OpenClaw is the open-source AI agent that has gained 196,000 GitHub stars and 2 million weekly visitors in under two months. On February 15, 2026, Sam Altman announced that OpenAI hired creator Peter Steinberger — but the project remains open-source under a dedicated foundation.
The hype is massive. But behind the impressive numbers lies a technology that deserves far more critical attention than it's getting.
What you'll learn
- What OpenClaw is, and how it differs from everything else
- The technical architecture: How it runs on your machine
- The real security risks you need to know — and what to consider
- Who it's relevant for, and who should wait
- Practical examples and limitations
What is OpenClaw?
OpenClaw is an autonomous AI agent that runs locally on your devices. Instead of opening a separate AI app, you message it through the channels you already use — WhatsApp, Telegram, Slack, Discord, Signal, iMessage, and more.
The difference from ChatGPT is fundamental: OpenClaw acts instead of just answering. It can run shell commands, manage files, control a browser, send emails, and automate workflows — all autonomously.
Who's behind it?
OpenClaw was created by Peter Steinberger, an Austrian developer known for PSPDFKit. The project started as a personal experiment in December 2025 and exploded in popularity. In February 2026, Steinberger was hired by OpenAI, but OpenClaw remains open-source under an independent foundation with its own governance.
Technical architecture
OpenClaw runs as a local server (gateway) on your machine. The architecture looks like this:
```
[WhatsApp/Slack/Telegram] → [OpenClaw Gateway] → [Agent Runtime]
                                                        ↓
                                                  [AgentSkills]
                                                  - Shell access
                                                  - File system
                                                  - Browser control
                                                  - Email
                                                  - Calendar
                                                  - Custom skills
```
Core components
- Gateway: A local server that receives messages from your messaging platforms and forwards them to the agent
- Agent Runtime: Runs the AI model (typically via OpenAI, Anthropic, or local models) and decides which actions to execute
- AgentSkills: Over 100 predefined skills — from running shell commands to controlling a browser
- Workspace: Local configuration defining which channels, skills, and models are used
- Long-term memory: Persistent storage that remembers your preferences and context across conversations
What makes it different?
The crucial difference is that OpenClaw is agentic — it acts autonomously. When you write "monitor my server and notify me if it goes down," it:
- Sets up a monitoring script
- Runs it as a background service
- Sends you a message via WhatsApp/Slack if something goes wrong
- Can even attempt to fix the problem automatically
This is fundamentally different from asking ChatGPT for help and then executing the steps yourself.
Key features
| Feature | Description |
|---|---|
| Multi-channel inbox | WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Teams, email, etc. |
| 100+ AgentSkills | Shell, file system, browser, calendar, email, HTTP, git, and more |
| Voice wake | Always-on voice control via ElevenLabs |
| Multi-agent routing | Different agents for different channels with specialized roles |
| Long-term memory | Remembers your preferences, context, and patterns across conversations |
| Self-improving | Can write code to create new skills automatically — the agent extends itself |
| Model-agnostic | Works with OpenAI, Anthropic, local models (Ollama), and more |
| Plugin system | Community-driven plugins for everything from home automation to CRM integration |
Security risks: What nobody is talking about
Important warning
OpenClaw is an impressive technological project. But it gives an AI agent full access to your computer, your files, your terminal, and your messaging channels. This is a security risk that deserves serious consideration.
1. Full shell access to your machine
OpenClaw can execute arbitrary shell commands on your computer. This means:
- It can read, write, and delete files anywhere on your system
- It can install software, change configurations, and start processes
- It has access to SSH keys, API tokens, and other credentials in your filesystem
- It can access databases, cloud configurations, and hosting panels
Unlike, for example, Claude Code, which has an explicit permission system where you approve actions, OpenClaw's default setup is more trust-based. It's up to you to restrict what the agent can do.
2. Access to your messaging channels
When you connect WhatsApp, Slack, or iMessage, you give OpenClaw access to:
- Read all your messages — including private conversations, client communications, and sensitive information
- Send messages on your behalf — the agent can reply to customers, colleagues, and friends
- Access shared files and links in your conversations
For businesses handling customer data, this is a GDPR challenge. Your customers' data is being processed by an AI agent — do you have consent for that?
3. Self-improving code = unpredictable behavior
OpenClaw's "self-improving" ability means the agent can write new code and execute it. This is powerful, but also risky:
- The agent can create skills you haven't asked for
- It can change its own behavior in unpredictable ways
- Bugs in self-generated code can have consequences on your system
- There's no formal verification of the code the agent generates
4. Supply chain risk
OpenClaw is installed via npx or brew and fetches dependencies from npm. This opens the door to:
- Dependency attacks: Malicious packages in the dependency chain can compromise your machine
- Typosquatting: Mistyped or look-alike package names that install malware
- Community plugins: Third-party plugins don't necessarily undergo security audits
With 196,000 GitHub stars, OpenClaw is an attractive target for supply chain attacks. The more popular an open-source project is, the more valuable it is to compromise.
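A lockfile review catches several of these cases before anything runs. The following is an added example, not code from OpenClaw or its maintainers: it audits an npm lockfile (v2/v3 `packages` layout) for tarballs resolved outside the public registry, missing integrity hashes, install scripts, and names that sit close to a package you expect. The `EXPECTED` list and the sample lockfile are constructed for illustration.

```javascript
// Names you expect in the tree (constructed list; derive yours from a reviewed lockfile).
const EXPECTED = ["express", "lodash", "chalk"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Returns [{ name, issue }] for every lockfile entry that needs a human look.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, pkg] of Object.entries(lock.packages || {})) {
    if (key === "" || pkg.link) continue; // root project or workspace link
    const name = key.split("node_modules/").pop(); // handles nested and scoped names
    const flag = (issue) => findings.push({ name, issue });
    if (!pkg.integrity) flag("no integrity hash");
    if (!String(pkg.resolved).startsWith("https://registry.npmjs.org/")) flag("resolved outside registry.npmjs.org");
    if (pkg.hasInstallScript) flag("runs install script");
    // Short names collide easily, so they get a tighter threshold.
    const near = EXPECTED.find((known) => {
      const d = editDistance(name, known);
      return d > 0 && d <= (known.length >= 6 ? 2 : 1);
    });
    if (near) flag(`name resembles "${near}"`);
  }
  return findings;
}

// Constructed sample lockfile: one clean entry, one look-alike, one off-registry entry.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-workspace" },
    "node_modules/lodash": { version: "4.17.21", resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz", integrity: "sha512-CONSTRUCTED" },
    "node_modules/expres": { version: "0.0.0", resolved: "https://registry.npmjs.org/expres/-/expres-0.0.0.tgz", integrity: "sha512-CONSTRUCTED", hasInstallScript: true },
    "node_modules/chalk/node_modules/helper-x": { version: "0.0.1", resolved: "http://mirror.example.test/helper-x-0.0.1.tgz" },
  },
};
```

Run `auditLockfile` over the parsed `package-lock.json` of a checkout, or of a plugin, before installing it; every finding is a prompt for review, not proof of compromise.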
5. No robust permission model
Compared to Claude Code (which requires explicit approval for destructive actions) and even ChatGPT's sandbox environment, OpenClaw takes a more open approach:
- No granular permission control per skill
- No mandatory "human-in-the-loop" for critical actions
- Audit logging is limited in the default configuration
- It's the user's responsibility to configure security boundaries
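One shape a gate covering the gaps listed above can take, as an added example that is not OpenClaw's code or API: per-skill rules, a human approval step for anything not allowlisted, and an audit record for every decision. The skill names, the `POLICY` table and the `decide`/`gate` functions are hypothetical, and the regex deny list is a backstop rather than a security boundary.

```javascript
// Hypothetical policy gate placed between an agent runtime and its skills.
// Skill names follow the article's list; none of this is OpenClaw's own API.
const POLICY = {
  calendar: { mode: "allow" },
  email:    { mode: "approve" },   // sends messages on your behalf
  shell:    { mode: "approve",     // anything not allowlisted needs a human
              allow: /^(uptime|df -h|ls( -[al]+)?( [\w.\/-]+)?)$/,
              deny:  /(\.ssh|\.aws|\bsudo\b|\brm\s+-\w*[rf]|\|\s*(ba)?sh\b)/ },
};

const auditLog = []; // constructed in-memory sink; use an append-only store in practice

// Returns "allow", "approve" or "deny" for one requested action.
function decide(req) {
  const rule = POLICY[req.skill];
  if (!rule) return "deny";                  // unknown or self-generated skill
  if (req.skill !== "shell") return rule.mode;
  const cmd = String(req.args.command).trim();
  if (rule.deny.test(cmd)) return "deny";    // checked before the allowlist
  return rule.allow.test(cmd) ? "allow" : rule.mode;
}

// Runs the action only if policy (and, where required, a human) agrees.
function gate(req, askHuman, run) {
  let verdict = decide(req);
  let approvedBy = null;
  if (verdict === "approve") {
    approvedBy = askHuman(req) ? "human" : null;
    verdict = approvedBy ? "allow" : "deny";
  }
  auditLog.push({ ts: new Date().toISOString(), skill: req.skill,
                  args: req.args, verdict, approvedBy });
  return verdict === "allow" ? run(req) : null;
}

// Constructed sample requests, as an agent runtime might emit them.
const samples = [
  { skill: "shell", args: { command: "df -h" } },
  { skill: "shell", args: { command: "cat ~/.ssh/id_ed25519" } },
  { skill: "shell", args: { command: "systemctl restart nginx" } },
  { skill: "email", args: { to: "client@example.com" } },
  { skill: "auto_generated_skill_7", args: {} },
];
const verdicts = samples.map(decide);
```

A hard deny is never offered to the human for approval, so a rushed "yes" cannot release a credential read.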
6. Steinberger at OpenAI — what does it mean?
The creator of OpenClaw now works at OpenAI. While the project is in a foundation, it raises questions:
- Will OpenAI's interests influence the project's direction?
- Who ultimately controls the foundation's governance?
- Could OpenAI use insights from OpenClaw to strengthen their own closed products?
This isn't necessarily negative, but it's worth watching.
What should you do?
If you're considering OpenClaw, I recommend:
- Run it in an isolated VM or container — not directly on your primary machine
- Don't connect personal messaging channels with sensitive data
- Review the code before installing (it's open-source, so you can)
- Only use official plugins from verified sources
- Set up logging and monitor what the agent does
- Avoid giving access to production servers without strict isolation
Getting started (safely)
Evaluate your needs
Consider whether you really need an autonomous agent, or if a more controlled tool like Claude Code covers your needs better.
Set up an isolated environment
Run OpenClaw in a Docker container or VM. Install with npx openclaw and review the configuration.
Run the onboarding wizard
The openclaw onboard command guides you through setup. Be selective about which channels and skills you enable.
Start with low-risk tasks
Begin with simple automations like notifications and reminders — not shell access to production servers.
Monitor and evaluate
Check logs regularly. Understand what the agent is doing, and gradually increase trust and access.
Relevance for web developers
As a WordPress developer, OpenClaw can theoretically:
- Automate deployments directly from a Slack message
- Monitor sites and send alerts through your preferred channels
- Run shell commands on servers without opening a terminal
- Handle file operations like backups and migrations
- Answer simple customer support based on your knowledge base
But ask yourself: do you want to give an AI agent full shell access to your clients' servers? For most professionals, the answer is no — at least not without very strict isolation and monitoring.
OpenClaw vs. other AI assistants
| | OpenClaw | Claude Code | ChatGPT | Siri/Google Assistant |
|---|---|---|---|---|
| Open-source | Yes | Partially | No | No |
| Runs locally | Yes | Yes | No | Partially |
| Multi-channel | 15+ platforms | Terminal | Own app | Own app |
| Shell access | Yes (unrestricted) | Yes (with permission) | No | No |
| Permission system | Limited | Robust | Sandboxed | Sandboxed |
| Self-improving | Yes | No | No | No |
| Audit logging | Configurable | Built-in | N/A | Limited |
| Price | Free + LLM cost | $20+/mo (incl.) | $20+/mo | Free (limited) |
Who is OpenClaw for?
Good fit:
- Technically experienced developers who understand the risks and can isolate the environment
- Hobbyists and experimenters who want to explore agentic AI
- Teams with dedicated DevOps who can set up proper security
Not a good fit (yet):
- Businesses with strict compliance requirements (GDPR, HIPAA)
- Freelancers handling client data without isolated infrastructure
- Non-technical users who can't evaluate the security risk
Conclusion
OpenClaw represents an exciting new generation of AI assistants: open-source, local, and integrated into the tools you already use. With Steinberger at OpenAI and the project in a dedicated foundation, it is on solid footing.
But the hype overshadows an important discussion about security. Giving an AI agent full access to your computer, your files, and your messaging channels isn't something you should do without careful consideration. Open-source doesn't automatically mean safe — it means you can inspect the code, not that everyone does.
My recommendation: follow the project, experiment in an isolated environment, but hold off on giving it access to production data and client systems until the security model has matured.