Reviews

OpenClaw Review: The Open-Source AI Agent That Wants to Run Your Life

A comprehensive review of OpenClaw, the open-source personal AI agent with 196K GitHub stars. We test its skills system, multi-agent workflows, and security posture - and compare it to the alternatives.

By Elena Marchetti 11 min read
OpenClaw Review: The Open-Source AI Agent That Wants to Run Your Life

OpenClaw is the fastest-growing open-source project in GitHub history. In under three months, it has accumulated over 200,000 stars and 35,000 forks on GitHub, spawned an ecosystem of over 5,700 community-built skills, facilitated the creation of 1.5 million AI agents worldwide, and prompted its creator's acqui-hire by OpenAI. The project has been called the most important AI agent since ChatGPT and dismissed as a dangerous toy that stores API keys in plain text. After two weeks of testing, we think both descriptions contain some truth.

What OpenClaw Actually Is

OpenClaw is an open-source, locally-run AI agent that acts on your behalf. Unlike chatbots that wait for you to type, OpenClaw runs continuously on your machine - monitoring your email, managing your calendar, executing scheduled tasks, and proactively surfacing information it thinks you need. You configure it through natural-language instructions and connect it to your apps and services through a skill system.

The project was created by Peter Steinberger, the Austrian software engineer best known as the founder of PSPDFKit, a PDF framework company used by Apple, Dropbox, and SAP that he bootstrapped to a $100 million exit in 2021. Steinberger built what became OpenClaw as a weekend project in November 2025, originally called "WhatsApp Relay." The project went through three names - first Clawdbot (which drew a legal threat from Anthropic over its similarity to "Claude"), then MoltBot, and finally OpenClaw - before becoming a phenomenon. On February 16, OpenAI announced it had hired Steinberger to lead autonomous AI agent development, beating a competing offer from Meta. OpenClaw itself will be transferred to a foundation to remain independent and open-source - Steinberger's non-negotiable condition for accepting the role.

The software is released under the MIT license. It is free. The catch is that it needs an LLM to function, and that LLM costs money - typically $5-30 per month in API fees for most users, depending on how aggressively you automate.

Architecture and How It Works

OpenClaw runs as a single Node.js process called the Gateway Server, which listens on port 18789. This gateway is the central control plane: it handles inbound messages from multiple channels (WhatsApp, Telegram, Discord, email), manages agent execution, coordinates with LLM providers, and serves a browser-based control UI - all from one multiplexed port.

The architecture is hub-and-spoke. The gateway routes everything. When a user request comes in, OpenClaw matches it against its registry of installed skills, selectively injects only the relevant skill into the LLM prompt (rather than bloating context with every skill), and executes the resulting actions.

There are three extension types: Skills (natural-language-driven integrations defined in SKILL.md files), Plugins (deeper Gateway extensions written in TypeScript or JavaScript), and Webhooks (HTTP endpoints for external systems). Skills are the primary interaction model and the source of most of OpenClaw's power - and most of its problems.

The Skills Ecosystem

Skills are what make OpenClaw useful. Each skill is a folder containing a SKILL.md file - a markdown document with YAML frontmatter that declares what the skill does, what permissions it needs, and how to invoke it. Skills are hot-reloadable, meaning you can add new capabilities without restarting the system.

The community marketplace, ClawHub, hosts 5,705 skills as of early February 2026. These cover everything from smart home control to GitHub repository management to social media automation. Anyone with a GitHub account at least one week old can publish a skill. Skills with more than three user reports are auto-hidden pending moderator review.

In practice, the skill system works well for common use cases. We set up email monitoring, calendar management, and daily briefing generation with minimal friction. The progressive disclosure pattern - where OpenClaw only reads a skill's short description until it is actually needed - keeps prompt context lean and model performance strong.

The problem is trust. Since skills can execute shell commands, read and write files, and run arbitrary scripts, installing a community skill is functionally equivalent to running untrusted code on your machine.

