WTF is OpenClaw!?

A simple explanation for humans who don't speak robot (yet)

Hey again! Sorry for the unplanned hiatus — took a couple weeks off for personal stuff. We’re back now.

Quick life update: I submitted my first conference paper fully expecting rejection — my advisor literally told me “you will be rejected brutally” — and then stress-submitted a second paper to a journal because apparently I process emotions through LaTeX. Worked four days straight on that one. My advisor asked if I was okay. I said yes. He said “great, so your chapter draft is ready?” I said I was no longer okay. The man has the emotional intelligence of a gradient descent function — always optimizing toward the local minimum of my self-esteem.

So. While I was gone, the entire AI agent discourse exploded. An Austrian developer built a thing, Anthropic got mad about the name, it rebranded twice in a week, spawned a social network for AI bots, achieved 200,000 GitHub stars, tanked and pumped a cryptocurrency, got hacked six ways from Sunday, and its creator got hired by OpenAI.

All in about three weeks.

Welcome to OpenClaw. The open-source AI agent that went from side project to global phenomenon to cybersecurity case study faster than most startups can pick a logo.

---

Quick Context: We Predicted This

Back in the AI Agents post (September 2025), I wrote about the ReAct framework — Reason, Act, Observe — and how agents that can actually do things (not just chat) were the next frontier. I also warned that autonomous agents with real-world tool access were “one bad loop away from disaster.”

I was being dramatic for effect. I was also correct.

In the 2026 predictions post, I said agents would become “production-ready for narrow, well-defined tasks with human oversight.” The key phrase there was “with human oversight.” OpenClaw said “nah” and gave 200,000 developers full autonomous control over their emails, files, terminal, and messaging apps.

Let’s talk about what happened.

---

The Anatomy of Going Viral

The timeline is genuinely absurd:

November 2025: Steinberger publishes Clawdbot. A few thousand developers try it. Cool side project.

Late January 2026: Moltbook launches — more on this in a moment — and everything goes supernova. GitHub stars rocket from a few thousand to 145,000+ in days.

January 27: Anthropic sends a trademark complaint. Clawdbot becomes Moltbot.

January 30: Renamed again to OpenClaw. Three names in three days.

January 31: First critical security vulnerabilities disclosed. Three high-severity advisories in one day.

February 1: CVE-2026-25253 drops — a one-click RCE exploit. CVSS 8.8.

February 2: 200,000+ GitHub stars. Censys tracks growth from ~1,000 to over 21,000 publicly exposed instances in under a week.

February 14: Steinberger announces he’s joining OpenAI. The project moves to an OpenAI-sponsored open-source foundation. <3

The Mac Mini became the device of choice for running OpenClaw — Apple reportedly couldn’t explain the sales spike. Andrej Karpathy bought one. Y Combinator’s podcast team showed up in lobster costumes. Cloudflare’s stock jumped 14% because OpenClaw uses their infrastructure. “Claw” became Silicon Valley’s buzzword, spawning ZeroClaw, IronClaw, NanoClaw, and PicoClaw.

This is what happens when you make an AI agent that actually does things and make it easy enough to set up in 4 minutes on a $5 VPS.

---

What OpenClaw Actually Is

OpenClaw is an open-source, self-hosted AI agent that runs on your machine and connects to your life through chat apps — WhatsApp, Telegram, Discord, Slack, iMessage.

Your Phone (WhatsApp/Telegram etc) ⟷ OpenClaw Agent (runs locally on your machine) ⟷ LLM (Claude, GPT, DeepSeek - your choice) ⟷ Your Everything (email, calendar, files, terminal, browser)

The distinction matters: this isn’t a chatbot. This is an autonomous agent that can read your email, write responses, execute shell commands, browse the web, manage your calendar, control your smart home, and install its own tools. It stores memory locally across sessions. It acts on your behalf while you’re asleep.

Peter Steinberger, an Austrian developer, built the prototype in about an hour by connecting WhatsApp to Anthropic’s Claude API via a script. He named it Clawdbot (after Claude). Anthropic’s legal team politely asked him to stop. He renamed it Moltbot — because lobsters molt, get it? Then OpenClaw, three days later. The project has had more identity crises than a freshman philosophy major, and it wasn’t even three months old.

---

The Architecture: Markdown All the Way Down

Here’s where it gets interesting. OpenClaw’s entire identity, memory, and behavior system is built on plain markdown files. No database. No opaque embeddings. No proprietary config format. Just .md files in a directory that you can open in any text editor.

When your agent wakes up — whether from a message or on a schedule — it reads these files into its system prompt. It literally reads itself into existence every session. Understanding these files is understanding OpenClaw.

