An agent that reads your DMs and can run your shell
An AI assistant that reads your WhatsApp and can also run shell commands on your laptop is either the most useful thing you install this year or the most dangerous. OpenClaw is betting it can be the first without becoming the second, and since late November it has gathered around 380,000 GitHub stars from people who want to find out.
OpenClaw is a self-hosted, single-user personal assistant. You run it on your own devices, and it answers you on the channels you already use. The README is blunt about the shape of it: the Gateway is just the control plane, and the product is the assistant. That one line tells you where the engineering went.
What you actually get
The headline is reach. OpenClaw connects to roughly two dozen messaging surfaces, among them WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Matrix, and WeChat, plus a built-in web chat. It speaks and listens on macOS, iOS, and Android, with wake words through Voice Wake and continuous conversation through Talk Mode, falling back from ElevenLabs to system text-to-speech when needed. There is a Live Canvas the agent can draw into, and companion apps for Windows, macOS, and mobile.
Setup is a global npm install and one onboarding command:
npm install -g openclaw@latest
openclaw onboard --install-daemon
That registers the Gateway as a launchd or systemd user service so it keeps running in the background. It wants Node 24, or 22.19 at the minimum. Multi-agent routing sends different channels, accounts, or contacts to isolated agents, each with its own workspace and sessions, which is how one install stays organized once several conversations run through it.
The trust boundary is the real product
Here is the part to read twice. OpenClaw wires a capable agent to real inboxes, and the README treats every inbound DM as untrusted input. By default, unknown senders on Telegram, WhatsApp, Signal, iMessage, Teams, Discord, Google Chat, and Slack hit a pairing gate: they receive a short code, and the bot ignores their message until you approve it with openclaw pairing approve. Opening the assistant to the public is possible but deliberate, and requires both an open DM policy and a wildcard in the allowlist.
The tool-access default deserves the same attention. For your own main session, tools run directly on the host, so the agent has full access when it is just you. The moment other people can reach it, you are expected to move non-main sessions into a sandbox with sandbox.mode: "non-main". Docker is the default sandbox backend, and the default policy allows file and process tools while denying the browser, canvas, cron, and the gateway itself. An openclaw doctor command flags risky DM policies, and there is an exposure runbook to read before any of this faces the open internet.
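The two rules above (a channel is public only with both an open DM policy and a wildcard allowlist, and non-main sessions belong in the sandbox once other people can reach the agent) can be expressed as a small audit. This is an added example, not OpenClaw's code or its doctor command; the config shape, the key names dmPolicy, allowFrom and sandbox.allow, and the tool names are assumptions modelled on the description.

```javascript
// Added example: key names are assumptions modelled on the article's
// description, not OpenClaw's real config schema.
const DENIED_BY_DEFAULT = ["browser", "canvas", "cron", "gateway"];

// A channel is public only when BOTH hold: open DM policy AND wildcard allowlist.
function isPublic(channel) {
  return channel.dmPolicy === "open" && (channel.allowFrom || []).includes("*");
}

function auditExposure(config) {
  const findings = [];
  const sandbox = config.sandbox || {};
  const sandboxed = sandbox.mode === "non-main";
  const channels = Object.entries(config.channels || {});

  for (const [name, ch] of channels) {
    if (isPublic(ch)) {
      findings.push({ level: sandboxed ? "warn" : "high", channel: name,
        issue: sandboxed ? "public DMs (sandboxed)" : "public DMs with tools on the host" });
    } else if (ch.dmPolicy === "open") {
      findings.push({ level: "info", channel: name,
        issue: "open DM policy without wildcard allowlist; not public" });
    }
  }
  // Paired contacts are still other people: non-main sessions belong in the sandbox.
  if (channels.length > 0 && !sandboxed) {
    findings.push({ level: "warn", channel: null,
      issue: 'channels configured but sandbox.mode is not "non-main"' });
  }
  // Tools the default policy denies should not be re-allowed inside the sandbox.
  for (const tool of sandbox.allow || []) {
    if (DENIED_BY_DEFAULT.includes(tool)) {
      findings.push({ level: "high", channel: null,
        issue: `sandbox allows "${tool}", which the default policy denies` });
    }
  }
  return findings;
}

// Constructed sample configs (values such as "off", "files", "process" are illustrative).
const risky = { channels: { telegram: { dmPolicy: "open", allowFrom: ["*"] },
                            signal: { dmPolicy: "pairing", allowFrom: [] } },
                sandbox: { mode: "off", allow: ["files", "process", "browser"] } };
const careful = { channels: { telegram: { dmPolicy: "pairing", allowFrom: [] } },
                  sandbox: { mode: "non-main", allow: ["files", "process"] } };

console.log(auditExposure(risky));
console.log(auditExposure(careful));
```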
Models, skills, and running it
OpenClaw stays provider-agnostic. It authenticates to model providers over OAuth, ships with OpenAI subscription support, and the maintainers suggest a current flagship model from a provider you already trust, with auth-profile rotation and failover for when one backend is down. Behavior extends through skills, which arrive bundled, managed, or defined in your own workspace, with a registry at ClawHub.
Where it fits, and the caveats
OpenClaw is single-user by design, so this is a power user's personal assistant, not a team deployment. The pace is aggressive: roughly 80,000 forks and more than 6,000 open issues describe a project being shaped in public and still moving fast, which means churn. The central risk is the one the README keeps returning to. You are giving a language model a standing foothold on your personal communications, and potentially on your host machine, so the sandbox and pairing settings are not optional hardening; they are the product decision. The badge in the README reads MIT, but check the LICENSE file and third-party notices against your own use before you build on it. If you want to see where personal AI agents are heading, OpenClaw is worth running on a spare device with sandboxing turned on, and treating its trust settings with the care you would give a server you expose to the internet.