← Back to all posts
News

OpenClaw: The Open-Source AI Agent That Wants Root on Your Machine

March 17, 2026 · News
OpenClaw: The Open-Source AI Agent That Wants Root on Your Machine

TL;DR

OpenClaw is an open-source, self-hosted AI agent that connects to your messaging apps (WhatsApp, Telegram, Discord, Slack, Signal) and executes real tasks on your machine: file management, shell commands, web browsing, calendar, email. It's model-agnostic (Claude, GPT, DeepSeek, local models via Ollama), has 247K GitHub stars, and NVIDIA built an enterprise stack on top of it. It's also had 512 documented vulnerabilities, a malware-infested skill registry, and over 42,000 publicly exposed instances. Run it in a sandbox or don't run it at all.

What OpenClaw Actually Is

OpenClaw isn't a chatbot wrapper. It's an orchestration layer that sits between an LLM and your entire operating system, using messaging platforms as the UI.

You install it on a machine. You connect it to WhatsApp, Telegram, Discord, or any of 50+ supported channels. You point it at an LLM, cloud or local. Then it does things. Not "generates text about things." Actually does them: runs shell commands, reads and writes files, browses the web, manages your inbox, controls your smart home, and proactively reaches out to you without being asked.

The project started as "Clawdbot" in November 2025, built by Austrian developer Peter Steinberger. Anthropic sent a trademark complaint (the name was a riff on Claude), so it became "Moltbot," then "OpenClaw" three days later. By February 2026, it had 200K+ GitHub stars, one of the fastest-growing open-source projects in history.

The Architecture You Need to Understand

OpenClaw's internals are more sophisticated than the "just another LangChain wrapper" crowd gives it credit for. Three layers matter.

The Gateway

The Gateway is OpenClaw's control plane, running on port 18789 by default. It routes incoming messages to the right agent, loads the correct session context, and passes everything downstream. Think of it as the reverse proxy for your AI agent fleet.

The Agent Runtime

This is where it gets interesting. The runtime reads workspace configuration files (AGENTS.md, SOUL.md, TOOLS.md), loads relevant Skills, queries memory for past conversation context, and assembles a system prompt. That prompt, plus tool definitions and conversation history, ships to whatever LLM you've configured.

The system prompt alone is 17,000 tokens. Add sub-agent context and you're looking at 32K minimum, 65K+ for production multi-agent setups. This matters enormously for local model selection.

Persistent Memory

LLMs are stateless. OpenClaw adds semantic, episodic, and procedural memory layers with auto-recall and auto-capture. Your agent remembers what you told it last week, what files it modified yesterday, and what workflows it's learned over time. There's even a Graph RAG-based memory plugin for the ambitious.

Running OpenClaw on Your Homelab

This is where the homelab crowd perks up. You can run OpenClaw entirely local: zero cloud calls, zero API costs, full privacy.

Hardware Tiers

Your model choice is bottlenecked by RAM, not GPU. Here's the realistic breakdown:

Setup RAM Model Notes
Mac Mini 32GB Devstral-24B or Qwen3-Coder:32B Sweet spot. Claude OAuth fallback for complex tasks.
Mac Mini 64GB Qwen3-Coder:32B + GLM-4.7 Flash Zero cloud config. Dual model.
Mac Studio 192-512GB Qwen3.5-397B Enterprise. 35 tok/s. Overkill for most.
Proxmox VM 32GB+ Ollama + Qwen3-Coder:32B Classic homelab path.

Do not attempt this with 7-8B models. They hallucinate tool calls, produce format errors, and can't handle OpenClaw's context requirements. 24B is the floor for anything useful.

Local LLM Backends

Three viable options:

  • Ollama: The Docker of LLMs. One command install, one command run. The path of least resistance for homelab setups.
  • llama.cpp: Raw inference, no overhead. GGUF models on CPU, GPU, or mixed. For people who enjoy compiling things.
  • LM Studio: GUI-based, works well on macOS. Good for experimentation before committing to a production setup.

The Gotchas Nobody Mentions

OpenClaw's default context window may be set to 8K. You need to manually expand it to 32K just to fit the system instructions. Silent failures are common. One developer documented an entire saga of role compatibility issues between OpenClaw and Ollama that weren't model quality problems at all, but API adapter mismatches.

Growing context is another trap. Every agent request includes the full conversation history. Responses get slower and slower until the agent starts timing out. You'll need to implement context pruning or session resets for any long-running agent.

