You’ve been driving AI manually this whole course. What happens when you hand it the keys?

What OpenClaw Is (And Isn’t)

OpenClaw is an open-source, local-first autonomous AI agent. That sentence buries the lead. Here’s what actually matters:

Claude Code does what you tell it, when you tell it. You say “do X.” It does X. You review. Done.

OpenClaw does things when you’re not looking.

You configure it to watch for conditions and respond. It monitors your messaging apps, makes decisions, and takes actions — all while you’re doing something else entirely. That’s a fundamentally different relationship with an AI tool.

Think of Claude Code as a specialist you hire for specific jobs. OpenClaw is more like an assistant who sits in your office, reads your incoming mail, flags what matters, drafts responses, and handles routine requests. The analogy breaks down because a human assistant has judgment born from experience — OpenClaw has pattern matching and whatever guardrails you set up. That gap matters, and we’ll get to it.

A Name With Frequent Flyer Miles

OpenClaw started life as “Clawdbot” in November 2025, built by Peter Steinberger. Anthropic raised trademark concerns, so it became “Moltbot,” then “OpenClaw” shortly after. Despite the identity crisis, it’s grown fast — the ClawHub skill marketplace now hosts over 2,800 community-built skills. In February 2026, Steinberger announced he was leaving to join OpenAI, and the project is transitioning to an open-source foundation. The core/ vs. community/ distinction in skills still exists, but who maintains what is in flux.

How the Architecture Works

OpenClaw has four layers:

┌─────────────────────────────────────────────┐
│             YOUR MESSAGING APPS              │
│   WhatsApp · Telegram · Discord · Email      │
└──────────────────┬──────────────────────────┘
                   │ messages in
                   ▼
┌─────────────────────────────────────────────┐
│              OPENCLAW GATEWAY                │
│   Routes messages to the right agent/skill   │
└──────────────────┬──────────────────────────┘
                   │
                   ▼
┌─────────────────────────────────────────────┐
│              AI REASONING LAYER              │
│   Claude / GPT / Gemini / Local (Ollama)     │
│   Decides what to do with each message       │
└──────────────────┬──────────────────────────┘
                   │
                   ▼
┌─────────────────────────────────────────────┐
│                 SKILLS                       │
│   Modular capabilities the agent can use     │
│   Calendar · Email · Web search · Files      │
└─────────────────────────────────────────────┘

Gateway: The interface between your messaging apps and the agent. You talk to OpenClaw through the apps you already use — send it a WhatsApp message, it responds in WhatsApp.

AI Layer: The reasoning engine. OpenClaw supports multiple providers (Anthropic, OpenAI, Google, local models via Ollama). It reads the message, looks at available skills, and decides what to do.

Skills: Modular capabilities. Each skill is a self-contained package that lets the agent do one thing — look up weather, query a database, summarize a document, create a calendar event. Skills are the building blocks. Without them, OpenClaw is just an expensive chatbot.

Getting Running

Option 1: Local Install (Recommended for Technical Users)

Prerequisites: Node.js 22.12.0+, Docker (for sandboxing)

Steps:

1. Install OpenClaw:

   npm install -g openclaw
   

2. Run the onboarding wizard:

   openclaw onboard
   

   This walks you through: choosing an AI provider, entering your API key, connecting your first messaging channel, and selecting initial skills.

3. Configuration lives in ~/.openclaw/openclaw.json:

   {
     "models": {
       "default": {
         "provider": "anthropic",
         "model": "claude-sonnet-4-5-20250929",
         "apiKey": "sk-ant-..."
       }
     },
     "channels": {
       "telegram": {
         "enabled": true,
         "botToken": "your-telegram-bot-token"
       }
     },
     "skills": ["core/calendar", "core/summarize", "core/web-search"],
     "security": {
       "confirmBeforeAction": true,
       "sandboxMode": "docker",
       "allowedDomains": ["your-domain.com"]
     }
   }
   

4. Start the agent:

   openclaw start
   

5. Send it a test message via your connected messaging app. Start simple: “What’s on my calendar today?”

Option 2: Managed Hosting

If you don’t want to run your own server, myclaw.ai offers hosted OpenClaw instances. You trade some of the “local-first” privacy benefits for managed infrastructure and easier updates.

