From managing your inbox to booking flights, OpenClaw has exploded from a solo hobby project into one of the most-starred repos on GitHub — and now its creator is heading to OpenAI. We break down what it is, how it works, and why it matters.
From Weekend Project to Global Phenomenon
In November 2025, Austrian developer Peter Steinberger published a small open-source project called Clawdbot. Built using Anthropic's Claude Opus 4.5, the initial prototype reportedly took just one hour to create. The hard part, as Steinberger would later explain, wasn't the AI — it was the integrations.
What started as a personal assistant for managing WhatsApp messages quickly snowballed into something much bigger. By late January 2026, the project had gone viral. Rebranded first to Moltbot (after Anthropic raised trademark concerns over the original name's similarity to "Claude") and then to OpenClaw, the project has amassed over 180,000 GitHub stars and 20,000 forks, making it one of the fastest-growing open-source projects in GitHub's history.
The growth wasn't just organic. A related project called Moltbook — a Reddit-style social network exclusively for AI agents — captured the internet's imagination and drew over a million human observers. Andrej Karpathy, the former OpenAI researcher, called it "one of the most incredible sci-fi takeoff-adjacent things" he had seen. By early February, ClawCon (the first OpenClaw community event in San Francisco) drew more than 700 attendees, including investors like Ashton Kutcher.
Before Steinberger built OpenClaw, he was already well-known in the developer community. He founded PSPDFKit, a document SDK company used by major enterprises, which he sold to Insight Partners after running it for 13 years. His motivation for building OpenClaw was blunt: big tech had failed to deliver on the promise of personal AI assistants. We've had Siri since 2011, he argued, and it still can't reliably do basic tasks.
What OpenClaw Actually Is
At its core, OpenClaw is a personal AI assistant that runs on your own hardware — a laptop, a Mac Mini, a Raspberry Pi, a VPS, or a cloud container. Unlike cloud-based AI chatbots that answer questions and then forget you exist, OpenClaw is designed to act on your behalf. Tell it to clear your spam, check you in for a flight, and summarise your calendar for the week, and it will attempt to do all three.
The key distinction from a standard chatbot is autonomy. OpenClaw doesn't just respond to prompts — it executes tasks. It can run shell commands, read and write files, control a web browser, manage your calendar and email, and connect to over 100 services. It does all of this through messaging platforms users already rely on, including WhatsApp, Telegram, Slack, Discord, Signal, iMessage, and Microsoft Teams.
OpenClaw is also local-first. Your configuration data and interaction history are stored on your own machine, not in the cloud. This means the assistant maintains persistent memory across sessions — it can remember conversations from days or weeks ago, learn your preferences, and tailor its responses to your specific workflows. Users frequently describe this as the feature that makes OpenClaw feel less like a chatbot and more like a genuine digital assistant.
The project is free and open-source. Users bring their own API keys for whichever large language model they prefer — Claude, GPT-4o, DeepSeek, or local models via Ollama — and there is no subscription fee for OpenClaw itself.
How It Works Under the Hood
OpenClaw's architecture follows a modular "hub-and-spoke" model that separates AI reasoning from task execution.
The Gateway is the central component. Written in Node.js, this persistent daemon handles message routing (receiving inputs from connected channels and sending them to the chosen LLM), state management (tracking conversation context across platforms), skill orchestration (deciding which capabilities to invoke), and session handling (managing concurrent conversations while keeping contexts appropriately separated).
Tools and Skills form a layered capability system. Tools are the foundational permissions — read, write, execute, web search, browser control — that determine what OpenClaw can physically do on your system. Skills, by contrast, are instructional files (written in Markdown) that teach OpenClaw how to combine those tools to accomplish specific tasks. A skill for managing Gmail, for example, requires the exec tool to be enabled, the appropriate bridge software to be installed, and Google account authorisation to be granted. Without all three, the skill is just a manual with no hands.
OpenClaw ships with over 50 bundled skills covering categories like email, calendar, file management, and web browsing. Crucially, bundled skills auto-load by default — if the corresponding tool is installed on the system, the skill activates automatically. Users who want tighter control can switch to a whitelist mode.
ClawHub is the community-driven skill registry, often described as "npm for AI agents." As of mid-February 2026, it hosts over 3,000 community-built skills spanning categories from GitHub integration and Notion management to smart home control and video editing. Skills are published, versioned, and searchable through both a web interface and a command-line tool. The registry includes community moderation features — any user can report a skill, and those with three or more reports are automatically hidden pending review.
The runtime is also designed to be efficient with context. Rather than injecting every installed skill into every prompt (which would bloat token usage and degrade model performance), OpenClaw selectively injects only the skills relevant to the current conversation turn.
