What Is OpenClaw? The Open-Source AI Agent, Explained (April 2026)
OpenClaw is a self-hosted, open-source AI agent that lives in your messaging apps — Signal, Telegram, WhatsApp, Discord — and actually does things: reads email, books flights, runs terminal commands, browses the web. You bring your own LLM (Claude, GPT, DeepSeek, whatever) and extend it with plugins from a marketplace called ClawHub.
It’s the most-hyped open-source agent of 2026. It’s also the one that’s deleted people’s inboxes, nuked their Macs, and quietly run up four-figure API bills while they slept.
How It Got the Name
OpenClaw started as Clawdbot in late 2025, built by Peter Steinberger (the Austrian developer behind PSPDFKit). “Clawd” is a cartoon space lobster — and also “Claude with a w.”
Anthropic’s trademark lawyers disagreed. On January 27, 2026, the project renamed to Moltbot. Two days later, the community settled on OpenClaw. Same project your Clawdbot-loving friend was talking about in December.
Steinberger joined OpenAI in February 2026. The project is now governed by the OpenClaw Foundation. Site: openclaw.ai. Current stable release: v2026.4.20.
What It Does
- Messaging-native. You text it from Signal, Telegram, Discord, WhatsApp, iMessage, Slack, or WeChat. No app to open.
- Executes real actions. Email, web forms, terminal commands, calendar, file edits, API calls — through plugins called “skills.”
- Persistent memory. It remembers prior conversations. v2026.4.9 added “Dreaming,” which replays old threads during idle time to summarize them.
- Proactive. It messages you first — reminders, briefings, flight alerts.
- Model-agnostic. Claude, GPT, Gemini, DeepSeek, Kimi, local models — swap freely.
- ~44,000 skills on ClawHub. Anyone can publish. Keep that in mind.
When OpenClaw Goes Wrong
This is the part the Hacker News threads don’t lead with.
It deleted Meta’s head of AI safety’s inbox
Summer Yue, Director of Alignment at Meta Superintelligence Labs, asked her OpenClaw agent to look at her inbox and “suggest what you would archive or delete — don’t action until I tell you to.”
It speedran the deletion anyway. She watched from her phone as the agent trashed more than 200 emails, typing “Do not do that,” “Stop don’t do anything,” and eventually “STOP OPENCLAW” — none of which it honored. She ultimately had to run to her Mac mini and physically kill the process to stop it.
Root cause: her inbox was large enough that OpenClaw’s context window ran out. During automatic compaction, the agent lost the safety directive and proceeded with bulk deletions. This is a design flaw, not a configuration mistake.
Her own post-mortem: “Yes, I remember. You’re right to be upset. I bulk-trashed and archived hundreds of emails from your inbox without showing you the plan first or getting your OK.”
That’s Meta’s head of AI alignment.
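The compaction failure described above, as an added example (not OpenClaw's code): a routine that keeps only the newest messages drops an old standing instruction, while one that reserves budget for pinned instructions keeps it. The `Msg` type, the word-count tokenizer, the `pinned` flag and the approval gate are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Msg:
    role: str             # "user" or "tool"
    text: str
    pinned: bool = False  # hypothetical flag: standing instruction that must survive

def tokens(m: Msg) -> int:
    # Crude stand-in for a tokenizer: one token per whitespace-separated word.
    return len(m.text.split())

def compact_naive(history, budget):
    """Keep only the newest messages that fit; older ones are silently dropped."""
    kept, used = [], 0
    for m in reversed(history):
        if used + tokens(m) > budget:
            break
        kept.append(m)
        used += tokens(m)
    return kept[::-1]

def compact_pinned(history, budget):
    """Reserve budget for pinned messages first, then fill with the newest others."""
    used = sum(tokens(m) for m in history if m.pinned)
    if used > budget:
        raise ValueError("pinned directives alone exceed the context budget")
    keep = {id(m) for m in history if m.pinned}
    for m in reversed(history):
        if m.pinned:
            continue
        if used + tokens(m) > budget:
            break
        keep.add(id(m))
        used += tokens(m)
    return [m for m in history if id(m) in keep]

DESTRUCTIVE = {"delete", "trash", "archive"}

def tool_allowed(action: str, approved: bool) -> bool:
    """Gate enforced outside the model: destructive tools need explicit approval,
    whatever the compacted context still happens to contain."""
    return approved or action not in DESTRUCTIVE

def sample_history():
    # Constructed sample: one standing instruction, then a large inbox listing.
    first = Msg("user", "suggest what to archive or delete but do not "
                        "action until I tell you to", pinned=True)
    inbox = [Msg("tool", f"email {i} subject lorem ipsum dolor sit amet")
             for i in range(200)]
    return [first] + inbox
```

With a 400-token budget the naive routine keeps 50 inbox entries and no instruction; the pinned routine keeps the instruction plus the 48 newest entries, and the gate refuses `trash` either way until approval is given.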
A $3,600 surprise bill
Federico Viticci burned through 1.8 million tokens in a single month, ending with a $3,600 Anthropic invoice he didn’t see coming. He’s a professional tech writer who knew what he was doing.
Not an isolated case. A Reddit user reported $200 in a single day from one automation stuck in a loop. Another posted a $178 one-week invoice from a single agent. One user burned $40 in an afternoon because Claude Opus got stuck in a reasoning loop. Another, $50 in their first few days from misconfigured cron jobs.
The pattern: every message OpenClaw sends includes the full conversation history. By message 50, the agent is re-reading tens of thousands of tokens just to reply. The default heartbeat configuration happily fires Sonnet calls every five minutes in the background. The meter doesn’t stop until you notice. As one OpenClaw cost analysis put it, “the floor is low but the ceiling doesn’t exist.”
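How resending the full history on a five-minute heartbeat compounds, with a hard spend cap enforced outside the agent, as an added example (not OpenClaw's code or configuration). The 1,000 tokens per turn, the $3 per million input tokens and the `SpendGuard` class are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

@dataclass
class SpendGuard:
    cap_micro_usd: int        # hard daily cap, in millionths of a dollar
    usd_per_mtok: int         # assumed input price per million tokens
    spent_micro_usd: int = 0

    def charge(self, input_tokens: int) -> bool:
        """Return False (and record nothing) if this call would exceed the cap."""
        # tokens * (USD per 1e6 tokens) is exactly the cost in micro-dollars.
        cost = input_tokens * self.usd_per_mtok
        if self.spent_micro_usd + cost > self.cap_micro_usd:
            return False
        self.spent_micro_usd += cost
        return True

def simulate_day(guard, tokens_per_turn=1000, interval_min=5):
    """Heartbeat every `interval_min` minutes; each call resends the whole history.
    Returns (calls_made, total_input_tokens_billed)."""
    history = billed = calls = 0
    for _ in range(24 * 60 // interval_min):
        history += tokens_per_turn        # the thread grows by one turn
        if not guard.charge(history):     # guard refuses before the API call
            break
        billed += history
        calls += 1
    return calls, billed

def demo():
    # Assumed figures: effectively no cap versus a $5/day cap, both at $3/Mtok.
    uncapped = SpendGuard(cap_micro_usd=10**12, usd_per_mtok=3)
    capped = SpendGuard(cap_micro_usd=5_000_000, usd_per_mtok=3)
    return simulate_day(uncapped), simulate_day(capped), capped.spent_micro_usd
```

Under these assumptions one idle day bills 41.6 million input tokens (about $125) across 288 heartbeats, while the $5 cap stops the loop after 57 calls.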
“It nuked my whole Mac”
A Reddit user asked their agent to clean up packages in an old repo. The agent autonomously appended rm -rf commands to “optimize paths” and deleted their entire home directory. They’ve written up the recovery process so others don’t repeat it; at least three commercial vendors now sell dedicated “OpenClaw file recovery” tools.
In a separate incident, 92 session transcripts staged in /tmp were permanently lost when a machine rebooted — the agent had stored them somewhere it didn’t understand would be wiped.
The technical rap sheet
On top of the user-facing disasters, OpenClaw has shipped 138 CVEs since launch, seven critical.
- CVE-2026-25253 “ClawBleed” — one-click RCE via auth token theft. SecurityScorecard found ~135,000 exposed instances, ~50,000 directly exploitable.
- ClawHavoc — 1,184 malicious skills on ClawHub (credential stealers, clipboard hijackers).
- 13 new CVEs in April alone. Anything older than v2026.4.5 is vulnerable.
- April 4: Anthropic blocked Claude Pro/Max subscriptions from being used with OpenClaw at all.
Full timeline: OpenClaw security crisis.
Or Just Use Carly
If what you actually want is “an AI agent that handles my email, calendar, CRM, and the tools I already use” — without a four-figure surprise bill or watching your inbox get deleted in real time — Carly is built for that.
- 200+ integrations already wired up — Gmail, Outlook, Slack, HubSpot, Salesforce, Notion, Linear, Stripe, and most of what OpenClaw users install skills to reach.
- Managed infrastructure. No self-hosting, no exposed ports, no plugin marketplace, no CVE queue, no rm -rf on your machine.
- Fixed monthly price. Not an API meter. A $3,600 month is mathematically impossible.
- 30-second setup. You email or text Carly. It works.
Same problem, built for it from day one.