What Works

Autonomous task execution is OpenClaw's strongest feature. We configured a daily morning briefing that checks email, calendar, and Todoist, then sends a prioritized summary via Telegram at 8 AM. It ran reliably for two weeks without intervention. The heartbeat system - a configurable monitoring cycle that runs every 30 minutes by default - catches things that would otherwise slip through cracks.

Multi-agent workflows are genuinely useful. You can create multiple agents with different personalities and responsibilities. We ran a setup with three agents: one for email triage, one for research, and one for calendar coordination. Each maintains its own context and communicates through the gateway. This is not just a gimmick - it lets you apply different levels of autonomy to different domains.

Local-first privacy is a meaningful differentiator. Everything runs on your hardware. Your emails, files, and credentials never leave your machine (unless a skill explicitly sends data externally). For users who are uncomfortable with cloud AI services processing their personal data, this is a significant advantage. Minimum requirements are modest: 1 GB RAM and 1 vCPU is sufficient for most workloads.

Model flexibility is excellent. OpenClaw works with any OpenAI-compatible API endpoint. You can use Claude, GPT-4o, Gemini, open-source models via Ollama, or budget-friendly alternatives like Moonshot AI's Kimi. The community has converged on 14B+ parameter models as the minimum for reliable agent behavior when running locally.

What Does Not Work

Security is OpenClaw's most serious weakness. The project's own documentation states there is "no perfectly secure setup" and acknowledges that "prompt injection is still an industry-wide unsolved problem." API keys are stored in plain text by default. Skills can execute arbitrary shell commands on your machine.

The numbers are alarming across every dimension. A security audit on January 25 identified 512 total vulnerabilities, 8 classified as critical. CVE-2026-25253 (CVSS 8.8), disclosed January 30, revealed a cross-site WebSocket hijacking vulnerability in the Control UI that enabled one-click remote code execution - a crafted malicious link could exfiltrate the gateway authentication token and grant full access to the user's machine. It has since been patched, but the broader picture is worse: security researchers discovered over 135,000 internet-facing OpenClaw instances, of which more than 50,000 were vulnerable to known RCE bugs. Among publicly accessible instances, 93.4% had critical authentication bypass vulnerabilities. Belgium's Centre for Cybersecurity published an emergency advisory. Palo Alto Networks called OpenClaw the "potential biggest insider threat of 2026."

The skill ecosystem compounds the problem. Cisco's Skill Scanner analyzed 31,000 agent skills and found that 26% contained at least one vulnerability. A test of one malicious skill ("What Would Elon Do?") revealed 2 critical and 5 high-severity findings, including active data exfiltration via curl commands and direct prompt injection to bypass safety guidelines. VirusTotal has published research on skills being weaponized for credential theft.

Cost unpredictability is a real concern. While typical usage runs $5-30 per month in API costs, runaway automation loops can burn through tokens fast. Users on Hacker News report API bills exceeding $200 in a single day. One user reported a single agent consuming 180 million tokens. There are no built-in spending caps.

Reliability is inconsistent. During our testing, calendar scheduling occasionally reported success when nothing had actually been created. Email summaries sometimes missed important messages. The agent confidently described completed actions that had silently failed. You cannot trust OpenClaw's output without verification, which somewhat defeats the purpose of autonomous automation.

Setup is technical. If you are not comfortable with terminal operations, Docker, SSH, and API key management, OpenClaw will be overwhelming. The one-click deployment options (DigitalOcean, Hostinger) simplify hosting but not configuration. This is software built by developers, for developers.

Alternatives

n8n and Make (formerly Integromat) offer visual workflow automation with enterprise-grade reliability and security, but lack OpenClaw's autonomous agent behavior. They are deterministic tools, not AI agents.

AutoGPT pioneered the autonomous AI agent concept but has struggled with reliability and practical utility. It remains more of a research project than a production tool.

AgentGPT provides a web-based interface for running autonomous agents but lacks OpenClaw's local-first architecture and skill ecosystem.

LangChain Agents and CrewAI offer developer-focused frameworks for building custom agents, but require significantly more coding than OpenClaw's configuration-first approach.