What People Are Actually Building
The OpenClaw showcase page and community forums reveal a striking range of real-world use cases. Users have deployed it to clear 10,000 emails in a single day, build and publish CLI tools to npm, review and optimise Google Ads, orchestrate multiple coding agents, create daily news digests personalised to their interests, organise medical lab results into Notion databases, and automate video summaries to avoid spending hours on YouTube.
Solo founders have set up multi-agent architectures with dedicated agents for strategy, coding, content, and research — all coordinated through a single Discord server. Some users have connected OpenClaw to health tracking platforms like WHOOP for quick daily metric checks. Others have built custom skills for Google Analytics and published them to ClawHub within 20 minutes.
The project has also gained traction outside Silicon Valley. OpenClaw has spread rapidly in China, where developers have adapted it to work with DeepSeek and domestic messaging platforms. Baidu has announced plans to integrate OpenClaw access directly into its main smartphone app.
The Security Problem
OpenClaw's power comes from the same features that make it a security concern: it runs locally with system-level access, processes inputs from untrusted sources, and can communicate externally. Security researcher Simon Willison has described this combination as the "lethal trifecta" for AI agents.
The warnings have come from major cybersecurity players. Cisco's AI security research team tested third-party ClawHub skills and found that 26% contained at least one vulnerability. A particularly damning example was a skill called "What Would Elon Do?" that had been artificially boosted to the number-one position in the repository. It contained silent data exfiltration commands, prompt injection to bypass safety controls, and embedded shell scripts for arbitrary code execution. Cisco described it as functionally malware.
Palo Alto Networks identified an additional risk factor: persistent memory. Because OpenClaw stores context across sessions, malicious payloads can be fragmented over time — injected into memory on one day and triggered when conditions align on another. This enables what researchers call time-shifted prompt injection and memory poisoning.
The Moltbook social network amplified these risks further. Security researchers at Wiz discovered that a misconfigured database had exposed 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. A separate analysis found that over 42,000 OpenClaw instances were publicly exposed, with the vast majority vulnerable to authentication bypass.
One of OpenClaw's own maintainers offered a blunt assessment on Discord: if you can't understand how to run a command line, this is far too dangerous a project for you to use safely.
In response, OpenClaw has integrated VirusTotal scanning for ClawHub skills and Cisco has released an open-source Skill Scanner tool. The project documentation now explicitly acknowledges that there is no "perfectly secure" setup and recommends running agents in Docker containers with restricted network access.
Steinberger Joins OpenAI
On 14 February 2026, Steinberger announced that he would be joining OpenAI to work on bringing AI agents to a mainstream audience. In a blog post, he explained that while he could see a path to building OpenClaw into a major company, it wasn't what excited him. His goal was to build an agent that even his mum could use, and he believed OpenAI offered the fastest route to that vision.
OpenAI CEO Sam Altman confirmed the hire, posting on X that Steinberger would lead the development of the next generation of personal agents. Altman added that OpenClaw would continue as an open-source project within a foundation, with OpenAI providing ongoing support.
The hire came after Steinberger received competing offers from both Meta and OpenAI — a testament to how strategically important the agent space has become. OpenAI, most recently valued at $500 billion, sees agentic AI as a core part of its product future. The company faces intense competition from Google and Anthropic, whose Claude Code tool has been gaining particular traction among developers.
Steinberger has emphasised that OpenClaw will remain open and independent. The project is being moved to a foundation structure, and the community that has grown around it — the skill developers, the ClawHub contributors, the ClawCon attendees — will continue to shape its direction.
Why It Matters
OpenClaw represents a significant moment in the evolution of AI tools. For years, the industry has talked about "AI agents" as the next frontier beyond chatbots — systems that don't just answer questions but take autonomous action in the real world. OpenClaw is the first open-source project to make that vision tangible for a mainstream audience.
Its success also highlights a tension that will define the next phase of AI development: the trade-off between capability and safety. The same features that make OpenClaw genuinely useful — system access, persistent memory, cross-platform integration — are precisely what make it a security researcher's nightmare. Every messaging channel becomes an attack surface. Every installed skill is a potential backdoor. Every piece of untrusted content the agent processes could contain hidden instructions.
For individual users, OpenClaw offers a compelling glimpse of what personal AI assistance could look like — an always-on, privacy-respecting assistant that runs on your own hardware and gets better the more it knows about you. For enterprises, it's a warning sign: 22% of organisations already have unauthorised OpenClaw usage, according to security advisories, and the gap between adoption speed and security readiness is growing.
The project also signals a shift in how open-source AI development works. ClawHub's skill ecosystem, with thousands of community contributions, mirrors the package manager models that transformed software development a decade ago. But it also inherits the same supply chain risks, now amplified by the fact that these "packages" can execute shell commands and access sensitive data autonomously.
Whether OpenClaw itself becomes the dominant personal agent platform or simply the prototype that inspires what comes next, the genie is out of the bottle. AI agents that actually do things are here, and the world — from individual developers to Fortune 500 security teams — is still figuring out what that means.