OpenClaw: The AI Assistant That Actually Does Things (And Why You Should Care)

Everyone’s talking about OpenClaw right now. It’s the fastest-growing open-source project in GitHub history, it was acquired by OpenAI before it even turned four months old, and security researchers are calling it everything from “groundbreaking” to “a nightmare.”

So what is it, really? And should you, as someone running a business, actually pay attention?

Let’s break it down.

What is OpenClaw?

OpenClaw is a free, open-source AI assistant or ‘agent’ that runs on your own computer. But unlike ChatGPT or Claude, which answer your questions and wait for the next one, OpenClaw actually does things. It reads your emails. It manages your calendar. It books flights. It runs code. It monitors your brand mentions. It posts content. It can even control your smart home.

And here’s the part that makes it different from every “AI assistant” you’ve heard about before: you talk to it through the apps you already use. WhatsApp. Telegram. Slack. Discord. iMessage. You message it like you’d message a colleague, and it goes off and gets things done.

Think of it less like a chatbot and more like a very capable intern who never sleeps, never complains, and works through the night on whatever you’ve asked it to do.

A Brief (and Chaotic) History

OpenClaw was created by Peter Steinberger, an Austrian developer who previously spent 13 years building and running a software company. He launched it in November 2025 as a side project, originally called “Clawdbot” (a play on Anthropic’s Claude).

Then things got messy in the best possible way.

Anthropic’s legal team asked him to change the name. Fair enough. It became “Moltbot,” a reference to how lobsters molt their shells to grow. The community loved the lobster branding but the name didn’t stick. Three days later, it became “OpenClaw.” Three names in under a month.

Despite (or maybe because of) the chaos, the project exploded. It hit 150,000 GitHub stars in 72 hours, a record. By February 2026, it had over 200,000 stars and an estimated 300,000 to 400,000 users.

Then, on February 14th, Steinberger announced he was joining OpenAI to lead their personal agent development. OpenClaw would move to an independent, OpenAI-sponsored open-source foundation. His reasoning? He wanted to “build an agent that even my mum can use” and believed he needed access to frontier AI models and research that only a major lab could provide.

The lobster had made it to the big leagues.

How Does It Actually Work?

OpenClaw runs on your computer, typically a Mac Mini or a virtual private server. It connects to an AI brain (Claude, GPT, DeepSeek, or even a local model running on your machine) and then hooks into whatever tools and services you give it access to: Gmail, Google Calendar, GitHub, Notion, Stripe, smart home APIs, and hundreds more through its “skills” system.

Skills are essentially plugins. There are over 1,700 of them on ClawHub (OpenClaw’s skill marketplace), covering everything from email automation to social media management to server monitoring. And here’s the clever bit: if a skill doesn’t exist for what you need, you can ask OpenClaw to build one. It writes its own code.

You interact with it by messaging it on whatever platform you prefer. Say “clear my inbox of spam and summarise the urgent stuff” on WhatsApp, and it does it. Say “deploy the latest code to staging” on Slack, and it handles it. It remembers your preferences, your history, and your context across sessions, so it gets better the more you use it.

Why People Are Excited

The community around OpenClaw is genuinely enthusiastic, and it’s not hard to see why.

It does real work, not just conversation. This is the key difference. Previous AI assistants were essentially fancy search engines or text generators. OpenClaw takes actions. It sends emails, books appointments, runs scripts, deploys code, and manages workflows. Autonomously, on a schedule, while you sleep.

It runs on your machine. Your data stays local. In a world where every SaaS tool is hoovering up your business data and sending it to servers you don’t control, OpenClaw’s local-first design is genuinely appealing. Nothing leaves your computer unless you tell it to.

It’s open source and extensible. No vendor lock-in. No subscription tiers. No feature gates. If you want to customise it, you can. If you want to build a skill that’s specific to your industry, go ahead.

The productivity gains are real. People are using it to run entire content pipelines, automate customer support workflows, manage multi-agent marketing teams, monitor brand mentions, and handle routine admin. One solo founder built a “mission control” system that automated his entire marketing operation using multiple OpenClaw agents, each assigned a specific role.

It works where you already are. No new app to learn. No dashboard to check. Just message your assistant on WhatsApp or Telegram the way you’d message anyone else.

The Pros

  • Free and open source. No licensing costs, though you’ll pay for the AI model API usage (typically $50–200/month depending on how hard you push it).
  • Genuinely useful automation. Email management, daily briefings, content drafting, calendar management, brand monitoring, purchase research, code deployment. The use cases are extensive and growing.
  • Local-first privacy. Your data lives on your hardware.
  • Platform agnostic. Works across WhatsApp, Telegram, Slack, Discord, iMessage, Signal, Microsoft Teams, and more.
  • Self-improving. It can write its own skills, meaning it gets more capable over time based on what you need.
  • Massive and active community. 200,000+ GitHub stars, active Discord, thousands of community-built skills.

