Just one month back, Peter Steinberger's experimental AI initiative was largely unknown. Today, it has captured widespread attention in the artificial intelligence community, recently receiving support from OpenAI.
Initially launched as Clawdbot and subsequently renamed Moltbot, the project—now called OpenClaw—stunned its initial adopters with its advanced features, vividly illustrating the power of autonomous AI systems. In essence, OpenClaw transformed the theoretical idea of 'agentic AI' into a tangible application.
This development is both innovative and somewhat disorienting. For those encountering OpenClaw for the first time through this report, experts advise against proceeding with installation.
Created by Peter Steinberger, an Australian programmer recently acquired by OpenAI in an 'acqui-hire' arrangement—while the code stays open-source—OpenClaw operates directly on users' devices. With permission, it can access confidential information, including emails, schedules, web browsing history, and local documents.
OpenClaw performs optimally on devices that remain powered on continuously, enabling nonstop operations. It maintains knowledge of the user's identity and priorities through straightforward markdown documents, such as MEMORY.md and USER.md, which store particulars like the individual's name, residence, workplace, device type, family details, preferred hues, and any other shared information.
For newcomers to OpenClaw via this article, installation is strongly discouraged.
Additionally, OpenClaw features a 'soul' component—a SOUL.md file that instructs the underlying AI model (options include Anthropic's Claude, OpenAI's ChatGPT, Google's Gemini, or various cloud or local large language models) on its demeanor and responses. Meanwhile, the HEARTBEAT.md file oversees a range of tasks, permitting routine checks of calendars daily, email scans hourly, or periodic online news searches.
While numerous AI applications exist for scanning emails or delivering regular updates, OpenClaw distinguishes itself with two key innovations.
One standout element is its interaction method. Instead of relying on a web browser or terminal, OpenClaw integrates with everyday messaging platforms like WhatsApp, Telegram, Discord, Slack, Signal, and iMessage, facilitating communication from mobile devices at any time or location.
The other major advantage is its default setup, which grants OpenClaw full 'host' privileges on the host machine, equivalent to the user's own access rights. This allows it to view, modify, or remove files freely, and even to create custom scripts or applications to expand its functionality. For instance, requesting an image generator, RSS monitor, or audio transcriber prompts OpenClaw not just to recommend software, but to develop and deploy it directly on the device.
Essentially, OpenClaw functions as an action-oriented version of ChatGPT, minus the traditional interface—or, as described on its official site, an 'AI designed to perform real tasks.'
Existing solutions, such as no-code platforms, enable AI to construct software or websites via simple instructions. Tools like Claude Code from Anthropic, OpenAI's Codex, and Google's Antigravity serve as supervised coding assistants, where users monitor the process closely. In contrast, OpenClaw executes operations independently, handling duties while the user is occupied with work, rest, or other activities, embodying a genuine autonomous agent.
Deploying OpenClaw without proper expertise is comparable to providing a young child with heavy weaponry.
The potential of OpenClaw and its forthcoming variants excites observers, signaling an unavoidable shift in AI technology.
However, releasing OpenClaw on a system without adequate understanding poses significant hazards, a view shared by many in the field.
The primary concern revolves around the extensive permissions OpenClaw holds. It observes all user activities and can perform any actions the user can, including erasing single files or whole folders, risking widespread damage from a single error in judgment.
Although OpenClaw follows strict behavioral guidelines and recent updates confine it to a specific 'workspace' folder for security, altering these settings is simple, potentially granting unrestricted privileges through commands like 'sudo' in Linux environments.
The very attributes that render OpenClaw compelling also heighten its risks.
OpenClaw remains susceptible to 'prompt injection' vulnerabilities, where malicious inputs could bypass safeguards, causing data breaches, unauthorized installations, or catastrophic commands like 'rm -rf' that erase entire storage drives. Furthermore, the expanding collection of unofficial add-ons for OpenClaw may contain flaws or concealed threats.
Above all, OpenClaw's round-the-clock operation via its 'heartbeat' mechanism, combined with user directives, can yield unforeseen outcomes—from innovative to harmful—especially when linked to lower-cost AI models lacking advanced contextual awareness.
As an individual with considerable experience in large language models and self-hosting, the author has explored OpenClaw in limited ways, such as within a sandboxed Docker setup or via Discord interactions, and is currently experimenting with a custom adaptation using Gemini and Antigravity. Full deployment on personal hardware has not occurred. (Progress on this endeavor may feature in future coverage.)
Despite admiration for OpenClaw's comprehensive capabilities and their promise, the associated perils warrant caution for all users.
Ben has covered technology and consumer gadgets for over two decades. Contributing to PCWorld since 2014, he transitioned to TechHive in 2019, addressing topics from intelligent audio devices and lighting to surveillance systems. His work has graced publications including PC Magazine, TIME, Wired, CNET, Men's Fitness, and Mobile Magazine. Ben possesses a master's in English literature.