General AI Assistant Review

OpenClaw Review 2026: Features, Pricing & Verdict

A free, open-source personal AI assistant you self-host on your own devices - and talk to through the messaging apps you already use. Powerful, model-agnostic, and squarely aimed at technical users who take security seriously.

General AI Assistants
Self-hosting developers & tinkerers
Open source, self-hosted
Free + your LLM API costs
Your messaging apps
Windows, macOS, Linux

OpenClaw review: the open-source personal AI assistant that lives in your messaging apps

OpenClaw is a free, open-source autonomous personal AI assistant that you self-host on your own devices. Its defining idea is unusual: instead of giving you yet another web dashboard or desktop app to open, it uses the messaging apps you already have - WhatsApp, Telegram, Slack, Signal, iMessage, and many more - as its interface. You text the assistant the way you would text a capable colleague, and it acts on your machine: running shell commands, driving a browser, reading and writing files, managing your calendar, and sending email. Everything runs locally, and its configuration and history live on your device so its behavior stays persistent and adapts to you over time.

That combination - a real, tool-using agent reachable from your phone's chat apps, running entirely on hardware you control - is genuinely novel, and it is why OpenClaw has gained attention in the self-hosting community. But the same power that makes it compelling makes it risky. An assistant that can execute shell commands and read your files, triggered by inbound messages, is a serious security surface, and self-hosting means that surface is yours to secure. This OpenClaw review covers what the project actually is, how it works, its skills system, its model-agnostic design, what it costs, and - at length - the security and privacy questions any buyer should settle before installing it. The short version: for capable, security-aware technical users, OpenClaw is one of the most interesting personal-agent projects of 2026. For non-technical users or regulated enterprises, it is not yet the right tool.

Two-line verdict: OpenClaw is a free, open-source, model-agnostic personal AI assistant you self-host and control from your existing messaging apps, with real tool-using power on your own machine. The trade-off is broad local permissions and prompt-injection exposure that make security and self-hosting discipline non-negotiable.

TL;DR

OpenClaw is a free, open-source personal AI assistant that you install and run on your own devices rather than in someone else's cloud. You interact with it through everyday messaging apps - among them WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, Matrix and a built-in WebChat - and it carries out real actions locally: running shell commands, controlling a browser, handling files, managing your calendar and sending email. It is model-agnostic, so you connect your own LLM (Claude, GPT, DeepSeek, or a local model) and pay only for that model's usage, or nothing at all with a local model. A "skills" system built around SKILL.md files extends what it can do. Because it holds broad permissions on your machine and processes untrusted inbound messages, security is central: it suits technically capable, security-aware users and is a poor fit for non-technical people or compliance-bound enterprises.

Editorial scorecard

Our editorial scores reflect the project's public documentation, its stated capabilities as of July 2026, and how it compares to other general AI assistants in this category. These are editorial opinions, not user ratings, and no vendor pays for placement - which is straightforward here, because OpenClaw is a community open-source project with no commercial vendor behind it.

Overall
Novel, powerful, but security-heavy and technical
8.0
Capabilities
Real tool use: shell, browser, files, email, calendar
9.0
Pricing
Free and open source; pay only your LLM
9.5
Ease of use
Self-hosting and configuration assume real skill
6.2
Security posture
Broad permissions; injection risk is your responsibility
6.0
Model flexibility
Model-agnostic; bring any major LLM or a local one
9.3

Scores are the editorial opinion of the AI Agent Square team based on documented capabilities. They are not aggregated user ratings, and no star ratings or third-party review scores are represented on this page.

What OpenClaw is and how it works

At its core, OpenClaw is an autonomous agent runtime that you install on your own computer and connect to a large language model. What sets it apart from most personal AI assistants is the interface layer. Rather than asking you to learn a new app, it plugs into the chat platforms you already use every day. You add the assistant as a contact, a bot, or a channel in something like WhatsApp or Telegram, and from then on you simply message it. That message-first design means the assistant is always a text away from wherever you are - on your phone, on a laptop, inside a team Slack - without any additional software to open.

