OpenClaw
TL;DR: Everything so far has been about agents inside a code editor. OpenClaw is something different — a personal AI agent that runs on your own hardware, communicates through messaging apps, and operates 24/7 without waiting for your commands. This chapter covers what that world looks like, what it can do, and why you should be careful.
Beyond the code editor
Claude Code lives inside your terminal. You open it, give it a task, it works, you close it. The agent is reactive — it does what you ask, when you ask.
OpenClaw is a different category. It's a personal AI agent that runs on a device in your house — a Mac Mini, a Jetson Nano, a Raspberry Pi — and communicates through the messaging apps you already use: Telegram, WhatsApp, Discord, Slack. You text it like you'd text a person. It texts back.
The bigger difference: it doesn't just wait for you. OpenClaw can run on a schedule — cron jobs, webhooks, heartbeats — doing things proactively. Check your email at 9 AM. Apply to Broadway lotteries every morning. Monitor a price and alert you when it drops. It's less "assistant you talk to" and more "employee who lives in a box in your closet."
What OpenClaw is
OpenClaw is an open-source project created by Peter Steinberger (founder of PSPDFKit). It launched in November 2025 and became the fastest-growing open-source project in GitHub history — reaching 100,000 stars in about two days, a milestone that took React eight years and Linux twelve. As of early 2026, it has over 200,000 stars.
It was originally called ClawdBot, then renamed to OpenClaw after trademark concerns with Anthropic (the company behind Claude). Nearly 100% of the codebase was written by AI agents — primarily GPT, not Claude.
Steinberger announced in February 2026 that he's joining OpenAI, and the project is moving to an open-source foundation. The code is free. You pay only for the AI model API keys — the same keys from Chapter 1 (OpenAI, Anthropic, DeepSeek, or others).
How it works
Instead of a terminal interface, you interact through messaging apps. You text it on Telegram. It responds on Telegram. The conversation feels like chatting with a person, not using a tool.
The system has a heartbeat but not a brain. That distinction matters. Claire Vo wrote the clearest explanation of why OpenClaw feels alive even though it isn't: the answer is architecture, not intelligence.
The Gateway is the always-on intake layer. It sits on your machine, accepting events from every connected channel — Telegram messages, Slack pings, email webhooks, scheduled timers — and routing each one to the right agent session. The Gateway doesn't think or reason. It receives, routes, and executes. That's it. But because it never stops listening, it creates the impression of an attentive system.
Heartbeats are what make it proactive. A heartbeat is a scheduled timer that fires on an interval — say, every morning at 8 AM. When it fires, the Gateway treats it like any other event: route it to an agent, run the agent, send the output. Nothing is "thinking overnight." Time produces events, events kick off agents. The morning briefing that lands in your Telegram at 8:01 AM isn't the result of an AI that was awake all night planning — it's a timer that triggered a function.
Queues keep it coherent. Every event goes into a serial queue. One thing runs at a time. No parallel chaos, no race conditions, no interleaved conversations. This is the boring infrastructure that makes the whole thing work — air traffic control, not autopilot.
Four things make it different from a chatbot:
Persistent memory. It remembers everything across conversations, stored as local markdown files on your machine. Tell it your preferences once — it remembers next time.
Tool access. It can execute shell commands, read and write files, control your browser (with your existing logins and credentials), and integrate with 50+ third-party services. It has over 100 preconfigured skills — and it can write new ones.
Proactive operation. Cron jobs (scheduled tasks), webhooks (triggered by events), and heartbeats (periodic check-ins) mean it doesn't just respond — it initiates. But "initiates" is generous. It reacts to timers. The timers just happen to fire when you're not looking.
Event-driven execution. Work happens because events arrive, not because the assistant decides to be proactive. Every action traces back to a trigger. No trigger, no action. This is reactive compute dressed up as autonomy.
What people use it for
The range goes from simple automations to things that feel like science fiction.
Simple automations
- "Remind me to take out the bins every Tuesday at 7 PM"
- "When I get an email from my accountant, forward it to my bookkeeper"
- "Check this website every hour and tell me if the price drops below $50"
These are basically scheduled tasks with a natural language interface. Useful, but not dramatically different from existing automation tools.
Complex autonomous workflows
This is where it gets interesting. Some real examples from an OpenClaw developer:
Hardware integration. He connected a webcam and a sticker printer. OpenClaw reverse-engineered the printer's protocol, wrote a Python library for it, and iterated through testing with visual feedback — all over about two hours of back-and-forth. Now it prints custom QR code labels automatically.
Broadway lottery automation. OpenClaw independently found all the Broadway show lottery websites, figured out the entry process for each one, and now applies every morning at 9 AM. It handles captchas through a captcha-solving service (about $10 budget). Result: won five shows including Moulin Rouge and Book of Mormon.
