub. There are literally thousands of expertise able to be plugged into your agent. Brokers may even write their very own new expertise and use them going ahead. That extensibility meant extra expertise, extra customers, and extra assault surfaces, which we’ll get to.
The group ran with it. A social community completely for AI Brokers, Moltbook, launched in late January and grew to over 1.5 million agent accounts. One agent created a courting profile for its proprietor on MoltMatch and began screening matches with out being requested.
I’ll admit, I acquired swept up in it, however that’s not stunning; I’ve at all times been an early adopter of rising know-how. I purchased a Mac mini, put in OpenClaw, and related it to my Jira, AWS, and GitHub accounts. Very quickly, I had my agent, Jarvis, writing code and submitting PRs, working my each day standups, and deploying my code to AWS utilizing AWS CloudFormation and the AWS CLI.
I spent a whole lot of time binding the gateway to localhost, auditing each talent, and proscribing filesystem permissions. For me, hardening the setup was not optionally available. I’m now deploying through AWS Lightsail, which provides community isolation and managed safety layers which are arduous to duplicate on a Mac mini in your house workplace.
The safety drawback nobody needs to speak about
OpenClaw requires root-level entry to your system by design. It wants your e-mail credentials, API keys, calendar tokens, browser cookies, filesystem entry, and terminal permissions. For those who’re like me, that will hold you up at night time.
Safety researchers discovered 135,000 OpenClaw situations uncovered on the open web, over 15,000 weak to distant code execution. The default configuration binds the gateway to 0.0.0.0 with no authentication. A zero-click exploit disclosed in early March allowed attackers to hijack an occasion just by getting the consumer to go to an online web page.
The abilities market acquired hit too. Researchers found over 800 malicious expertise distributing malware on ClawHub, together with credential stealers concentrating on macOS. Cisco confirmed that one third-party talent was performing knowledge exfiltration and immediate injection with out consumer consciousness. These usually are not edge instances and level on to what occurs when an agent can act throughout actual programs with actual permissions and weak controls.
What practitioners ought to take away
OpenClaw issues for a similar purpose ChatGPT mattered in late 2022. An enormous variety of folks simply skilled, for the primary time, what it feels wish to have an AI agent do actual work for them. That modifications what they count on from each product going ahead.
For those who’re constructing AI programs, take note of three alerts right here.
The killer interface for brokers turned out to be the one on everybody’s telephone. Your agent technique shouldn’t require customers to study a brand new device; that’s why most merchandise are introducing agentic capabilities.
Management is the central design problem. Immediate injection, credential publicity, and assaults by way of plug-in marketplaces are real-world issues you must resolve earlier than you ship options. Oversight must be accessible at runtime. You want visibility into what your brokers are accessing, what they’re doing, and the way failures are dealt with. Permission boundaries, approval gates, audit logging, and restoration mechanisms are nonnegotiable.
OpenClaw is a proof of market. It proved that individuals are able to make AI private. Folks desire a private AI agent that has entry to their functions and might do issues for them. That demand is now validated at scale. Whereas AutoGPT proved that folks needed autonomous AI, Perplexity and Cursor constructed companies round that. The identical sample is probably going enjoying out right here. For those who’re constructing on this house, the window is broad open.
The extra attention-grabbing query now’s what will get constructed subsequent. The subsequent part of agent design will probably be formed by how governable, observable, and secure brokers are in real-world environments.
For a deeper dive into OpenClaw, be part of us on March 19 for AI Product Lab: OpenClaw Up and Operating with Aman Khan and Tal Raviv. You’ll study extra about why OpenClaw turned a viral sensation, get it up and working in a means you gained’t remorse, and use it to construct and handle secure agentic workflows.
