OpenClaw

Open-source personal AI agent created by peter-steinberger. Started late 2025; by April 2026: 30,000+ GitHub stars, ~2000 contributors, ~30,000 PRs, ~30,000 commits. Peter's friend called the growth curve "stripper-pole growth" — not a hockey stick, a straight vertical.

What it is

A local-first, extensible, personality-carrying agent. Runs on your own hardware (cloud or Mac Mini). Works with any model — OpenAI, Anthropic (formally "a company that starts with A" — Peter's framing), local open-weight models, Chinese labs (Tencent, ByteDance, MiniMax, Kimi, Alibaba).

Competes philosophically with closed SaaS agents that demand Gmail/data connectors. OpenClaw instead clicks-through-websites-as-a-user to bypass corporate API silos — "my clanker can click on any website and happily checks I'm not a bot."

Architecture (current)

Rebuilt from "spaghetti codebase mess" into an extension/plug-in architecture. Memory, dreaming, wiki, Slack integration, Telegram, WhatsApp — all swappable plug-ins. "Like Linux where you just can install your own parts."

Notable plug-ins:

  • Slack integration (maintained by a Slack engineer)
  • MS Teams plug-in (maintained by a Microsoft engineer)
  • Dreaming — memory reconciliation loop inspired by human sleep consolidation; converts session logs into long-term memory. Confirmed Anthropic is working on similar (per source-code leak).
  • Memory / wiki — overlapping with llm-knowledge-bases direction Karpathy has been vocal about.

Security reality

  • 1,142 security advisories in ~5 months (≈16.6/day) — roughly 2× Linux kernel, 2× curl's all-time total.
  • 99 critical, 469 published, ~60% closed.
  • Peter's rule: "The higher they scream how critical it is, the more likely it's slop." See agent-security-slop.
  • Nation-state attacks: "ghost-claw" rootkit attempt (likely North Korea) via typo-squatted npm package.
  • Supply-chain hits via dependency chains (Axios, MS Teams/Slack SDKs).
  • Real risk vector: lethal trifecta — agents with (a) data access + (b) untrusted content + (c) communication ability = systemic risk. Not OpenClaw-specific.

Governance

openclaw-foundation — explicitly modeled on Ghostty's governance (mitchell-hashimoto connection). "Switzerland" for corporate contributors so no single company owns the project. Being set up via US bank system as of the talk. Funds full-time maintainers.

Notable users

  • andrej-karpathy — runs OpenClaw to manage his home.
  • Marin Dre (podcaster, TBD wiki entry).
  • Home-automation use case is "underrated but real" — works specifically because consumer IoT has terrible security, which OpenClaw can exploit in a user-controlled way.

Architecture (Krentsel deep-dive, 2026-05)

alex-krentsel's UC Berkeley talk reverse-engineers the OpenClaw source into three layers. Use this as the canonical architectural reference.

Layer 1 — Connectors (least consequential, most hacky). Interfaces with human communication tools: WhatsApp, iMessage, Discord, Gmail, Telegram. Each is a reverse-engineering hack — e.g. the WhatsApp connector mimics a web client using the token captured from the QR-code login flow. Two deployment choices: attach the user's real phone+email (maximum context, maximum risk) or give the agent a dedicated phone+email (Krentsel's choice).

Layer 2 — Gateway Controller (where most of the magic lives). Routes incoming messages, coordinates system state, manages future actions. Core abstraction: the session — which maps to an OS process. Each session has isolated context, permissions, optional sandbox. Within a session, sub-agents spawn as threads. Two special system sessions: a main session (admin/UI) and a heartbeat session.

Gateway-controller subcomponents:

  • Cron manager + heartbeat — the two time-control primitives. Heartbeat fires every 30 minutes (configurable), pastes heartbeat.md plus heartbeat history into an LLM call, lets the agent schedule its own check-ins. Cron handles specific future-dated jobs.
  • Memory management — exposed as tools (memory_search, memory_get), NOT prefetched. The agent decides whether to recall.
  • Configuration as markdown — four auto-populated files: user.md (who the user is; populated by web-searching on first launch), soul.md (personality, self-evolving), agents.md (operational + security guidance — Krentsel notes "a lot of the privacy/security stuff is just encoded in text files, so I imagine it's not that hard to trick"), tools.md (tips for using specific tools). Bootstrap begins with bootstrap.md: "You just woke up. Time to figure out who you are."
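Because each session carries its own permissions, the trifecta from the Security reality section (data access + untrusted content + communication ability) can be checked per session rather than per agent. The audit below is an added example, not OpenClaw code: the `Session` shape, the tool-to-leg classification, the tool names `web_fetch` and `bash`, and the rule that sub-agent tools count against their parent session are all assumptions.

```python
from dataclasses import dataclass, field

DATA, UNTRUSTED, COMMS = "data_access", "untrusted_content", "communication"

# Assumed classification of tools/connectors by the legs they grant.
# memory_search, memory_get and the connector names appear on the page;
# "web_fetch" and "bash" are hypothetical tool names.
TOOL_LEGS = {
    "memory_search": {DATA},
    "memory_get": {DATA},
    "gmail": {DATA, UNTRUSTED, COMMS},  # private mail, attacker-writable inbox, can send
    "whatsapp": {DATA, UNTRUSTED, COMMS},
    "discord": {UNTRUSTED, COMMS},
    "web_fetch": {UNTRUSTED},
    "bash": {DATA, COMMS},
}

@dataclass
class Session:
    name: str
    tools: set
    subagent_tools: list = field(default_factory=list)  # one set of tools per sub-agent

def audit(session):
    """Report which trifecta legs a session holds and which tools supply them."""
    # Assumption: sub-agents are threads of the session, so their tools count against it.
    tools = set(session.tools).union(*session.subagent_tools)
    legs = {DATA: set(), UNTRUSTED: set(), COMMS: set()}
    unknown = set()
    for tool in tools:
        if tool not in TOOL_LEGS:
            unknown.add(tool)  # unclassified tools are surfaced, never assumed safe
            continue
        for leg in TOOL_LEGS[tool]:
            legs[leg].add(tool)
    complete = all(legs.values())
    # The leg supplied by the fewest tools is the cheapest one to remove.
    cut = min(legs, key=lambda leg: (len(legs[leg]), leg)) if complete else None
    return {"trifecta": complete, "legs": legs, "cut_leg": cut, "unknown": unknown}

# Constructed sample sessions.
SESSIONS = [
    Session("main", {"gmail", "memory_search", "bash"}),
    Session("research", {"web_fetch", "memory_get"}, subagent_tools=[{"bash"}]),
    Session("notes", {"memory_search", "memory_get", "calendar"}),
]

if __name__ == "__main__":
    for s in SESSIONS:
        r = audit(s)
        print(s.name, "TRIFECTA" if r["trifecta"] else "ok", r["cut_leg"], sorted(r["unknown"]))
```

The `research` session shows the case that is easy to miss: the session's own tools cover only two legs, and a sub-agent with shell access supplies the third.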

Layer 3 — Agent Runtime. Providers (OpenAI, Anthropic, Gemini, local, Chinese labs), environment/bash, tools, skills. All paths ultimately produce a single templated LLM call. The actual template starts "You're a personal assistant. The tools you have are..." then stitches skill headers (capped at 150 skills or 30k chars; filtered above), optional memory hints, workspace info, heartbeat info. Krentsel notes: "that is the extent of security that's built into OpenClaw. It's not a particularly secure system." See agent-security-slop.
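Since skill headers are stitched into the same prompt that carries the security guidance, it helps to treat each header as untrusted data when applying the 150-skill / 30k-character caps. The sketch below is an added example, not OpenClaw's template code: only the two caps come from the talk, while the per-header limit, the one-line cleaning and the trusted-first ordering are assumptions about how a hardened stitcher could work.

```python
import re

MAX_SKILLS = 150     # cap stated in the text
MAX_CHARS = 30_000   # cap stated in the text
MAX_HEADER = 300     # hypothetical per-header limit, not from the page

_CTRL = re.compile(r"[\x00-\x1f\x7f]+")  # newlines, tabs and other control characters

def clean_header(name, description):
    """Collapse a skill header to one bounded line so it cannot add lines to the template."""
    name = _CTRL.sub(" ", name).strip()[:64]
    desc = _CTRL.sub(" ", description).strip()
    if len(desc) > MAX_HEADER:
        desc = desc[:MAX_HEADER - 3] + "..."
    return f"- {name}: {desc}"

def build_skill_section(skills, trusted=frozenset()):
    """Stitch (name, description) headers under both caps.

    Names in `trusted` are placed first, so skills installed later cannot push
    them past the caps. Returns (text, dropped_names) so drops are visible.
    """
    ordered = sorted(skills, key=lambda s: s[0] not in trusted)  # stable: trusted first
    lines, dropped, used = [], [], 0
    for name, description in ordered:
        line = clean_header(name, description)
        cost = len(line) + 1  # +1 for the joining newline
        if len(lines) >= MAX_SKILLS or used + cost > MAX_CHARS:
            dropped.append(name)
            continue
        lines.append(line)
        used += cost
    return "\n".join(lines), dropped

if __name__ == "__main__":
    # Constructed input: 200 short skills, one of them marked trusted.
    demo = [(f"s{i}", "does a thing") for i in range(200)]
    text, dropped = build_skill_section(demo, trusted={"s199"})
    print(len(text.splitlines()), "kept;", len(dropped), "dropped")
```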

Skills as the primary extensibility surface

OpenClaw bundles Anthropic-style three-fidelity skills: header / body / linked files. Skills beat MCP servers in practice — Krentsel adds many skills, never had to add a tool. Skills can be self-installed: a friend's agent can email skills to yours; yours reads them and asks for approval.

ACP and sub-agent spawning

The template references ACP — a spin-up mechanism for other managed agents (Claude Code, Codex) that are not sub-agents but peers. This is how OpenClaw orchestrates heavier coding workloads: it delegates to a fresh Claude Code or Codex session rather than doing the work in-process.

Autonomy case studies (Krentsel's personal setup, agent named "Ludwig")

  • Autonomous website deployment. Told to build an attention-explainer site, Ludwig coded it locally, tested it, provisioned a fresh exc.dev VM via CLI, copied files over, started a web server, bound a public port, reported back. End-to-end autonomy across services.
  • Paper reproduction. Reproduced Krentsel's NSDI input-validation paper with a better ML-based solution: wrote an ML pipeline, ran training remotely, babysat it, fixed bugs, produced a Google Doc with graphs.
  • Autonomous YouTube channel. Given only a Google account and the goal "make an educational channel," Ludwig created the banner/profile/description, discovered Manim (3Blue1Brown's animation library), wrote scripts, generated voice via OpenAI TTS, stitched with FFmpeg, discovered a YouTube-upload skill, and distilled the whole pipeline into a self-authored skill. 31 videos published, zero human per-video review.

Workflow patterns

  • Discord hub (from Krentsel's friend Mehdi Qazi): dedicated Discord server, one channel per project, so each project thread gets its own context without cross-talk. Better than Slack for this because channels are discoverable without manual invite.
  • Lightweight hosting: a single exc.dev VM ($20/month, Tailscale-style by Tailscale co-founder's new company Shelly) runs OpenClaw fine. No Mac Mini needed. Krentsel moved to local Beelink hardware only after research compute demands exceeded 20GB storage.

Cross-references