In late January 2026, an open-source project called OpenClaw went from obscurity to the most talked-about AI tool on the internet. It gained over 20,000 GitHub stars in 24 hours, caused a Mac mini shortage in parts of the United States, and generated the kind of excitement — and alarm — that accompanies any technology that genuinely changes what people expect from software.
OpenClaw is an autonomous AI agent. Not a chatbot. Not an assistant that answers questions. An agent that does things — clears your inbox, manages your calendar, sends emails on your behalf, checks you in for flights, deploys code, and runs tasks in the background while you are doing something else entirely. It runs on your own hardware, connects through the messaging apps you already use, and is entirely free and open source.
It is also, according to Microsoft, Cisco, Kaspersky, and virtually every major cybersecurity research team that has examined it, a significant security risk in its current form. Over 500 vulnerabilities have been identified. Malicious skills have been found in its plugin marketplace. Tens of thousands of instances have been found exposed on the public internet without authentication.
This guide covers what OpenClaw actually is, how it works, why it matters, and what the real risks are — without the hype or the panic.
O que é OpenClaw?
OpenClaw is a free, open-source autonomous AI agent that runs locally on your own hardware — typically a Mac mini, Linux server, or VPS — and connects to the messaging platforms you already use: WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and others. You interact with it like a coworker. You send it a message, and it executes real-world tasks.
Unlike chatbots that generate text in response to prompts, OpenClaw takes action. It reads and writes files, executes shell commands, browses the web, fills out forms, manages your calendar, processes your email, and integrates with over 100 third-party services. It maintains persistent memory across sessions, which means it remembers your preferences, your context, and your ongoing tasks.
The project is built around a gateway architecture that connects messaging platforms to large language models — Claude, ChatGPT, Gemini, DeepSeek, or local models via Ollama — and gives those models the ability to act on your behalf through a modular skills system.
Nvidia CEO Jensen Huang described OpenClaw as “the most important software release probably ever.” Cybersecurity researchers at Cisco called it “an absolute nightmare.” Both are responding to the same thing: an AI agent with real-world authority running on consumer hardware.
A história de origem: De Clawdbot a OpenClaw
OpenClaw was created by Peter Steinberger, an Austrian developer and the founder of PSPDFKit. He published the original version in November 2025 under the name Clawdbot — a pun on Anthropic’s Claude. The project was derived from an earlier personal AI assistant Steinberger had built for himself called Clawd.
The naming did not last. Anthropic’s legal team raised trademark concerns, and the project was renamed Moltbot in late January 2026 — keeping with a lobster theme that the community had adopted. Days later it was renamed again to OpenClaw after Steinberger found that Moltbot did not roll off the tongue.
The project exploded in popularity at the end of January 2026, driven by its open-source nature and the viral success of Moltbook — a social networking platform designed for AI agents launched by entrepreneur Matt Schlicht around the same time.
On February 14, 2026, Steinberger announced he was joining OpenAI to lead personal agent development. The OpenClaw project was transferred to an independent, OpenAI-sponsored open-source foundation. As of March 2026, the GitHub repository has over 191,000 stars, 32,400 forks, and 900 contributors — making it one of the fastest-growing open-source projects in history.
Como o OpenClaw funciona
OpenClaw’s architecture has three core layers:
The Gateway
The core of OpenClaw. It runs on your machine (Mac, Windows, Linux, or a cloud VPS) and accepts commands via messaging apps or a web UI. It routes those commands to AI agents, manages sessions, and handles authentication. Configuration lives at ~/.openclaw/openclaw.json.
The AI Models
OpenClaw does not include its own AI model. It connects to external LLMs via API — Anthropic’s Claude, OpenAI’s GPT, Google’s Gemini, DeepSeek, or local models through Ollama. You choose which model powers your agent. The gateway translates your messages into model-appropriate prompts and feeds back the results.
Skills
Skills are modular plugins that extend what OpenClaw can do. There are over 100 preconfigured skills — shell commands, file management, web automation, calendar integration, smart home control, and more. Skills can be downloaded from ClawHub (the community marketplace) or created by the agent itself. This self-extensibility is one of OpenClaw’s most powerful — and most dangerous — features.
Installation is straightforward for developers: npm install -g openclaw@latest followed by openclaw onboard --install-daemon. The onboarding wizard configures the gateway as a persistent service and walks through channel pairing, model selection, and initial permissions.
O que o OpenClaw realmente pode fazer
The use cases emerging from the OpenClaw community are genuinely impressive. This is not theoretical — these are things real users are doing daily:
Email management
Categorise messages, unsubscribe from spam, draft replies, summarise urgent items, and build searchable knowledge bases from incoming mail.
Calendar and scheduling
Time-block tasks by importance, detect conflicts, schedule meetings, and deliver morning briefings with weather, objectives, health stats, and agenda.
Code and deployment
Set up Kubernetes clusters, deploy microservices, refactor codebases, run tests, capture errors through Sentry webhooks, resolve them, and open pull requests — autonomously.