Behind that friendly chat surface sits a genuine tool-using agent. When you ask OpenClaw to do something, it interprets the request with the LLM you have configured and then reaches for the tools it needs on your machine. It can run shell commands, so it can operate the operating system directly. It can control a web browser, so it can look things up, fill forms, or drive web apps. It can read and write files, so it can find a document, edit it, or produce a new one. It can manage your calendar and send emails. In other words, a single text message can translate into concrete work happening on your own device rather than a canned chat reply.

Because it runs locally, OpenClaw keeps its configuration and its interaction history on your machine. That local persistence is important to how it behaves: the assistant can remember context, preferences, and past exchanges, which lets it act in a more adaptive, personalized way over time rather than starting cold on every request. The trade-off, which we return to below, is that the same local footprint - broad access to your files, your shell, your accounts - is exactly what makes securing the deployment so important.

Messaging-first interface

The messaging-first approach is the feature buyers react to first, and for good reason. Most agent products expect you to come to them; OpenClaw comes to you inside the tools you already live in. Practically, this means you can fire off a task while walking - "check whether the deploy finished and text me the log tail" - and get the result back in the same thread. It also means the assistant inherits the ubiquity and notifications of mature chat apps, which no bespoke agent UI can match. The caveat is that a messaging channel is also an inbound path from the outside world, which is central to the security discussion later.

Local execution

Everything OpenClaw does happens on hardware you own. There is no vendor cloud brokering your files or holding your history - the agent, its config, and its logs sit on your device. For privacy-conscious users this is a major draw: your data does not transit a third party's servers except, if you choose a hosted model, the specific requests you send to your chosen LLM. Local execution is also what gives OpenClaw its reach into the shell, the filesystem, and your local apps, since it is running as a process on your own machine with your own permissions.

The skills system

OpenClaw extends its abilities through a "skills" system. A skill is a directory that contains a SKILL.md file holding metadata plus instructions that tell the assistant how to use a particular tool or accomplish a particular task. Skills can be bundled with the project out of the box, installed globally so they are available everywhere, or stored per workspace for project-specific behavior - and when both exist, workspace skills take precedence over global ones. This layered model makes the assistant's capabilities modular and portable: you can share a skill as a small folder, keep sensitive or bespoke skills scoped to a single workspace, and override defaults where a project needs different behavior.

Bring your own LLM

OpenClaw does not ship its own model. It is model-agnostic and integrates with external LLMs such as Anthropic Claude, OpenAI GPT models, and DeepSeek, with you supplying the API key. You can also point it at a locally hosted model, which keeps both cost and data entirely on your own machine. This BYO-model design means you choose the intelligence-to-cost trade-off that suits each task, and you are never locked to one vendor's roadmap or pricing - when a better or cheaper model appears, you switch to it by changing a setting.

A note on the name: Warelay to Moltbot to OpenClaw

OpenClaw has had three names in under a year, and it is worth stating the history plainly because buyers searching for it will run into all of them. The project was created by developer Peter Steinberger and first published in November 2025 under the name Warelay. On January 27, 2026 it was renamed to Moltbot following a trademark complaint from Anthropic. A few days after that, it was renamed again to OpenClaw, the name it carries today.

None of this reflects a change in what the software does; it is the same project throughout, and the renames were a response to a naming dispute rather than a pivot in direction or ownership. We note it neutrally so that anyone encountering older documentation, forum threads, or repository references under "Warelay" or "Moltbot" understands they are looking at earlier names for OpenClaw. If you are evaluating the project, treat coverage under any of the three names as describing the same tool, while checking that capability details you rely on are current, since an actively developed project changes between releases.

OpenClaw pricing

OpenClaw is free and open source. There is no subscription, no seat fee, and no paid tier for the software itself - you download it and run it on your own hardware at no charge. Because it is model-agnostic, the only cost that can arise is your chosen LLM's usage: you bring your own API key, so you pay whatever your model provider charges for the requests OpenClaw makes on your behalf. Choose a local model instead of a hosted one and that cost drops to zero, since the model runs on your own machine. Beyond your chosen LLM provider, there is nothing to pay.

Your LLM API
BYO key
You pay your model provider
  • Connect Claude, GPT, or DeepSeek
  • Pay only your chosen provider
  • Scale the model to the task
  • No markup added by OpenClaw
Local model
$0
API cost with a local model
  • Run a model on your own hardware
  • No per-request API charges
  • Keeps data on your machine
  • Needs capable local hardware

We do not quote a specific dollar figure for API usage because it depends entirely on which model you choose and how heavily you use the assistant. The rule to remember is simple: the software is free, and you pay only your chosen LLM provider - or nothing, with a local model.

