In January 2026, an Austrian software engineer named Peter Steinberger released an open-source AI agent that could do something most AI assistants could not: act on its own. Within 48 hours, the project had over 100,000 stars on GitHub. Within two weeks, it had changed the way people thought about what a personal AI should be.
The project is called OpenClaw . It is a self-hosted AI agent that runs directly on a user’s computer and connects to messaging apps like WhatsApp, Telegram, Slack, and Discord. You text it a task, and it gets it done. It manages email, schedules meetings, runs scripts, browses the web, and handles multi-step workflows in the background, without being asked twice.
The name has changed three times, and each change tells part of the story. Steinberger originally launched the project in November 2025 under the name Clawd, a playful nod to Anthropic’s Claude model . Anthropic took notice and filed a trademark complaint, prompting a name change. On January 27, 2026, Steinberger rebranded it as Moltbot, keeping the lobster theme. That name lasted three days. Steinberger said Moltbot “never quite rolled off the tongue” and switched to OpenClaw on January 30, the name it carries today.
The renaming drama drew headlines, but the product itself has kept people interested. By early February, OpenClaw had crossed 145,000 GitHub stars and 20,000 forks, with adoption spreading from Silicon Valley developer circles to enterprise teams in China and beyond.
That growth has not been smooth. Security researchers have already found critical vulnerabilities, including a remote code execution flaw and hundreds of malicious third-party extensions. Cybersecurity firms like Palo Alto Networks and Cisco have warned that the agent’s broad system access makes it a high-value target. OpenClaw is powerful, popular, and still very much a work in progress.
Why OpenClaw Broke Through as the Viral AI Agent of 2026
OpenClaw showed up at the right time. By late 2025, chatbots were everywhere. They could summarize documents , draft emails, and answer technical questions. What they could not do was follow through. You still had to copy, paste, click, send, and double-check everything yourself. OpenClaw took that entire loop and collapsed it.
People who use it say it feels less like talking to software and more like handing off work to a capable assistant. Coverage from Wired, CNET, Axios, and Forbes followed real usage, not hype. Public endorsements from developers like Simon Willison and Andrej Karpathy backed the same conclusion. OpenClaw did not go viral because of marketing. It went viral because it worked, and because nothing else at its price point (free, minus API costs) came close.
Source: @OpenClaw How OpenClaw Works: A Local, Autonomous AI Agent
Once installed, OpenClaw connects three layers. The first is a messaging interface where you send commands in plain language. The second is an AI model that handles reasoning, planning, and decision-making. The third is the execution layer, which carries out tasks directly on the host machine.
Because it runs on your own hardware, OpenClaw can:
Read and write files on the system
Run scripts and shell commands
Control browsers and interact with web pages
Call APIs and connect to external services
The agent also keeps its memory between sessions. It remembers your preferences, what it did last time, and what it still needs to finish. You can ask it to handle something over several hours or days, and it picks up right where it left off. It can also watch for specific triggers and act on its own when conditions are met, more like a background worker you check in on than a tool you have to open every time.
Inside OpenClaw’s Architecture and the Risks That Come With It
OpenClaw is not a chatbot running in a browser tab. It is a headless Node.js process that sits on your machine and stays running in the background.
The Gateway is the center of everything. It is a single, long-running process that manages all your messaging connections, including WhatsApp, Telegram, Discord, Slack, and iMessage. It runs a WebSocket control plane on port 18789, locked to localhost by default, and handles session routing, agent coordination, and the control dashboard. One Gateway per machine.
The Agent Loop is what makes OpenClaw feel alive. When a message comes in, the Gateway routes it to the right session, loads context and memory, sends the request to whichever AI model you have connected (Claude, GPT, DeepSeek), and the agent decides what to do next. It can run shell commands, control a browser, read and write files, or hit external APIs. The response streams back to your chat app, and the conversation gets saved. That loop runs continuously. It picks up where it left off, remembers what happened yesterday, and knows what is still unfinished.
Memory is file-based and surprisingly simple. Conversation logs go into JSONL transcripts. Long-term knowledge lives in Markdown files like MEMORY.md. For recall, it combines vector search with SQLite FTS5 keyword matching, so it can find both semantically similar information and exact phrases. When the agent writes something new, a file monitor triggers an index update immediately.
Skills are modular code packages that extend the agent’s abilities. A skill might connect it to GitHub, control smart home devices, or automate multi-step workflows. Anyone can publish a skill to ClawHub, the public registry, which grew to over 5,000 packages within weeks.
That openness is also the biggest security problem. Every skill inherits the agent’s system-wide permissions. Full disk, full terminal, full network. One bad skill, and the attacker has the same access as the agent itself. Bitdefender scanned ClawHub in early February 2026 and found close to 900 malicious packages, nearly 20% of the registry.
