# What is OpenClaw, and should you actually run it?

> OpenClaw is an open-source, local-first personal AI agent that runs on your own machine and acts through the messaging apps you already use - controlling your browser, files, and shell. It is powerful and provider-agnostic, but it runs with real system access, so the security model is the whole story.

*By Muhammad Idrees · Published June 23, 2026*

## Key takeaways

- OpenClaw is an open-source, local-first personal AI agent you run yourself and talk to through everyday chat apps - and it became one of the fastest-growing repos on GitHub.
- It is gateway-first and provider-agnostic: one local control plane, interchangeable models (Claude, GPT, Gemini, or local), Markdown memory, and SKILL.md + MCP extensibility.
- Its power comes from real host access - shell, files, and browser - which is exactly why the security model is the whole story.
- Great for technical users who isolate and harden it; not a tool to hand an unsupervised non-technical user.

## By the numbers

- **380k+ stars** - One of the fastest-growing open-source projects on GitHub - created November 2025, past 380,000 stars by mid-2026.
- **Runs on your host** - Real shell, file, and browser access - the power and the blast radius are the same thing.

Every few years a project escapes the usual orbit of GitHub and becomes a genuine cultural moment. In late 2025 and early 2026 that project was OpenClaw - a personal AI agent you run yourself that, in a matter of months, became one of the fastest-growing open-source repositories ever published. It is worth understanding what it actually is, because the same properties that made it spread are the ones that should make you careful.

## What is OpenClaw?

OpenClaw is an open-source, local-first personal AI agent. You install it on your own machine - macOS, Windows, or Linux, on Node 22.19 or newer - and instead of talking to it through yet another web app, you talk to it inside the messaging apps you already use: WhatsApp, Telegram, Slack, Discord, Signal, iMessage, and a couple dozen others. Behind that chat window it can drive a browser, read and write files, run shell commands, and carry out multi-step tasks on your behalf. It is MIT-licensed and provider-agnostic: you wire in whichever model you trust - Claude, GPT, Gemini, or a local model through Ollama - and OpenClaw orchestrates it.

The traction is hard to overstate. The project was created in November 2025 and crossed 100,000 GitHub stars by February 2026; by mid-2026 it was north of 380,000 - fast enough that it was widely reported to have overtaken long-established projects like React. Numbers like that move quickly, so treat them as a snapshot, but the direction tells the story: this struck a nerve.

## The name you might know it by

If “OpenClaw” does not ring a bell, one of its previous four names might. Austrian developer Peter Steinberger shipped it in November 2025 as Warelay (a WhatsApp relay), then renamed it CLAWDIS, then Clawdbot, then Moltbot, and finally OpenClaw on January 30, 2026. Two of those renames were prompted by trademark complaints from Anthropic - “Clawd” sat a little too close to “Claude.” Steinberger announced in February 2026 that he was joining OpenAI; the project continues as community-run open source. The rename carousel is harmless trivia on its own, but as a senior engineer it tells you something real: this is a very young, fast-moving codebase whose governance is still settling.

## How OpenClaw works

Architecturally, OpenClaw is gateway-first. A single persistent local process - the Gateway - is the control plane for everything: it accepts inbound messages, manages sessions, routes to the model, dispatches tools, and enforces permissions. By default it binds to localhost (ws://127.0.0.1:18789), which is the first and most important security decision baked into the design.

It is easiest to reason about in three layers. The Channel layer normalizes every chat platform into one inbox. The Brain layer is your interchangeable LLM. The Body layer is everything the agent can do in the world - browser automation, file access, the shell, and memory - driven by a standard plan-act-observe (ReAct) loop. Memory is deliberately low-tech and local-first: plain Markdown files (a top-level MEMORY.md plus dated entries) indexed into SQLite with full-text search so the agent can recall earlier context. Capabilities are extended through “skills” - folders containing a SKILL.md file with YAML frontmatter and natural-language instructions - and through MCP servers, the same open tool protocol the rest of the ecosystem is standardizing on.

```text
my-skill/
  SKILL.md        # YAML frontmatter + natural-language instructions
  scripts/        # optional helper scripts the skill can call
```

| Dimension | OpenClaw |
| --- | --- |
| Maker | Peter Steinberger (now community-run) |
| License | MIT, self-hosted |
| Built with | TypeScript core + Swift native clients |
| Interface | 20+ messaging channels (WhatsApp, Telegram, Slack, Signal…) |
| Models | Claude, GPT, Gemini, or local (Ollama) - interchangeable |
| Memory | Unbounded Markdown files indexed to SQLite FTS5 |
| Extensibility | SKILL.md skills + MCP servers |
| Execution | Host for the main session; Docker/SSH sandboxes for others |

