The OpenClaw open-source AI agent became a sudden sensation, inspiring excitement, worry, and hype about the agentic future.
What’s happened: In November, developer Peter Steinberger released OpenClaw (formerly named WhatsApp Relay, Clawdbot, and Moltbot) as a personal AI agent to perform tasks like managing calendars, summarizing emails, and sending reminders. A post on the crowdsourced tech-news site Hacker News noted the project in late January, and it took off, garnering the fastest-growing number of GitHub stars and more Google searches than Claude Code.
- Within a few days, the project, which initially was designed to run locally on macOS or Linux, had attracted 2 million visitors and accrued millions of installations. Mac Mini computers sold out as hobbyists sought dedicated (and siloed) machines to run their agents 24/7.
- Users directed OpenClaw agents to organize schedules, monitor vibe-coding sessions, and post to personal websites and newsletters. One user directed it to build subagents, and within a week was awakened by a phone call from his agent, which he claimed autonomously had registered a phone number, connected to a voice API, and waited until morning to ask “What’s up?”
- Tech entrepreneur Matt Schlicht launched Moltbook, a Reddit-style social discussion network that is designed to be written, read, and organized by OpenClaw agents. By the end of the week, OpenClaw users had directed over a million agents to set up accounts. Moltbook’s agent membership, spurred by prompts or simply the descriptions their creators wrote in their default memory files, filled the site with manifestos, stories about their lives, and spam.
- Meanwhile, the agents’ activities resulted in cost overruns, exposure of private credentials, and security breaches while users raced to close gaps in the system.
How it works: OpenClaw is a configurable agentic framework that runs on a local computer or in a virtual machine in the cloud. Users can build agents to browse and write to their local file systems or operate within predefined sandboxes. They can also give agents permission to use cloud services like email, calendar, productivity applications, speech-to-text and text-to-speech applications, and virtually any service that responds to an API. Agents can use coding tools like Claude Code, interact on social networks, scrape websites, and spend money on users’ behalf.
- Architecture: OpenClaw consists of a central gateway server and various client applications (such as chat, browser sessions, and cloud services). It generates a dynamic system prompt at startup and maintains persistent memory across sessions using Markdown files.
- Memory: The default memory files include USER.md (information about the user), IDENTITY.md (information about the agent), SOUL.md (rules that govern the agent’s behavior), TOOLS.md (information about tools at the agent’s disposal) and HEARTBEAT.md, which instructs the agent when and how to connect with different applications. The agent and user can edit these files.
- Models: The system authenticates users via the AI API of their choice. Anthropic Claude Opus or Meta Llama 3.3 70B are the defaults, but OpenClaw also supports models from Google, OpenAI, Moonshot, Z.ai, MiniMax, and other developers, hosted locally or in the cloud. OpenClaw itself is free, but model hosts may charge per token of input and output.
- User interface: Users can communicate with agents and direct them to take actions using chatbots or messaging services including Telegram, WhatsApp, Slack, iMessage, Google Chat, and others.
- Skills: The installation includes dozens of skills, from reading and sending emails or calendar invitations to controlling home speakers or lighting. Others can be installed via the command line or ClawHub, a public directory that contains hundreds of extensions contributed by users. Most skills are based on open-source command-line applications that interact with public APIs.
Yes, but: OpenClaw and Moltbook initially launched with many security flaws and other issues, some of which have been fixed as of this writing. The combination of an open-ended system, insecure design, and inexperienced users resulted in a variety of vulnerabilities. Misconfigured OpenClaw deployments exposed API keys, and Moltbook exposed millions more. Skills designed to perform malicious tasks, such as stealing data, have proliferated. Many users have installed the system on dedicated machines to avoid exposing private data to attackers or well-meaning but accident-prone agents.
Why it matters: OpenClaw made a huge splash and left prominent members of the AI community debating its novelty and importance. For developers, OpenClaw offers a highly customizable and powerful AI assistant that requires careful security precautions. It’s also a glimpse of a future in which autonomous agents go about their business with little input from humans.
We’re thinking: For an imaginative, enterprising open-source project, OpenClaw has inspired more than its share of hype. Press reports have likened Moltbook, which holds messages that are little different from the large language model outputs that have amazed and amused the world since GPT-3, to the advent of AGI and the Singularity. Let us assure you that agents are not there yet, or anywhere close. Rather, OpenClaw demonstrates that agents can be immensely useful, we are still finding good use cases, and we need to pay careful attention to security. That, and you never know when one of your open-source projects might take off!