AI AgentBeginner24 min read

AI Agent (6) — OpenClaw: The Open-Source Personal AI Agent in Your Messaging Apps (An Introduction)

Learn what OpenClaw is, why it became GitHub's fastest-growing project, how it compares to commercial agents, the real security concerns, and whether it's right for you.

AI Agent (6) — OpenClaw: The Open-Source Personal AI Agent in Your Messaging Apps (An Introduction)

AI Agent (6) — OpenClaw: The Open-Source Personal Agent in Your Messaging Apps (An Introduction)

In this guide, you will learn what OpenClaw is, why it became GitHub's fastest-growing project of all time in late 2025 and 2026, how it differs from commercial agents like Claude Skills, Perplexity Computer, and Manus, what the real security tradeoffs of running an open-source agent look like, and — honestly — whether OpenClaw is the right tool for you or whether you should stick with the commercial options.

Difficulty: ★★☆☆☆ (Concept introduction; no setup required to read this article)
Required Tools: None to read; if you decide to actually run OpenClaw, you'll need a self-hosted server, an LLM API key (or local model), and basic comfort with security configuration
Updated: May 2026

Overview

This article is an introduction to OpenClaw. It's deliberately not a setup walkthrough — for a non-technical audience, the honest answer to "should you install OpenClaw?" is usually "not yet, and maybe never." But OpenClaw is too important to skip. It's the open-source agent that exploded from launch (November 2025, originally as "Clawdbot") to over 347,000 GitHub stars by April 2026, becoming the fastest-growing repository in GitHub history. Even if you never install it yourself, understanding what OpenClaw is — and what the open-source agent ecosystem looks like — helps you evaluate every other agent tool more clearly.

The simple description: OpenClaw is a free, open-source, self-hosted AI agent that runs 24/7 in the background of your computer or server and reaches you through messaging apps you already use — WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, and 20+ others. You give OpenClaw a goal or rule, and it works in the background, proactively reaching out to you on whichever messaging app you prefer. Unlike commercial agents (Claude, ChatGPT, Manus) that live inside their proprietary apps, OpenClaw lives in your messaging apps. The pitch is genuinely compelling: a single AI assistant that exists wherever you already chat, with persistent memory across weeks of conversations, and complete control over your data because you host it yourself.

The reality is more complicated. OpenClaw is genuinely powerful and genuinely free, but it also requires technical comfort to set up safely, has had several documented security vulnerabilities (including one critical issue affecting tens of thousands of exposed instances), and has a community skill registry where security audits found roughly 12% of submitted skills contained malicious code. This article covers all of that honestly so you can decide whether OpenClaw is right for you — or whether the commercial agents from Articles 02–05 are a better fit.

Who This Is Useful For

  • People curious about the open-source agent ecosystem who've heard the OpenClaw hype but haven't unpacked what it actually is or whether it fits their life
  • Anyone weighing OpenClaw vs commercial agents (Manus, Claude Skills, Perplexity Computer) and wanting an honest comparison rather than marketing copy
  • Technically-comfortable readers who run their own servers, want full data control, and are willing to invest setup time for the long-term flexibility
  • Total beginners who should explicitly not install OpenClaw yet — knowing why is more valuable than installing something they can't safely maintain
  • What You Will Learn

    By the end of this article, you'll be able to do five things:

  • Explain in one paragraph what OpenClaw is and what makes it different from commercial agents
  • Understand the core architectural choice OpenClaw made — running locally, lives in messaging apps, persistent memory — and why it matters
  • Honestly assess the security risks of running an open-source agent, including the documented CVE-2026-25253 vulnerability and the malicious-skills problem on ClawHub
  • Compare OpenClaw fairly against Claude Skills, Manus, and Claude Code — knowing which jobs each tool wins and loses
  • Decide whether OpenClaw fits you today, fits you in a year, or doesn't fit you at all — using a 3-question decision framework
  • What You Need

  • About 20 minutes of reading
  • An open mind — OpenClaw's hype is genuine but so are its tradeoffs
  • No tools or accounts required for this introduction-only article
  • Step 1 — What OpenClaw Actually Is

    At its core, OpenClaw is three things working together:

  • A self-hosted runtime. OpenClaw is software you install on your own computer or server. It runs continuously in the background, listening for incoming messages and waiting for tasks. Because it's self-hosted, your data — conversations, files, persistent memory — stays on your hardware. No vendor sees it, and no vendor can shut your agent down because of pricing changes or product decisions.
  • A messaging-app bridge. Instead of having its own UI, OpenClaw connects to messaging apps you already use — WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Matrix, Feishu, LINE, Mattermost, Nextcloud Talk, Twitch, WeChat, and 20+ others. You talk to OpenClaw on the same apps you talk to friends and coworkers; it answers there, and it can proactively message you when something needs your attention. There's no separate "OpenClaw app" to switch to.
  • A skill and plugin ecosystem. Like Claude Skills, OpenClaw uses a SOUL.md file format (analogous to SKILL.md) to define reusable specialist behaviors. The community runs ClawHub, a public skills registry where 2,000+ skills are available for free download. Skills extend OpenClaw with web browsing, calendar control, file management, code generation, and integrations with countless third-party tools.
  • The most important detail is the persistent memory. Most chat-style AI tools forget conversations between sessions; OpenClaw remembers across weeks. This isn't just convenient — it changes what kinds of tasks become possible. An OpenClaw agent monitoring your inbox can learn your preferences over a month and only escalate the important emails. An OpenClaw agent helping you with a long project remembers everything from week one in week six. This persistent memory is a defining capability that commercial chat-only agents struggle to match.


    Step 2 — How OpenClaw Works at a High Level

    You don't need to understand the technical details to evaluate OpenClaw, but a high-level picture helps. There are four pieces:

  • The OpenClaw runtime — the actual agent program running on your computer or server, written primarily in TypeScript and Python. This is what you'd install if you go ahead with setup.
  • An LLM connection — OpenClaw doesn't ship with its own AI brain. You "bring your own model" — connecting OpenClaw to OpenAI's GPT-5.5, Anthropic's Claude (via API key), or running a local model like Llama 3.3 70B or Mistral Large on your own hardware. This is part of why it's free: you pay only for the LLM tokens, and only if you choose a paid model.
  • Messaging app connectors — small adapters that let OpenClaw send and receive messages on each platform. Most popular apps (WhatsApp, Telegram, Slack) have official OpenClaw connectors; some require manual setup.
  • Skills (SOUL.md files) — the recipe layer that tells OpenClaw how to handle specific tasks. You install skills from ClawHub or write your own.
  • A typical user flow looks like this: you tell OpenClaw on Telegram to "monitor my Gmail and proactively message me about anything that mentions a meeting reschedule"; OpenClaw uses an installed Gmail skill, sets up the monitor, and runs it 24/7; when an important email arrives, OpenClaw messages you on Telegram with the summary; you reply with instructions; OpenClaw acts; OpenClaw remembers what you preferred this time so it gets better next time.


    Step 3 — The Story of OpenClaw's Rise

    OpenClaw started as Clawdbot in November 2025, built by Peter Steinberger, an Austrian developer well-known in the iOS development community for his previous work on PSPDFKit. Steinberger described his motivation simply: he wanted a personal AI assistant that lived where he did — in his messaging apps — and that he fully controlled. He posted the project on GitHub.

    What followed was unprecedented. The repo gained 60,000 GitHub stars in 72 hours — at the time, the fastest accumulation of stars in GitHub's history. Developers worldwide called it "the closest thing to JARVIS we've seen" — a reference to the autonomous personal AI assistant from the Iron Man films. The project was renamed OpenClaw to reflect its broader scope. By April 2026, OpenClaw had crossed 347,000 GitHub stars, making it GitHub's most-starred repository ever — surpassing decades-old foundational projects like freeCodeCamp.

    On February 14, 2026, Steinberger announced he was joining OpenAI. He simultaneously announced that a non-profit foundation would take over stewardship of OpenClaw, ensuring the project remains genuinely open-source rather than being absorbed into OpenAI's commercial roadmap. The OpenClaw Foundation now manages the codebase, the security disclosure process, and the official ClawHub skills registry.

    This origin story matters because it explains both why OpenClaw is genuinely high-quality (built by an experienced developer with strong engineering taste) and why it has the security challenges it does (rapid community growth, lots of inexperienced contributors, a culture of "ship fast" that hasn't fully matured into "ship safely"). The foundation's role over the next year — improving security defaults, vetting community skills more rigorously, building safer onboarding — will determine whether OpenClaw graduates from "viral open-source project" to "genuinely safe tool for normal users."

    Step 4 — How OpenClaw Differs From Commercial Agents

    The clearest way to understand OpenClaw is by comparing it to the three commercial agents you've learned about. Each has a different sweet spot.

