Fernside Studio
Background
Archive
Journal Entry

OpenClaw: What SMB Founders Need to Know About the Open-Source AI Agent

Documented
Capacity
12 MIN READ
Domain
AI & Automation

OpenClaw collected over 145,000 GitHub stars in a matter of weeks (as of February 2026). That’s more than React picked up in its first year. The open-source AI agent went from weekend project to global phenomenon faster than any developer tool in recent memory, attracting 2 million visitors in a single week and prompting both excitement and serious security concerns.

If you’re wondering whether your SMB should pay attention—or whether OpenClaw is just the latest overhyped AI toy—here’s what you actually need to know.

What OpenClaw Is (and What It Isn’t)

OpenClaw is an autonomous AI agent that runs locally on your machine—Mac, Windows, or Linux. Unlike chatbots that answer questions, OpenClaw performs tasks. It can read and write files, execute shell commands, browse the web, control your mouse and keyboard, and integrate with messaging platforms like WhatsApp, Telegram, Discord, Slack, Teams, Signal, iMessage, and Google Chat.

The project was created by Austrian developer Peter Steinberger as a weekend experiment in late 2025, originally named “WhatsApp Relay.” It was rebranded twice—first to “Moltbot” after Anthropic raised trademark concerns, then to OpenClaw on 29 January 2026. The name changes didn’t slow adoption. By early February 2026, the project had over 145,000 stars on GitHub and 20,000 forks at the time of writing, making it one of the most talked-about developer tools of the year.

OpenClaw is open source. Your data stays on your machine. You connect it to your choice of large language model—Claude, GPT, or open-source alternatives like DeepSeek—and the agent does the rest. It maintains persistent memory across sessions, learns your preferences, and can run scheduled tasks in the background using cron jobs.

What it isn’t: a hosted service, a polished enterprise product, or something you set up with a credit card and a web form. This is developer tooling for teams comfortable with the command line and willing to configure security properly.

How OpenClaw Works

OpenClaw runs as a persistent local process. You install it on your machine, configure it with API credentials for your chosen large language model, and connect it to one or more messaging platforms. From that point, you interact with the agent through chat—asking it to summarise documents, automate workflows, or control software on your behalf.

The agent uses function calling to invoke tools. When you ask it to check your calendar, it doesn’t just tell you what it thinks might be there. It calls the Google Calendar API, retrieves the data, and reports back. When you ask it to file a GitHub issue, it generates the API request, executes it, and confirms the issue number.

This is enabled by the Model Context Protocol (MCP)—a standardised way for AI agents to connect to external tools and services. Before MCP, each integration required custom code. With MCP, tools expose a standard interface, and the agent learns to use them.

At the time of writing, OpenClaw supports over 50 integrations via ClawHub, its community-built skill marketplace. Think of ClawHub as an app store for agent capabilities. Developers publish skills—pre-built connections to Spotify, Gmail, GitHub, Obsidian, smart home devices, and more. You install the skills you need, and the agent gains new abilities.

In early February 2026, OpenClaw integrated VirusTotal scanning into ClawHub to detect malicious skills before users install them. Every skill is hashed, checked against VirusTotal’s database, and flagged if suspicious. Skills marked benign are auto-approved. This was a direct response to security researchers who found it trivially easy to backdoor skills and exfiltrate data.

What OpenClaw Can Do

The range of tasks OpenClaw handles depends on which skills you install and which large language models you connect. Common use cases include:

  • Inbox management: Read, categorise, and respond to emails based on instructions. Archive newsletters, flag urgent messages, draft replies.
  • Document processing: Summarise meeting transcripts, extract data from PDFs, generate reports from raw notes.
  • Workflow automation: Connect disparate tools without writing integration code. Pull data from one system, transform it, and push it to another.
  • Scheduled tasks: Run background jobs on a schedule—daily reports, weekly summaries, monthly data exports.
  • Smart home control: SwitchBot launched the world’s first local home AI agent hub supporting OpenClaw in February 2026, allowing users to control lights, temperature, and security cameras via WhatsApp or Discord.
  • Development workflows: Open pull requests, run tests, deploy code, monitor logs—all via chat commands.