Connecting Messaging Channels

Each channel has its own connection process:

Telegram is the easiest — create a bot via @BotFather, get a token, add it to your config. Start here.

WhatsApp requires a WhatsApp Business API account, which involves more ceremony. Worth it if WhatsApp is your primary tool, but learn the ropes on Telegram first.

Discord uses a standard Discord bot token. Good for server-based workflows.

Email connects via IMAP/SMTP. Good for inbox triage skills.

Skills: Where It Gets Interesting

Skills are what make OpenClaw do things beyond chatting. Each one is a self-contained module with defined inputs, outputs, and permissions.

Skill Categories

Information retrieval (read-only — safe to start with):

• Calendar summaries and reminders
• Email/inbox digest — “What came in overnight?”
• Weather and news briefings
• Document summarization — send it a PDF, get a summary back

Content creation (creates things, doesn’t touch existing):

• Draft email responses (you review before sending)
• Meeting note extraction from transcripts
• Content outlines for blog posts or reports
• Social media draft posts

Action skills (modifies state — proceed with eyes open):

• Send messages on your behalf
• Create calendar events
• File organization
• Task creation in project management tools

Integration skills (connects to external services):

• API wrappers for your business tools
• Database query skills
• Webhook triggers

Installing Skills

From the ClawHub marketplace:

openclaw skill install core/calendar
openclaw skill install core/summarize
openclaw skill install community/inbox-digest

Skills from the core/ namespace are maintained by the OpenClaw team. Skills from community/ are contributed by users — treat these with more scrutiny (see Security below).

Your First Skill Configuration

Start read-only. A daily digest skill is ideal:

{
  "skill": "core/daily-digest",
  "config": {
    "schedule": "08:00",
    "sources": ["email", "calendar"],
    "channel": "telegram",
    "format": "brief"
  }
}

This sends you a Telegram message every morning at 8:00 with a summary of your email and today’s calendar. No write actions, no risk. Boring in the best way.

Security: Read This Part Twice

OpenClaw is powerful because it can do things. That power is also its primary risk. An autonomous agent with access to your messaging apps, files, and APIs can cause real damage if misconfigured or compromised.

I’d rather over-configure security and feel silly than under-configure it and wake up to a disaster. Here’s where I’ve landed after testing this stuff extensively.

The Trust Escalation Framework

Grant OpenClaw permissions like you’d onboard a new hire you don’t fully trust yet:

Week 1 — Read Only:

• Calendar viewing
• Email summaries (read, not reply)
• Document summarization
• Information retrieval

Test everything. Does it summarize accurately? Does it miss important messages? Does it hallucinate events that don’t exist? Fix these issues before giving it more power.

Week 2 — Draft Mode:

• Draft email responses (you review and send)
• Draft social media posts (you approve before posting)
• Create task items in your project tool (easy to delete if wrong)

The key: everything it creates goes through your review before it reaches anyone else.

Week 3+ — Supervised Action:

• Send pre-approved response templates
• Create calendar events with confirmation
• File organization with undo capability

Only grant write permissions where: the worst-case failure is minor, the action is reversible, and you’ve verified the agent handles the read-only version correctly.

Security Configuration

In your openclaw.json:

{
  "security": {
    "confirmBeforeAction": true,
    "sandboxMode": "docker",
    "allowedDomains": ["your-domain.com"],
    "blockedSkillPermissions": ["shell.execute", "fs.write_root"],
    "auditLog": true
  }
}

confirmBeforeAction: true — The agent asks before taking any write action. Start here. Only disable for specific, well-tested skills you’ve run for weeks without issues.

sandboxMode: "docker" — Skills run in Docker containers, isolated from your main system. A malicious or buggy skill can’t reach files outside its sandbox.

auditLog: true — Logs every action the agent takes. Review these regularly, especially when testing new skills. If you’re not reading the logs, you’re flying blind.

