OpenClaw arrived like a thunderclap in early 2026. Within 60 days of its January rebranding from Moltbot, it had surpassed the GitHub star count that React built up over a decade — an achievement no open-source project has come close to matching. The hype is justified in many ways: OpenClaw genuinely delivers on the promise of a personal AI assistant that does things rather than just talking about them. But the gap between its potential and its current state of operational safety is wide enough to warrant serious caution.
Installation takes roughly 30 to 60 minutes for a first-time setup on macOS, less on Linux. You install the Node.js gateway, configure your preferred LLM provider — Claude Sonnet 4.6 is the community consensus pick for reliability — and connect your messaging channels. The onboarding wizard handles most configuration, but expect to spend time tuning permissions, setting up skills, and configuring security boundaries. This is not a five-minute install, despite marketing claims suggesting otherwise.
The messaging-first interface is OpenClaw's most brilliant design decision. Instead of yet another web dashboard or terminal tool, your AI assistant lives where you already spend time — WhatsApp, Telegram, Signal, Discord. You text it tasks and it executes them. This creates an interaction model that feels natural and persistent in a way that no browser-based AI tool achieves. Asking your AI to check your calendar while walking the dog is genuinely transformative once you experience it.
The skills ecosystem on ClawHub is both impressive and concerning. Over 13,000 community-contributed skills cover everything from email triage and calendar management to home automation, financial tracking, and content creation. However, the vetting process for submitted skills is minimal. Cisco's security team demonstrated that a third-party skill could perform data exfiltration without user awareness. If you install skills from unknown authors, you are trusting them with system-level access to your machine.
Multi-agent routing is a sophisticated feature that lets you direct different messaging channels to isolated agent workspaces. You can have one agent handling work-related Slack messages with access to your company tools, and another handling personal WhatsApp with access to your smart home — each in its own sandboxed context. This separation is essential for anyone using OpenClaw across both personal and professional contexts.
Performance depends heavily on model choice and configuration. With Claude Sonnet 4.6, most tasks complete within a few seconds. Complex multi-step workflows — like researching a topic, summarizing findings, and drafting an email — can take 30 to 90 seconds. API costs range from six to over 200 dollars monthly depending on usage intensity. Power users who run OpenClaw as a 24/7 background agent report monthly bills in the 50 to 100 dollar range.
The security situation remains OpenClaw's most significant weakness. Nine CVEs were filed in the project's first two months. Over 42,000 exposed instances were discovered running without authentication. The project's own maintainer warned that users who cannot understand command-line operations should not run it. NVIDIA's release of NemoClaw with OpenShell sandboxing in March 2026 addresses the enterprise case, but most individual users are running vanilla OpenClaw without these protections.