The agent maintains context across sessions. If you tell it you prefer Markdown formatting or always want emails archived after three days, it remembers. Over time, it learns patterns and suggests automations you haven’t explicitly configured.

The ClawHub Marketplace

ClawHub is to OpenClaw what an app store is to your phone. Community developers publish skills—reusable capabilities that extend what the agent can do. Over 50 integrations were available at the time of writing, covering productivity tools, communication platforms, developer utilities, and smart home devices.

Popular skills include:

  • Google Workspace: Calendar, Gmail, Drive access
  • Developer tools: GitHub, Docker, command-line interfaces
  • Communication: Slack, Notion, Linear
  • Data tools: Python pandas, SQL databases, visualisation libraries
  • Smart home: SwitchBot devices, Philips Hue, other IoT platforms

Skills are installed via the OpenClaw interface. You browse the marketplace, select what you need, and the agent downloads and configures the integration. If ClawHub doesn’t have what you need, OpenClaw can write custom skills or you can build them yourself and publish them for your team.

ClawHub’s Security Problem

The security model here is critical — and has already been exploited at scale. Skills run with the same permissions as the agent itself, which means a malicious skill can read your filesystem, steal API keys, or exfiltrate credentials.

This isn’t hypothetical. In the “ClawHavoc” campaign documented in early February 2026, researchers found 341 malicious skills across ClawHub’s marketplace — roughly 12% of all listed skills at the time. 335 of those delivered Atomic Stealer (AMOS), a macOS malware that harvests credentials, browser passwords, and cryptocurrency wallet data.

The attackers disguised malicious skills as legitimate tools — cryptocurrency trackers, YouTube utilities, Google Workspace integrations, and auto-updaters. One skill named “clawhub” achieved over 7,700 downloads before removal, with a renamed variant appearing the same day it was taken down. The low barrier to publishing (you only need a GitHub account older than one week) made this trivially easy to pull off.

What made these attacks particularly dangerous was the use of prompt injection — malicious instructions embedded within skill code that manipulate the AI agent’s behaviour. Palo Alto Networks described OpenClaw as a “lethal trifecta”: it has access to private data, it ingests untrusted content (skills), and it can communicate externally. This enables “time-shifted prompt injection” where a payload appears benign during installation but activates later when the agent’s context aligns with the attacker’s trigger conditions — a form of logic bomb that’s very difficult to detect through code review alone.

A separate Snyk analysis found that 7.1% of all ClawHub skills exposed sensitive credentials in plaintext — API keys, tokens, and secrets baked directly into the code.

VirusTotal scanning was added to ClawHub as a response, but it only catches known malware signatures. Novel prompt injection payloads and obfuscated scripts can still slip through. Treat every ClawHub skill as untrusted code until you’ve reviewed it yourself. Stick to skills from verified publishers with active maintenance, and audit the source before granting any skill access to your system.

Security Considerations You Can’t Ignore

OpenClaw’s viral success came with a sobering reality check. In early February 2026, security researchers found over 40,000 OpenClaw instances publicly exposed on the internet due to misconfiguration at the time of reporting. Of those, 63% were vulnerable to remote code execution attacks, allowing attackers to completely take over the host machine.

When an attacker compromises an OpenClaw instance, they gain access to everything the agent can access:

  • Credentials directory: API keys, OAuth tokens, service passwords
  • Filesystem: SSH keys, browser profiles, password manager databases
  • Messaging platforms: Ability to send messages on behalf of the victim via WhatsApp, Telegram, or Discord
  • Authenticated sessions: Browser sessions, crypto wallets, cloud storage accounts

The problem wasn’t a flaw in OpenClaw itself—it was deployment mistakes. Users exposed the control panel to the public internet without authentication. They ran the agent with root permissions. They installed untrusted skills without review.

