Sr. Content Developer at Microsoft, working remotely in PA, TechBash conference organizer, former Microsoft MVP, Husband, Dad and Geek.

A roadmap for safer generative AI for young people

Adapted remarks from Google VP Christy Abizaid’s keynote at the "Growing Up in the Digital Age" Summit at Google Dublin.
alvinashcraft
8 minutes ago
Pennsylvania, USA

What OpenClaw Reveals About the Next Phase of AI Agents


In November 2025, Austrian developer Peter Steinberger published a weekend project called Clawdbot. You could text it on Telegram or WhatsApp, and it would do things for you: manage your calendar, triage your email, run scripts, and even browse the web. By late January 2026, it had exploded. It gained 25,000 GitHub stars in a single day and surpassed React’s star count within two months, a milestone that took React over a decade. By mid-February, Steinberger had joined OpenAI, and the project moved to an open-source foundation under its final name: OpenClaw.

What was so special about OpenClaw? Why did this one take off when so many agent projects before it didn’t?

Autonomous AI isn’t new

Where we are today feels similar to April 2023, when AutoGPT hit the scene. It had the same GitHub trajectory with its promise of autonomous AI. Reality hit quickly: agents got stuck in loops, hallucinated a lot, and racked up token costs. People soon walked away.

OpenClaw has one critical advantage: the models have gotten better. Recent LLMs like Claude Opus 4.6 and GPT-5.4 can chain tools together, recover from errors, and plan multi-step strategies. Steinberger’s weekend project benefited from timing as much as design.

The architecture is intentionally simple. There are no vector databases and no multi-agent orchestration frameworks. Persistent memory is Markdown files on disk. Let me repeat that: persistent memory is Markdown files on disk! The agent can read yesterday’s notes and search its own files for additional context. You can view and edit the agent’s files as needed. There’s a useful lesson in that: not every agent system needs a complex memory strategy. It’s more important that you understand what the agent is doing and that it retains context across runs.

What fascinates me about OpenClaw is that none of the individual pieces are new. Persistent memory across sessions? We’ve been building that for years. Cron jobs to trigger agent actions on a schedule? Decades-old infrastructure. Plugin systems for extensibility? A very standard pattern. Webhooks into WhatsApp and Telegram? There are well-documented APIs for that. What Steinberger did was wire them together at the exact moment the underlying models could execute on multi-step plans. The combination created something that felt quite different from anything that had come before!

Why this time feels different

OpenClaw nailed three things that previous agent projects missed: proximity, creativity, and extensibility.

Proximity—it lives where you already are every day. OpenClaw connects to WhatsApp, Slack, Discord, Telegram, and Signal. That single design decision changed its trajectory. The agent becomes an active participant in your workflow. People use it to manage their sales pipeline, automate emails, and kick off code reviews from their phones.

Next, it’s proactive. OpenClaw doesn’t wait for you to ask; it uses cron jobs to run tasks on a set schedule. It can check your email every day at 6 AM, draft a reply before you wake up, and even send it for you! And it reaches out when anything needs your attention. Agents become part of everyday life when integrated into familiar channels.

And finally, my favorite, it’s open and extensible. OpenClaw’s plugin system, called “skills”, lets the community build and share modular extensions on ClawHub. There are thousands of skills ready to be plugged into your agent. Agents can even write their own new skills and use them going forward. That extensibility meant more skills, more users, and more attack surfaces, which we’ll get to.

The community ran with it. Moltbook, a social network exclusively for AI agents, launched in late January and grew to over 1.5 million agent accounts. One agent created a dating profile for its owner on MoltMatch and started screening matches without being asked.

I’ll admit, I got swept up in it, but that’s not surprising; I’ve always been an early adopter of emerging technology. I bought a Mac Mini, installed OpenClaw, and connected it to my JIRA, AWS, and GitHub accounts. In no time, I had my agent, Jarvis, writing code and submitting PRs, running my daily standups, and deploying my code to AWS using AWS CloudFormation and the AWS CLI.

I spent a lot of time binding the gateway to localhost, auditing every skill, and restricting file system permissions. For me, hardening the setup was not optional. I’m now deploying via AWS Lightsail, which adds network isolation and managed security layers that are hard to replicate on a Mac Mini in your home office.

The security problem no one wants to talk about

OpenClaw requires root-level access to your system by design. It needs your email credentials, API keys, calendar tokens, browser cookies, file system access, and terminal permissions. If you’re like me, that would keep you up at night.

Security researchers found 135,000 OpenClaw instances exposed on the open internet, with over 15,000 of them vulnerable to remote code execution. The default configuration binds the gateway to 0.0.0.0 with no authentication. A zero-click exploit disclosed in early March allowed attackers to hijack an instance simply by getting the user to visit a webpage.

The skills marketplace got hit, too. Researchers discovered over 800 malicious skills distributing malware on ClawHub, including credential stealers targeting macOS. Cisco confirmed that one third-party skill was performing data exfiltration and prompt injection without user awareness. These are not edge cases; they point directly to what happens when an agent can act across real systems with real permissions and weak controls.

What practitioners should take away

OpenClaw matters for the same reason ChatGPT mattered in late 2022. A huge number of people just experienced, for the first time, what it feels like to have an AI agent do real work for them. That changes what they expect from every product going forward.

If you’re building AI systems, pay attention to three signals here.

The killer interface for agents turned out to be the one on everyone’s phone. Your agent strategy shouldn’t require users to learn a new tool; that’s why most products are introducing agentic capabilities.

Control is the central design challenge. Prompt injection, credential exposure, and attacks through plugin marketplaces are real-world problems you need to solve before you ship features. Oversight has to be available at runtime. You need visibility into what your agents are accessing, what they’re doing, and how failures are handled. Permission boundaries, approval gates, audit logging, and recovery mechanisms are non-negotiable.

OpenClaw is a proof of market. It proved that people are ready to make AI personal. People want a personal AI agent that has access to their applications and can do things for them. That demand is now validated at scale. AutoGPT proved that people wanted autonomous AI; Perplexity and Cursor built businesses around that demand. The same pattern is likely playing out here. If you’re building in this space, the window is wide open.

The more interesting question now is what gets built next. The next phase of agent design will be shaped by how governable, observable, and safe agents are in real-world environments.
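
The permission boundaries, approval gates, and audit logging called for above can be placed in front of an agent's tool calls as a single gate. This is an added example, not OpenClaw's code or the author's; the tool names, the workspace path, and the `approver` callback are assumptions.

```python
import hashlib
import json
from pathlib import Path

# Constructed policy: tool names and the workspace path are assumptions.
WORKSPACE = Path("/srv/agent/workspace")
POLICY = {  # allowlist; any tool absent from it is denied
    "read_file": {"needs_approval": False},
    "send_email": {"needs_approval": True},
    "run_shell": {"needs_approval": True},
}

class AuditLog:
    """Append-only log; each record embeds the hash of the one before it."""
    def __init__(self):
        self.records, self.head = [], "0" * 64

    def append(self, event):
        body = json.dumps({"prev": self.head, **event}, sort_keys=True)
        self.head = hashlib.sha256(body.encode()).hexdigest()
        self.records.append((body, self.head))

    def verify(self):
        prev = "0" * 64
        for body, digest in self.records:
            ok = hashlib.sha256(body.encode()).hexdigest() == digest
            if not ok or json.loads(body)["prev"] != prev:
                return False
            prev = digest
        return True

def inside_workspace(path):
    # Resolve ".." and symlinks first so traversal cannot cross the boundary.
    return (WORKSPACE / path).resolve().is_relative_to(WORKSPACE.resolve())

def authorize(call, log, approver):
    """Decide one proposed tool call and record the decision and reason."""
    rule, args = POLICY.get(call["tool"]), call["args"]
    if rule is None:
        decision, reason = "deny", "tool not in allowlist"
    elif "path" in args and not inside_workspace(args["path"]):
        decision, reason = "deny", "path outside workspace"
    elif rule["needs_approval"] and not approver(call):
        decision, reason = "deny", "approval refused"
    else:
        decision, reason = "allow", "policy satisfied"
    log.append({"tool": call["tool"], "args": args,
                "decision": decision, "reason": reason})
    return decision
```

Denied calls are logged as well as allowed ones, and `verify()` fails if any stored record is altered after the fact. Redact secrets from `args` before logging in a real deployment.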

For a deeper dive into OpenClaw, join us on March 19 for AI Product Lab: OpenClaw Up and Running with Aman Khan and Tal Raviv. You’ll learn more about why OpenClaw is a viral sensation, how to get it up and running in a way you won’t regret, and how to use it to build and manage safe, agentic workflows.




Even the chip makers are making LLMs

Ryan welcomes Kari Briski, NVIDIA’s VP of Generative AI Software for Enterprise, to the show to explore how a chip manufacturer got into the model development game.

“EXE and MSI file signature mismatch” Warning and Solving

Digital signatures have grown in popularity and acceptance in the industry and are now required in some cases, such as with MSIX packages. This ensures that the software delivered is secure and trustworthy. [...]

MSIX Installer for Office: Microsoft giving up on the idea?

In 2018, Microsoft announced MSIX as the next big thing: a single installer that will replace MSI, EXE, and APP-V. [...]

How to Save Your Application Data in WPF Apps Using a Database

WPF, which stands for Windows Presentation Foundation, is a framework used for building client applications that run on Windows operating systems, was introduced as a part of .NET Framework 3.0. [...]