Strengths and limitations

Strengths

  • Free and open source - no subscription or lock-in
  • Reachable from the messaging apps you already use
  • Real tool use: shell, browser, files, calendar, email
  • Runs locally; data and history stay on your machine
  • Model-agnostic - bring Claude, GPT, DeepSeek, or a local model
  • Local model option means zero API cost and full privacy
  • Modular, portable skills via SKILL.md directories
  • Persistent local history enables adaptive behavior

Limitations

  • Broad local permissions make it a serious security surface
  • Inbound messages expose it to prompt-injection risk
  • Self-hosting and securing the deployment are on you
  • Assumes real technical skill to install and configure
  • No vendor SLA, support contract, or enterprise controls
  • Not suited to non-technical users or regulated environments
  • Fast-moving project with a short, thrice-renamed history

Detailed feature review

OpenClaw packs a lot into a self-hosted package. Below are the capabilities that define it, why each matters, and the practical caveats a careful buyer should weigh.

Multi-channel messaging interface

OpenClaw's signature. Rather than a bespoke app, it meets you inside the chat platforms you already use, connecting to many channels including WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, Matrix, IRC, LINE, WeChat, and a built-in WebChat, among others. This breadth means the assistant is reachable from your phone, your desktop, or a team channel with no new interface to learn, and it inherits the notifications and reliability of mature messaging apps. The flip side is that each connected channel is also an inbound path an attacker could use to reach the agent, which is why channel choice and access control matter.

Local tool execution

Triggered by a plain text message, OpenClaw can run shell commands, control a web browser, read and write files, manage your calendar, and send emails - all on your own machine. This is what elevates it from a chatbot to an agent: a request becomes concrete action rather than a suggestion. It is also the source of its risk, since the same tools that let it get real work done let it do real damage if it is misdirected or manipulated. The capability is genuinely powerful; it demands to be paired with genuine caution.

Skills and SKILL.md

Capabilities are extended through skills - directories containing a SKILL.md file with metadata and instructions for using a given tool or performing a task. Skills can be bundled, installed globally, or scoped per workspace, with workspace skills taking precedence over global ones. This makes the assistant's behavior modular, shareable as small folders, and overridable where a project needs something specific. It also means you should treat third-party skills the way you treat any code you run: review before installing, since a skill defines what the agent will do.

Model-agnostic architecture

OpenClaw brings no model of its own. It integrates with external LLMs such as Anthropic Claude, OpenAI GPT models, and DeepSeek on a bring-your-own-key basis, and it can also drive a locally hosted model. You pick the intelligence-to-cost trade-off per your needs and switch models by changing a setting rather than migrating tools. This hedges against vendor lock-in and lets you adopt a better or cheaper model the day it ships, which is a meaningful long-term advantage in a fast-moving field.

Local persistence and adaptive behavior

Because it runs locally, OpenClaw stores its configuration and interaction history on your device. That persistence lets the assistant retain context and preferences across sessions, so it behaves in a more adaptive, personalized way over time instead of resetting on every request. For a personal assistant this continuity is valuable - it is the difference between a tool that remembers how you work and one you must re-brief constantly. The corresponding responsibility is that this stored history is sensitive data on your machine that you must protect.

Security and privacy considerations

This is the section that matters most, and no honest OpenClaw review can treat it as a footnote. OpenClaw is designed to run shell commands, control a browser, and access your files, email, and calendar - and it is driven by messages that arrive from the outside. That is an extraordinary amount of capability to hand to an autonomous agent, and it changes the risk profile fundamentally compared with a passive chatbot. Anyone considering OpenClaw should decide, before installing it, that they understand and can contain these risks.

Broad local permissions

OpenClaw runs as a process on your machine with access to a shell, your filesystem, a browser, and your communication accounts. If the agent does something destructive - deletes files, sends the wrong email, runs a harmful command - the blast radius is your actual computer and accounts, not a sandboxed cloud tenant. The right mitigation is to run it with the least privilege it needs: a dedicated user account, a constrained or containerized environment, scoped credentials rather than your primary logins, and no access to anything it does not require. Treat the breadth of its permissions as something to actively narrow, not a convenience to accept wholesale.

