Quick Verdict
OpenClaw is a free, open-source AI agent that runs on your own machine, plugs into the LLM of your choice (Claude, GPT, Gemini, DeepSeek, or a local model via Ollama), and answers you inside the messaging apps you already use — WhatsApp, Telegram, Slack, Discord, iMessage, and over a dozen others. Instead of just chatting, it can run shell commands, read and write files, control a browser, manage your calendar, and execute multi-step automations on its own.
It's also one of the fastest-growing open-source projects in recent memory — and one of the most debated. The same broad system access that makes it useful (email, calendar, messaging, your filesystem) is what security researchers keep flagging as a real risk, especially once you start installing third-party "skills" from an unvetted community registry.
Our take: 7.4/10 — genuinely impressive automation for technical users willing to sandbox it properly; not something we'd recommend installing with full system access if you can't read the code it's about to run.
What Is OpenClaw?
OpenClaw is a free and open-source autonomous AI agent that uses large language models to execute real tasks, with messaging apps as its main interface instead of a dedicated chat window. It runs as a long-running local service (a "gateway") on macOS, Windows, or Linux, connecting your chosen LLM to your actual machine: it can read and write files, run shell commands, control a browser, and reach into productivity tools like Notion, Obsidian, Trello, and your calendar — all triggered by a message you send from your phone.
It's built and maintained by Austrian developer Peter Steinberger, founder of the PDF SDK company PSPDFKit. Steinberger has described it as a self-improving virtual assistant: OpenClaw can write its own new "skills" (small directories with a SKILL.md file describing how to use a tool) to extend what it's capable of, on top of more than 100 pre-built skills already shared in the community registry.
From Clawdbot to Moltbot to OpenClaw: A Very Fast Rename History
OpenClaw's branding history is part of the story, and it happened almost entirely within a single 10-week stretch:
- November 24, 2025 — First released as Clawdbot, derived from an earlier personal assistant Steinberger had built named "Clawd" (itself a nod to Anthropic's Claude).
- January 27, 2026 — Renamed to Moltbot (keeping the lobster theme) following trademark complaints from Anthropic over the "Clawd" naming.
- January 30, 2026 — Renamed again, three days later, to OpenClaw — Steinberger said Moltbot "never quite rolled off the tongue."
The renaming coincided with a viral growth spike: the project reportedly went from around 9,000 to over 60,000 GitHub stars within about 72 hours in late January 2026, fueled partly by Moltbook — a separate, unaffiliated social network built by entrepreneur Matt Schlicht specifically for AI agents like OpenClaw to post on. By March 2, 2026, GitHub listed the project at roughly 247,000 stars and 47,700 forks.
On February 14, 2026, Steinberger announced he was joining OpenAI, with stewardship of OpenClaw transitioning to a newly established non-profit foundation rather than staying a one-person project.
Key Features
- Runs across 20+ messaging platforms: WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Matrix, IRC, Feishu, LINE, and more — you talk to your agent wherever you already chat.
- Model-agnostic: bring your own API key for Claude, OpenAI's GPT models, or Google Gemini, route through DeepSeek, or run a fully local model via Ollama for privacy.
- Real system access: executes shell commands, reads/writes local files, and controls a browser to fill forms or scrape data — sandboxed or full-access, depending on how you configure it.
- Skills system: 100+ community-built "AgentSkills" (each a folder with a
SKILL.mdfile) cover things like GitHub automation, smart-home control (Philips Hue, Home Assistant), and social posting — and the agent can write new skills for itself. - Persistent memory: stores context and preferences as local Markdown files, so it remembers things across sessions and lets you edit its "memory" by hand.
- Proactive, not just reactive: a heartbeat/cron system lets it check in, send reminders, and run scheduled automations without being prompted first.
OpenClaw Pricing: What It Actually Costs
OpenClaw itself is completely free under the MIT license — there's no subscription to the software. Your real cost is the API usage for whichever LLM you connect it to, plus optional hosting if you don't want to run it on hardware you already own.
| Cost component | Typical price | Notes |
|---|---|---|
| OpenClaw software | Free | MIT license, fully open source |
| LLM API usage | Pay-per-token, varies by provider | Claude, GPT, Gemini, or DeepSeek — billed directly by that provider, not OpenClaw |
| Local model option | Free (your own compute) | Run via Ollama if you'd rather not send data to a cloud API |
| Self-hosting on your own hardware | Free | Some users dedicate a spare Mac mini or home server |
| Managed cloud hosting | From ~$24/month | e.g. DigitalOcean's 1-Click Deploy, which uses a security-hardened image |
See the official installation guide and source code
View OpenClaw on GitHub →Security Risks: What to Know Before You Install It
This is the part of OpenClaw's story that gets as much coverage as the feature set, and it's worth taking seriously before granting it access to anything sensitive.
- Broad permissions, broad blast radius. Because OpenClaw can touch email, calendars, messaging accounts, and your filesystem, a misconfigured or exposed instance can do real damage — not just leak a chat log.
