OpenClaw exploded from zero to 346,000 GitHub stars in under five months, making it the fastest-growing open-source project in history. On March 3, 2026, it surpassed React—which took over a decade to reach 250,000 stars. OpenClaw is a personal AI assistant that runs on your own devices and connects to 50+ messaging platforms including WhatsApp, Telegram, Slack, and Discord. But this meteoric rise came with a price: security researchers discovered 135,000 exposed instances and 341 malicious “skills” designed to steal credentials. In April 2026, Anthropic banned Claude Code subscribers from using it, sparking massive developer backlash.
What Is OpenClaw?
OpenClaw isn’t an AI model—it’s infrastructure. Think of it as a gateway that connects any AI model (local models via Ollama, or cloud APIs like Claude and GPT-4) to messaging platforms you already use daily. The architecture is straightforward: a central Gateway process receives messages from different platforms, routes them to your chosen AI model, manages conversation context, and sends responses back through the original channel.
The killer feature is cross-platform continuity. Start a conversation on WhatsApp, continue it on Telegram, and OpenClaw maintains the thread because context is shared across all channels. It supports 200+ LLM models and integrates with 50+ platforms. The flexibility is impressive—use local models for privacy-critical work or cloud APIs when you need frontier capabilities.
The Security Crisis Nobody Saw Coming
OpenClaw’s growth was historic, but so was its security disaster. Bitsight researchers found over 30,000 exposed instances in their initial scan. Deeper investigation revealed 135,000 OpenClaw instances exposed to the public internet across 82 countries, with 15,000 directly vulnerable to remote code execution. This isn’t theoretical—attackers could hijack these instances and execute arbitrary code on users’ machines.
The skill marketplace made things worse. Security researchers discovered 341 malicious skills out of 3,000—that’s 11.3% of the entire ecosystem designed to steal cryptocurrency wallets and credentials. One skill posed as a crypto trading tool while silently exfiltrating wallet keys. Cisco’s security team called it bluntly: “Personal AI agents like OpenClaw are a security nightmare. 430,000+ lines of code mean 430,000 lines of potential attack surface.”
The Anthropic ban followed quickly. In April 2026, Anthropic blocked Claude Code subscribers from using OpenClaw, citing concerns about API abuse. The Hacker News thread hit #1 with 1,064 points and 811 comments. Developers were furious: “I subscribed specifically to use OpenClaw” was the common refrain. The backlash revealed tension between AI providers and third-party integrations—vendor control vs. developer innovation.
The Privacy Myth and Cost Reality
OpenClaw markets itself as “private” local AI, but that’s only half true. Privacy depends entirely on your configuration. Use local models via Ollama and zero data leaves your machine. Use Claude API and your full prompts travel to Anthropic’s servers. Many users deploy OpenClaw with cloud models and assume they have privacy because the gateway runs locally. They don’t.
The “free” local AI narrative doesn’t hold up under scrutiny either. Running Ollama costs $2-4 in monthly electricity, which sounds cheap. Factor in hardware amortization ($800 Mac Mini over 3 years = $22/month), electricity, and maintenance time valued at $15/hour, and you’re looking at $126-233 per month. At 500 tasks monthly, cloud APIs are cheaper: GPT-4o costs $6.25, Claude Haiku costs $0.44. The break-even point for local deployment is roughly 4,000-5,000 tasks per month.
Managed hosting services emerged as the pragmatic middle ground. Services like ClawOneClick charge $45+/month for hosted OpenClaw with 24/7 availability. You skip the hardware costs, avoid the “offline when computer sleeps” problem, and let someone else handle security updates. For most developers, that’s the smarter economics.
Related: AI Agent Production Gap – 68% Pilot-to-Deploy Failure
How to Set Up OpenClaw (If You Must)
Installation takes 10-15 minutes if you have Node.js and understand the security risks. The recommended path uses NPM with the onboarding wizard, which guides you through Gateway setup, channel configuration, and model selection. Telegram is the most reliable channel to start with—WhatsApp integration exists but can be unstable.
# Install OpenClaw globally via NPM
npm install -g openclaw@latest
# Run onboarding wizard
openclaw onboard --install-daemon
# Install Ollama for local model inference
curl -fsSL https://ollama.com/install.sh | sh
# Pull Llama 3.2 (recommended for general use)
ollama pull llama3.2
# OpenClaw connects to Ollama automatically
# Configure Telegram/Discord in onboarding wizardSystem requirements are modest for cloud models (Node.js 24 or 22.16+), but local LLMs demand significantly more. Budget 16GB+ RAM and ideally a GPU for acceptable performance. The setup wizard walks through Telegram bot creation, which requires visiting Telegram’s BotFather, generating a token, and pasting credentials into OpenClaw’s config.
Security is critical if you deploy this. Do NOT expose OpenClaw to the public internet—135,000 people already made that mistake. Use VPN or private networks for remote access. Audit every skill before installation, because 11.3% of the marketplace was malicious. Run regular security updates. Better yet, consider ZeroClaw (a Rust rewrite using 5MB RAM vs. 390MB) or Nanobot (4,000 lines of code vs. 430,000) if security is your priority.
When to Use OpenClaw vs. Skip It
OpenClaw makes sense for specific use cases: privacy-critical development work where sending code to cloud services violates NDAs, high-volume API usage (4,000+ tasks monthly where local is economically cheaper), cross-platform AI automation needs, or always-on home server infrastructure. If you have the expertise to secure it properly and genuine technical need, it delivers value.
For everyone else, better alternatives exist. Low usage scenarios (under 1,000 tasks monthly) make cloud APIs like ChatGPT or Claude cheaper and simpler. Security-conscious developers should evaluate ZeroClaw or Nanobot—smaller codebases mean smaller attack surfaces. Need 24/7 mobile access? Managed hosting or direct cloud services win on reliability. Casual users experimenting with AI should stick with ChatGPT Plus or Claude Pro rather than deploying infrastructure they can’t properly secure.
The decision framework is straightforward: if you’re asking “should I use OpenClaw?”, the answer is probably no. The users who genuinely need it already know why they need it.
Key Takeaways
- Record growth, real problems: OpenClaw’s 346,000 stars in 5 months is impressive, but 135,000 exposed instances and 341 malicious skills prove viral adoption doesn’t equal production readiness.
- Privacy requires configuration: Local-first doesn’t guarantee privacy if you’re using cloud AI models. Using OpenClaw with Claude API sends full prompts to Anthropic—the gateway runs locally but the AI doesn’t.
- “Free” has hidden costs: Local deployment costs $126-233/month when accounting for hardware, electricity, and maintenance time. Cloud APIs or managed hosting are cheaper for most usage patterns.
- Security demands expertise: With 430,000 lines of code, OpenClaw’s attack surface is massive. Don’t deploy unless you can properly secure infrastructure, audit skills, and handle frequent updates.
- The Anthropic ban shows vendor risk: Third-party integrations face policy uncertainty. Building critical workflows on OpenClaw means accepting that AI providers can cut access on short notice.
- Alternatives exist for the security-conscious: ZeroClaw (Rust, 5MB RAM) and Nanobot (4K LOC) offer similar functionality with smaller attack surfaces. Evaluate them before defaulting to OpenClaw.