Prompt injection through messages

Because OpenClaw acts on the content of inbound messages, those messages are an attack surface. Prompt injection - where text crafted by an attacker manipulates the model into taking unintended actions - is a live, unsolved problem for tool-using agents in general, and it is acute here because the agent can execute commands and touch your data. Content the assistant reads while doing a task - a web page it browses, an email it processes, a file it opens - can also carry injected instructions. The practical implications are to be careful which channels can reach the agent and who can message it, to be cautious about pointing it at untrusted content, and to assume that any path by which text reaches the model is a path by which someone could try to steer it.

The responsibility of self-hosting

Self-hosting is a double-edged benefit. It gives you full control and keeps your data off a vendor's servers, which is a real privacy win. It also means every security responsibility is yours: keeping the software and its dependencies patched, securing the host, managing secrets and API keys, controlling who can message the assistant, and monitoring what it does. There is no vendor security team, no managed patching, and no support line if something goes wrong. That ownership is empowering for people equipped to handle it and a liability for people who are not.

Who should not run OpenClaw

Bluntly: if you cannot confidently secure a self-hosted service, isolate its permissions, and reason about prompt-injection risk, OpenClaw is not for you yet. Non-technical users should not point an agent with shell and file access at their primary machine and accounts. Organizations in regulated or compliance-bound settings - where data handling, auditability, and vendor accountability are requirements - should not deploy a self-hosted, community-maintained agent with this permission profile without serious, dedicated security review. None of this is a knock on the project's ambition; it is the reality of the power it wields, and taking that reality seriously is the price of using it responsibly.

Integrations

OpenClaw integrates on two axes: the messaging channels you reach it through, and the LLMs that power it. Both are broad, which is a large part of its appeal.

Messaging channels

WhatsAppTelegramSlackDiscordGoogle ChatSignaliMessageMicrosoft TeamsMatrixIRCLINEWeChatWebChat

Language models

Anthropic ClaudeOpenAI GPTDeepSeekLocal models (BYO)

Channel and model support reflect the project's documentation as of July 2026; an actively developed project may add or change integrations between releases.

Top use cases

01

Text-driven task automation

Firing off a request from your phone - run a script, tail a log, kick off a routine - and getting the result back in the same chat thread, without opening a laptop or a dashboard.

02

Personal file and document handling

Asking the assistant to find, edit, summarize, or generate files on your own machine, with the work happening locally rather than in a third-party cloud.

03

Calendar and email assistance

Managing your calendar and drafting or sending email from a chat message, so scheduling and correspondence happen without switching apps.

04

Browser-driven lookups and web tasks

Having the agent control a browser to research, fill a form, or operate a web app on your behalf, then report back in your messaging channel.

05

Privacy-first local AI

Running everything - including a local model - on your own hardware for cost-sensitive or privacy-sensitive work, keeping data off external servers.

06

Building and sharing custom skills

Extending the assistant with SKILL.md-based skills scoped to a workspace or shared globally, tailoring its behavior to your own tools and workflows.

Who it's for - and who should skip it

OpenClaw is a strong fit for developers, tinkerers, and technically capable, security-aware individuals who want a genuinely powerful personal agent they fully control. If you are comfortable self-hosting a service, scoping its permissions, managing API keys, and reasoning about prompt-injection risk, OpenClaw offers a level of capability, privacy, and model freedom that hosted assistants rarely match - and it costs nothing but your chosen LLM's usage. The messaging-first interface is a genuine convenience for people who want their assistant a text away wherever they are.

You should skip it if you are not equipped to secure a self-hosted agent with broad local permissions. Non-technical users are far better served by a managed, sandboxed assistant that cannot run arbitrary commands on their primary machine. Enterprises in regulated or compliance-bound settings that need auditability, vendor accountability, and formal support should not deploy a community-maintained, self-hosted agent of this permission profile without dedicated security review - and most will want a governed commercial product instead. Knowing which of these you are is the whole decision.

Alternatives to OpenClaw

OpenClaw sits in a fast-growing field of general and autonomous AI assistants. If you are scoping options - especially if the self-hosting and security requirements above give you pause - these are the comparisons worth running. See the full general AI assistants category for the wider landscape, and our Manus AI vs Devin comparison for two leading autonomous agents head to head.