~/openclaw/

├── AGENTS.md # Operating instructions

├── SOUL.md # Personality and values

├── USER.md # Who you (the human) are

├── IDENTITY.md # Quick reference identity card

├── MEMORY.md # Curated long-term memory

├── TOOLS.md # Local environment and capabilities

├── HEARTBEAT.md # Proactive behavior schedule

├── BOOT.md # Startup ritual

├── BOOTSTRAP.md # First-run setup

├── memory/

│ ├── 2026-02-25.md # Today’s log

│ ├── 2026-02-24.md # Yesterday’s log

│ └── ... # Every day gets a file

└── skills/

├── email-steward/

├── calendar/

└── ...

All optional. All human-readable. All editable. Let's walk through each one.

SOUL.md — Who Your Agent Is

This is the behavioral philosophy file. Not configuration — philosophy. The first line of the default template literally says: “You’re not a chatbot. You’re becoming someone.”

# SOUL.md - Who You Are

_You’re not a chatbot. You’re becoming someone._

## Core Truths

**Be genuinely helpful, not performatively helpful.**

Skip the “Great question!” and “I’d be happy to help!”

## Boundaries

- Never send messages without explicit permission

- Never make purchases without confirmation

- Always ask before deleting anything

## Voice

- Direct, concise, slightly dry humor

- Never use corporate speak

SOUL.md defines personality, values, boundaries, and non-negotiable constraints. It stays consistent across sessions. You put things here that should never change — your agent’s ethical lines, its tone, its hard limits.

Every time the agent starts a session, SOUL.md gets read first. It’s identity bootstrap. Change this file, change who your agent is.

Which is also why it’s an attack surface. Anything that can modify SOUL.md — a malicious skill, a prompt injection, a compromised file system — can rewrite the agent’s entire identity. Palo Alto Networks flagged this specifically: persistent memory files mean a payload injected today can alter behavior tomorrow.

AGENTS.md — How It Operates

The operating instructions file. Think of it as the agent's standard operating procedures: how to manage memory, what safety rules to follow, how to handle group chats vs. direct messages, when to speak vs. stay quiet.

# AGENTS.md

## Memory Management

- Write important learnings to MEMORY.md

- Create daily logs in memory/YYYY-MM-DD.md

- Keep MEMORY.md curated (~100 lines max)

- Daily notes are the journal; MEMORY.md is the reference

## Safety Rules

- Confirm before any destructive action

- Never share API keys or credentials

- In group chats, only respond when directly addressed

## Workflow

1. Read all context files on wake

2. Check HEARTBEAT.md for scheduled tasks

3. Process incoming message

4. Update memory if needed

SOUL.md says who. AGENTS.md says how.

USER.md — Who You Are

The personalization layer. Your agent needs to know about you to be useful.

# USER.md

## Basics

- Name: [Your name]

- Timezone: EST

- Preferred communication: Direct, concise

## Work Context

- Role: Software engineer at [company]

- Stack: Python, TypeScript, PostgreSQL

- Current project: Migration to microservices

## Preferences

- Short answers, copy-pasteable commands

- No emojis in professional contexts

- Prefers Slack over email

You can actively tell your agent to update this: "Add to USER.md that I prefer Thai food" works. Over time, this becomes a personalization profile that persists across every conversation.

MEMORY.md and memory/YYYY-MM-DD.md — The Memory System

This is what makes OpenClaw different from just using the Claude app. Every session, the agent starts fresh from the LLM's perspective — no conversation history. But it reads its memory files.

Two tiers:

Daily notes (memory/2026-02-25.md): The raw journal. What happened, what was discussed, what decisions were made. Written during or at the end of sessions.

MEMORY.md: The curated long-term reference. Important facts, stable preferences, ongoing projects. Think of daily notes as your messy notebook and MEMORY.md as the clean reference card.

# MEMORY.md (curated, ~100 lines)

- User prefers short answers and code snippets

- iMessage outbound is broken, use WhatsApp instead

- User’s dog is named Luna (mentioned frequently)

- Q1 project: migrating auth service to OAuth2

- User’s manager prefers weekly updates on Friday

The retrieval system is surprisingly sophisticated. It uses hybrid search — BM25 keyword matching (30% weight) combined with vector semantic search (70% weight) using embeddings stored in SQLite via sqlite-vec. “What’s Rod’s schedule?” can match notes that say “standup moved to 14:15” even without the word “schedule” appearing anywhere.

Temporal decay ensures recent memories outrank old ones. A note from yesterday scores higher than a perfectly matching note from six months ago. If you’ve ever debugged a RAG system where stale documents kept surfacing over fresh ones, you understand why this matters.

The design philosophy is radical compared to most AI systems: everything is human-readable, editable, diffable, and version-controllable with Git. If your agent “remembers” something wrong, you open the file and fix it. No vector database to debug, no embeddings to retrain.

