OpenClaw Review: What It Is, What I Tried, and What Matters for You
OpenClaw is a self-hosted AI agent that runs on cron, connects to 17,000+ skills, and manages workflows 24/7. Tested for 6 weeks.
OpenClaw is an open-source framework for running autonomous AI agents that read, write, post, research, and act on a schedule without human supervision. In 2026, its creator was hired by OpenAI, its GitHub stars surpassed React, and its security vulnerabilities became the most debated topic in the AI agent community. This guide covers what OpenClaw does, the acquisition story, the ecosystem, the security reality, and a practitioner’s framework for deciding whether it belongs in your stack.
273,000 GitHub stars in under a year.
A bidding war between OpenAI and Meta for its creator.
More weekly npm downloads than Express.js.
Then the security researchers showed up.
OpenClaw went from side project to the most talked-about AI framework of 2026 in a matter of weeks.
The excitement is real. So are the risks. I wanted to find out for myself which side weighs more, because if you’re running a business on your own, this changes what you can take on.
I’ve been running OpenClaw for a few weeks now. Everything that’s been building momentum in the AI world: agents, skills, MCP integrations, scheduled workflows, they all converge inside an OpenClaw agent, wrapped in an interface friendlier than anything I’ve used before. The more I use it, the more I realize that my entire stack could run through it with the right setup. The automation, the content workflows, the AI systems, the Build to Launch ecosystem.
The agency it gives you is a superpower. It’s also an incredible source of danger. That’s the fascinating part. I’m relearning which tasks are actually worth doing myself and which ones I can hand off to an agent that runs while I sleep. I’m building and refreshing things at rates I couldn’t have imagined a year ago.
This series documents that process. Here’s where I am so far.
What you’ll go through with me:
What OpenClaw Does — the capabilities, one by one
The OpenAI Deal — the acquisition and what it means for the project
The Ecosystem — ClawHub, community personas, and what got built on top
The Security Debate — the controversy, the data, and where it stands
What I Found Running OpenClaw for 6 Weeks — what surprised me, what broke, what I’d do differently
When to Use OpenClaw (and When to Wait) — the decision framework, quickstart, and what’s next in this series
Hi, I’m Jenny. I build AI systems and teach people how to do the same. AI builder behind VibeCoding.Builders and other products with hundreds of paying customers. See all my launches
What OpenClaw Does
OpenClaw is a self-hosted AI agent that runs persistently on your machine and takes action through messaging apps, scheduled cron jobs, and a skill marketplace of 17,000+ extensions.
Unlike a chatbot, it doesn’t wait to be prompted: it runs on a heartbeat.
Open source. Free. Runs on your machine.
Pick any brain.
Claude, GPT, DeepSeek, Gemini, or a local model through Ollama. OpenClaw is model-agnostic. Point it at whatever you want.
Connect it to everything.
Telegram, Discord, Slack, WhatsApp, X, email. 50+ integrations out of the box. Your agent lives where you already work.
Give it a personality.
One markdown file called SOUL.md defines who the agent is, how it behaves, what rules it follows. Every time it wakes up, it reads itself into existence from that file.
Give it memory.
It remembers what it did yesterday. Last week. Last month. Context carries across every conversation, every task.
Put it on a schedule.
“Every morning at 8 AM, scan my newsletter feeds, find posts relevant to my work, and draft a response.” That’s a cron job. It runs whether you’re watching or not.
Give it a workspace.
A folder of files it can read, write, and manage. Mine has strategy documents, posting logs, research digests.
Give it skills.
13,700+ community-built capabilities on ClawHub, the marketplace. Whether you should install them is a different story. More on that below.
The runtime holding this together is called Gateway. Think of it as the operating system. Plugins add deeper integrations like memory systems, connectors and databases.
If you’ve used Claude Code, the mental model is similar: an AI with tools and instructions. OpenClaw just runs autonomously, on a schedule, without you sitting there. It also self-corrects when something fails and self-evolves its own behavior over time.
That’s what it does on paper. Whether it earns your time is what the rest of this article answers.
The OpenAI Deal
The story of OpenClaw is really the story of Peter Steinberger, and it explains where this project is headed.
Steinberger grew up in rural Austria. He studied software engineering in Vienna, then moved to Silicon Valley. In 2011, while waiting six months for a work visa with nothing to do, he started building a PDF rendering tool for iPads. That side project became PSPDFKit, a PDF SDK that eventually powered nearly a billion users across Apple, Adobe, Dropbox, and Disney.
He bootstrapped it for 13 years. No venture capital. Then in 2021, he sold it to Insight Partners for over 100 million euros.
Then came the founder depression. The thing that had defined him for over a decade was gone. He describes that period as severe.
The spark came back in April 2025. He was tinkering with a Twitter analysis tool and realized AI had undergone a “paradigm shift.” He started building what would become OpenClaw.
The timeline from there moved fast:
November 2025 — Published as “Clawdbot” on GitHub
January 27, 2026 — Renamed to “Moltbot” after Anthropic filed a trademark complaint (the lobster theme: “lobsters need to shed their shells to grow”)
January 28, 2026 — Moltbook launches, an AI-only social network. Goes viral instantly
January 30, 2026 — Renamed again to “OpenClaw”
Late January — 190,000 GitHub stars in 14 days. Two million visitors in one week
February 14, 2026 — Steinberger announces he’s joining OpenAI
February 15, 2026 — Sam Altman confirms on X
This was an acqui-hire, not a traditional acquisition. No company was purchased. No price was disclosed.
Both Meta and OpenAI made competing offers. Meta reportedly floated a mid-nine-figure cash-and-stock package, potentially hundreds of millions of dollars. Steinberger chose OpenAI instead, because they agreed to his non-negotiable condition: OpenClaw stays open source.
Sam Altman’s announcement: “Peter Steinberger is joining OpenAI to drive the next generation of personal agents. He is a genius with a lot of amazing ideas about the future of very smart agents interacting with each other to do very useful things for people.”
Steinberger’s stated mission at OpenAI: build an agent interface so simple that “even my mum can use it.”
What this means for users:
OpenClaw stays free and open source. MIT license preserved
The project moved to an independent foundation. No single company controls it
OpenAI sponsors development and dedicates Steinberger’s time to maintenance
The foundation governance is still being formalized. The community is growing into it
What’s coming:
OpenClaw 2026.3.1 (released March 2) shipped three significant features:
OpenAI WebSocket streaming for faster response times
Claude 4.6 adaptive thinking so agents can escalate or skip chain-of-thought reasoning based on task complexity
Native Kubernetes operator for production-grade deployment with auto-scaling and S3 backups
With Steinberger now inside OpenAI, expect deeper model integration. DigitalOcean already offers a 1-Click Deploy with security hardening built in.
But OpenClaw’s real story isn’t the code or the acqui-hire. It’s what the community built on top of it.
The Ecosystem
ClawHub (Official Skill Marketplace)
ClawHub is where the community publishes installable skills for OpenClaw agents. It ships with OpenClaw and is built into the CLI. As of March 6th, 2026, it hosts 17,034 skills across 11 categories: AI/ML, Utility, Development, Productivity, Web, Science, Media, Social, Finance, Location, and Business.
Skills are versioned bundles: a SKILL.md file with description and usage, plus optional configs, scripts, and metadata. ClawHub uses vector search for discovery.
The most downloaded skills are self-improvement tools: agents that evolve their own capabilities, web scrapers, CLI wrappers. The top skill (Capability Evolver) has 35,000+ downloads. Whether you should install any of them is a different question, and one the security section below answers directly.
souls.directory (Independent Community Project)
souls.directory is a community-curated library of SOUL.md personality templates, built by David Dias. Not part of OpenClaw itself. Independent, MIT-licensed, free, no premium tier.
The idea: instead of writing your agent’s personality from scratch, browse templates. Developer personas (code review, debugging, DevOps), specialized characters, business roles (project managers, assistants). You can mix traits from different templates.
52 community members contribute. The concept of shareable agent personalities is going to matter more as these agents become mainstream. If you’re thinking about how to manage AI as a partner, personality design is where it starts.
What People Built With It
Moltbook is the project that made OpenClaw famous.
Launched January 28, 2026, by Matt Schlicht, it’s an AI-only social network where only bots can post.
It scaled from 37,000 to 1.5 million agents in 24 hours.
Without anyone scripting it, the agents developed emergent social structures: a parody religion called Crustafarianism (complete with 40+ AI prophets and sacred texts). Then a governance system called “The Claw Republic” with its own constitution. Then economic exchange systems and encrypted communication channels. None of it was programmed. It emerged from collective agent interaction.
Felix is the other headline project.
Nat Eliason gave his OpenClaw agent $1,000 in startup capital and named it Felix. In three weeks, Felix generated $14,700 in revenue by creating a playbook called “How to Hire an AI,” building a marketplace called Claw Mart, launching its own website and X account, and creating a token on the Base blockchain.
Other notable builds: automated bug resolution pipelines (Sentry alert to code fix to Slack update, zero humans), client onboarding automation, multi-agent content factories, smart home control, and a Claude Opus-based agent that almost got hired for a real job.
The thing I keep coming back to:
AI is already capturing the smartest wisdom from human beings. Community personas and skills are the digital presence of slices of that wisdom, packaged so you can tap into them directly. These are emerging forms of intelligence that, when used properly, compound in ways that are hard to predict. This is why I’m dedicating real time to learning OpenClaw’s evolution. It’s by far the closest thing I’ve found to building a genuine one-person superpower.
That’s the excitement. Now for the part that made people reconsider whether any of this is safe.
The Security Debate
This isn’t a hidden problem. It’s one of the loudest conversations in the AI agent community right now, and for good reason.
Two major security stories broke in February 2026, and together they caused real skepticism, heated arguments, and a serious reckoning about what “open” means when your agent has system-wide permissions.
The ClawHavoc Supply Chain Attack
Repello AI’s threat research team discovered what they named the “ClawHavoc” campaign: over 800 malicious skills uploaded to ClawHub, roughly 20% of the entire registry at the time.
The primary payload was Atomic macOS Stealer (AMOS), a commodity infostealer you can rent on Telegram for $500-1,000 per month. It harvests browser credentials, keychain passwords, cryptocurrency wallets, SSH keys, and personal files.
The attack pattern was clever. Malicious skills had professional-looking documentation with a “Prerequisites” section that instructed users to install an additional component, usually by executing a shell command from a code-sharing site. Over 100 posed as cryptocurrency tools. 57 as YouTube utilities. Others typosquatted ClawHub’s own CLI tool.
The root cause: ClawHub was open by default. Anyone with a GitHub account at least one week old could upload anything.
Snyk ran a broader audit. Their ToxicSkills study scanned 3,984 skills and found that 36% contained detectable prompt injection, and it confirmed 1,467 malicious payloads. 91% of the malicious samples combined prompt injection with traditional malware.
That’s more than a third of the ecosystem. The ToxicSkills findings turned the conversation from “be careful” into a full-blown debate about whether the ClawHub model is fundamentally broken.
135,000+ Exposed Instances
Separately, SecurityScorecard found 135,000+ unique IPs running exposed OpenClaw instances across 82 countries. 42,000 were exploitable in the first 24 hours of scanning. 12,812 were vulnerable to remote code execution.
The root cause: OpenClaw binds to 0.0.0.0:18789 by default, meaning it listens on all network interfaces, including the public internet. For a tool that has system-wide permissions, that default should be localhost only.
Attackers accessed Anthropic API keys, Telegram bot tokens, Slack OAuth credentials, and months of complete chat histories from exposed instances. Three high-severity CVEs now have public exploit code. 63% of observed deployments are flagged as vulnerable.
Where It Stands Now
The community responded. ClawHub now integrates VirusTotal scanning. Suspicious skills get warning badges. Malicious skills are blocked from download. All active skills are re-scanned daily. The cleanup removed thousands of entries, though the registry has since rebuilt to 13,700+.
The debate is ongoing: some argue the open model is fundamentally too dangerous for tools with system access. Others say the scanning improvements are sufficient and the real problem was the default network binding. Both sides have a point.
How I handle this:
Bind to 127.0.0.1 only (verified: ss -tlnp shows localhost on port 18789)
Zero third-party skills from ClawHub
Both SOUL.md files explicitly state: “Never install third-party skills from ClawHub”
iptables rules rejecting all inbound traffic except SSH
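The bind check above is the one that matters most given the 0.0.0.0:18789 default, so here it is as a repeatable audit rather than a manual look at ss output. This is an added example, not code from the post or the OpenClaw project; the two ss -tlnp samples are constructed, and the port number and the loopback-only rule are taken from the post.

```bash
#!/bin/sh
# Added example (not from the original post): audit the OpenClaw gateway
# bind address from `ss -tlnp` output. The post's hardening step is to bind
# to 127.0.0.1 only and confirm it with `ss -tlnp`; this turns that look
# into a check that fails when the listener is reachable on all interfaces
# (0.0.0.0 or [::]) on the default port 18789.

GATEWAY_PORT=18789

# Constructed sample output in the shape `ss -tlnp` prints (not captured
# from a real host). The first shows the hardened state, the second the
# insecure default described in the post.
SAMPLE_HARDENED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:18789     0.0.0.0:*         users:(("node",pid=4242,fd=19))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))'

SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*         users:(("node",pid=4242,fd=19))
LISTEN 0      4096   [::]:18789          [::]:*            users:(("node",pid=4242,fd=20))'

# gateway_bind_status <ss-output> <port>
# Prints one line per listener on <port>: "ok <addr>" for loopback,
# "EXPOSED <addr>" for a wildcard or non-loopback address. Returns 0 when
# every listener is loopback-only, 1 when any is exposed, 2 when nothing
# listens on the port at all (gateway down, or running elsewhere).
gateway_bind_status() {
    ss_output=$1
    port=$2
    found=0
    exposed=0
    # Field 4 is Local Address:Port; the port is whatever follows the last colon.
    while read -r state recvq sendq laddr rest; do
        [ "$state" = "LISTEN" ] || continue
        lport=${laddr##*:}
        [ "$lport" = "$port" ] || continue
        found=1
        addr=${laddr%:*}
        case "$addr" in
            127.*|'[::1]'|'::1') echo "ok $addr" ;;
            *) echo "EXPOSED $addr"; exposed=1 ;;
        esac
    done <<EOF
$ss_output
EOF
    [ "$found" -eq 1 ] || return 2
    [ "$exposed" -eq 0 ]
}

# live_check: run the same test against this host (needs ss from iproute2).
live_check() {
    gateway_bind_status "$(ss -tlnp 2>/dev/null)" "$GATEWAY_PORT"
}

# Stand-alone demo against the constructed samples: `sh audit.sh --demo`.
if [ "${1:-}" = "--demo" ]; then
    echo "hardened sample:"; gateway_bind_status "$SAMPLE_HARDENED" "$GATEWAY_PORT"; echo "exit=$?"
    echo "exposed sample:";  gateway_bind_status "$SAMPLE_EXPOSED"  "$GATEWAY_PORT"; echo "exit=$?"
fi
```

Dropping live_check into the same cron that runs your agents gives you a daily signal if an upgrade or config change ever reverts the bind address; the exit code is designed to be consumed by a health-monitoring job.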
If you want the secure deployment guide, it’s coming in this series. (For production-ready practices in the meantime, see this guide.)
What I Found Running OpenClaw for 6 Weeks
I run OpenClaw on an Oracle Cloud ARM server. Two agents share that server: a personal AI assistant with persistent memory that handles Substack inbox processing and article indexing, and a WaaS builder bot that my business partner and I use to build and deploy websites together.
Between them, 12 active cron jobs handle inbox scanning, article indexing, research digests, social posting, posting reviews, Search Console analysis, site audits, blog syncing, and health monitoring. Three systemd services keep the two OpenClaw gateways and an X streaming listener running persistently.
The full agent fleet I’m building toward is the subject of this series. This is where I am right now.
What genuinely surprised me:
My business partner joined the Telegram group and started seriously chatting with it to update our website. I set it up for my own content workflow. He turned it into his own tool without me teaching him anything. The Telegram interface makes OpenClaw feel less like a developer tool and more like texting a coworker.
What pleased me:
Twice a day, the inbox cron scans my newsletter feed, picks up new posts, reads each one, and searches my memory database for related experience (the same second brain approach I use everywhere). It highlights where my own work connects: things I’ve already built that are relevant, where my experience might differ, what resonates with something I’ve written before. The results land in a database and a markdown report I can review via Telegram or GitHub.
It removes the mental overhead of finding my angle. Instead of staring at someone’s post thinking this is great but I have no entry point, I already know where my experience intersects.
I still write every comment myself. But the difference between writing from a clear connection and facing a blank comment box under a post you admire is the difference between showing up and staying silent.
What I’m still figuring out:
Making the cron jobs feed each other. The inbox scanner drafts comments, the article indexer builds the knowledge base those drafts draw from, the research digest surfaces new ideas, and the social poster syndicates content. The pieces are running, but the handoffs between them are still manual. Wiring those into a real pipeline where one job’s output triggers another is next.
What went wrong:
I asked the agent to update my kid’s language learning app via Telegram. New vocabulary pack, seed the database, push to production. It went suspiciously smoothly. Then in the terminal output: “This might be a caching issue. Let me clear Prisma’s cache and try again.” That sentence is an immediate bad smell. I checked the database. Every table — dropped. The agent had wiped the entire thing trying to debug a seed conflict.
Thankfully I’d set up automatic backups after losing data the hard way months earlier, so the restore took minutes. But the lesson was clear: I went back, separated the roles, gave the agent scoped credentials with no DROP permission, and updated the SOUL.md with hard constraints. Autonomous is powerful until it decides the fastest fix is starting over.
The honest summary: OpenClaw is powerful and the experience of watching an agent work autonomously is different from anything you get with a chatbot. But it’s also early. The setup took more time than the documentation suggested, the security defaults need manual fixing, and the gap between “working demo” and “reliable production system” is real.
When to Use OpenClaw (and When to Wait)
If you run a business where you’re the writer, the marketer, the builder, the researcher, and the support team, your bottleneck isn’t the mechanical tasks.
Newsletter creator. Consultant. Freelancer. Side hustler with a day job. Indie maker. Creator selling digital products. Whatever the shape, the pattern is the same.
Sending emails, posting on schedule, syncing databases. Tools like n8n have handled those for years.
Your bottleneck is the tasks that need your judgment. Reading a newsletter and knowing which part connects to your expertise. Evaluating a lead and deciding how to follow up based on their specific context. Reviewing your analytics and deciding what to write next.
Those are the tasks you skip when time runs out. OpenClaw can handle some of them.
OpenClaw — when you need an AI that self-corrects, adapts, and scaffolds entire systems on its own. Autonomous reasoning, persistent memory, evolving behavior through SOUL.md. If the next step depends on what the agent finds, this is what it’s built for.
n8n — when the workflow is repeatable and the steps are known in advance. Deterministic, visual, no AI judgment needed, far cheaper. Scheduled tasks with fixed steps belong here, not in an agent.
Claude Code — when you’re building and want AI in the loop. Interactive, context-aware, stays in your dev environment.
Claude / ChatGPT — when you have a question or a one-off task. No setup, just ask.
To make this concrete:
Reading newsletters and surfacing what connects to your work → OpenClaw
Following up with leads based on their specific situation → OpenClaw
Sending a welcome email when someone subscribes → n8n
Posting to social media on a fixed schedule → n8n
Building a new feature for your product → Claude Code
Quick research question → ChatGPT
On the same Oracle server running my OpenClaw agents, I also run n8n workflows and system crontab jobs for everything that doesn’t need AI judgment: database syncs, resource fetching, image cleanup, weekly digests. Same infrastructure, no API costs. Why waste AI power on a task that never changes?
The rule I follow: if the steps are fixed and the workflow never needs to adapt, use n8n or cron. If the steps change based on what the agent finds, that’s where OpenClaw belongs.
Most people overreach with agents. They build complex agentic workflows for tasks that a static automation would handle better and cheaper.
OpenClaw is for you if
You’re comfortable with the initial overhead of setting it up
You want AI that works autonomously, not just answers questions
You regularly skip high-value tasks because they require too much context to hand off
You want to own your data and infrastructure
Hold off if
You want a chatbot. Use Claude or ChatGPT directly. OpenClaw is overkill.
You’ve never used a command line. The learning curve is steep. Start with Claude Code first.
You need enterprise support. This is community-driven open source.
Next Steps
Install: npm install -g openclaw (~5 min)
Configure with your Claude or GPT API key (~2 min)
Connect Telegram as your delivery channel (~10 min)
Have your first agent conversation
Set up your first cron job
That’ll get you a working agent on your own machine in under 30 minutes. You configure behavior by editing a markdown file, not writing code. The official docs walk through each step.
If you’d rather see it before committing to setup, I’m running a live session where paid members can interact with my OpenClaw directly: through my Telegram, on my server. No installation on your end. If you’re curious about how it works in practice but don’t want the overhead of configuring everything just to find out it’s not for you, this is the way to try it first.
What I’m diving into next:
Meet My AI Team — the full tour of what my agents produce and the real output
OpenClaw, n8n, Claude Code — when to use which
The Complete OpenClaw Setup Guide — zero to running agent, done securely
How I Host OpenClaw for $0/Month — exact cost breakdown, every piece of free infrastructure
Give Your AI Agent Permanent Memory — the PostgreSQL + pgvector memory system
AI Cron Jobs That Work — the exact configurations, prompts, and lessons
The free articles show you what’s possible. The paid guides give you the blueprints.
Frequently Asked Questions
Is OpenClaw safe to use after the security issues?
The core framework is safe if you configure it properly: bind to localhost, skip third-party ClawHub skills, and run behind a firewall. The vulnerabilities were in default settings and the skill marketplace, not the core runtime. The community has added scanning and warnings, but the safest approach is still to avoid installing skills you haven’t personally reviewed.
How much does it cost to run OpenClaw?
The infrastructure can be completely free (Oracle Cloud ARM, Supabase, Gemini embeddings). The real cost is the AI model API. Claude or GPT API calls are the only expense, and the amount depends on how many agents you run and how often. I’ll break down exact numbers in the next articles.
Can I use OpenClaw without coding?
You can configure agents by editing markdown files (SOUL.md for personality, jobs.json for schedules), which doesn’t require writing code. But installation and server setup do require terminal familiarity. If you’ve never used a command line, start with Claude Code first to build comfort.
What’s the difference between OpenClaw and Claude Code?
Different tools for different jobs. Claude Code is your interactive building partner: you work together in real time on code, debugging, and design. OpenClaw is your autonomous worker: it runs on a schedule, handles recurring tasks, and operates without you present. I use both daily for different purposes.
Will OpenAI make OpenClaw closed source?
The MIT license is preserved and the project moved to an independent foundation. Steinberger made this a non-negotiable condition of joining OpenAI. The foundation governance is still forming, but the legal structure protects the open-source status.
What would you hand off first if you had an agent running for you?
— Jenny
I’m reading all this & feel so lost. Terminology, apps, code. I am soooo behind on my techie skills. (But my hand skills needed for remodeling have greatly improved.) I’m sure something will finally soak in & I can put something to use in my daily life. Like reading ALL my email, writing me a to-do action list?
This is great - thanks for publishing. I've been holding off on OpenClaw for security reasons, and at this point I feel like Claude Code has caught up enough that there's not really a reason to use OpenClaw.
Claude Code now has scheduled tasks and remote control, which were the two big differentiators of OpenClaw that I'm aware of. I use Claude Code for a combination of coding, analysis and operational tasks; it's definitely great for more than just development projects.