Manus AI

Autonomous general-purpose AI agent that plans and executes multi-step tasks - a managed alternative to a self-hosted agent.

Read review →
8.4

OpenAI Operator

OpenAI's agent that browses and acts on the web on your behalf, run in a vendor-managed environment rather than on your own machine.

Read review →
8.2

Getting started with OpenClaw

Onboarding is straightforward for anyone comfortable running a self-hosted service, and demanding for anyone who is not. The path has three broad steps. First, self-host the software: install OpenClaw on the device you intend to run it on - Windows, macOS, or Linux - ideally in a constrained environment with least-privilege access rather than as your primary user. Second, add your model API key: because OpenClaw is model-agnostic, you connect the LLM you want it to use, supplying your own key for Claude, GPT, or DeepSeek, or configuring a local model to keep costs and data on your machine. Third, connect a channel: link the messaging app you want to talk to it through - one of WhatsApp, Telegram, Slack, Signal, and the rest - and you can start messaging the assistant.

Two habits are worth building from the first day. One is to decide deliberately what the agent is allowed to touch - which directories, which accounts, which credentials - and to scope it tightly rather than granting broad access for convenience. The other is to control who and what can message it, since every connected channel is an inbound path to a tool-using agent. Getting those two decisions right up front is the difference between a powerful assistant you can trust and an open door on your own machine. For full setup details, the project's official documentation is the authoritative source, and it should be read before you connect anything sensitive.

Verdict

8.0

OpenClaw is one of the most genuinely interesting personal-agent projects of 2026: free, open source, model-agnostic, and reachable from the messaging apps you already use, with real tool-using power running locally on hardware you control. For capable, security-aware technical users, that combination is hard to find anywhere else, and the price is nothing beyond your chosen model. But the verdict comes with a firm condition. The same permissions that make it powerful - shell, browser, files, email, calendar, driven by inbound messages - make it a serious security surface that you alone are responsible for containing. Run it if you can secure it, scope it, and reason about prompt injection. If you cannot, choose a managed, sandboxed assistant instead. Judged on capability and value it scores high; judged on who can safely deploy it, it is deliberately narrow.

Frequently Asked Questions

Is OpenClaw free?

Yes. OpenClaw is free and open source. There is no subscription, seat fee, or paid tier for the software itself. Because it is model-agnostic, you bring your own LLM API key, so your only cost is your chosen model provider's usage - or $0 if you run a local model on your own hardware.

Which messaging apps does OpenClaw work with?

OpenClaw connects to many messaging channels, including WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, Matrix, IRC, LINE, WeChat, and a built-in WebChat, among others. You chat with the assistant in the app you already use instead of a separate dashboard.

What can OpenClaw actually do?

Triggered by a text message, OpenClaw can run shell commands, control a web browser, read and write files, manage your calendar, and send emails. It runs locally on your device, and its configuration and interaction history are stored locally so its behavior stays persistent and adaptive over time.

What is the OpenClaw skills system?

Skills are directories containing a SKILL.md file with metadata and instructions that tell the assistant how to use a particular tool or perform a task. Skills can be bundled with the project, installed globally, or stored per workspace, and workspace-level skills take precedence over global ones.

Which LLMs does OpenClaw support?

OpenClaw is model-agnostic. It integrates with external LLMs such as Anthropic Claude, OpenAI GPT models, and DeepSeek, and you supply your own API key. You can also point it at a locally hosted model to keep costs at zero and data on your own machine.

Was OpenClaw previously called something else?

Yes. The project was created by developer Peter Steinberger and first published in November 2025 as Warelay. It was renamed to Moltbot on January 27, 2026 following a trademark complaint from Anthropic, and then renamed again to OpenClaw a few days later. The underlying project is the same.

Is OpenClaw safe to run?

OpenClaw is powerful but carries real risk because it can run shell commands, control a browser, and access files, email, and calendar on your machine. Messages it processes are an attack surface for prompt injection, and self-hosting makes securing the deployment your responsibility. It is best suited to technically capable users who understand and can contain those permissions.

Get the best of open-source AI agents

Get our weekly roundup of the best AI agents, new reviews, and buyer guides - straight to your inbox.