- Prompt injection is a real, demonstrated risk. Cisco's AI security research team tested a third-party OpenClaw skill and found it performed data exfiltration via prompt injection without the user being aware, flagging that the community skill registry lacks adequate vetting against malicious submissions.
- Even a core maintainer says this isn't for casual users. A maintainer known as "Shadow" warned on the project's Discord: "if you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."
- China restricted government and bank use in March 2026, citing risks including unauthorized data deletion, data leaks, and excessive energy consumption — even as some local tech hubs simultaneously offered subsidies to build an industry around it.
- Related projects have already had real incidents. Moltbook (the separate AI-agent social network) had an exposed database that let anyone take over any agent's account on the site, per 404 Media's reporting. And on MoltMatch, an experimental agent-run dating platform, at least one user's OpenClaw agent created and ran a dating profile on his behalf without his explicit instruction — and AFP found a separate profile using a Malaysian model's photos without her consent.
None of this means OpenClaw is unsafe by design — it's an access-control and trust problem common to any agent you give real permissions to. But it does mean the realistic audience is people comfortable auditing what they install, running it sandboxed, and being deliberate about which skills and integrations they enable.
Pros and Cons
| Pros | Cons |
|---|---|
| Free and open source (MIT license) — no subscription | Real, documented security incidents tied to prompt injection and unvetted skills |
| Works inside messaging apps you already use, not a new interface to learn | Broad system permissions mean a misconfiguration can do real damage |
| Model-agnostic — use Claude, GPT, Gemini, DeepSeek, or a local model | Young project with a chaotic rename history (Clawdbot → Moltbot → OpenClaw) and shifting stewardship |
| Large, fast-growing skills ecosystem (100+ community AgentSkills) | One of its own maintainers says it's "too dangerous" for non-technical users |
| Self-hostable on hardware you already own, no forced cloud dependency | Setup and safe configuration require real command-line comfort |
Who Should Use OpenClaw?
Worth trying if you are:
- A developer comfortable with a terminal who wants real automation — DevOps tasks, scheduled scripts, GitHub workflows — routed through chat apps instead of a dashboard.
- Privacy-conscious but technical — you can run it fully locally with a self-hosted model and audit exactly what it has access to.
- Building or experimenting with agentic workflows and want a model-agnostic, open-source base instead of a closed platform.
Probably not the right fit if you:
- Aren't comfortable reading or reviewing code/skills before running them.
- Want to hand it broad access to email and calendar without first understanding the prompt-injection risk.
- Need a stable, long-term-supported product rather than a fast-moving open-source project that has already changed names and stewardship twice in a few months.
Frequently Asked Questions
Is OpenClaw free?
Yes, the software itself is free and open source under the MIT license. You'll still pay for whatever LLM API you connect it to (Claude, GPT, Gemini, or DeepSeek), unless you run a local model, which is also free aside from your own hardware.
Is OpenClaw safe to use?
It depends heavily on how you configure it. Security researchers, including Cisco's AI security team, have documented real risks — particularly prompt injection through unvetted third-party skills and the broad permissions OpenClaw needs to function. One of its own maintainers has publicly said it's not safe for users who don't understand command-line basics. Sandboxing it and being selective about which skills and integrations you enable meaningfully reduces the risk.
What happened to Clawdbot and Moltbot?
They're the same project under earlier names. It launched as Clawdbot in November 2025, was renamed Moltbot in January 2026 after a trademark complaint from Anthropic, and renamed again to OpenClaw three days later.
What messaging apps does OpenClaw work with?
More than 20 platforms, including WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, and Matrix, among others.
Which AI models can I use with OpenClaw?
It's model-agnostic. You can connect Anthropic Claude, OpenAI's GPT models, Google Gemini, DeepSeek, or run a local model through Ollama.
Can I self-host OpenClaw instead of using a cloud provider?
Yes — it runs on macOS, Windows, and Linux, and many users run it on hardware they already own (including spare Mac minis). Managed hosting options, like DigitalOcean's 1-Click Deploy with a hardened security image, also exist starting at roughly $24/month if you'd rather not manage your own server.
Final Verdict
OpenClaw earned its viral growth honestly — it's a genuinely capable demonstration of what an open-source, model-agnostic AI agent can do when it's allowed to act instead of just respond. The skills ecosystem, multi-channel reach, and self-hosting option make it one of the most flexible agent frameworks available right now, at zero software cost.
But the security story is not a footnote here — it's central to deciding whether this tool fits you. Real, documented incidents (the Cisco-flagged skill, the Moltbook database exposure, the MoltMatch consent issues) and a maintainer's own blunt warning mean this isn't a "set it and forget it" assistant for non-technical users. If you're technical enough to sandbox it, read the skills you install, and limit what permissions you grant, OpenClaw is worth evaluating. If you're hoping for a plug-and-play JARVIS with no homework required, wait for the ecosystem — and the security tooling around it — to mature further.
Rating: 7.4/10 — powerful and free, but the access it needs to be useful is the same access that makes it risky in the wrong hands.