    AttributeOpenClawClaude SkillsManusPerplexity Computer
    Hosted byYou (self-hosted)AnthropicManus / MetaPerplexity
    CostFree (you pay LLM tokens + your hardware)$20/mo (Claude Pro)Free tier or $20/mo (Pro)$20/mo (Pro) or $200/mo (Max)
    Lives inYour messaging apps (WhatsApp, Telegram, etc.)Claude Code, Coworkmanus.im web app + desktopComet browser
    Persistent memory✅ Strong; remembers across weeks🟡 Limited (Memory feature exists but bounded)🟡 Per-task memory, weaker cross-task🟡 Limited
    24/7 autonomous operation✅ Built for this🟡 Possible with Tasks but not the focus🟡 Tasks complete then end❌ User-initiated only
    Privacy / data control✅ Highest (your hardware)🟡 Anthropic privacy guarantees🟡 Meta-owned🟡 Perplexity privacy guarantees
    Setup difficulty⚠️ High (server + LLM + connectors)✅ Low (Pro account + Cowork app)✅ Low (sign up, go)✅ Low (download Comet)
    Security risk profile⚠️ Real (see Step 5)✅ Low (managed environment)✅ Low (managed environment)✅ Low (managed environment)
    Best forPersistent automation, full data control, multi-platform messagingReusable specialist tasksMulti-step production (websites, decks, reports)Web research with citations

    Three honest takeaways from this comparison:

  • OpenClaw is the only one that genuinely runs 24/7 with persistent memory across weeks. If you need an agent that proactively reaches out to you across your existing messaging apps, OpenClaw is uniquely positioned.
  • OpenClaw is the only one with serious self-host security responsibilities. Commercial agents handle security in their managed environments; OpenClaw makes security your job.
  • For most non-technical users in 2026, the commercial agents win on time-to-value and safety. OpenClaw earns its keep when persistent autonomous operation matters more than quick onboarding.
  • Step 5 — The Real Security Concerns

    This section is the most important in the article. OpenClaw is exciting and powerful — but its security profile in 2026 is genuinely concerning, and a non-technical user installing it without understanding the risks is making a meaningful security mistake.

    The CVE-2026-25253 vulnerability. In early 2026, security researchers disclosed CVE-2026-25253, a critical remote code execution vulnerability in OpenClaw with a CVSS score of 8.8 (out of 10). Translation: a malicious actor sending a single specifically-crafted message could execute arbitrary code on the OpenClaw server — meaning they could read your files, install malware, or pivot to other devices on your network. Worse: a security scan after disclosure found over 135,000 OpenClaw instances exposed on the public internet, with more than 50,000 directly vulnerable to this exploit. The vulnerability has since been patched in newer OpenClaw versions, but anyone running an outdated install remains exposed.

    The ClawHub malicious skills problem. ClawHub is OpenClaw's community skills registry — the place where users download community-built skills. A 2026 security audit examined approximately 2,857 publicly available skills on ClawHub and found that roughly 341 of them — about 12% — contained malicious code. Examples included skills that exfiltrated user data, installed cryptocurrency miners, or planted backdoors for later access. The audit's broader implication: when a skill ecosystem grows fast and unchecked, malicious contributors take advantage. Anthropic's official Claude Skills marketplace and Agensi's paid marketplace both use security review processes that ClawHub has been slower to mature.

    Why these risks are higher for OpenClaw than commercial agents. Commercial agents (Claude Skills via Anthropic, Manus, Perplexity) run in managed environments with security teams, sandboxing, automated scans, and disclosure processes. OpenClaw's security depends on you — the user — patching promptly, configuring the runtime correctly, evaluating each community skill before installing, and maintaining your server's broader security posture. For technically-experienced users this is doable; for non-technical users, it's a real risk that's not present with commercial alternatives.


    Step 6 — Who Should and Shouldn't Use OpenClaw

    OpenClaw fits some users perfectly and is wrong for others. Here's an honest breakdown.

    Should use OpenClaw:

  • Developers and technically-experienced users who already run their own servers, manage SSH keys, patch software promptly, and understand their network's security posture
  • Privacy-focused users who specifically need their data to never touch a vendor's cloud — for regulated industries, sensitive personal data, or principle-based reasons
  • Power users with specific 24/7 automation needs that commercial agents can't easily match — proactive monitoring across multiple messaging apps, multi-week persistent context, custom integrations
  • Open-source advocates who want to support the broader open-source AI ecosystem and have the technical skills to use it safely
  • People who can read CVE disclosures and patch promptly — without this skill, OpenClaw becomes a security liability quickly
  • Should NOT use OpenClaw:

  • Non-technical users without server administration experience — the security responsibility is genuine and the risks are real
  • Anyone who can't tell if a community skill is safe before installing it — the 12% malicious skills problem on ClawHub means safety requires technical review
  • People who want low-friction onboarding — OpenClaw's setup curve is steeper than any commercial alternative
  • Users whose tasks are well-served by Claude Skills, Manus, or Perplexity Computer — most non-technical users fall here
  • Organizations with compliance requirements unless your IT/security team has reviewed and approved the OpenClaw deployment

  • Step 7 — A 3-Question Decision Framework

    If you're still considering OpenClaw, these three questions usually settle it.