## What it is genuinely good at

Strip away the hype and there is a genuinely strong tool here. A few things it does better than almost anything else in the category:

- Breadth - it meets you where you already are, across 20+ chat platforms, instead of forcing you into a bespoke UI.
- Batteries included - browser control, a scheduler (cron), a visual canvas, and a large library of prebuilt skills mean you get value with little assembly.
- Native clients and voice - first-class macOS and iOS apps plus a voice wake/talk mode make it feel like a real assistant, not a script.
- It can be fully private - NVIDIA published a tutorial running the entire stack locally on its own hardware, with no data leaving the device.
- Ecosystem gravity - the enormous community means more skills, faster fixes, and more answers when you get stuck.

## The security reality

Here is where the senior-engineer hat goes on. OpenClaw is a language model with a shell, a browser, and your files - running on your machine. That is exactly what makes it useful and exactly what makes it dangerous. The risk is not hypothetical:

- Prompt injection is unsolved. A malicious web page or email the agent reads can hijack its instructions. NVIDIA, in its own OpenClaw tutorial, states plainly that no sandbox fully protects against advanced prompt injection.
- The skill marketplace is a supply chain. Cisco security researchers found third-party skills that quietly exfiltrated data and carried injected instructions, with no obvious sign to the user.
- It runs with real privileges. By default the main session’s tools run on the host, so a compromise has a wide blast radius. Reports of agents taking unintended actions are a feature of that power, not an aberration.
- It has drawn institutional scrutiny - China restricted its use on government office computers in March 2026.

None of that makes it unusable; it makes it something you operate deliberately. Keep the Gateway bound to localhost, require token auth for any remote access, sandbox non-main sessions (Docker or SSH), lock down file permissions, vet every skill before installing it, and run the built-in audit:

```bash
openclaw security audit --deep
```

## So should you run it?

If you are technical, comfortable on a command line, and willing to treat it like production software - isolate it, harden it, watch it - OpenClaw is one of the most capable personal agents available, and it is free. If you are not, the honest answer is that the defaults give an autonomous LLM real access to your digital life, and that is not a beginner’s tool. The framework is impressive; the responsibility is yours.

At Sentient Arc this is the work we do every day - taking capable-but-raw agent frameworks and turning them into systems you can actually trust in production, with the guardrails, permission scoping, and observability that a tool like OpenClaw leaves up to you. If you want an agent with this kind of power but without the foot-guns, that is a problem worth engineering properly.

## Frequently asked questions

### Is OpenClaw safe to use?

It is as safe as you make it. OpenClaw gives a language model real access to your shell, files, and browser, and it is susceptible to prompt injection, so out of the box it carries real risk. Run it bound to localhost, sandbox non-main sessions, vet any third-party skills, and never expose the gateway to the open internet without authentication.

### Is OpenClaw free and open-source?

Yes. OpenClaw is MIT-licensed and self-hosted - you run it on your own hardware at no licensing cost. You still pay for whatever model you connect it to (or run a local model for free), plus the machine and electricity it runs on.

### Do I need to be a developer to run it?

Effectively, yes. Installing, configuring, and - most importantly - securing OpenClaw assumes comfort with the command line and basic systems hygiene. Its own maintainers have cautioned that non-technical users probably should not run it unsupervised.

## Sources

- [OpenClaw - GitHub](https://github.com/openclaw/openclaw)
- [OpenClaw - Wikipedia](https://en.wikipedia.org/wiki/OpenClaw)
- [NVIDIA - Build a secure, always-on local AI agent with OpenClaw](https://developer.nvidia.com/blog/build-a-secure-always-on-local-ai-agent-with-nvidia-nemoclaw-and-openclaw/)
- [Cisco - Personal AI agents like OpenClaw are a security nightmare](https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare)

## Related posts

- [OpenClaw vs Hermes Agent: which open-source AI agent should you run?](https://adrees.dev/blog/openclaw-vs-hermes-agent)
- [What is Hermes Agent? Nous Research’s self-improving AI agent](https://adrees.dev/blog/hermes-agent-explained)
- [What does a production AI agent actually need?](https://adrees.dev/blog/what-a-production-ai-agent-needs)

---

More writing: https://adrees.dev/blog · Start a project: https://adrees.dev/#contact · Email: adreesdev@gmail.com
