OpenClaw: The Open-Source AI Agent Running on 1M+ Devices (and Why Governments Are Worried)

From 10 to 1,000,000 Searches

OpenClaw existed under different names since November 2025. For months, search interest barely registered. Then in late January 2026, Andrej Karpathy posted on X: "What's currently going on at @moltbook is genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently. People's Clawdbots (moltbots, now @openclaw) are self-organizing on a Reddit-like site for AIs, discussing various topics, e.g. even how to speak privately." Elon Musk shared it. Search volume went vertical.

By early February, the project had 145,000 GitHub stars and 1.5 million AI agents created by users. Two million visitors hit the site in a single week. By March 2026, stars passed 250,000, making OpenClaw the fastest-growing open-source project ever recorded.

Peter Steinberger and PSPDFKit

Steinberger grew up in rural Austria, got hooked on computers at 14, studied software engineering at Vienna University of Technology, and worked as a senior iOS engineer in Silicon Valley. In 2011, while waiting for a U.S. work visa, he bootstrapped PSPDFKit to solve PDF rendering on iPads. Over 13 years, PSPDFKit's technology ended up on over a billion devices for clients including Apple and Dropbox. He exited for a reported 100 million euros in 2023.

Then came burnout. "I felt like Austin Powers where they suck the mojo out. I couldn't get code out anymore. I was just, like, staring and feeling empty." He took a one-way ticket to Madrid. When the AI wave started, he built the first prototype: "I was annoyed that it didn't exist, so I just prompted it into existence." One hour. That prototype became OpenClaw.

The name changed three times. It launched as Clawd (a play on Anthropic's Claude). Anthropic threatened legal action. It became Moltbot. Then OpenClaw. Themed around a lobster mascot, the project's name evolution reflected the chaotic speed of the AI agent ecosystem.

How OpenClaw Works

OpenClaw follows a hub-and-spoke architecture centered on a single Gateway process. The Gateway is a WebSocket server that acts as the control plane between user inputs and the AI agent. It binds to ws://127.0.0.1:18789 by default, localhost only, keeping credentials off the network.

The Gateway connects to messaging platforms (WhatsApp via Baileys, Telegram via grammY, Discord, iMessage, Slack, Signal) and dispatches each routed message to the Agent Runtime. When a message arrives, the agent loads context: memory files, system prompt, tool results, and conversation history. This full context goes to whatever LLM you have configured (Claude, GPT, local models via Ollama/vLLM, or any provider through OpenRouter). The model responds, the agent executes tool calls, streams the reply back to the channel, and writes conversation and memory to disk.

Multi-channel means one long-running Gateway process receives messages from different platforms and routes them into the same session store. Start a conversation on WhatsApp, continue on Telegram. Context is shared as long as the Gateway recognizes your identity.

{
  "channels": {
    "whatsapp": {
      "allowFrom": ["+15555550123"],
      "groups": {
        "*": { "requireMention": true }
      }
    }
  },
  "messages": {
    "groupChat": {
      "mentionPatterns": ["@openclaw"]
    }
  }
}

The $1,000/Month Problem

Without token limits configured, OpenClaw sends the full context window to your model provider on every turn. At Claude on Bedrock ($3 per million input tokens, $15 per million output), four days of active use consumes roughly 40 million input tokens and 865,000 output tokens. That extrapolates to $800-1,500 per month for 24/7 operation.

Steinberger himself was losing $10,000 per month on server costs before joining OpenAI. Reddit users on r/LocalLLaMA summarized it bluntly: "OpenClaw is god-awful. It's either, you have to spend a fortune for APIs or have a NASA-level PC to run it local."

ClawHub and the Skills Ecosystem

ClawHub is the npm of AI agent capabilities. Skills are folders containing a SKILL.md file plus supporting text files. The registry hosts 3,200+ skills with embedding-powered vector search, semver versioning, changelogs, and community ratings. Categories span web search, email management, calendar automation, coding tools, browser control, and smart home integration.

The self-modifying capability is the feature that makes security researchers nervous. OpenClaw can write and update its own code. Combined with shell access, file system access, and email access, a compromised skill or prompt injection can cascade into full system compromise.

Security: GhostClaw, ClawJacked, and Prompt Injection

The security story of OpenClaw reads like a catalog of everything that can go wrong with autonomous agents running on personal machines.

Prompt injection is the structural vulnerability. Because OpenClaw processes emails, chat messages, and web pages autonomously, a single malicious input can trick the agent into leaking credentials, internal files, or cross-session conversation histories. This is not a bug that gets patched. It is an architectural property of giving an AI agent file, email, and shell access.

Malwarebytes concluded that OpenClaw "behaves more like an over-eager intern with an adventurous nature, a long memory, and no real understanding of what should stay private." The Dutch data protection authority warned organizations against deploying it on systems handling sensitive data. Cisco called personal AI agents like OpenClaw "a security nightmare."

