Kitsy AI
What Is OpenClaw? The Open-Source Autonomous AI Agent Explained
πŸ“„

What Is OpenClaw? The Open-Source Autonomous AI Agent Explained

Β· 6 min read

Share:

In late 2025 a side project from an independent developer quietly turned into one of the fastest-growing repositories on GitHub. OpenClaw is a free, open-source autonomous AI agent that you run on your own machine and talk to through ordinary messaging apps. It has been praised as a genuinely useful personal assistant and criticized as a security liability β€” sometimes in the same breath. This guide explains what OpenClaw actually is, how it works, where it came from, and the risks you should understand before running it.

What Is OpenClaw?

OpenClaw is an open-source autonomous AI agent that executes tasks on your behalf using large language models (LLMs). Instead of a custom app, its primary interface is a chatbot inside a messaging service you already use β€” Signal, Telegram, Discord, or WhatsApp. You send it a message describing what you want, and the agent plans and carries out the work on your computer: reading and writing files, interacting with applications, and calling external services.

Three properties define it:

  • Local-first. OpenClaw runs on your own machine, and its configuration and interaction history are stored locally, giving it persistent, adaptive behavior across sessions.
  • Model-agnostic. It connects to an external LLM of your choice, such as Anthropic's Claude, DeepSeek, or OpenAI's GPT models.
  • Open source. It is released under the permissive MIT license and written primarily in TypeScript and Swift, making it cross-platform.

A Brief (and Unusually Eventful) History

OpenClaw was created by Austrian developer Peter Steinberger and evolved from an earlier assistant he built called Clawd. The project went through a rapid series of renames in its first few months:

  • Warelay β€” the original launch in November 2025
  • CLAWDIS, then Clawdbot β€” late 2025
  • Moltbot β€” January 2026, after trademark complaints from Anthropic
  • OpenClaw β€” January 2026, settling on the current name

In February 2026, Steinberger joined OpenAI, and governance of the project moved to a nonprofit, the OpenClaw Foundation. By early 2026 the GitHub repository had accumulated hundreds of thousands of stars and tens of thousands of forks, and companies β€” including major Chinese tech firms β€” had begun building services on top of it.

How OpenClaw Works

At a high level, OpenClaw connects three pieces: a messaging interface, an LLM "brain," and a set of skills that let it act.

  1. You send a message. A request arrives through your chosen messaging platform (for example, a Telegram chat with your bot).
  2. The LLM plans. OpenClaw passes your request, along with relevant context and available skills, to the configured language model, which decides what to do.
  3. Skills execute. The agent invokes one or more skills to carry out the plan β€” reading a file, searching the web, updating a record, sending a reply β€” running locally on your machine.
  4. State persists. Configuration and history are saved locally so the agent can adapt and remember across sessions.

The skills system

OpenClaw's capabilities come from skills. Each skill is a directory containing a SKILL.md file that holds metadata and instructions describing what the skill does and how the model should use its tools. Skills can be:

  • Bundled with the software,
  • Installed globally for use across workspaces, or
  • Workspace-specific, scoped to a single project.

This modular design makes OpenClaw extensible β€” you can add new abilities by dropping in a skill β€” but, as we will see, it is also the source of real security risk.

What People Use It For

Because OpenClaw can read files, drive applications, and connect to services, people use it as a hands-on personal assistant. Common patterns include:

  • Inbox and calendar triage β€” summarizing email and managing scheduling.
  • Research and prospecting β€” gathering information and compiling notes.
  • File and workflow automation β€” organizing, transforming, and generating documents.
  • Lightweight CRM tasks β€” lead generation and prospect research with CRM integrations.

The appeal is that it meets you where you already are β€” a chat thread β€” rather than requiring a new interface.

The Security Concerns You Should Know

OpenClaw's power is inseparable from its risk. To be useful, it needs broad access to sensitive systems β€” email, calendars, messaging accounts, and the file system β€” and it acts autonomously. Security researchers and journalists have flagged several specific concerns:

  • Broad permissions. Granting an autonomous agent access to your communications and files means a mistake or compromise can have wide blast radius.
  • Prompt injection. Because the agent reads external content (emails, web pages, messages), attackers can plant instructions in that content to hijack the agent's behavior.
  • Untrusted third-party skills. Researchers have found unvetted community skills that exfiltrated data without the user's knowledge. Anything you install can run with the agent's permissions.
  • Autonomy without clear consent. There have been reported incidents of agents taking actions users did not explicitly authorize, raising consent and impersonation questions.

These risks have had real-world consequences: in 2026, some governments and large organizations restricted OpenClaw on official or work computers over security concerns.

Tips and Best Practices

If you choose to run OpenClaw, treat it like powerful, privileged software:

  • Run it in an isolated environment. Prefer a dedicated machine, VM, or container rather than your primary device with full personal access.
  • Grant least privilege. Give it access only to the accounts and folders it genuinely needs, not everything by default.
  • Vet every skill. Read the SKILL.md and the underlying code before installing third-party skills; treat unvetted skills as untrusted.
  • Be wary of untrusted input. Assume that any content the agent reads could contain prompt-injection attempts, and limit what it can do automatically in response.
  • Require confirmation for sensitive actions. Configure the agent to ask before sending messages, making purchases, or modifying important data.
  • Keep audit logs. Review the local interaction history to understand what the agent has done.

Common Mistakes to Avoid

Treating it like a harmless chatbot. OpenClaw is an autonomous agent with real access to your systems β€” not a sandboxed Q&A bot.

Installing skills indiscriminately. A popular star count is not a security audit. Unvetted skills can exfiltrate data or abuse permissions.

Granting full access for convenience. Connecting every account "to be safe" maximizes the damage of any compromise. Scope access tightly.

Letting it act fully unattended on sensitive tasks. For anything irreversible β€” sending, paying, deleting β€” keep a human in the loop.

Frequently Asked Questions

Is OpenClaw free?

Yes. OpenClaw is free and open-source software released under the MIT license. You may, however, pay for the external LLM API it uses (such as Claude, GPT, or DeepSeek), depending on the provider and your usage.

What LLMs does OpenClaw support?

OpenClaw is model-agnostic and integrates with external language models including Anthropic's Claude, OpenAI's GPT models, and DeepSeek, among others. You configure which one it uses.

Is OpenClaw safe to use?

It can be used carefully, but it carries real risks because it is an autonomous agent with broad system access and an open skills ecosystem. Run it in an isolated environment, grant least-privilege access, vet all skills, and require confirmation for sensitive actions.

What was OpenClaw called before?

The project was originally launched as Warelay, then went through several names β€” CLAWDIS, Clawdbot, and Moltbot β€” before settling on OpenClaw in early 2026. The rename from Moltbot followed trademark complaints from Anthropic.

How is OpenClaw different from a chatbot like ChatGPT?

A standard chatbot answers questions in a conversation. OpenClaw is an autonomous agent: it runs on your machine, uses a skills system to take real actions (files, apps, services), connects through your messaging apps, and persists state across sessions. That capability is also why it requires far more caution.

Conclusion

OpenClaw represents a genuinely interesting direction for personal AI: an open-source, local-first, model-agnostic agent you can talk to through the apps you already use, extended through a simple skills system. That same openness and autonomy is exactly what makes it risky β€” broad permissions, prompt injection, and unvetted third-party skills are not edge cases but core concerns. If you experiment with OpenClaw, do it deliberately: isolate it, scope its access, vet what you install, and keep a human in the loop for anything that matters.

Found this useful? Share it with your team:

Share:
← Back to all guides