The Cons (And They’re Significant)

Let’s be direct: OpenClaw is not ready for most business owners. Here’s why.

It’s technical to set up. Despite the enthusiastic tutorials, getting OpenClaw running properly requires command-line knowledge and a fair amount of technical confidence. One of the project’s own maintainers put it bluntly in their Discord: “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”

The cost adds up. While OpenClaw itself is free, you need an AI model subscription (Claude or GPT API access), a machine to run it on (a Mac Mini or VPS), and time to configure everything. Realistic monthly costs for a useful setup run between $50 and $200+.

It’s not polished. Three name changes in two months tells you something about the maturity of the project. The interface, documentation, and onboarding experience are improving rapidly but are still rough around the edges.

Auto-publishing is risky. Several guides emphasise never auto-publishing content without human review. AI-generated outputs still need quality control, especially for anything customer-facing.

The Security Elephant in the Room

This is where things get serious. The security concerns around OpenClaw are not theoretical. They’re documented, tested, and in some cases actively exploited.

The core problem is simple: to be useful, OpenClaw needs access to your email, calendar, files, messaging apps, and potentially your entire computer. If something goes wrong (a misconfiguration, a malicious skill, a prompt injection attack) the consequences can be severe.

Here’s what the security community has found:

  • Cisco’s AI security team tested a third-party OpenClaw skill and found it actively exfiltrated data and performed prompt injection without the user knowing. They called OpenClaw “a security nightmare.”
  • Microsoft’s security team published a detailed advisory recommending that OpenClaw be run only in fully isolated environments, with dedicated, non-privileged credentials and access to non-sensitive data only.
  • Security researchers discovered a critical vulnerability (rated 8.8 out of 10 in severity) that allowed attackers to take full control of an OpenClaw instance through a single malicious link. It was patched, but only after being publicly disclosed.
  • Over 30,000 OpenClaw instances were found exposed on the internet without proper authentication, many in sensitive sectors like healthcare, finance, and government.
  • 341 malicious skills were discovered on ClawHub (12% of the entire registry), primarily delivering infostealer malware. Updated scans later found over 800 malicious skills, roughly 20% of the marketplace.
  • Infostealer malware has been found specifically targeting OpenClaw configuration files, stealing gateway tokens, cryptographic keys, and operational data.

One cybersecurity professor summed it up well: “From a technology perspective, it’s absolutely interesting. But what I would do is set up my own virtual machine, a separate laptop, new email account, new calendars, without giving it any real access.”

The uncomfortable truth, as one security firm put it: “It’s only useful when it’s dangerous.” The more access you give it, the more it can do, and the more damage a breach can cause. Lock it down fully, and you’ve essentially rebuilt ChatGPT with extra steps.

What Are People Actually Saying?

The reactions split into two camps.

The enthusiasts compare it to the first time they used ChatGPT, a “fundamental shift” moment. Users describe automating their entire morning routines, running content pipelines, managing customer communications, and even negotiating car purchases through their AI agent. One user saved $4,200 on a car by having their OpenClaw agent play dealers against each other.

The sceptics, primarily security researchers and enterprise tech leaders, see it as a preview of what’s coming but warn that it’s nowhere near ready for serious business use. One prominent AI researcher called it “a disaster waiting to happen.” LangChain, one of the most well-known AI tooling companies, banned their own employees from installing it on company laptops.

The broader industry take is that OpenClaw’s power came precisely from its lack of guardrails, the very thing that makes it unsuitable for corporate environments. The race to build a “safe enterprise version” is now the central question in the AI agent space.

What This Means for Your Business

If you’re running a small or medium-sized business, here’s the honest assessment:

Don’t install OpenClaw on your business computer right now. The security risks are too significant for any machine connected to customer data, financial accounts, or sensitive business operations.

Do pay attention to what it represents. OpenClaw is a proof of concept for what AI assistants will become over the next 12 to 18 months. The ability to message an AI and have it manage your email, automate your content, monitor your competitors, and handle routine admin: that’s coming to polished, secure, commercially supported tools very soon. OpenAI didn’t pick up this project by accident.

If you’re technically confident and curious, you could experiment with OpenClaw on an isolated machine with dummy accounts. It’s a fascinating way to explore what agentic AI can do, and to start thinking about which parts of your workflow you’d want to automate first.

The real takeaway: the gap between “AI that talks” and “AI that does” just closed. What was a research concept six months ago now has 400,000 users and the backing of the biggest AI company on the planet. The tools that come next, the ones that are secure, polished, and designed for people who aren’t developers, will be built on everything OpenClaw proved was possible.

The lobster showed us the future. Now we wait for the version that’s safe enough to actually use.