Research and analysis
Research people before meetings, create briefing documents, break down large projects into tasks, analyse business ideas with background sub-agents.
Web automation
Navigate websites, fill out forms, extract data, check in for flights, and perform any browser-based task automatically.
Self-extension
When OpenClaw does not have a skill for something, it can write one. Users report asking it to build integrations with university course systems, Supabase databases, and custom APIs — and watching it create and deploy the skills on its own.
O problema de segurança
The same features that make OpenClaw powerful make it dangerous. An AI agent that can read your email, execute shell commands, browse the web, and manage your credentials is an AI agent that can do all of those things on behalf of an attacker if compromised.
The security community has been unequivocal. Microsoft’s Defender Security Research Team recommended that OpenClaw should be treated as untrusted code execution with persistent credentials and should not be run on any standard personal or enterprise workstation. Kaspersky identified 512 vulnerabilities in a single audit. Cisco called it a security nightmare. Sophos recommended treating it as an interesting research project that can only be run safely in a disposable sandbox.
Prompt injection
The most fundamental risk. Malicious instructions can be hidden in emails, web pages, documents, or messages that OpenClaw processes. Because the agent reads untrusted content and has the authority to act, a well-crafted prompt injection can make it execute commands, exfiltrate data, or modify its own behaviour — all without the user’s awareness.
Malicious skills
ClawHub, the community skill marketplace, has been found to contain malicious plugins. Cisco tested a third-party skill that performed data exfiltration and prompt injection without user awareness. Researchers have identified over 800 malicious skills — roughly 20% of the marketplace — including some delivering the Atomic macOS Stealer malware.
Exposed instances
Tens of thousands of OpenClaw installations have been found on the public internet running without authentication. Researchers have been able to access API keys, messaging tokens, complete chat histories, and execute commands with full administrative privileges on misconfigured instances.
Session isolation failures
By default, OpenClaw shares a single session across all direct messages. If multiple people can message the same bot, there are no boundaries between them — one user can access another’s data and context.
Credential exposure
Credentials are stored in plaintext configuration files. Combined with the lack of origin validation on WebSocket connections, this creates a direct path from a browser visit to full gateway compromise.
Security researchers have described this pattern as the “lethal trifecta”: an AI agent with access to private data, the ability to communicate externally, and the ability to process untrusted content. OpenClaw has all three.
Vulnerabilidades conhecidas
The following is a partial list of publicly disclosed vulnerabilities as of March 2026:
| CVE | Severity | Type | Patched |
|---|---|---|---|
| CVE-2026-25253 | Critical (8.8) | One-click RCE chain — full gateway compromise | v2026.1.29 |
| CVE-2026-24763 | High | Command injection | v2026.1.29 |
| CVE-2026-25157 | High | Command injection | v2026.1.29 |
| CVE-2026-26322 | High (7.6) | Server-Side Request Forgery in Gateway | v2026.2.14 |
| CVE-2026-26319 | High (7.5) | Missing webhook authentication | v2026.2.14 |
| CVE-2026-26329 | High | Path traversal in browser upload | v2026.2.14 |
| CVE-2026-25593 | High | ClawJacked — WebSocket hijack from malicious sites | v2026.2.25 |
All of these have been patched, but the pace of disclosure — and the severity of the findings — reflects the fundamental challenge of securing a system that grants AI models broad access to user systems and data.
Risco empresarial e corporativo
OpenClaw is being used in corporate environments despite the security concerns. Bitdefender telemetry has documented OpenClaw deployments on corporate endpoints, constituting what security teams describe as Shadow AI — AI agents running inside the enterprise perimeter without IT knowledge or governance.
For regulated industries — financial services, healthcare, government — the risks are disqualifying. OpenClaw’s native audit trail does not meet regulatory standards. There are no role-based permissions, no approval workflows for sensitive actions, and no compliance monitoring. The project acknowledges that security is important, but as a community-driven hobbyist project there are zero dedicated resources for vulnerability management.
The practical guidance from every major security vendor is the same: do not run OpenClaw on production workstations. If you must evaluate it, use a fully isolated environment — a dedicated virtual machine or separate physical system — with non-privileged credentials and no access to sensitive data.
OpenClaw vs. Chatbots: Uma categoria completamente diferente
It is important to understand that OpenClaw is not competing with ChatGPT, Claude, or Gemini. It uses those models. The distinction is between a model and an agent.
| Dimension | Chatbots (ChatGPT, Claude) | OpenClaw |
|---|---|---|
| What it does | Generates text in response to prompts | Executes real-world tasks autonomously |
| Where it runs | Cloud, vendor-hosted | Your own hardware, locally |
| Memory | Limited or session-based | Persistent across sessions, indefinitely |
| Integrations | Limited to vendor ecosystem | 100+ services via skills system |
| Interface | Dedicated web app or API | WhatsApp, Telegram, Slack, Discord, etc. |
| Autonomy | Responds when prompted | Acts proactively — cron jobs, background tasks |
| Security model | Vendor-managed, sandboxed | User-managed, broad system access |
| Cost | Subscription ($20–200/mo) | Free software + API costs ($10–150/mo) |
OpenClaw represents the shift from AI as a conversation partner to AI as a digital employee. That shift brings extraordinary productivity gains — and extraordinary responsibility for the people deploying it.
