OpenClaw Is What Siri Should Have Been And That's the Problem

For about fifteen years, the promise of a personal AI assistant has been just out of reach. Siri launched in 2011 and gave us voice-activated reminders. Cortana tried and mostly made people miss the Start button. Google Assistant got pretty good at answering questions you could have just Googled. The common thread: these tools answer when asked. They don't act.

OpenClaw is different. And in a few short months, it's become the clearest proof yet that the category of truly autonomous personal AI agents is no longer a research demo it's here, it's open source, and it's pulling credentials from your inbox.

What happened, and fast

Peter Steinberger an Austrian developer who previously built and sold PDF toolkit company PSPDFKit for roughly $119 million launched the project in January 2026 under the name Clawdbot. Within 24 hours it had 9,000 GitHub stars. Within a week, 60,000. Andrej Karpathy posted about it. David Sacks (the White House's AI and crypto czar) praised it. Jensen Huang called it "definitely the next ChatGPT" at Nvidia's GTC keynote and announced NemoClaw, an AI agent platform built around it.

The viral growth also attracted the usual parasites: crypto scammers sniped the @clawdbot X handle within seconds of a name announcement, a fake $CLAWD token briefly hit a $16 million market cap before crashing 90%, and Anthropic sent a polite trademark email pointing out that "Clawdbot" and its AI assistant "Clawd" were perhaps uncomfortably similar to a certain commercial LLM named Claude. The project renamed to Moltbot, then settled on OpenClaw open source plus the lobster mascot that had survived the chaos intact.

In February, Steinberger partnered with OpenAI, staying open source but gaining the resources to scale. The lobster had molted twice and kept growing.

What it actually is, architecturally

Strip away the hype and OpenClaw is an orchestration and routing layer, not an AI model itself. Here's the architecture in plain terms:

The agent lives in your messaging apps. WhatsApp, Telegram, iMessage, Slack, Discord, Signal. You text it the same way you'd text a colleague. There's no separate app to open, no context switch.

It routes to your LLM of choice. OpenClaw doesn't do the AI heavy lifting it sends your messages to Claude, ChatGPT, or Gemini (your call) and relays the response. The intelligence is rented; the orchestration is local.

It runs on your hardware. OpenClaw runs locally, which is why a Mac Mini has become a popular host. The local execution is also what gives it access to your files, calendar, email, and local services. No cloud intermediary sees your data but that also means no cloud provider is managing your security posture.

It maintains state across sessions. Unlike a chat interface that forgets everything when you close the window, OpenClaw persists context. It remembers what you told it last Tuesday.

The result is something that feels less like software and more like a junior employee who has been given the keys to your digital life.

The three things that actually matter

A lot of AI tools compete on model quality. OpenClaw competes on integration depth, and its three core differentiators are genuinely new:

Persistent memory. Most AI interactions are stateless every session starts from scratch. OpenClaw tracks your preferences, ongoing projects, and past conversations. This sounds like a small thing until you realise it means the agent can build a working model of you over time. It learns that you prefer bullet summaries over prose, that you always need Monday's briefing by 7am, that project X is the one where the client is difficult.

Proactive notifications. This is the feature that separates OpenClaw from every other AI assistant. It messages you. You can wake up to a text: "Here are your three priorities today, one email that needs a reply before 10am, and a reminder that your standing sync is at 2." You didn't ask. It just did it. For anyone who has tried to use AI as a productivity tool, this is the missing piece: most AI tools wait to be told what to do, which means you have to remember to ask.

Real automation. Depending on how you configure it: scheduled tasks, email triage, file organisation, form filling, smart home control, research threads that span days. The breadth is only limited by what APIs you're willing to wire it to.

The security problem and why it's bigger than OpenClaw

Here is where the honest analysis has to get uncomfortable.

In the early weeks of Clawdbot's existence, security researchers found hundreds of publicly accessible deployments with no authentication, exposing API keys, chat logs, and system access to anyone who could find the URL. By the time the dust settled, security firm Censys had identified 21,639 exposed instances primarily in the US, China, and Singapore. Koi Security found 341 malicious "skills" among the 33,843 available on the ClawHub directory.

Steinberger and the team moved quickly to patch specific vulnerabilities. But patching individual bugs is not the core issue.

The deeper problem was articulated clearly by Roy Akerman, head of cloud and identity security at Silverfort: "When an AI agent continues to operate using a human's credentials, after the human has logged off, it becomes a hybrid identity that most security controls aren't designed to recognize or govern."

Read that again. When OpenClaw is running on your Mac Mini, it is operating as you. It has your email credentials. It can send messages on your behalf. It can access files you have access to. And it does this continuously not just when you're at the keyboard.

Your organisation's security infrastructure was designed around human logins. It can detect when a human account suddenly downloads gigabytes of data at 3am. It cannot easily detect when an AI agent is doing something slightly unusual over a long period of time, because the AI agent looks like you, has your authorisation, and generates activity that looks entirely plausible.

This is not a problem any LLM provider can solve for you. It is an architectural challenge for every organisation that allows its people to use AI agents and right now, most organisations don't have an answer.

Should you care?

For personal use: OpenClaw is genuinely impressive and clearly points in a direction the whole industry is heading. If you're technically capable and have the appetite to configure it carefully including working through the security checklist at openclaw.ai it's worth exploring. If you want something that just works out of the box, it's not there yet.

For team or organisational use: Not yet. The security story is immature, the surface area is wide, and the category is still figuring out what "securing an AI agent" even means.

The bigger signal: OpenClaw is a milestone, not a finished product. It proves that there is a huge demand for AI assistants and that people want them badly enough to install and configure something genuinely complex. The next 18 months will produce more polished versions of this architecture from Steinberger's continued work with OpenAI, from competitors, and from enterprise software vendors who are watching closely.

The question worth asking now is: when this lands in your organisation, do you have a framework for governing AI agents?