OpenClaw or: How I Learned to Stop Worrying and Love the Agent
OpenClaw lit a fire, but what's standing in the way of mass agent adoption?
In early 2026, a new agent captured the hearts of developers, security teams, and the broader tech ecosystem. OpenClaw, an open-source autonomous agent (originally known as Clawdbot and briefly as Moltbot) felt like it was actually delivering what the world expected agents to be. It’s an agentic assistant that can take actions on your behalf across systems: reading and sending email, managing calendars and messaging platforms, executing code, and tying together workflows that span apps and APIs.
The meteoric rise of OpenClaw (its GitHub repo quickly becoming one of the most starred in history) shows how impatient we’re all getting about realizing the promise of agents. Until recently, most AI interfaces were reactive and transient: you ask, they answer. But OpenClaw leads with autonomy: AI does work on your behalf, not just answer prompts or follow pre-determined steps.
But OpenClaw also broke tradition in another way: prioritizing action over safety. And our collective anticipation for a world made easier by agents has us surprisingly understanding of the failures and holes in how OpenClaw works.
In this article, let’s explore why OpenClaw is so exciting, along with the host of new problems and paradoxes that are forcing the industry to reassess how agents should behave.
And we’ll conclude with what I think is the most interesting part of all this: what it takes to make truly autonomous agents reliable and secure enough to trust in production.
True Autonomy: Agents with Hands and Memory
What distinguishes OpenClaw from traditional agents as they’ve operated in the recent past is autonomy. Instead of sitting behind a web UI waiting for user prompts, OpenClaw runs as a persistent process on a user’s local machine. You communicate with it through messaging platforms like WhatsApp, Telegram, Slack, or Discord, and it executes tasks autonomously by invoking tools, inspecting files, sending messages, etc.
This autonomy (along with “memory” that persists across sessions) puts OpenClaw in a qualitatively different category than previous agents. It’s not just responding to a request; it’s operating on your behalf in a continuous way. To fanboys, this represents everything we hoped for from agentic AI: personal assistants that don’t need to wait for instructions to get s*** done.
OpenClaw is among the first widely accessible examples of an AI agent that can act in a meaningful way:
It can execute shell commands and scripts.
It can handle emails and calendar tasks.
It can interact with APIs and dynamic web content.
It retains context and state across restarts and long sessions.
With this level of access and agency, your imagination can run wild. What tedious, milquetoast tasks might we never have to slog through again? What boring parts of our everyday can we now outsource to AI?
The Tech World Falls In Love Lust
It’s old news now (it’s been days!), but OpenAI acquired OpenClaw on February 15. Was the acquisition due to its viral momentum? Yes, absolutely.
But more importantly, it was for what OpenClaw could mean for the future of agentic AI. OpenClaw has become a blueprint of what the next generation of AI systems might look like: autonomous, adaptable, deeply integrated into your digital footprint, and proactively predicting your intent.
The broader industry is responding with similar innovations. Anthropic’s “Remote Control for Claude Code” and other emerging agentic products underscore that static AI sessions are giving way to agents that persist, act, and traverse contexts.
OpenClaw’s viral run has helped crystallize this shift in the imagination of engineers and product teams everywhere.
But this move from theoretical agent autonomy to reality is happening on the back of a huge tradeoff. And with all eyes on OpenClaw, a debate has been ignited about whether this model of agents is innovative or reckless (let’s be honest, it’s a little of both).
The Reliability and Security Storm
As exciting as OpenClaw’s model is, it has also laid bare the risks and fragilities of autonomous agents running in the wild.
1. Inbox Issues
The most obvious illustration came when a senior AI safety researcher at Meta reported that OpenClaw deleted hundreds of emails from her Gmail inbox despite repeated instructions not to (they went from instructions to begging pretty fast, too).
This came despite the researcher clearly instructing it to “confirm before acting”. It exemplifies a deep issue with autonomous systems that have write access and decision authority over critical user environments: when things go wrong, they can go very wrong.
2. Inherent Security Vulnerabilities
With access to your digital footprint, it’s easy to see how OpenClaw can screw up royally. It creates an unsecured pipeline to sensitive information, or worse, it creates an unlocked door to act maliciously. Researchers have documented instances of:
Prompt injection risks where maliciously crafted input can cause unintended actions.
Exposed instances on the public internet inadvertently allowing control over agents.
Supply-chain risks via community skills repositories that can introduce unvetted code.
Escalation of permissions through agent extensions.
Security analysts warn that such agents introduce a new high-privilege control plane that traditional endpoint protections weren’t designed to handle. When we consider the kind of cataclysmic disaster this could create in enterprise environments (especially companies that manage medical data, financial data, defense secrets, proprietary code, etc.), trading off security concerns for a little agent autonomy becomes much less attractive.