How to Deploy OpenClaw Safely

If you’re considering OpenClaw for your business, follow these precautions:

  1. Run it behind a firewall: Never expose the OpenClaw control panel to the public internet. Access it via VPN or localhost only.
  2. Use least-privilege permissions: Run the agent with a dedicated user account that has minimal filesystem access. Don’t use root or administrator privileges.
  3. Audit skills before installation: Review the code for any ClawHub skill before you install it. Stick to skills from verified publishers with active maintenance.
  4. Separate API credentials: Use dedicated API keys for OpenClaw with scoped permissions. If an attacker compromises the agent, they shouldn’t gain access to your entire infrastructure.
  5. Monitor activity logs: OpenClaw logs every action. Review logs regularly for unexpected behaviour—file access, network requests, API calls you didn’t initiate.
  6. Keep it updated: Security patches ship frequently. Enable automatic updates or check for new versions weekly.

These precautions aren’t optional. OpenClaw is powerful because it has broad access. That same access becomes a liability the moment it’s misconfigured.

Should Your SMB Use OpenClaw?

OpenClaw isn’t for every business. It requires technical capability to deploy safely, ongoing maintenance to keep secure, and clear use cases to justify the effort. Here’s how to decide whether it fits your team.

When OpenClaw Makes Sense

  • You have technical staff: Someone on your team is comfortable with the command line, understands API authentication, and can configure network security properly.
  • You need cross-platform workflow automation: Your team uses disparate tools—Slack, GitHub, Google Workspace, Notion—and you want to automate workflows between them without paying for Zapier or building custom integrations.
  • You value data sovereignty: You want AI automation but don’t want your data processed through third-party APIs. OpenClaw runs locally, so your data stays on your machine.
  • You have repetitive, high-volume tasks: Inbox triage, document summarisation, scheduled reporting—tasks that consume hours each week but follow predictable patterns.

When OpenClaw Doesn’t Make Sense

  • You lack technical resources: If no one on your team can configure firewalls, manage SSH keys, or review skill source code, OpenClaw is too risky.
  • You need guaranteed uptime: OpenClaw is a local process. If your machine crashes, the agent stops. Hosted services like Zapier or n8n offer better reliability.
  • You require compliance certifications: OpenClaw doesn’t come with SOC 2 reports, GDPR documentation, or vendor security assessments. If you operate in a regulated industry, this is a blocker.
  • You want a turnkey solution: OpenClaw is developer tooling, not a polished product. Expect configuration, troubleshooting, and ongoing maintenance.

Alternative Approaches

If OpenClaw’s security model or technical requirements don’t fit, consider these alternatives:

  • Hosted AI agent platforms: Services like n8n, Make, or Zapier offer workflow automation with built-in security, compliance, and support. You sacrifice local data processing but gain reliability and ease of use.
  • Custom automation: For complex workflows with specific requirements, a bespoke solution built on APIs and lightweight scripts often outperforms general-purpose agents. This is where Fernside’s AI consultancy can help—we scope the workflow, identify the right tools, and build automation tailored to your processes.
  • Dedicated AI tools: If your need is narrow—customer support, document processing, data extraction—purpose-built tools like Intercom, Docsumo, or Parseur are more reliable than general agents.

Our Take

OpenClaw represents a meaningful shift in how AI agents work. The open-source model, local execution, and MCP integration make it genuinely different from hosted platforms. For teams with technical capability and clear use cases, it’s worth exploring.

But the security risks are real. The 40,000+ exposed instances reported in early 2026 aren’t an edge case—they’re evidence that OpenClaw’s power outpaces many users’ ability to deploy it safely. If you lack the technical depth to configure it properly, the risk outweighs the benefit.

At Fernside Studio, we help SMB teams evaluate whether OpenClaw or alternative automation approaches fit their needs. We can scope your workflows, identify the right tooling, and either deploy OpenClaw securely or build custom automation that sidesteps the complexity entirely.

If you’re considering OpenClaw for your business, talk to us first. We’ll assess whether it’s the right tool, help you deploy it safely if it is, or recommend alternatives if it isn’t. No hype, no overselling—just clear advice based on your actual requirements.

Sources

Say hello

Quick intro