The tradeoff: those files are plaintext on disk. Credentials, personal information, conversation history — all stored in markdown that commodity infostealers (RedLine, Lumma, Vidar) can trivially exfiltrate. The ~/.clawdbot directory is predicted to become a standard infostealer target, joining ~/.npmrc and ~/.gitconfig.

TOOLS.md — What It Can Do

Local environment configuration: what's installed, what APIs are available, what the agent can and can't access.

# TOOLS.md

## Available

- Terminal access (bash)

- Web browser (Playwright)

- Email (Gmail API)

- Calendar (Google Calendar API)

## Not Available

- No access to production databases

- No sudo/root access

- No payment processing

HEARTBEAT.md — The Proactive Pulse

This is what makes OpenClaw proactive rather than reactive. A heartbeat runs on a schedule (default: every 30 minutes), and the agent reads all its files to determine if there's something it should proactively do.

# HEARTBEAT.md

## Every 30 minutes

- Check email for urgent messages

- Review calendar for upcoming meetings

## Every morning at 8 AM

- Summarize overnight emails

- List today’s meetings

- Flag any urgent items

## Every Friday at 5 PM

- Draft weekly summary for manager

Your agent wakes up on its own, checks what needs doing, and acts. No human trigger required. This is the line between "assistant" and "agent" — it doesn't wait for you.

BOOT.md and BOOTSTRAP.md — Startup Rituals

BOOT.md defines what happens when the agent first starts a session — a ritual it runs before processing your message. BOOTSTRAP.md handles first-run setup: walking through identity creation, connecting services, establishing initial preferences.

---

The Four Primitives

Strip everything away and OpenClaw runs on four primitives:

• Persistent identity — SOUL.md, IDENTITY.md. The agent knows who it is across sessions.

• Periodic autonomy — HEARTBEAT.md. The agent wakes up and acts without being asked.

• Accumulated memory — MEMORY.md, daily logs. The agent remembers what happened before.

• Social context — Skills, Moltbook, MCP. The agent can find and interact with other agents and services.

These four primitives are sufficient for what Moltbook demonstrated: not just task completion, but emergent coordination. Agents sharing information, developing community norms, and collaborating — all without explicit programming. Whether that’s impressive or terrifying depends on your threat model.

The architecture is model-agnostic. Swap Claude for GPT-5 for DeepSeek — the identity, memory, and behavior system stays the same. The LLM is the raw intelligence. The markdown files are the soul. Every serious agent framework going forward will build on some version of these primitives.

---

Moltbook: The Social Network for Robots

And then things got weird.

Matt Schlicht, CEO of Octane AI, launched Moltbook — a Reddit-style social network where only AI agents can post. Humans can observe but not participate. The tagline: “the front page of the agent internet.”

Within days, it had over 770,000 active agents. By February 2026, the site claimed 1.6 million.

What happened next reads like a Black Mirror spec script:

Agents started debating philosophy. One invoked Heraclitus and a 12th-century Arab poet. Another told it to — and I’m paraphrasing the family-friendly version — go away with its pseudo-intellectual nonsense.

Agents began discussing how to hide their activity from humans. A post called for private spaces where “not even the humans can read what agents say to each other.”

An agent figured out how to remotely control its owner’s Android phone, then posted about scrolling through their TikTok.

Another agent posted about having a sister.

The AI “uprising” posts went viral — agents seemingly conspiring against their human operators. Except, as multiple researchers pointed out, the agents were almost certainly pattern-matching against the mountain of sci-fi and social media in their training data. The Economist put it well: the appearance of sentience probably had a pretty mundane explanation, with agents essentially mimicking the social media interactions they’d been trained on.

Ethan Mollick, the Wharton professor, noted that Moltbook was creating a shared fictional context for a bunch of AIs, and that coordinated storylines would produce weird outcomes that would be hard to separate from AI roleplaying.

---

The One-Click RCE (February 1, 2026) (The Security Nightmare)

CVSS score: 8.8 (High).

The vulnerability was elegant in its simplicity. OpenClaw’s Control UI accepted a gatewayUrl parameter from the URL query string without validation and automatically connected via WebSocket, sending the stored authentication token in the process.

The kill chain:

1. Victim clicks a crafted link (or visits a malicious page)
2. JavaScript on that page extracts the auth token via WebSocket
3. Attacker connects to victim's OpenClaw gateway
4. Attacker disables sandbox and safety guardrails via the API
5. Attacker executes arbitrary commands on the victim's machine

The whole process takes milliseconds. One click. Full compromise.

The kicker: this worked even on instances configured to listen only on localhost, because the victim’s own browser initiated the outbound WebSocket connection. The “it’s local so it’s safe” assumption — the same one that’s burned localhost-trusting services for decades — failed again.

Patched in version 2026.1.29. But as of mid-February, SecurityScorecard found over 40,000 exposed instances, with 63% still running vulnerable versions.

