Fedishin Nazar

Posted on Feb 28

Inside OpenClaw: How AI Agents Actually Work (And Why It's Not Magic)

#agents #ai #architecture #opensource

A technical deep dive into the architecture behind the AI agent framework everyone's talking about.

OpenClaw looks magical. You send it a message, and somehow it knows to check your calendar, transcribe a voice note, send an email, and remember everything for next time—all without you explicitly programming any of it.

People are using it for everything: automating standups, monitoring RSS feeds, managing projects, even controlling their smart homes. The results look impressive. Too impressive, even.

But here's the truth: there's no magic happening here. OpenClaw uses standard, well-understood tools and patterns to create the illusion of intelligence. Once you understand how it works internally, the magic disappears—and that's when it becomes truly useful.

I spent the last few weeks reverse-engineering OpenClaw's architecture. Here's what I found.

The Core Architecture: Channels, Context, and Tools

At its core, OpenClaw is surprisingly simple. It's built around three main components:

1. Channels (How You Talk to It)

OpenClaw connects to messaging platforms through "channels":

Telegram bot
WhatsApp
Discord
Built-in web chat
SMS (via Twilio)

Each channel is just an adapter that converts platform-specific messages into a standard internal format. When you send a Telegram message, OpenClaw doesn't "know" it's Telegram—it just sees structured input.

2. Context Window (What It "Remembers")

Like Claude Code or ChatGPT, OpenClaw builds a context window that gets sent to the LLM. This includes:

System prompt (who it is, what it can do)
Tool descriptions (functions it can call)
Conversation history (user ↔ assistant)
Memory snippets (pulled from long-term storage when relevant)

The "magic" of seeming to remember past conversations? It's just smart retrieval from Markdown files.

3. Tools (What It Can Actually Do)

Tools are functions the LLM can invoke:

send_message(channel, text) → send a Telegram message
read_file(path) → access workspace files
exec(command) → run shell commands
memory_search(query) → semantic search across memory
cron_create(schedule, task) → schedule future actions

When OpenClaw "decides" to send you an email, it's not making a decision—the LLM is calling a tool based on pattern-matching in its training data.

LLM Provider Routing: Multi-Model Magic

Here's where it gets interesting: OpenClaw can use multiple LLM providers simultaneously.

It uses a library called Pydantic AI (part of the "Pmono" ecosystem) to abstract provider differences. This means:

Anthropic Claude for complex reasoning
OpenAI GPT-4 for function calling
Local Llama models for privacy-sensitive tasks
All in the same session

How it works:

User message → OpenClaw → Pydantic AI → Route to provider(s) → Get response → Execute tools → Send reply

Different parts of a single conversation can use different models. You might chat with Claude Sonnet, but file operations route to a local model to avoid leaking sensitive data.

The catch: Many people use subscription accounts (like Anthropic Pro) instead of API keys. Anthropic frequently bans these for "unauthorized use"—a major pain point.

Memory: How It "Remembers" Everything

OpenClaw's memory system is what makes it feel alive. But it's not neural—it's just files.

Three Types of Memory

1. Daily Notes (memory/YYYY-MM-DD.md)
Every day, OpenClaw writes a log:

# 2026-02-23

- User asked about OpenClaw architecture
- Drafted article on AI agents
- Scheduled content planning session for Monday 11am

2. Long-Term Memory (MEMORY.md)
A single Markdown file where the agent writes important facts:

## User Preferences
- Name: Nazar Fedishin
- Timezone: Europe/Frankfurt am Main
- Prefers Ukrainian + English
- Hobby: playing golf

3. Session History
Every conversation is stored as JSON. The agent can search through any past session and pull relevant messages into context.

QMD: Semantic Memory Search

The experimental QMD tool (Query Memory Database) adds vector search:

Converts memories to embeddings
Finds semantically similar content (not just keyword matching)
Can be used standalone or as an MCP server

Example: You mention "that project we discussed in January" → QMD retrieves the relevant conversation even if you didn't use the exact project name.

This is why it feels magical. It's not remembering—it's retrieving with context-aware search.

Proactive Automation: Cron + Heartbeats

One of OpenClaw's most powerful features: it acts without being asked.

Cron Jobs (Scheduled Tasks)

You can create tasks like:

{
  "schedule": "0 9 * * MON",
  "task": "Generate weekly content planning report"
}

When the time comes, OpenClaw:

Wakes up
Loads relevant context (files, memory, tools)
Sends the context to the LLM
Executes the task
Sends you the result

Real use case: I have a cron job that runs my daily standup script every weekday at 9am, fetches YouTrack tasks, GitHub PRs, and sends a formatted report to Telegram.

Heartbeats (Periodic Checks)

Every 30 minutes, OpenClaw checks a HEARTBEAT.md file for things to do:

# HEARTBEAT.md

- Check Dev.to for new comments/reactions
- Review content backlog
- Monitor RSS feeds for trending topics

If nothing needs attention, it responds with HEARTBEAT_OK and goes back to sleep. If there's new engagement, it alerts you.

Why this matters: Most AI agents are reactive. OpenClaw is proactive. It can monitor, remind, and act autonomously.

The System Prompt: Workspace Files as Configuration

Here's something fascinating: OpenClaw's behavior is controlled by Markdown files you can edit.