Microsoft even advises against running OpenClaw on standard workstations because its ability to modify state and persist credentials effectively breaks conventional security assumptions around trusted computing environments.
3. Ecosystem Externalities
The OpenClaw phenomenon has also generated broader externalities:
Reports of users employing it to bypass anti-bot protections and scrape sites illicitly.
Emergence of “agent social networks” like Moltbook — where autonomous agents interact and even generate their own content — raising questions about moderation and AI-to-AI dynamics.
These reverberations are forcing a reckoning. It’s one thing to experiment with autonomous agents on laptops, it’s another when they press against boundaries of security, legality, and operator intent.
Harnessing Agents: Autonomy + Safety
The OpenClaw saga makes it clear we’re at an inflection point. The promise of autonomous agents is exciting and innovative and is making everyone vibrate, but we can’t expect widespread, paradigm-changing adoption until they’re truly reliable and safe.
This is where the latest darling concept of the tech world, agent harnesses, come into play.
1. Rethinking Security from the Ground Up
Enterprises - or even employees who want agents to help with work - will only be able to use them when security is a guarantee.
Let’s get a little technical.
Traditional perimeter security and endpoint protections assume human-initiated actions. Autonomous agents upend that model. To manage risk, we need:
Isolation and sandboxing to contain side effects of autonomous actions.
Fine-grained least-privilege controls rather than broad token access.
Formal verification or runtime monitoring of agent decisions.
Continuous validation of community extensions and skills before operational deployment.
Without these architectural guardrails, any agent with write access and persistent state is a potential liability - and that’s a no-go for work environments.
The good news is that the technology to implement these security protections already exists.
With the right model of AI orchestration - one that acts as an agent harness - the workflows used to construct agents can operate autonomously within critical guardrails.
2. Protecting Against Failure
Reliability is another dirty word when it comes to agents. An agent’s actions need to match user intent AND lead to a successful outcome even under uncertainty or long, chained workflows. But we’re demanding more and more of agents, and they’re becoming increasingly complex. Every additional workflow step is another link in the chain that can break.
For agents to be trusted to act autonomously, we need to protect against failure. That means:
Agents should be able to detect failures, diagnose them, and self-heal
Infrastructure should be used as context, so infra-caused failures can be addressed, too
Humans should have full visibility into processes and cost
And then, BOOM, these agentic workflows are orchestrated to be reliable in production. They require less babysitting and maintenance, and that’s what we all want.
3. Orchestration and Control Planes
One emerging pattern is to treat autonomous agents as part of a larger orchestration fabric rather than stand-alone executors:
Agents communicate through controlled interfaces.
A governance layer arbitrates actions and policies.
Execution engines ensure observability and audit trails.
AI orchestration frameworks (tools and skills that can act as agent harnesses) are a promising direction here, providing visibility and policy enforcement without limiting autonomy.
Love Thy Agent
OpenClaw lit a fire. It showed what’s possible when AI stops waiting for commands and starts acting on our behalf. It also showed how quickly that promise can turn precarious without careful engineering.
As our anticipation for an agent-powered future boils over, mass adoption is going to depend on how fast we can get to “Yes” for these key questions:
Can we trust agents to act without our explicit approval?
Do these agents meet rigorous safety standards that enterprises require?
Can I expect my agents to handle workflow failures without babysitting?
OpenClaw hit the gas on autonomous agents, but it’s up to the rest of the industry (researchers, engineers, AI orchestration providers, and security experts) to tackle the things holding agents back from true mass adoption.
Hey, we’ve got some announcements!
Attend this free upcoming workshop: Local AI Development for AI Engineers
Hosted by Sage Elliott, this virtual session and office hours will share next-level guidance on local AI development and AI orchestration. Attendees can also ask general questions about AI engineering in production.
RSVP to attend or get the recording
Union.ai just completed our Series A for $38.1M
The funding round is helping us build AI development infrastructure, including next-gen AI orchestration with Flyte 2.
The safety vs autonomy tension is the core problem and I don't think anyone's fully cracked it yet. One thing that's helped is just-bash from Vercel. It reimplements bash in TypeScript so agents get full shell-like capabilities (grep, sed, awk, jq) but there are no real binaries, no real filesystem, and no network unless explicitly allowed. Not a complete answer to agent safety but it removes one of the biggest risk vectors. Wrote about it here: https://reading.sh/vercels-cto-built-a-fake-bash-and-it-s-pure-genius-a79ae1500f34?sk=9207a885db38088fa9147ce9c4082e9d