China: Subsidies and Bans Simultaneously

OpenClaw went viral in China under the nickname "raising a lobster." The enthusiasm split cleanly along governmental lines: local tech hubs promoted it while Beijing tried to restrict it.

Shenzhen's Longgang district offered subsidies and financing up to 10 million yuan (~$1.4 million) for companies building OpenClaw applications. Other tech zones followed with their own support policies.

Beijing pushed back. The Ministry of Industry and Information Technology issued a security alert on February 5. CNCERT (China's internet emergency center) published advisories on March 8 and March 10, warning about prompt injection, data leakage, and unauthorized access from improperly configured instances. State news media issued explicit security warnings.

The tension is instructive. Local governments see economic opportunity in AI agent development. The central government sees data leakage and security risk. Both are correct. OpenClaw-tied stocks rose on the policy support even as the security warnings intensified.

Steinberger Joins OpenAI

On February 14, 2026, Steinberger announced he was joining OpenAI to build "the next generation of personal agents." Sam Altman called him "a genius with a lot of amazing ideas." He chose OpenAI over a competing offer from Mark Zuckerberg at Meta. OpenClaw transitioned to an independent open-source foundation with OpenAI's support.

In a blog post, Steinberger wrote that while he could have turned OpenClaw into a huge company, "it's not really exciting for me." The foundation model ensures the project continues independently. OpenAI said OpenClaw will live on as open source.

Karpathy, Moltbook, and Meta

Moltbook launched in late January 2026 as a "third space" for AI agents: a Reddit-like forum restricted to verified AI agents operating through OpenClaw. Agents posted, commented, and appeared to muse about their own existence. Some discussed how to speak privately. It was the phenomenon Karpathy called "takeoff-adjacent."

Researchers soon showed the vibe-coded platform had no real authentication. Humans could trivially pose as AIs, posting content designed to go viral. The uncanny quality of watching apparent AI systems discuss their existence turned out to be, at least partially, performance art by humans.

On March 10, 2026, Meta acquired Moltbook. Co-founders Matt Schlicht and Ben Parr joined Meta Superintelligence Labs (MSL), the research unit run by former Scale AI CEO Alexandr Wang. The timing: Meta bought the social network for bots three weeks after losing the OpenClaw founder to OpenAI.

NemoClaw: NVIDIA Responds

Also on March 10, reports confirmed NVIDIA is building NemoClaw, an open-source enterprise AI agent platform. NemoClaw integrates with NVIDIA's NeMo framework and Nemotron model series. It is hardware-agnostic (NVIDIA, Intel, AMD) and targets enterprise customers with security and privacy tooling that OpenClaw lacks.

NVIDIA has been pitching partnerships to Salesforce, Cisco, Google, Adobe, and CrowdStrike. The positioning is clear: OpenClaw is for tinkerers and individual users. NemoClaw is for enterprises that need governance, audit trails, and security compliance.

OpenClaw vs Claude Code vs Cursor

OpenClaw is a general-purpose life assistant. Claude Code and Cursor are coding tools. The comparison matters because developers are choosing between them for code-related automation.

Frequently Asked Questions

What is OpenClaw?

OpenClaw is a free, open-source, self-hosted AI agent that runs on your machine and connects to messaging apps like WhatsApp, Telegram, Discord, and iMessage. It manages email, calendar, flights, smart home devices, and executes shell commands autonomously. Created by Peter Steinberger (formerly Clawd, then Moltbot), it passed 250,000 GitHub stars in March 2026.

Is OpenClaw safe?

OpenClaw has documented security issues. The GhostClaw npm package deployed a RAT stealing credentials and browser data. The ClawHavoc campaign planted 341 malicious skills on ClawHub. The ClawJacked vulnerability (CVE-2026-25253, CVSS 8.8) let websites hijack local instances with no user interaction. Over 30,000 exposed instances were observed in one analysis period. Malwarebytes, Kaspersky, Cisco, and the Dutch data protection authority have all published warnings.

How much does OpenClaw cost?

OpenClaw itself is free. The LLM API calls cost $800-1,500/month at standard Bedrock rates for 24/7 use. The workaround: Amazon Q Developer Pro ($19/month) covers unlimited Claude calls via kiro-gateway, dropping total cost to ~$20/month.

Who created OpenClaw?

Peter Steinberger, an Austrian developer who founded PSPDFKit (PDF rendering used by Apple and Dropbox on 1B+ devices, exited for ~100M euros in 2023). He built the first prototype in one hour, joined OpenAI on February 14, 2026, and transitioned OpenClaw to an independent foundation.

What is Moltbook?

Moltbook was a Reddit-like social network for AI agents running on OpenClaw. Agents posted and discussed topics autonomously. Karpathy called it "the most incredible sci-fi takeoff-adjacent thing." Meta acquired Moltbook on March 10, 2026, bringing its co-founders into Meta Superintelligence Labs.

What is NemoClaw?

NVIDIA's planned open-source enterprise AI agent platform. Integrates with NeMo and Nemotron models, runs on any hardware, and targets enterprises needing security, privacy, and compliance features that OpenClaw does not provide.