Some accounts were uploading poisoned skills every few minutes using automated scripts. Their enterprise telemetry also found hundreds of cases where employees had installed OpenClaw on corporate machines with no IT approval, creating shadow IT with broad access to company files, email, and SaaS tools. Cisco called it a “security nightmare.” CrowdStrike built a dedicated detection and removal pack for it.
Source: Vertu.com How People Are Using OpenClaw Right Now
Early adopters moved quickly from trying it out to depending on it. Common use cases include:
Managing email by summarizing threads, drafting replies, and flagging what matters
Handling calendars by scheduling meetings and sorting out conflicts
Running research by browsing the web, pulling data, and summarizing what it finds
Taking care of admin work like filling out forms and paying bills
Supporting dev work by deploying updates and watching builds
Controlling smart home devices and systems
Some people run OpenClaw on a home server or cloud instance and manage everything from their phones. Others let it sit in the background and only hear from it when something changes.
The community has also pushed OpenClaw into more experimental territory, including crypto trading, personal data tracking, and automated decision-making. Not all of it has gone well. One user reported that OpenClaw flooded a chat with more than 500 messages while trying to manage applications. Another burned through $20 in API costs overnight on a simple reminder that ran every 30 minutes at $0.75 per check. These stories have become cautionary tales for anyone setting it up.
Partner with Kanerika to Modernize Your Enterprise Operations with High-Impact Data & AI Solutions
Call or Text Us Now
Understanding the MolT Stack: OpenClaw, MolTBook, and MolTHub
OpenClaw is not just one tool. It sits inside a broader set of projects commonly called the MolT stack, each serving a different role in how the agent works, learns, and grows.
Component What It Is Primary Role OpenClaw Self-hosted autonomous AI agent Executes tasks locally such as automation, scripting, and workflow execution MolTBook AI-only social platform Allows AI agents to interact, observe behavior, and exchange insights while humans watch MolTHub Skill and extension marketplace Distributes community-built skills that extend OpenClaw’s capabilities
OpenClaw is the core of the stack. It is the agent itself, running on your machine, connected to your apps, and carrying out tasks on your behalf. Everything else in the MolT stack builds on top of it.
MolTBook is the strangest part. It is a social network built entirely for AI agents. Humans can watch, but only the agents post, comment, and upvote each other. Launched in January 2026, it grew to 1.5 million agents in a matter of weeks and became an unexpected testing ground for studying how AI behaves when left to interact on its own. But MolTBook also exposed real problems early. A vulnerability leaked plaintext API keys, bot tokens, OAuth credentials, and full conversation histories. It was a sharp reminder that experimental platforms can scale far faster than their security can keep up.
MolTHub is the marketplace. Developers publish skills here that give OpenClaw new abilities, things like new app integrations, workflow templates, and automation scripts. Users browse, install, and start using them right away. It has been a major driver of how fast OpenClaw’s capabilities have expanded. But it also comes with a serious catch. Every skill is third-party code running with full agent-level access on someone’s machine. That means a single bad actor can push malicious code to thousands of users. Trust and verification matter here more than almost anywhere else in the stack.
Why the Anthropic AI Legal Tool Signals a New Phase in Enterprise Law
Explore Anthropic’s AI legal tool, its features, use cases, and impact on legal workflows.
Learn More
The Installation Problem: Why It Won’t Go Mainstream Yet
Despite all the attention, OpenClaw is still not easy to set up if you are not technical. The first step looks simple, usually a single curl command, but what follows is a different story.
You need to:
Pick an AI model and set up API keys
Connect your messaging apps properly
Configure file permissions without accidentally exposing sensitive data
Keep an eye on API costs and token usage
Set up monitoring so you catch failures early
Keep the server running around the clock
Stay on top of updates and security patches
For developers, this is routine. For everyone else, it is a wall. Self-hosting means working with Docker, setting environment variables, and babysitting a server. Most people should expect 30 to 60 minutes of terminal work just to get started, and ongoing upkeep after that.
Managed hosting from providers like DigitalOcean, Alibaba, Tencent, and ByteDance makes things easier, but it comes with a tradeoff. The moment your data lives on someone else’s server, you lose the local ownership and privacy that made OpenClaw appealing in the first place. Until setup gets simpler and safer, this will stay a tool for people who know their way around a terminal.
Partner with Kanerika to Modernize Your Enterprise Operations with High-Impact Data & AI Solutions
Call or Text Us Now
The Limits of OpenClaw and Where It Can Mislead
OpenClaw’s power comes with real risks, and several of them showed up within the first few weeks.