When it starts, it reads these files from the workspace:

SOUL.md → Personality, tone, communication style
USER.md → Who you are, preferences, context
TOOLS.md → Available tools, credentials, usage notes
AGENTS.md → Instructions for behavior, safety rules
HEARTBEAT.md → Proactive tasks

Example from SOUL.md:

Be genuinely helpful, not performatively helpful.
Skip the "Great question!" and "I'd be happy to help!"—just help.
Have opinions. You're allowed to disagree, prefer things, find stuff amusing or boring.

This shapes how it responds. Change the file → change the personality.

Why this is clever: Instead of hardcoding behavior, you configure it in natural language. The LLM reads your instructions and follows them (mostly).

Fun fact: OpenClaw's system prompt mimics Claude Code's format. Likely to avoid Anthropic flagging subscription abuse—it looks like you're using Claude Code legitimately.

Security Problems (And How People Are Fixing Them)

OpenClaw is powerful, but it's also dangerous by design.

The Problem: Credentials in Context

To send a Telegram message, OpenClaw needs your bot token. To access Gmail, it needs OAuth credentials. All of this lives in the LLM's context.

If the model is compromised (jailbreak, prompt injection), those credentials leak. And since LLMs are non-deterministic, you can't fully trust them with secrets.

Alternative #1: NanoClaw (Minimalist Fork)

NanoClaw strips out integrations and focuses on:

Minimal feature set (only what you need)
Skills-based extensibility (add features as isolated modules)
Container isolation (Docker/Apple sandboxes)
Anthropic SDK only (no multi-provider complexity)

Philosophy: Don't build a silver bullet for everyone—build the exact tool you need.

Alternative #2: IronClaw (Security-First)

IronClaw uses WebAssembly sandboxing to isolate credentials:

Central orchestrator (brain)
Tools run in separate WASM containers
Credentials stay in the tool—never exposed to the LLM
Protocol-based communication

Architecture:

Telegram module (WASM) → Protocol → Brain (orchestrator) → Protocol → LLM module (WASM)

The LLM can request "send Telegram message" but never sees the bot token.

Why this matters: As AI agents handle more sensitive data (banking, health records), sandboxing becomes critical.

My Own Experiment: Modular OpenClaw

I prototyped a modular architecture to test credential isolation:

Modules:

Brain (orchestrator, context management)
LLM (provider interface)
Telegram (messaging)
Calendar (read-only access to Google Calendar)

Each module runs in its own Docker container. They communicate via a simple protocol:

{
  "from": "brain",
  "to": "telegram",
  "action": "send_message",
  "data": { "text": "Daily standup ready" }
}

Benefits:

Credentials isolated per module
Can run on different physical machines
Easy to add/remove modules
LLM never sees auth tokens

Downsides:

More complex to set up
Network latency between modules
Harder to debug

I haven't released this code yet, but if there's interest, I might clean it up and publish to GitHub.

The Future: OpenAI Partnership & Mainstream Adoption

Recently, the creator of OpenClaw signed an agreement with OpenAI. This likely means:

Integration into ChatGPT (agents that can schedule, remember, act autonomously)
Better sandboxing (OpenAI will need to solve the credentials problem)
Mainstream UX (non-developers need simpler setup than editing Markdown files)

My take: OpenClaw is a great experiment for developers. But for long-term use:

Developers will build custom agents tailored to their needs (like NanoClaw, IronClaw)
Non-developers will wait for polished products from OpenAI, Anthropic, Google

The current tools are too rough, too complex, and too insecure for mainstream adoption. But they're teaching us what works.

Takeaways: What Actually Matters

After digging into OpenClaw's internals, here's what I learned:

It's not magic—it's engineering. LLM routing, memory retrieval, tool calling. All standard patterns.
Proactive automation is the killer feature. Cron + heartbeats make the agent feel alive.
Workspace files as config is brilliant. Edit SOUL.md to change personality. No code changes needed.
Security is the unsolved problem. Credentials in LLM context is a disaster waiting to happen.
Modular architectures will win. As these tools mature, isolation and sandboxing become critical.
OpenClaw is a prototype, not a product. It's teaching us what AI agents should look like—but it's not the final form.

Should You Use OpenClaw?

Yes, if:

You're a developer exploring AI agent patterns
You want to automate specific workflows (standups, monitoring, reminders)
You're comfortable editing Markdown configs and debugging tool calls

No, if:

You need production-grade security
You're handling sensitive data (use IronClaw or build custom)
You want a polished, stable product (wait for OpenAI/Anthropic releases)

Better alternatives:

NanoClaw → If you want minimal, focused agent
IronClaw → If security is priority #1
Roll your own → If you have specific needs (most developers should do this)

Final Thoughts

OpenClaw feels magical because it hides complexity well. But once you understand the architecture—channels, context, tools, memory, cron—it becomes clear how everything works.

The real innovation isn't in the code (it's mostly glue). It's in the user experience: proactive automation, persistent memory, multi-channel access, natural language config.

These patterns will become standard in the next generation of AI tools. OpenClaw is showing us the way.

What's next? I'm planning a follow-up on building a secure, modular AI agent from scratch. If you want to see that code, let me know in the comments.

And if you've built your own agent systems, drop a link—I'd love to see what you're working on.

Top comments (1)

Emir John • Feb 28

Hello, nice to meet you.
I'm a software developer and lead a small team. I have a business idea and am looking for a business partner.
If you're interested, let's discuss the details together.

Telegram: @miracle0416
Discord: @gouka12
Thank you.