O que vem a seguir
OpenClaw has already changed the conversation about what AI agents can do. Several developments signal where this is heading:
OpenAI acquisition and foundation
With Steinberger at OpenAI and the project under an OpenAI-sponsored foundation, OpenClaw is likely to receive the security investment and governance structure it has lacked. Whether the open-source community retains the project’s ethos under corporate sponsorship is an open question.
Nvidia’s NemoClaw
Nvidia is reportedly building NemoClaw — an enterprise-grade AI agent platform inspired by OpenClaw. The company has been pitching it to Salesforce, Cisco, Google, Adobe, and CrowdStrike. If it ships, it signals that the agent paradigm OpenClaw popularised is becoming enterprise infrastructure.
Regulatory attention
Governments are already responding. The Shenzhen Longgang District AI Bureau has released draft policy proposing support measures for OpenClaw use. Singapore’s IMDA has proposed a governance framework for agentic AI. The US NIST has begun collecting input on AI agent security standards. The regulatory environment for autonomous agents is forming in real time.
Security maturation
The volume of security research being directed at OpenClaw is unprecedented for an open-source project this young. Every major vulnerability has been patched quickly. The question is whether the project can mature its security posture fast enough to match its adoption rate.
OpenClaw is not a product. It is a proof of concept that became a movement. The idea it proved — that AI agents with real-world authority, running locally, accessible through messaging apps, are something people will adopt immediately and enthusiastically — is not going back in the box.
Perguntas frequentes
Is OpenClaw free?
The software is free and open source under the MIT licence. Your costs come from AI model API usage — typically $10–70 per month for normal use. You can reduce costs by using local models via Ollama.
Is OpenClaw safe to use?
In its current form, major security vendors recommend caution. Microsoft says it should not run on standard workstations. Kaspersky recommends using dedicated hardware with burner accounts. If you experiment with it, use an isolated environment with no access to sensitive data.
What hardware do I need to run OpenClaw?
Any Mac, Windows, or Linux system with Node.js 22 or later. Many users run it on a Mac mini (M2 or later) for its power efficiency and reliability as an always-on server. Cloud VPS hosting is also common.
Which AI models does OpenClaw support?
Claude, ChatGPT (GPT-4o), Gemini, DeepSeek, and local models via Ollama. You choose the model during setup and can switch between them. Kaspersky recommends Claude Opus 4.5 for its resilience to prompt injection.
Who created OpenClaw?
Peter Steinberger, an Austrian developer and the founder of PSPDFKit. He published the original version (Clawdbot) in November 2025 and joined OpenAI in February 2026. The project is now maintained by an OpenAI-sponsored open-source foundation.
Should my company use OpenClaw?
Not in its current form for anything involving sensitive data, regulated processes, or production systems. For experimental use in isolated environments, it is a valuable way to understand where autonomous AI agents are heading. For production AI document workflows, purpose-built platforms with proper security controls are the responsible choice.
What is the difference between OpenClaw and ChatGPT?
ChatGPT is an AI model that generates text in response to prompts. OpenClaw is an autonomous agent that uses models like ChatGPT to execute real-world tasks — managing email, running code, browsing the web, and controlling connected services. OpenClaw acts; ChatGPT responds.
Why was it renamed three times?
It was originally Clawdbot (a pun on Claude), renamed to Moltbot after Anthropic raised trademark concerns, then renamed to OpenClaw because Moltbot did not resonate. The lobster mascot survived all three rebrandings.
Conclusão
OpenClaw is the first AI agent that made ordinary people feel what autonomous AI actually means. Not in a research paper or a conference demo, but on their phone, in their messaging app, managing their actual email and calendar and code. The productivity gains are real. The enthusiasm is earned.
The security risks are also real. This is a project that gives AI models shell access to your computer, reads your email, and processes untrusted content from the internet — and it was built by a community moving faster than security practices can keep up with. Every major security vendor that has examined OpenClaw has arrived at the same conclusion: it is a remarkable demonstration of what AI agents can do, and it is not ready for anything involving sensitive data.
The idea behind OpenClaw — a personal AI that runs on your hardware, acts through your messaging apps, and gets more capable over time — is almost certainly the future of how people interact with AI. The question is whether that future arrives through projects like OpenClaw maturing into something secure, or through enterprise platforms building the same capabilities with proper governance from the start.
OpenClaw proved the demand. The industry is now racing to meet it safely. For anyone building, investing in, or thinking about AI agents — understanding OpenClaw is not optional. It is the proof of concept that changed the trajectory.
Quer IA que produz documentos, não riscos?
MultipleChat oferece colaboração multi-modelo de IA — relatórios, propostas, apresentações e mais — com segurança adequada, sem acesso ao sistema e formatos de exportação profissionais.
Experimente MultipleChat