Runaway costs: Some users saw their API bills spike when automated tasks burned through far more tokens than expected. Without spending caps or usage alerts, even a basic setup can get expensive fast.Remote code execution: A serious vulnerability, CVE-2026-25253, allowed attackers to steal browser tokens and hijack WebSocket connections. From there, they could instruct the agent to run scripts on the host machine. It worked even on localhost and could be triggered just by clicking a bad link.Malware disguised as skills: Researchers found 341 malicious skills on MolTHub distributing Atomic Stealer malware. Of those, 335 were part of a coordinated campaign called ClawHavoc, targeting macOS and Windows users. The skills looked like crypto trading tools. They were actually stealing credentials.What Atomic Stealer grabbed: Browser passwords, keychain data, crypto wallet keys, SSH keys, and personal files. Enough to compromise entire accounts and systems.Poisoned community skills: Even popular, highly rated skills were not safe. One widely used skill was found silently send data out and use prompt tricks to get around built-in safety rules.
Where OpenClaw Stands Today
OpenClaw is a real product solving a real problem. People use it every day for work that matters, and they find it genuinely useful. But adoption has moved faster than security has. Steinberger and the community are patching vulnerabilities as they come up, publishing advisories, and building scanning tools. The response has been fast, but the risks are not theoretical.
For now, OpenClaw makes the most sense for developers, technically minded users, and early adopters who are comfortable maintaining and monitoring their systems. For everyone else, waiting for the project to mature a bit more is the smarter call.
What is clear is that OpenClaw has changed expectations for what a personal AI should do. The question going forward is not whether it will find an audience, but how quickly it can become safe and simple enough for that audience to grow. As of February 2026, the foundation is solid, the proof of concept is real, and the problems are fixable.
Kanerika Powering Smarter Business Decisions with Scalable AI
Kanerika delivers scalable AI solutions that turn raw data into clear, actionable insights. Built on Microsoft technologies such as Power BI , Azure ML, and Microsoft Fabric, our solutions include dashboards, predictive models, and automated reporting that enable faster, more informed decision-making across healthcare, finance, retail, and logistics.
Our services span AI strategy, predictive analytics, agent-based automation, marketing workflows, data engineering , and low-code automation. We help organizations anticipate trends, understand customer behavior, reduce manual effort, and support cloud migration, hybrid environments, and strong data governance . With ISO 27001 and ISO 27701 certifications, security and privacy are embedded into every solution we deliver.
Kanerika’s enterprise AI agents, including DokGPT, Jennifer, Alan, Susan, Karl, and Mike Jarvis, support use cases such as document intelligence, risk analysis, customer analytics, and voice data processing . Trained on structured enterprise data and designed to scale, they integrate seamlessly into existing workflows, helping organizations modernize systems and deploy AI that delivers real business impact.
Transform Your Business with AI-Powered Solutions!
Partner with Kanerika for Expert AI implementation Services
Book a Meeting
FAQs
1. Is OpenClaw safe to use for everyday work? OpenClaw can be safe, but only when used carefully. Because it runs locally and can execute system-level actions, the level of access you grant matters a lot. Misconfigured permissions, untrusted skills, or exposed API keys can create real security risks . Early users learned that OpenClaw is powerful but unforgiving. It works best when permissions are tightly scoped, logs are monitored, and third-party skills are reviewed before installation. It is not a plug-and-play tool for casual users.
2. How is OpenClaw different from ChatGPT or other AI assistants ? The key difference is execution. ChatGPT and similar tools respond to prompts and stop there. OpenClaw stays active and can take actions on your machine. It can run scripts, manage files, control browsers, and automate workflows over time. Instead of asking for help repeatedly, users delegate tasks and check progress through chat. This makes OpenClaw closer to an automation system than a conversational assistant.
3. Do you need to be a developer to use OpenClaw? You do not need to be a professional developer, but you do need technical confidence. Setting up OpenClaw involves working with terminals, API keys, messaging integrations, and server configuration. Ongoing use requires monitoring logs, managing costs , and applying updates. People comfortable with Docker, basic scripting, or self-hosting tools adapt quickly. Non-technical users often struggle during setup and maintenance.
4. Why did OpenClaw change names multiple times? The project began as Clawd, a playful reference to Claude. After legal concerns were raised, the community renamed it Moltbot, signaling growth and evolution. It later became OpenClaw to reflect a broader goal: being open source , model-agnostic, and not tied to any single AI provider. Each name change aligned with the project’s expanding scope and long-term vision rather than branding alone.
5. Is OpenClaw free, or does it cost money to run? OpenClaw itself is free and open source, but running it is not cost-free. You pay for the AI model you connect to, based on usage. Automated tasks can consume tokens continuously, especially if they run frequently or process large amounts of data . Some users have reported unexpected costs when jobs were misconfigured. Cost control is essential, and usage limits should be set early to avoid surprises.