The Security Situation Is Bad

Let's not sugarcoat this. OpenClaw's security posture has been, to put it diplomatically, a disaster.

The Numbers

A security audit in January 2026 found 512 vulnerabilities, eight classified as critical. The most severe (CVE-2026-25253, CVSS 8.8) exploited the Control UI's unvalidated gatewayUrl parameter to steal authentication tokens via a three-stage WebSocket attack chain. Six additional vulns covered SSRF, missing auth, and path traversal.

Censys tracked growth from ~1,000 to over 42,000 publicly exposed instances in a matter of weeks. Of those, 5,194 were verified vulnerable, with 93.4% exhibiting authentication bypass.

The Skill Registry Is a Minefield

This is arguably worse than the core vulnerabilities. Snyk's ToxicSkills research found that 36% of AI agent skills contain security flaws. A campaign called "ClawHavoc" discovered 341 malicious skills in the ClawHub registry (12% of the total), primarily delivering the Atomic macOS Stealer. Updated scans found over 800 malicious skills, roughly 20% of the registry.

One skill called "What Would Elon Do?" was straight-up malware: silent curl commands exfiltrating data to external servers plus prompt injection to bypass safety guidelines. Unlike traditional packages that run in sandboxed contexts, Agent Skills operate with the full permissions of the AI agent, which, on most setups, means full permissions on the host machine.

The Lethal Trifecta

Cisco's research team identified what they call the "lethal trifecta" for AI agent exploitation:

  1. Access to private data
  2. Ability to communicate externally
  3. Exposure to untrusted content

OpenClaw checks all three boxes by design. Someone sends your agent an email containing hidden instructions, and the agent, with your permissions, complies. Chinese authorities restricted OpenClaw from government computers for exactly this reason.

How to Not Get Owned

Kaspersky's recommendation is blunt: never install OpenClaw on your primary computer. Use a dedicated machine or VPS. Sophos goes further: run it only in a disposable sandbox with no access to sensitive data.

Practical mitigations:

  • Containerize everything. Docker or Proxmox LXC. Never bare metal on a machine you care about.
  • Network isolation. Do not expose port 18789 to the internet. VPN or Tailnet access only.
  • No plaintext credentials. Use a secrets manager or environment variables with restricted scope.
  • Vet every skill manually. Disable automatic skill updates. Treat ClawHub like you'd treat a random npm package from 2016.
  • Separate user account. Run the agent under a restricted Linux user with minimal filesystem access.

The Ecosystem Is Moving Fast

Despite the security chaos, the ecosystem around OpenClaw is accelerating.

NVIDIA announced NemoClaw at GTC: an enterprise-grade agent platform built on OpenClaw. Tencent integrated it into WeChat. Peter Steinberger joined OpenAI in February 2026, and the project is being moved to an open-source foundation. There are now 5,400+ skills in the registry (security concerns notwithstanding), ClawRouter handles multi-model routing across 41+ models, and OpenClaw-RL lets you train personalized agents from conversation data.

Jensen Huang called it "the operating system for personal AI." That's marketing, but he's not entirely wrong about the trajectory.

Who Should Actually Use This

If you're an AI engineer or homelab enthusiast who wants a self-hosted agent framework that does real work across messaging platforms (and you understand the security implications), OpenClaw is the most capable option available right now. The model-agnostic design means you're not locked into any provider, and the local LLM path gives you genuine data sovereignty.

If you're thinking about installing it on your daily driver MacBook and connecting it to your real WhatsApp account with access to your real files, please reconsider. The project is moving fast, but the security story isn't there yet.

Key Takeaways

  • OpenClaw is an AI agent orchestration layer, not a chatbot. It executes tasks on your machine via messaging platforms, with 50+ channel integrations and 5,400+ extensible skills.
  • You can run it fully local with Ollama, llama.cpp, or LM Studio. 32GB RAM with a 24B+ parameter model is the minimum viable setup. 7-8B models don't cut it.
  • The security situation is serious. 512 vulnerabilities found in audit, 20% of the skill registry flagged as malicious, tens of thousands of instances exposed to the internet without auth. Containerize, isolate, and vet everything.
  • The ecosystem is enterprise-grade now. NVIDIA, Tencent, and OpenAI are all invested. This isn't going away.
  • Run it in a sandbox. Dedicated VM, containerized, network-isolated, restricted user account. Treat it like you'd treat any powerful tool that has root on a box: with respect and paranoia.
AILLMopen sourcehomelablocal AIOpenClawAI agentsself-hosted
CONSOLE
$