This viral AI tool is the future. Don’t install it yet
A month ago, practically no one had heard about Peter Steinberger’s personal AI side project. Now it’s taken the AI world by storm, and it just got the backing of none other than OpenAI itself.
First known as Clawdbot and later as Moltbot, the now re-rebranded OpenClaw served as an “I know Kung Fu” moment for its earliest users, who were jolted by the capabilities and potential of the AI-powered tool. Put another way, OpenClaw took what had previously been an abstract concept—“agentic AI”—and made it real.
It’s exciting and even vertiginous stuff, and if this story marks the first time you’ve heard of OpenClaw, you absolutely, positively shouldn’t install it.
Meet OpenClaw
Developed by the aforementioned Peter Steinberger, an Australian software developer who was just “acqui-hired” by OpenAI (the software itself remains open-source), OpenClaw is a tool that lives on your system and—if you let it—can tap in to your most sensitive data, from your email and calendar to your browser and your personal files.
OpenClaw works best on a system that’s running 24/7, allowing it to work constantly on your behalf. It can remember who you are and what’s important to you, using easy-to-read “markdown” files (like MEMORY.md and USER.md) to keep track of details like your name, where you live and work, what kind of system you’re using, who your family members are, what your favorite color is, and basically whatever you want to tell it.
OpenClaw also has a “soul”–or, more specifically, a SOUL.md file that tells the AI (you can choose from Anthropic’s Claude, ChatGPT, Google Gemini, or any number of other cloud-based or locally hosted LLMs) how it should act and present itself, while a HEARTBEAT.md file manages OpenClaw’s laundry list of activities, allowing it to check your calendar on a daily basis, poke around your email inbox every hour, or scour the web for news at regular intervals.
Well, fine, but so what? Aren’t there any number of AI tools that can comb through your email and give you hourly news updates? There are indeed, but OpenClaw comes with a couple of game changers.
The first ace up OpenClaw’s sleeve is the way you interact with it. Rather than having to use a local Web interface or the command line, OpenClaw works with familiar chat apps like WhatsApp, Telegram, Discord, Slack, Signal, and even iMessage. That means you can chat with the bot on your phone, anytime and anywhere.
The second is that OpenClaw—when installed using its default configuration—has “host” access to your system, meaning it has the same system-level permissions that you do. It can read files, it can edit files, and it can delete files at will, and it can even write scripts and programs to enhance its own abilities. Ask it for a tool that can generate images, check your favorite RSS feeds, or transcribe audio, and OpenClaw won’t simply tell you which programs to download—it will go ahead and build them, right on your system.
In other words, OpenClaw is ChatGPT without the chatbox—or as the official OpenClaw website puts it, an “AI that can actually do things.”
Now, there already are tools that let AI do things, namely “no-code” editors that allow AI to build software and web sites with prompts. But Claude Code, OpenAI’s Codex, and Google’s Antigravity are designed to be AI coding helpers that do the work while we peer over their shoulders, watching their every move. OpenClaw, on the other hand, aims to do its magic autonomously, while you’re at work, sleeping, or otherwise engaged elsewhere. It’s a true AI agent.
Personally, I’m blown away by the possibilities of OpenClaw and its inevitable clones and ecosystem. Heck, I’ll tell you right now: This is the future, like it or not.
At the same time, I believe unleashing OpenClaw without knowing what you’re doing is akin to handing a bazooka to a toddler, and I’m not the only one who thinks so.
The key issue is the level of access OpenClaw gets to your system. It sees everything you do and can do anything you do on your computer, right down to deleting individual files or entire directories of them, and is thus one hallucination away from wreaking havoc on your data.
While OpenClaw operates under a battery of rules that regulate its behavior and (thanks to a series of new security enhancements) limit its access to a designated “workspace” directory, it’s all too easy to change that behavior, and you could unwittingly give OpenClaw god-mode access through injudicious use of “sudo,” the Linux “superuser” command.
OpenClaw is also worryingly vulnerable to “prompt injection” attacks, which aim to trick an LLM into ignoring its guardrails and doing things like leaking your private data, installing a backdoor on your system, or even executing a root-level “rm -rf” command on your system, which would nuke your entire hard drive. Then there’s the growing ecosystem of unverified third-party OpenClaw plug-ins that could be riddled with security holes or hiding malicious payloads.
But most of all, what makes OpenClaw so exciting is also what makes it the most dangerous. It can stay up all day and night thanks to its “heartbeat,” taking your suggestions and running with them, all of which can lead to unexpected, surprising, or even destructive results, particularly if you’ve paired OpenClaw with a cheap or free LLM that lacks the context and reasoning powers of the priciest top-of-the-line models.
Now, I’m a moderately experienced LLM user and self-hoster, and I’ve yet to fully install OpenClaw on any of my machines. I’ve toyed with it, poked at it, tinkered with it in an isolated Docker container, and chatted with it over Discord, and I’m even trying to build my own version with help from Gemini and Antigravity. (Whether I’m actually getting anywhere will be the subject of another story.)
But as impressed as I am by OpenClaw’s system-wide powers—and believe me, I see the potential—I’m also spooked by them, and you should be too.