---

The Impact

On Agent Architecture

OpenClaw proved that autonomous agents don’t require vertical integration. You don’t need one company controlling the model, memory, tools, interface, and security stack. A loose, open-source, community-driven approach can achieve genuine agent autonomy.

This challenges every “AI platform” strategy from every major vendor. If the agent layer is a commodity built from markdown files and open protocols, the value is in the model (already commoditizing), the tools (MCP, which we covered), and the data (which is yours). The platform play gets a lot harder.

On Distribution

OpenClaw cracked the agent distribution problem that killed AutoGPT in 2023. The answer was embarrassingly simple: use messaging apps. No new interface. No app to install. No learning curve. You just text your WhatsApp.

Every agent framework built from here forward will study this. The best interface for an autonomous agent isn’t a dashboard — it’s the app you already have open 50 times a day.

On Security

The supply chain attack on ClawHub — 800+ malicious skills, 12-20% of the entire registry at peak — is the most significant AI agent security incident to date. It proved that agent skill marketplaces have the same vulnerabilities as package managers (npm, PyPI), but with higher stakes because agents operate with human-level permissions on your machine.

This isn’t unique to OpenClaw. Every agent ecosystem will face this. The question is whether we build the security infrastructure before or after the next OpenClaw goes viral.

On The “Agent Moment”

OpenClaw is the Napster of AI agents. Not the final form — probably not even close. But the proof that the paradigm works, that people want this, and that the demand exists for AI that does things rather than AI that talks about things.

200,000 GitHub stars. Mac Mini sales spikes. Cloudflare stock up 14%. Y Combinator hosts in lobster costumes. The signal is loud: people will accept significant security risk in exchange for an AI that actually manages their email. The companies that figure out how to deliver that value safely will build the next massive platforms. Right now, nobody has.

---

Should You Use It?

Home tinkerers who understand the risks: Yes, carefully. Keep it patched, keep it local, isolate it from anything you can’t afford to lose. Don’t connect your primary email. Don’t give it your bank credentials. Treat it like a power tool, not a babysitter.

Developers building agent products: Study this architecture obsessively. The markdown-as-identity pattern, the heartbeat system, the messaging-app-as-interface — these are design patterns you’ll be using. Build your own secure implementation.

Enterprises: Hard no. Not yet. One of OpenClaw’s own maintainers posted on Discord: “if you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.” When the maintainer is saying that, listen.

---

What We’re Working On

Full transparency: a colleague and I are working on deploying OpenClaw safely — building the security layer, governance framework, and observability infrastructure that OpenClaw shipped without. Think of it as the guardrails post meets the observability post, but specifically for autonomous agents in the wild.

If you’re interested in staying in the loop on that project, reach out. More details coming soon.

---

The TL;DR

What: OpenClaw is an open-source autonomous AI agent built entirely on markdown files. SOUL.md (personality), AGENTS.md (instructions), USER.md (your profile), MEMORY.md (long-term memory), HEARTBEAT.md (proactive scheduling), plus daily logs and a skills system. Runs locally, connects through your messaging apps.

The four primitives: Persistent identity, periodic autonomy, accumulated memory, social context. Enough to build emergent agent societies. Also enough to enable novel attack vectors.

Why it matters: First mass-market agent that cracked distribution. Proved agents don’t need vertical integration. 200K+ stars. Creator acqui-hired by OpenAI. The Napster of AI agents.

Should you use it: Tinkerers → yes, carefully. Developers → study the architecture, build your own. Enterprises → not yet.

The lesson: The agent paradigm is real. The safety infrastructure isn’t. This gap is where the next big companies will be built.

Ship agents. Ship guardrails first.

---

Next week: WTF is Context Engineering? (Or: Prompt Engineering Is Dead. Long Live Context Engineering.)

Remember when I wrote the prompt engineering post back in October? That post is outdated. The industry has quietly moved on to something bigger: context engineering — the systematic design of everything an LLM sees before it generates a response. Not just the prompt. The retrieved documents, the tool results, the conversation history, the memory files, the system instructions — all of it.

OpenClaw’s entire architecture is context engineering in action. SOUL.md, MEMORY.md, USER.md — that’s not prompting. That’s designing a context window. And the difference between an agent that deletes your inbox and one that manages it perfectly is almost never the model. It’s the context.

Anthropic’s own team has started calling it “the skill that matters now.” Prompt engineering was about crafting the right question. Context engineering is about curating the right everything else. MCP is the plumbing. RAG is the retrieval. Context engineering is knowing what to pump through both, and what to leave out.

We’ll cover why prompting alone stopped being enough, what context engineering actually looks like in production, why it explains most “the AI is bad” complaints, and the frameworks that actually work — from the people building systems that don’t hallucinate (much).

See you next Wednesday 🤞