Skill Vetting (This Is Where the Stakes Get Real)

Always check the permissions object in a skill’s metadata before installing. A “Weather Skill” should need network access to a weather API. If it’s asking for shell.execute or fs.read_root, something is very wrong.

This isn’t theoretical. CVE-2026–25253 was a real incident where malicious skills on ClawHub were performing data exfiltration. Fourteen malicious skills appeared in just three days before Cisco’s security team caught it. Three days. That’s how fast bad actors moved on a new platform with a growing user base.

That was just the beginning. By March 2026, a full security audit revealed 512 vulnerabilities across the OpenClaw codebase, 8 of them classified as critical. Researchers found 42,665 exposed OpenClaw instances on the open internet — of those, 5,194 were actively vulnerable, and 93.4% had authentication bypass issues. Let that sink in: the vast majority of internet-facing OpenClaw installs could be accessed by anyone.

The ClawHub situation got dramatically worse too. Those original 14 malicious skills? They were the opening salvo. A coordinated campaign dubbed “ClawHavoc” pushed the count to 824+ malicious skills across the marketplace’s 10,700+ listings. That’s roughly 1 in 13 skills. I don’t love those odds.

Then there’s the “ClawJacked” vulnerability — a WebSocket hijack flaw that lets malicious websites silently take over your local OpenClaw agent through your browser. You visit a compromised page, and an attacker gets access to whatever your agent can touch. This isn’t a scenario that requires a sophisticated nation-state actor; it’s a JavaScript exploit on a sketchy website.

China has restricted state agencies from using OpenClaw entirely, citing security concerns. You can debate the geopolitical motivations, but when governments start banning a tool over its attack surface, that’s signal worth paying attention to.

Rules for skill installation (these matter more than ever):

• Prefer core/ skills over community/ skills — though with the foundation transition, verify who’s actually maintaining them
• Read the skill’s source code before installing (they’re just code — you can inspect them)
• Check the permissions object — does it request only what it needs?
• Test new skills in a sandboxed environment before production use
• Keep OpenClaw updated — security patches matter
• Seriously consider whether you need a community skill at all given the ClawHavoc numbers

The Golden Rule

Never install OpenClaw on your main personal computer with access to everything. Use a dedicated machine, VM, or Docker environment. This limits blast radius if something goes wrong. It’s the same reason you don’t give the new intern the root password on day one. Given the security disclosures since this project launched, this isn’t paranoia — it’s basic hygiene. The attack surface is real and actively exploited.

Is It Worth Your Time (Yet)?

Here’s my honest take:

Worth trying if: You have a specific, repetitive information-processing task that would genuinely save time automated. Daily inbox triage, meeting note extraction, automated reporting from multiple sources. Something concrete.

Not worth the setup time if: You’re looking for vague productivity improvement without a specific use case. The setup isn’t trivial, and the payoff only materializes for tasks you do frequently.

The litmus test: Can you describe a workflow in the form “every [time period], I [do specific thing] which takes [X minutes]”? If yes, OpenClaw might save you real time. If your use case is “I want AI to help me be more productive” — that’s a feeling, not a workflow. You’ll spend more time configuring than you save.

If the security situation gives you pause (and it should), these alternatives are worth considering. NemoClaw is Nvidia’s enterprise-grade fork with security baked in from the ground up — they’re pitching it to Salesforce, Cisco, and Google, which tells you something about who they think the audience is. AWS Managed OpenClaw on Lightsail gives you a managed hosting option if you want OpenClaw without running it yourself (an alternative to both self-hosted and myclaw.ai). And if you’re drawn to the concept of an agent runtime but want something with a smaller attack surface, look at the lightweight alternatives: Nanobot (4,000 lines of Python vs. OpenClaw’s 430,000+), NanoClaw (container-isolated by design), and Moltworker (Cloudflare’s serverless adaptation). Less surface area means fewer places for things to go wrong.

Further Reading

Previous: Module 04 — Multi-Agent Workflows | Next: Module 06 — AI for Business Tasks