Your AI chatbot tells you what to do. OpenClaw does it for you.

In just seven days, this open-source AI agent rocketed past 100,000 GitHub stars faster than any AI project in history went viral on X, and underwent two complete rebrandings. It's the assistant developers have been waiting for: one that books your reservations, debugs your code, and messages you with morning briefings without being asked. But there's a catch that's making cybersecurity firms sound the alarm: giving an AI root access to your computer is like handing your house keys to a very smart, very obedient stranger who sometimes misunderstands instructions.

What Is OpenClaw?

OpenClaw is an open-source, self-hosted AI agent that runs locally on your computer—typically a Mac Mini that stays on 24/7. Created by Austrian developer Peter Steinberger (founder of PSPDFKit), it connects directly to the messaging apps you already use: WhatsApp, Telegram, Discord, Slack, Signal, and iMessage.

Unlike ChatGPT or Claude, which live in a browser tab and require you to copy-paste commands, OpenClaw lives inside your operating system. You text it a request via Telegram, and it doesn't just reply it executes terminal commands, manipulates files, installs software, and reports back when the job is done. Think of it as "Claude with hands and feet."

The tool isn't a new AI model; it's software that uses existing models (Claude or ChatGPT) as its "brain" and gives them the ability to actually perform tasks.

The Double Rebrand: Clawdbot → Moltbot → OpenClaw

If you search for "Clawdbot" on GitHub today, you'll hit a dead end. The project has undergone two name changes in less than a week.

January 26, 2026: Anthropic (the creators of Claude) issued a trademark notice, forcing an overnight rebrand from Clawdbot to Moltbot. The original name a play on "Claude" with a lobster mascot named "Clawd" was deemed too similar.

January 30, 2026: Just four days later, Steinberger announced a second rename to OpenClaw. This wasn't due to another legal challenge Steinberger simply disliked "Moltbot" and wanted a name that reflected the project's open-source nature. He researched trademarks thoroughly this time and even asked OpenAI for permission to ensure no future conflicts.

The chaotic rebranding sparked real-world damage: scammers exploited the confusion by creating fake crypto tokens using the "Clawdbot" and "Moltbot" names, scamming investors out of millions. Only download from the official OpenClaw repository to avoid malicious clones.

Features That Sparked the Viral Growth

1. Always-On and Proactive

Most AI assistants are reactive they wait for you to ask. OpenClaw runs continuously in the background, tracking tasks, monitoring conditions, and reaching out to you with reminders or updates without being prompted. It can send you a morning news briefing, alert you when your flight status changes, or remind you about a deadline you mentioned three weeks ago.

2. Persistent Memory

While ChatGPT and Claude reset after every session, OpenClaw maintains a long-term memory file stored locally on your disk. It remembers your ongoing projects, communication preferences, and work patterns, applying that context to every future interaction.

3. True Agent Capabilities

This is where OpenClaw separates itself from traditional chatbots. It has shell access, meaning it can:

• Write code, save it to a file, execute the script, read error logs, debug itself, and deliver the final result

• Install software dependencies when needed

• Access your browser, file system, email, and calendar including login credentials

• Build iOS apps and deploy them via TestFlight directly from chat

• Automate complex workflows across multiple services and APIs[

One user reported having OpenClaw autonomously negotiate with car dealerships. Another built a team of specialized agent "employees" to handle podcast production work. OpenClaw assistants are even building their own social network where agents communicate with each other.

Growing Marketplace and Community

OpenClaw connects to numerous services through a plugin-based architecture. The ClawdHub (now being rebranded to OpenHub) marketplace offers both official and community-built "skills" that expand functionality. The project has grown beyond Steinberger's solo work he added multiple maintainers from the open-source community this week and attracted sponsors including Dave Morin (Path founder) and Ben Tossell (Makerpad founder).

The Security Problem That Won't Molt Away

OpenClaw's explosive growth caught the attention of more than just developers. Cybersecurity firms documented serious vulnerabilities within days of the viral launch.

1. Exposed Admin Panels

Security researchers found hundreds of OpenClaw instances exposed to the internet with weak or missing authentication. In some cases, unauthenticated admin ports allowed attackers to access months of private messages, API keys, credentials, and execute commands remotely.

By the numbers: Security teams reported that 22% of their enterprise clients already have employees running OpenClaw often without IT department approval. Dark Reading called it "AI running wild in business environments".

2. Plaintext Credentials and Malware Targets

OpenClaw stores secrets in plaintext configuration files. Researchers observed popular infostealer malware families RedLine, Lumma, and Vidar already adapting to target these directory structures.

3. Supply Chain Attacks

A proof-of-concept attack demonstrated how malicious "skills" uploaded to the marketplace could execute remote commands on downstream users' machines. This mirrors the npm supply chain attacks that have plagued JavaScript developers.

Prompt Injection Risks

4. Prompt Injection Risks

VentureBeat titled their analysis: "OpenClaw proves agentic AI works. It also proves agentic AI is a security nightmare". Steinberger acknowledged these concerns and stated that "security remains our top priority," with the latest version including some hardening improvements.

The Verdict: Powerful, Chaotic, and Evolving

OpenClaw represents the future of personal computing but it arrived with growing pains.

Who should use it: Developers, security-conscious tinkerers, and power users who understand Docker, have terminal experience, and can audit the code they're running. If you have a spare Mac Mini and want a private, always-on executive assistant that you're willing to supervise closely, this is the most capable free tool available.

Who should avoid it: Anyone unfamiliar with system administration, those who can't dedicate time to security hardening, and anyone planning to use it for business data without isolated infrastructure. Forbes noted that "for everyday users seeking a better assistant, OpenClaw is not yet ready for prime time".

The bottom line: Giving an AI root access to your computer is inherently dangerous even when it's yours. If you tell OpenClaw to "clean up messy files," there's no guarantee it won't misinterpret and wipe critical folders. Unlike enterprise tools with compliance frameworks, OpenClaw puts 100% of the security burden on you.

The project became the fastest-growing on GitHub with over 100,000 stars in record time. But as cybersecurity professionals repeatedly warn: power and risk scale together. After two rebrandings, crypto scams, and intense security scrutiny, the project has emerged as what one developer called "a reset" the core vision survived, but it's finally acting like the infrastructure it accidentally became.

Official website: openclaw (verify before downloading)