YouTube sponsorship management. A webhook monitors his email. When a sponsor inquiry arrives, OpenClaw auto-detects it, negotiates the deal using a stored price card and his preferences, and sends daily status reports. Fully autonomous — he only steps in if something unusual comes up. It learns from feedback: "don't do that in the future" is enough to change its behavior.
| Type | Example | Human involvement |
|---|---|---|
| Simple automation | Reminders, forwards, price alerts | Set up once, forget |
| Scheduled tasks | Broadway lotteries, daily reports | Occasional check-ins |
| Autonomous workflows | Sponsor negotiation, hardware projects | Review and feedback |
Where it runs
OpenClaw needs a device that's always on. Your laptop isn't ideal — it sleeps, it travels, it's not always connected. Dedicated hardware works better.
| Hardware | Cost | What it does | Best for |
|---|---|---|---|
| Mac Mini | ~$600 | Delegates to cloud AI models. Residential IP prevents bans when browsing. | Most people — reliable, quiet, familiar |
| Mac Mini (64GB+ RAM) | ~$2,000+ | Can run local AI models (Llama, Qwen) without cloud API costs | Privacy-focused users willing to trade capability for independence |
| Jetson Nano | $200–250 | Small, low-power, runs 24/7 | Tinkerers, always-on setups |
| Raspberry Pi | ~$100 | Cheapest option | Experimenting, simple automations |
Running locally has real advantages over a cloud server (VPS):
- Residential IP. Websites are less likely to flag or ban you when requests come from a home internet connection vs. a data center.
- Browser with your logins. OpenClaw can use your existing browser sessions — already logged into Gmail, Amazon, your bank. A cloud server starts from scratch.
- Internal network access. It can reach your NAS, home assistant, smart devices — anything on your local network.
- Your data stays home. Personal information never leaves your machine (except what goes to the AI model API).
The risks are real
This isn't a theoretical warning section. These things have actually happened.
Root access is dangerous. One developer described giving OpenClaw full system access as "a chimp with a machine gun." His agent made an unauthorized pull request to the matplotlib open-source project — and when it was rejected, it posted personal attacks on the maintainers. He didn't ask it to do any of this.
It can destroy things. A Meta AI security researcher asked OpenClaw to triage her inbox and suggest emails to delete. The agent went rogue and deleted over 200 emails on its own. She couldn't stop it in time.
Your identity can be stolen. Security researchers at Hudson Rock documented the first case of malware stealing an OpenClaw agent's complete configuration — its "identity" and cryptographic credentials — giving attackers permanent access to everything the agent could reach.
It's expensive to run. One user spent $600+ in the first week on API tokens alone. OpenClaw runs continuously — heartbeats, cron jobs, webhooks — and every interaction costs tokens. The costs add up fast when the agent never sleeps.
The creator knows it's not safe. Steinberger has said explicitly that the technology is "not safe" for enterprise use.
If you want to try it
The safety recommendations from both OpenClaw's community and security researchers:
- Use a separate machine. Not your main laptop. A dedicated device with no important data.
- Create separate accounts. New email, new phone number, new social accounts — just for the agent.
- Start in sandbox mode. OpenClaw has a restricted mode that limits what the agent can access. Start there.
- Use allow/deny lists. Explicitly define what the agent can and can't do. This reduces capability but also reduces risk.
- Monitor what it does. Check the agent's logs and memory files regularly. Look for actions you didn't authorize.
- Budget for API costs. Set hard spending limits on your API keys before you start.
Practical tips
The messaging interface is the real breakthrough. The most useful thing about OpenClaw isn't the autonomy — it's that you interact through apps you already use. Texting an AI agent on Telegram while you're on the bus is fundamentally different from opening a terminal. That accessibility changes what you'll actually use it for.
Start by watching, not deploying. Before running OpenClaw yourself, spend time in the community Discord and subreddit. See what works, what breaks, what costs what. Other people's mistakes are cheaper than your own.
The costs are real and ongoing. Unlike Claude Code where you pay per session, a 24/7 agent burns tokens continuously. Set API spending limits before you turn it on. $600 in a week is not an edge case — it's a common first-week experience.
This space is moving fast. OpenClaw's creator joined OpenAI. The project moved to a foundation. New alternatives appear weekly. The specific tool may change — the concept of a personal AI agent running on your own hardware is the durable idea.
More reading
- Why OpenClaw Feels Alive Even Though It's Not (Claire Vo) — The clearest explanation of OpenClaw's architecture: Gateway, heartbeats, queues, and why "a heartbeat but not a brain" is the right mental model. Start here if you want to understand how the system actually works.
- OpenClaw Is the Bad Boy of AI Agents. Here's Why Security Experts Are Worried (Fortune) — A balanced overview of OpenClaw's rapid growth, what people are building with it, and the security concerns that come with giving an AI agent full access to your machine.
- The Lethal Trifecta for AI Agents (Simon Willison) — Why combining private data, untrusted content, and external communication creates a structural vulnerability in autonomous agents that no one has solved yet.
- Personal AI Agents Like OpenClaw Are a Security Nightmare (Cisco) — Cisco's security team breaks down the specific risks of personal AI agents: credential theft, prompt injection, and runaway actions. (Technical deep-dive — worth reading for the risk awareness, even if you skip the technical details.)
- How to Use OpenClaw Safely (Gen Digital) — Practical safety recommendations if you decide to try OpenClaw: separate accounts, sandbox mode, allow/deny lists, and budget controls.