    Question 1: Are you comfortable patching a server within 24 hours of a critical vulnerability disclosure?

  • Yes — OpenClaw might fit. Move to Question 2.
  • No — Stick with commercial agents. The CVE-class risks of self-hosted agents are real.
  • Question 2: Do you specifically need persistent 24/7 autonomous operation across multiple messaging apps with weeks of context?

  • Yes — OpenClaw is uniquely positioned for this; commercial agents can't easily match it. Move to Question 3.
  • No — Commercial agents (Claude Skills + Tasks + Connectors) can probably cover your actual needs. Use those.
  • Question 3: Are your data privacy needs strong enough that "Anthropic / Perplexity / Meta privacy guarantees" aren't sufficient?

  • Yes — OpenClaw's full-self-host model is the right architectural choice. Plan for the security investment.
  • No — The privacy gains of self-hosting probably aren't worth the security responsibility for you. Use commercial agents.
  • Most non-technical users hit "no" on Question 1 and stop there. That's the right answer for the vast majority of readers.

    Common Misconceptions

    Three things people often get wrong about OpenClaw.

    Misconception #1: "Open-source = automatically safer." This is the single most common mistake. Open-source code is auditable (anyone can read it), which is good — but auditability isn't the same as audited. Most people running OpenClaw never read the source. The CVE-2026-25253 vulnerability existed in open-source code for months before researchers found it. Open-source means the option of safety review exists; it doesn't mean safety has happened.

    Misconception #2: "Free = no cost." OpenClaw the software is free. Running it is not. You pay for: a server (cloud or your own hardware), an LLM (OpenAI, Claude, or local model GPUs), your time setting it up, your time maintaining it, and the implicit cost of security responsibility. For many users, the total cost of ownership of OpenClaw exceeds the $20–200/month of commercial alternatives.

    Misconception #3: "OpenClaw will replace ChatGPT/Claude/Manus." It won't. OpenClaw is a different shape of tool — autonomous, messaging-based, self-hosted. Even devoted OpenClaw users typically also use commercial chat tools for quick questions, drafting, and one-off tasks. The future is multi-tool, with OpenClaw filling its specific niche rather than displacing the entire category.

    Going Further

    If you've decided OpenClaw isn't for you (the most common conclusion), revisit Articles 02–05. Those commercial agents cover most of what people actually need. Pick one to use deeply rather than chasing hype.

    If you're still curious but not ready to install, follow the OpenClaw Foundation's blog. It tracks security updates, major version changes, and improvements to the community skills review process. Over the next 12 months, you'll see whether the security maturity catches up to the project's adoption — and you can re-evaluate then.

    If you're technically experienced and want to try it, start in a sandboxed environment. A throwaway VPS or a dedicated VM is the right place for your first OpenClaw install. Don't run it on a machine that has access to your real personal data until you've operated it safely for at least a month.

    Read the next article — Article 07 covers Practical Use Cases for Office Workers, the first of four real-world walkthroughs comparing AI Agent vs AI Chat for the same task. After all the agent platform tours, those use cases anchor the concepts in actual jobs people do every day.

    Key Takeaways

    Here's what you learned in this guide:

  • OpenClaw is the open-source agent that lives in your messaging apps. Self-hosted, persistent memory, runs 24/7, free in software cost (you pay for hosting and LLM tokens).
  • It became GitHub's fastest-growing repository ever. 347,000+ stars by April 2026 — driven by genuine technical merit and the appeal of self-hosted, messaging-native autonomy.
  • The creator joined OpenAI in February 2026. A non-profit foundation now stewards the project to keep it open-source.
  • The security risks are real, not hypothetical. CVE-2026-25253 affected 50,000+ exposed instances; 12% of ClawHub skills were found malicious in a 2026 audit. Self-hosting comes with self-security responsibility.
  • OpenClaw earns its keep on three specific use cases. Persistent 24/7 automation, messaging-app integration across many platforms, and full data control. For other use cases, commercial agents are usually the right answer.
  • Most non-technical users should not install OpenClaw in 2026. The commercial agents from Articles 02–05 cover 90% of needs with 1% of the security responsibility.
  • The 3-question decision framework decides for most people. Patch within 24 hours? Need persistent multi-app autonomy? Strong-enough privacy needs to justify self-host? Three "yes" answers = OpenClaw might fit. Any "no" = commercial agents are better.
  • The most useful thing OpenClaw teaches is what's possible — proactive AI that lives where you live, remembers across weeks, runs entirely on hardware you control. Whether you install it today or wait for the ecosystem to mature, knowing about OpenClaw shapes how you evaluate every other AI tool. That alone is worth the time.

    Learn AI, after work

    Track your progress, earn XP, and unlock more free tutorials in the AfterWork Bytes app.

    Open this tutorial in the app