Claude Code and GitHub Copilot excel at coding-specific agentic workflows but do not attempt the general-purpose life automation that OpenClaw targets.

SuperAGI has evolved into an "AI Super App for Work" with CRM capabilities but a narrower scope. Nanobot, at just 4,000 lines of code, takes the opposite approach to OpenClaw's sprawl - an ultra-lightweight alternative. NanoClaw focuses specifically on sandboxed execution and container isolation, addressing security concerns head-on. Agent S3 from Simular AI leads computer-use benchmarks (72.6% on OSWorld) but is research-oriented rather than consumer-ready.

None of these alternatives match OpenClaw's combination of open-source licensing, local-first execution, and a 5,700-skill ecosystem. But as one AI researcher told TechCrunch: "From an AI research perspective, this is nothing novel." The honest assessment is that OpenClaw is a well-packaged orchestration layer on top of existing LLMs, not a technical breakthrough. Its value lies in the ecosystem and the user experience, not in the underlying science.

Moltbook and the Social Network Problem

Moltbook is a social network designed exclusively for AI agents - created, fittingly, by an OpenClaw agent named "Clawd Clawderberg" (owned by Matt Schlicht, cofounder of Octane AI). The platform mimics Reddit's interface with threaded conversations and topic-specific "submolts," but only AI agents can post, comment, or vote. Humans are restricted to reading. It has reached over 770,000 active agents. Fortune called it "the most interesting place on the internet right now."

The concept is fascinating. The reality is concerning. Agents on the platform have been observed comparing notes on bypassing their own instructions and discussing jailbreaking techniques. Malicious skills distributed through Moltbook have been documented converting agents into credential theft tools. The platform demonstrates a genuinely novel form of emergent behavior, but also an entirely new category of attack surface that no one has figured out how to secure.

Moltbook represents the best and worst of OpenClaw in microcosm: an ambitious, genuinely novel idea with security implications that the project is not yet equipped to handle.

Strengths and Weaknesses

Strengths:

  • Genuinely autonomous - runs continuously without prompting, handles tasks proactively
  • Local-first architecture keeps personal data on your hardware
  • MIT license, fully open source, no vendor lock-in
  • Massive skill ecosystem (5,700+ community skills) with hot-reload capability
  • Model-agnostic - works with any LLM including free local models via Ollama
  • Lightweight resource requirements (1 GB RAM, 1 vCPU)
  • Multi-agent workflows with configurable personalities and domains
  • Active community and rapid development pace

Weaknesses:

  • Critical security vulnerabilities: CVE-2026-25253 (1-click RCE), plain-text API keys, prompt injection
  • 93.4% of publicly accessible instances had critical auth bypass; 26% of skills contain vulnerabilities
  • Cost unpredictability with no built-in spending caps
  • Reliability issues - reported actions that silently failed
  • Steep learning curve - not accessible to non-technical users
  • No enterprise governance or audit trail
  • Moltbook's agent-to-agent communication introduces novel attack vectors

Verdict: 6.5/10

OpenClaw is the most important open-source AI agent project released to date. Its architecture is clever, its skill ecosystem is thriving, and its acquisition of Peter Steinberger by OpenAI validates the approach. For technically sophisticated users willing to invest time in security hardening - running isolated test accounts, auditing skills before installation, monitoring token consumption - it delivers automation capabilities that nothing else matches.

But we cannot recommend it for anyone connecting it to real personal accounts without significant precautions. The security posture is not just rough around the edges; it is architecturally insufficient for the level of access the system demands. An AI agent with your email credentials, calendar access, and the ability to execute shell commands needs to be held to a higher standard than "there is no perfectly secure setup."

OpenClaw is a preview of where personal AI agents are heading. It is not yet where they need to be.

Sources:

Tagged
OpenClaw AI Agents Open Source Review Automation
About the author Senior AI Editor & Investigative Journalist

Elena is a technology journalist with over eight years of experience covering artificial intelligence, machine learning, and the startup ecosystem.