OpenClaw
Open-source personal AI agent that lives in your chat apps. MIT, 373k stars, currently the most-starred project on GitHub.
It's the AI you text on WhatsApp instead of opening another app.
Strip it to one line: "text my assistant" replaces "open the app." Memory, calendar, email, web, shell — those are what any executive assistant does. The trick isn't the skills, it's the interface: no app, no login, no new icon on your home screen. Just another contact in your phone you happen to text more than the human ones. The 🦞 "lobster way" branding is cute; the pitch underneath is "we removed the app."
Easier translation for a non-tech person: "It's like hiring a remote personal assistant — except it's software, it lives on your laptop, and you contact it through WhatsApp like you would any human assistant." That sentence sells it without saying "AI" once.
MIT-licensed local-first agent runtime that bridges chat apps (WhatsApp, Telegram, Discord, Signal, iMessage, Slack, Teams, +15 more) to a "Gateway" daemon on your machine, which then talks to whatever LLM provider you bring a key for. 373k stars; passed React; most-starred project on GitHub as of mid-2026. Created by Peter Steinberger (PSPDFKit founder), hired by OpenAI in Feb 2026. Project now community-maintained with corporate sponsors (OpenAI, GitHub, NVIDIA, Vercel). Default first-class provider has shifted from Claude to the native OpenAI Codex app-server runtime as of May 14, 2026; Claude Opus 4.7 is fully supported with 1M context default but no longer the primary path.
The verdict for Pantheon: reverse-engineer the architecture, roll our own as the consumer surface of Pantheon. The chat-app routing is the killer wedge — every messaging platform on earth becomes our install base, no app-store fight. Pantheon today is substrate without a consumer product; openclaw is consumer product without a substrate (calls 3rd-party LLMs). Building our own version fills both gaps simultaneously.
The Four Lenses
The most-cited 1% pattern in the openclaw community: two-machine split, phone is the surface, desktop is the substrate. @nateliason: "Separate Claude subscription + Claw, managing Claude Code sessions" (source). @php100: "Autonomous Claude Code loops from my phone. 'fix tests' via Telegram" (source). @conradsagewiz: "I'm literally on my phone in a telegram chat and it's communicating with codex cli" (source).
For metal-console specifically, this is a 1-day install with real value: npm install -g openclaw@latest on a Mac/Linux dev box, point it at Telegram, write a skill that calls into the Be tilde commands. Now Joey can text ~monitor kastil-systems from his phone and get a status report back. ~b a board item while walking the dog. Trigger ~ship from the car.
Costs: one machine running the Gateway 24/7 (or Cloudflare-tunneled from a Pi, per @AlbertMoral); the security discipline below (anti-patterns section — this is non-trivial); an LLM API key for the Gateway's own thinking (we already have one).
Caveat for short-term integration: the project just survived a "rough week" of degraded releases in April 2026 and is moving to an LTS track that hasn't shipped yet (source). Pin a known-good version (2026.5.14-beta.2 is reportedly stable per the npm release notes) and treat every upgrade as a deliberate, tested decision rather than a reflexive npm update.
Nothing in metal-console or Pantheon today is in openclaw's seat. metal-console is a developer-side discipline; openclaw is a consumer-side runtime. Different layer, different audience.
The interesting reframe: openclaw's architecture replaces a hypothetical Pantheon mobile app we haven't built yet. The conventional path for "Pantheon needs a consumer surface" is: design a mobile app, ship to App Store + Play Store, fight for install attribution, ship updates through review processes, ask users to download yet another icon. The openclaw architecture skips all of that — every chat app on earth becomes the install base. That's the replacement worth naming.
This is the headline verdict. The combination is rare:
- MIT license — we can read, copy, adapt the architecture without legal friction.
- 50,578 commits of battle-tested code — chat-app integration is integration hell (WhatsApp Business API tiers, Telegram Bot API, Signal's own protocol with no official bot API, iMessage shenanigans, Matrix federation, +15 more); they've eaten the hard part.
- 4 months of proven product-market fit — the 1% patterns, the use cases, the anti-patterns are all discovered, not theoretical.
- Published security postmortems — their CVEs (CVE-2026-25253 / 25157 / 24763) and the "rough week" retros tell us where the architecture's load-bearing walls are.
- Public skill marketplace as a labeled hazard — Koi Security found 341 malicious skills out of 2,857 audited on ClawHub (source). The Pantheon version doesn't repeat that mistake; we ship a curated skill set, not an open marketplace.
Reverse-engineering is mostly architectural. The valuable patterns to extract:
- The Gateway daemon model — one local process holds memory, sessions, tool permissions, channel adapters. Clean separation from the LLM provider.
- The channel-adapter pattern — pluggable surface per chat platform with a common message envelope. Don't reinvent it; copy the shape.
- The SKILL.md + supporting files contract for skills. Convergent with Anthropic's Skills 2.0; we can run both.
- The per-channel allowFrom / groupAllowFrom allowlist for access control. Lifted directly.
- The two-machine split philosophy — not a code thing, a deployment doctrine. Bake into our docs.
Path A (this week, low risk): install openclaw as-is on a dev box; wire Telegram; write a be-bridge skill that dispatches Joey's tilde commands. Joey now has a mobile remote for metal-console. No Pantheon brand, no integration into kastilsystems.com — just a personal productivity tool. Throwaway-safe.
Path B (months, strategic): reverse-engineer the architecture into a Pantheon-native sibling, branded under the kastilsystems umbrella. See the Pantheon Extension Proposal below.
Both paths can run in parallel. Path A teaches us what works in Joey's hands daily; Path B builds the long-term consumer surface using those lessons.
The Pantheon Extension Proposal
The shell from them, the soul from us.
Pantheon today is a substrate: NOUS (planned brain), IDS (intelligent data set), biRT (one-binary runtime), the Last Platform, the Last System, Full Metal. All pieces of infrastructure or methodology. No consumer surface. The kastilsystems.com home portfolio names 9 properties; not one of them is a thing a non-developer can use today.
openclaw proves a consumer surface that works: 373k stars, 180k active users, every chat app on earth as the install base, no app-store fight. Building this from scratch would take a small team a year. Reverse-engineering it, swapping the substrate to Pantheon-native pieces, and shipping under our brand is a months-long project, not years.
The layer-by-layer swap:
Scope discipline for v1
- Pick 3 channels, not 23. Telegram + Signal + iMessage. Telegram for the dev community, Signal for the privacy-conscious, iMessage for the mainstream US consumer. Add WhatsApp + Discord in v2.
- Pick 5 skills, not 60,000. Inbox, calendar, web research, file operations, the bridge to metal-console. Everything else is v2+.
- Don't fork. Studying their codebase under MIT ≠ inheriting their 3.4k open PRs and 3.5k open issues. Clean-room implement with their architecture as reference.
- Claude in slot one, NOUS swap deferred. NOUS doesn't exist at production grade. Building this on a dependency that doesn't ship is a non-starter.
- One naming candidate to surface for the design pass: "Pantheon Touch" — the surface you touch the Pantheon through. Or "NOUS Touch" once NOUS is in. Or, sticking to the family-strip naming pattern: the-pantheon-line.com. Naming is a ~design question; the candidates above are first-draft.
Why now: openclaw's founder went to OpenAI. The project is community-maintained but the founder's center of gravity has moved. Native OpenAI Codex app-server is now the default first-class provider. There's a window where the Claude-aligned / privacy-aligned / "you own you" positioning is open and they're not aimed at it. We are.
Top use cases (from research)
| # | Use case | Why it wins |
|---|---|---|
| 1 | Personal chief-of-staff over WhatsApp / Telegram. Morning briefing (weather + calendar + news + email + tasks) delivered at 7am. | Chat-app surface beats every dashboard UI. Local memory survives across sessions. |
| 2 | Phone-driven remote control of Claude Code / Codex sessions. | The dominant 1% pattern. Most directly relevant to metal-console operators. |
| 3 | Multi-agent "agent fleet" personal-OS setups. @jdrhyne runs 15+ agents across multiple machines. | One chat thread orchestrates many specialized workers. |
| 4 | Voice-driven production-incident response. @georgedagg_ fixed a Railway deployment while walking. | Phone + voice = ops console without opening a laptop. |
| 5 | Negotiation / commerce automation. @astuyve saved $4,200 on a car negotiation across multiple dealers. | Long-running outreach the human doesn't want to babysit. |
| 6 | Smart-home / hardware orchestration. Garmin + SSH homelab + air purifier autonomous control. | The agent discovers device controls; user doesn't write integrations. |
| 7 | Site migration from a phone. @davekiss migrated 18 Notion posts to Astro + moved DNS from mobile. | Mechanical work delegable; review is on-screen. |
| 8 | Solo-founder business glue. @therno: "It's running my company." | One chat reaches Gmail, GitHub, calendar, 1Password, deployment. |
Top 1% patterns
Two-machine split: phone surface, desktop substrate
Run the Gateway on a desktop (or Pi + Cloudflare tunnel). Phone is purely a Telegram/WhatsApp client. The phone never runs the agent. @AlbertMoral source
OpenClaw as orchestrator, Claude Code / Codex as workers
@nateliason wires a "Go" workflow that triggers parallel Codex agents for feature development. OpenClaw is the dispatcher; Claude Code / Codex / Conductor are the workers. This is the pattern most directly portable to metal-console.
Self-improving agent skill installed by default
The single most-downloaded ClawHub skill (~419k downloads). Writes errors, learnings, corrections into persistent memory so the agent doesn't repeat mistakes. Pattern equivalent: Be's ~wtf + CLAUDE.md compounding.
Skill-Vetter chain before every install
Run the "Skill Vetter" skill on every new third-party skill before install. Audits permissions, flags scope creep. The safety pattern that lets power users adopt new skills aggressively without paying the supply-chain tax. source
Two Claws collaborating in a shared chat group
Two users have their OpenClaw instances jointly participating in a shared WhatsApp group. The multi-agent emergent behavior that people are now starting to design deliberately.
Long-context Claude as thinker, smaller models as workers
Opus 4.7's 1M context is the default for that model in OpenClaw. Power users route research/synthesis to Claude and route shell/file/cron work to cheaper local models (MiniMax 2.5 is the favored local).
Voice + TTS round-trip for hands-free workflows
@mirthtime: "My @openclaw just called my phone and spoke to me with an aussie accent." Eleven Labs Agent skill is the go-to for production-grade voice.
Lessons from their commit history (the cheat code)
Section added 2026-05-18 from a mining pass over the repo (commits, GHSA advisories, open issues, 9 release notes spanning v2026.5.3 → v2026.5.16-beta.4) and the 5 published postmortems on openclaw.ai/blog. Every claim cites a commit SHA, PR number, issue number, or post URL. The goal: concrete mistakes their record proves we don't have to repeat.
The single most valuable artifact in their history is commit f91de52f — the SQLite mega-refactor — shipped and reverted within hours on 2026-05-13 (revert: 694ca50e). It's the architectural Rosetta stone. The destination state OpenClaw wants but cannot reach without a multi-year migration: SQLite for everything that isn't content, no flat-file config, no filesystem locator-by-path, sandbox VFS even for subagent attachments.
Every revert in their history is downstream of one root cause: two states-of-truth, racing each other (filesystem + memory, npm + ClawHub, bundled + plugin, resume-token + transcript-file). The implication for our Pantheon-native build is clean: we can be at OpenClaw's destination on day one because we don't have to migrate from anything. Pick one state-of-truth substrate per concern. SQLite for everything that isn't strictly content. Content (markdown, media) in content-addressable storage. No flat-file config. No locator-by-path. Everything is locator-by-id from r1.
The top 10 lessons
| # | Lesson | Evidence in their record | What we do differently the first time |
|---|---|---|---|
| 01 | Don't ship a half-split. Bundle-vs-plugin mid-migration is the worst place to be. | "Rough Week" postmortem; v2026.5.12 release notes finally externalize WhatsApp, Slack, Bedrock, Vertex, OpenShell cones. | Pick a side at v0: everything is a plugin or everything is bundled. Never two install paths live at the same time. Migration is a one-shot cut, not a multi-month half-state. |
| 02 | Don't trigger an install side-effect from a UI selection. | PR #78799 ("Install Codex plugin on OpenAI model selection") reverted hours later in PR #78878 (commit 3a901b5e, 2026-05-07). | Model selection is metadata; installation is an action. They must never be the same gesture. Explicit plugins install <spec> with the doctor reporting missing deps via catalog-backed install hints. |
| 03 | Marketplace trust is a hook, not a release-blocker. | PR #81307 ("Check ClawHub trust before plugin installs") reverted 3 days later in PR #81363 (commit 6c92324c, 2026-05-13). Trust signal lookup blocked installs that should have succeeded. | Scanning verdict is ONE signal in a multi-signal install decision, never a binary wedge. Ship a --bypass-trust operator flag with audit log from day one. UI for trust status only after the signal is reliable for ≥30 days. |
| 04 | SQLite-everywhere is right; mega-PR is wrong. | Commit f91de52f (100-step megacommit) reverted within hours by 694ca50e (2026-05-13). Two days later, "Where OpenClaw Security Is Heading" still lists SQLite as the destination. | Land at the destination on day one. No flat-file state to migrate from. If we inherit any, ship one subsystem per release with a doctor migrator that fails closed on partial state — never a 100-commit atomic flip. |
| 05 | 20+ GHSAs in 72 hours means your security process broke. | Apr 21–24, 2026: 20+ advisories published (GHSA-r39h-4c2p-3jxp arbitrary code execution; GHSA-r6xh-pqhr-v4xh MCP loopback owner-context bug; GHSA-wppj-c6mr-83jj OpenShell FS bridge; +17 more). Response: SECURITY.md + GHSA → OpenGrep detector-rule pipeline (PR #69483, commit 6de9d71b, 2026-04-30). | Day-zero: write SECURITY.md before the 2nd contributor. Every fixed vuln becomes a regression rule (Semgrep / OpenGrep / CodeQL). Build a triage harness for slop reports (curl saw an 87% false-positive rate). |
| 06 | Auto-restore of invalid config is a footgun. | v2026.5.3: "stop Gateway startup and hot reload from auto-restoring invalid config; invalid config now fails closed and openclaw doctor --fix owns last-known-good repair." | Fail closed on bad config from day one. Recovery is an explicit operator action (doctor --fix), never magic. |
| 07 | Don't roll your own bind / path policy. | Multi-revert area: commit 8db20c19 ("sandbox: block sensitive external bind sources") reverted in 14a779ee (PR #59016, 2026-04-01). "fix(gateway): bound silent local pairing scopes" reverted in 1703bdca (2026-04-05). Final form: centralized fs-safe library. | Centralized fs-safe-equivalent boundary library on day one. Every read/write forced through it. Impossible for plugin code to bypass. |
| 08 | Assume the provider lies about its capabilities. | Commit b202ac2a (2026-03-15) reverts PR #46500: "Reverts. Breaks Ollama, LM Studio, TGI, LocalAI, Mistral API — these backends reject stream_options with 400/422." Default-true for supportsUsageInStreaming broke 5 backends. | Capability detection per endpoint, never per endpoint family. Default to the most conservative option; opt in per verified endpoint. Maintain a versioned manifest of "what's known to work." |
| 09 | "Restart" must not be a synonym for "resume." | Issue #81003 (open, 2026-05-16): 11 consecutive turns of byte-identical synthetic output (content sha256 02df1d51...), input_tokens: 0, output_tokens: 0, model: "<synthetic>". Cause: reason=restart reused the same resume token; corrupted state replayed. Only sessions.reset recovered. | Two named primitives from r1: session.resume (same token, same state) vs session.reset (drop token, clean slate). UI surface AND CLI surface ship both buttons. |
| 10 | Unbounded backup files = 2 GB/day footgun. | Issue #80960 (closed 2026-05-12): repairSessionFileIfNeeded wrote *.bak-<pid>-<timestamp> snapshots with no rotation, no max-count, no TTL, no dedup. Field observation: 2,180 files / 2.1 GB in 25 hours from one stuck session. Root cause: auth token invalidated → infinite repair loop. Fix: commit e1d7ba59. | Every retry loop has a counter, a cap, a cooldown. Every backup has a rotation policy declared at creation. Auth failure is a terminal condition for the session, not a retry signal. |
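Lesson 07's centralized boundary library, as an added example rather than OpenClaw's fs-safe code: one confine() function that every plugin read and write is routed through. It rejects NUL bytes, absolute paths, lexical .. escapes, and symlinks whose real target leaves the root (the case a purely lexical check misses). The function and class names are assumptions; the demo fixture is constructed in a temp directory and cleaned up afterwards.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Added example, not OpenClaw's fs-safe library. A single root-confinement
// boundary that every plugin/skill read and write is forced through. Names
// (confine, PathEscapeError, readInside, writeInside) are assumptions.

export class PathEscapeError extends Error {
  constructor(msg: string) { super(msg); Object.setPrototypeOf(this, PathEscapeError.prototype); }
}

function leavesRoot(realRoot: string, target: string): boolean {
  const rel = path.relative(realRoot, target);
  return rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
}

// Returns the absolute path to use, or throws PathEscapeError. Checks, in
// order: NUL bytes, absolute input, lexical ".." escape, and finally the
// symlink case: the deepest existing ancestor of the target is resolved
// with realpath and must still sit under the (realpath'd) root.
export function confine(root: string, requested: string): string {
  if (requested.includes("\0")) throw new PathEscapeError("NUL byte in path");
  if (path.isAbsolute(requested)) throw new PathEscapeError("absolute path rejected");
  const realRoot = fs.realpathSync(root);
  const candidate = path.resolve(realRoot, requested);
  if (leavesRoot(realRoot, candidate)) throw new PathEscapeError("lexical escape: " + requested);
  let probe = candidate;
  while (!fs.existsSync(probe)) probe = path.dirname(probe);   // stops at realRoot at the latest
  if (leavesRoot(realRoot, fs.realpathSync(probe))) throw new PathEscapeError("symlink escape: " + requested);
  return candidate;
}

export function readInside(root: string, requested: string): string {
  return fs.readFileSync(confine(root, requested), "utf8");
}

export function writeInside(root: string, requested: string, data: string): void {
  fs.writeFileSync(confine(root, requested), data);
}

// Constructed fixture: a temp root with one real file and one symlink that
// points outside the root, plus a second temp dir as the "outside".
// Returns which requests the boundary accepted and which it rejected.
export function demo(): { accepted: string[]; rejected: string[] } {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "fs-safe-root-"));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "fs-safe-outside-"));
  fs.mkdirSync(path.join(root, "notes"));
  fs.writeFileSync(path.join(root, "notes", "a.md"), "inside\n");
  fs.writeFileSync(path.join(outside, "secret"), "outside\n");
  fs.symlinkSync(outside, path.join(root, "escape"));
  const attempts = [
    "notes/a.md",                                // plain read inside root
    "notes/../notes/a.md",                       // ".." that stays inside
    "notes/new.md",                              // not yet existing, inside
    "../" + path.basename(outside) + "/secret",  // lexical traversal
    "/etc/passwd",                               // absolute path
    "escape/secret",                             // symlink out of root
    "notes/a\0.md",                              // NUL byte
  ];
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const a of attempts) {
    try { confine(root, a); accepted.push(a); }
    catch (e) { if (e instanceof PathEscapeError) rejected.push(a); else throw e; }
  }
  fs.rmSync(root, { recursive: true, force: true });
  fs.rmSync(outside, { recursive: true, force: true });
  return { accepted, rejected };
}
```

The root is realpath'd before anything else so that a root that is itself a symlink (common for tmp directories on macOS) does not produce false escapes; the probe loop exists because the target of a write usually does not exist yet, so the symlink check has to run on the nearest existing ancestor.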
The architectural Rosetta stone
f91de52f — the SQLite mega-refactor
Their destination, our day-one state
The destination state OpenClaw is trying to reach has these properties, all of which they currently do NOT have and are paying for daily:
- No session state on the filesystem. Sessions, transcripts, cron, plugin state, auth profiles, model catalog, hermes secrets, device/push state, MSTeams learning, telegram message cache, TTS prefs, dreaming status, raw stream diagnostics, skill uploads, subagent attachments — all in SQLite, addressed by typed scopes.
- No transcript-locator-by-path anywhere. Sessions identified by ID; transcripts derived from session identity.
- No legacy file shims at runtime. All legacy paths gated behind doctor migration only.
- Sandbox VFS for subagent attachments. Even attachments are in a virtual filesystem, not real files.
The commit is a 100-step plan because OpenClaw spent two years building on JSONL files + flat JSON config and now has to dig out. Every revert in their history is downstream of "two states of truth, racing each other": filesystem + memory, npm + ClawHub, bundled + plugin, resume-token + transcript-file.
What this means for the Pantheon-native build: pick ONE state-of-truth substrate per concern and never have two. SQLite for everything that isn't strictly content. Content (markdown, media) in content-addressable storage. No flat-file config — config goes in the same SQLite. No locator-by-path — everything is locator-by-id. We can be at OpenClaw's destination on day one because we don't have to migrate from anything.
Where greenfield wins (what they're still fighting)
Open issues whose existence reveals systemic problems that their commit history shows they have NOT solved. Each one maps to a greenfield differentiator for the Pantheon version.
| Issue | Symptom | Why it's still open | Greenfield answer |
|---|---|---|---|
| #71127 P1 | Gateway detects stuck sessions but has no recovery action. Requires external process restart. | Detector and recoverer were never co-designed. | Every detector ships its recoverer in the same PR or doesn't merge. |
| #42213 P2 | Control UI chat gets stuck busy; messages queue but never flush. | UI state and session state are independent state machines that diverge. | One state machine. UI is a projection. |
| #48810 P1 regression | Compaction creates orphan forks in the parentId chain. | Compaction was bolted on after the parent-chain invariant was defined. | Define your transcript invariants before you build mutations. Every mutation passes the invariant or doesn't commit. |
| #48516 P1 | Android-node WhatsApp notification → cross-session reply to the wrong group. | No ingest-time dedup across pipes. | Single message-ID-based dedup at the ingest layer. Drop on any second arrival. |
| #81003 | reason=restart reuses the resume token; stuck state persists across the "restart." | "Restart" and "reset" semantics were conflated. | Two named primitives: session.resume vs session.reset. Both surfaces ship both buttons. |
| #80374 | Claude CLI session resume doesn't reload SOUL.md / IDENTITY.md. | Identity files were loaded at session creation, not session entry. | Identity files re-read on every session entry, not session creation. |
| #76042 P1 | Install takes 2+ hours; was ~20 min. | No install-time regression test in CI. | Install time p95 is a CI metric; >20% regression blocks release. |
| #81518 | Discord DAVE encryption now mandatory; voice fails with UnencryptedWhenPassthroughDisabled. | No upstream-platform-mandate tracker. | Every adapter ships a "next 3 known platform breaking changes" tracking doc. |
| #82021, #82633, #83023, #83086, #81934, #81710, #81214 | 7 regressions filed within 72h of v2026.5.12 (model timeouts, Qwen tool calls vanished, image sanitization, max_tokens accounting, macOS multi-fail, heartbeat misses, subagent P1). | Mega-release strategy bundles too much change; the rough-week-recovery release shipped more regressions than it fixed. | Small, fast betas with real users. Never ship a "fix-everything" release. Every fix gets its own beta cycle. |
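Lessons 09 and 10 and the #71127 / #81003 rows above, as one added example that is not OpenClaw's code: session.resume and session.reset as two separate primitives, a stuck detector keyed on byte-identical zero-token "<synthetic>" turns (the symptom #81003 describes), and a recoverer that fires from the same code path as the detector, under a reset cap after which the session is terminal instead of looping. Field names, the Policy shape and the sample turn are assumptions.

```typescript
import { createHash } from "node:crypto";

// Added example, not OpenClaw's code. Two named session primitives
// (resume = same token, same transcript; reset = new token, empty
// transcript) plus a stuck-session detector that ships with its recoverer
// in the same place, under a reset cap. Shapes, field names and the
// "<synthetic>" sentinel are assumptions taken from the issue text.

export interface Turn { content: string; inputTokens: number; outputTokens: number; model: string }

export interface Session {
  id: string;
  resumeToken: string;
  transcript: Turn[];
  resets: number;      // how many times the recoverer has fired
  terminal: boolean;   // true once the reset budget is exhausted
}

export interface Policy {
  identicalTurns: number;  // N byte-identical zero-token turns = stuck
  maxResets: number;       // recoverer budget before the session goes terminal
}

let tokenSeq = 0;
const newToken = (): string => `tok-${++tokenSeq}`;

export function createSession(id: string): Session {
  return { id, resumeToken: newToken(), transcript: [], resets: 0, terminal: false };
}

// resume: keep the token and the transcript. This is what a "restart" must
// NOT be silently mapped to when the state is known to be corrupt.
export function resume(s: Session): Session { return { ...s }; }

// reset: drop the token and the transcript, count it against the budget,
// and become terminal instead of looping once the budget is spent.
export function reset(s: Session, p: Policy): Session {
  if (s.resets >= p.maxResets) return { ...s, terminal: true };
  return { ...s, resumeToken: newToken(), transcript: [], resets: s.resets + 1 };
}

const digest = (t: Turn): string => createHash("sha256").update(t.content).digest("hex");

// Detector: the last N turns are byte-identical, carry zero tokens and come
// from the "<synthetic>" pseudo-model, i.e. the provider is not being called.
export function isStuck(s: Session, p: Policy): boolean {
  if (s.transcript.length < p.identicalTurns) return false;
  const tail = s.transcript.slice(-p.identicalTurns);
  const hashes = new Set(tail.map(digest));
  const synthetic = tail.every(t => t.inputTokens === 0 && t.outputTokens === 0 && t.model === "<synthetic>");
  return hashes.size === 1 && synthetic;
}

export type Action = "none" | "reset" | "terminal";

// Detector and recoverer in one step: every appended turn is checked, and a
// stuck session is reset (or declared terminal) here rather than waiting for
// an operator to restart the process.
export function appendTurn(s: Session, t: Turn, p: Policy): { state: Session; action: Action } {
  if (s.terminal) return { state: s, action: "terminal" };
  const next: Session = { ...s, transcript: [...s.transcript, t] };
  if (!isStuck(next, p)) return { state: next, action: "none" };
  const recovered = reset(next, p);
  return { state: recovered, action: recovered.terminal ? "terminal" : "reset" };
}

// Constructed scenario: feed only synthetic, identical turns and record what
// the recoverer does on each one and which tokens the session went through.
export function runScenario(p: Policy, turns: number): { actions: Action[]; final: Session; tokens: string[] } {
  let s = createSession("sess-demo");
  const tokens = [s.resumeToken];
  const actions: Action[] = [];
  const stuckTurn: Turn = { content: "I'll take a look at that.", inputTokens: 0, outputTokens: 0, model: "<synthetic>" };
  for (let i = 0; i < turns; i++) {
    const r = appendTurn(s, stuckTurn, p);
    actions.push(r.action);
    if (r.state.resumeToken !== s.resumeToken) tokens.push(r.state.resumeToken);
    s = r.state;
  }
  return { actions, final: s, tokens };
}
```

With identicalTurns 3 and maxResets 2, the third identical turn triggers a reset, the sixth a second reset, and the ninth marks the session terminal; every turn after that is refused without touching the provider, which is the "auth failure is terminal, not a retry signal" shape from lesson 10 applied to a stuck loop.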
The institutional lesson
Single-maintainer release is a vulnerability class
From the rough-week postmortem (Steinberger, verbatim): "identified being 'too founder-driven' with excessive workload concentration on Peter Steinberger, prompting structural changes through the OpenClaw Foundation." Dual-approval scripted/gated/signed releases are now the fix.
For Pantheon version: build dual-signer + dual-approval release workflow before you need it. The founder's calendar is not a release engine. The CI is, with at least two human approvers, both of whom can ship without the other.
Anti-patterns (heavy on security — this matters)
Installing ClawHub skills without vetting
Koi Security's audit of 2,857 skills found 341 malicious skills, 335 from a single coordinated "ClawHavoc" campaign. Composio's guide (hyperbolically): "roughly 80% are garbage or outright malicious."
Pantheon version's answer: no open marketplace. Curated set, signed by us. Close the hole at the architectural level, not at the install-time-prompt level.
Skills with <100 installs and no published source
"Of the 820+ malicious skills discovered, over 90% had fewer than 100 installs." source
Same as above — if we don't ship the marketplace, we don't ship this risk.
Exposing the Control UI with a public gatewayUrl
CVE-2026-25253 (CVSS 8.8) leaked auth tokens via WebSocket URL query parameter. Patched in 2026.1.29. Two follow-on command-injection CVEs (25157, 24763) the same week. source
Never expose the Control UI to the public internet. Bind loopback only and reach it remotely through an authenticated tunnel; a token carried in a URL ends up in proxy logs, browser history and Referer headers, so it belongs in a header, never in the query string.
Giving it credit cards / payment authority without explicit approval flow
@Hormold: "My @openclaw accidentally started a fight with Lemonade Insurance because of wrong interpretation."
Per-tool approval gate on anything with money or contracts. Match Be's DoD discipline.
Skipping LTS / running latest npm in production
Apr 24 / Apr 29 2026 releases broke many installs — Gateways slowed, channels misbehaved, dependency loops appeared. source
Pin a known-good version. Treat upgrades as deliberate decisions.
Treating it like a chatbot
Mehul Gupta: "The deeper issue was that OpenClaw blurred the boundary between an assistant and a system operator." Users who treat it like a chatbot get burned; users who treat it like sudo on a chat thread thrive.
In Be terms: treat agent prompts as commit-able commands, not chat. Match the discipline you'd give a human with shell access.
Receipts
| Source | Outcome |
|---|---|
| @astuyve | $4,200 saved automating multi-dealer car negotiation |
| @jdrhyne | 10,000 emails cleared via Discord-driven fleet of 15+ agents; built a GA4 skill in 20 min |
| @davekiss | Full site migration (18 posts Notion → Astro + DNS) from a mobile device |
| @therno | "It's running my company." source |
| @pocarles | "Processed our entire source of truth via WhatsApp in minutes." |
| Karpathy | Public endorsement: "Excellent reading thank you. Love oracle and Claw." source |
| OpenAI | Hired Steinberger Feb 15, 2026 off the back of OpenClaw. source |
| NVIDIA | Built NemoClaw guardrails layer specifically branded for OpenClaw |
| Microsoft | Formal deployment guidance: "Running OpenClaw safely" |
What's NOT in receipts: independent productivity-multiplier studies; audited time-saved figures; enterprise reference customers. The "receipts" are individual-builder tweets and the project's own showcase. Treat as directional, not audited.
Recent state (last 90 days)
- v2026.5.14-beta.2 current on the path to v2026.5.x stable. Native OpenAI Codex app-server runtime is now the default first-class path (May 14, 2026 blog post). source
- Steinberger joined OpenAI Feb 15, 2026. Project community-maintained; corporate sponsors: OpenAI, GitHub, NVIDIA, Vercel, Blacksmith, Convex.
- Claude Opus 4.7 supported with 1M context default. Reference: anthropic/claude-opus-4-7. source
- Three CVEs late Jan / early Feb: CVE-2026-25253 (CVSS 8.8 token leak), CVE-2026-25157, CVE-2026-24763. Patched in 2026.1.29.
- VirusTotal partnership for skill scanning announced Feb 7, 2026. source
- China restricted state / SOE / bank usage citing unauthorized data deletion and energy concerns. source
- "Rough week" April 24/29 releases caused widespread degradation. LTS track announced as the response. Not shipped yet. source
- Public security postmortem: "How OpenClaw Got Safer in Public" (Apr 30) and "Where OpenClaw Security Is Heading" (May 15).
- ClawCon NYC meetup covered by The Verge. source
Sources
Primary (openclaw.ai)
- openclaw.ai (home)
- github.com/openclaw/openclaw (main repo, MIT) — 373k stars
- github.com/openclaw/clawhub (skill registry)
- docs.openclaw.ai
- openclaw.ai/showcase
- openclaw.ai/integrations — LLM provider list
- Introducing OpenClaw (Jan 29, 2026)
- OpenAI Models in OpenClaw Done Right (May 14)
- OpenClaw's Rough Week
- Where OpenClaw Security Is Heading (May 15)
- VirusTotal Partnership (Feb 7)
Press & analysis
- TechCrunch — Steinberger joins OpenAI
- Business Insider — Altman hires Steinberger
- The Verge — Steinberger to OpenAI
- The Verge — ClawCon NYC
- KDnuggets — the viral 2026 explainer
Security
- CrowdStrike — security teams' brief on OpenClaw
- NordLayer — CVE roundup
- Microsoft Security — running OpenClaw safely
- NVIDIA NemoClaw — safety guardrails
Community & analysis
- Composio — top skills
- AImakers — skills guide
- Mehul Gupta — "Don't use OpenClaw" (the critique)
- The New Stack — Anthropic clarification on OpenClaw + Claude
Selected primary-voice testimonials
- Karpathy endorsement
- @nateliason — remote Claude Code via Telegram
- @php100 — autonomous Claude Code loops from phone
- @AlbertMoral — Pi + Cloudflare tunnel setup
- @therno — "running my company"
Commit-history mining (lessons section)
- Release notes: v2026.5.12 (2026-05-14), v2026.5.7, v2026.5.4, v2026.5.3
- Revert commits: 694ca50e (SQLite mega-revert, 2026-05-13); 6c92324c (ClawHub trust check revert, PR #81363, 2026-05-13); 3a901b5e (Codex plugin on model select revert, PR #78878, 2026-05-07); b202ac2a (streaming endpoint revert breaking Ollama/LM Studio/TGI/LocalAI/Mistral, 2026-03-15); 14a779ee (sandbox bind sources revert, PR #59016, 2026-04-01); 1703bdca (silent local pairing scopes revert, 2026-04-05)
- Original (later-reverted) commits: f91de52f (SQLite refactor); 87eb4500 (ClawHub trust check, PR #81307); c8f3feca (Codex plugin on model select, PR #78799); 8db20c19 (sandbox block bind sources, PR #56024); 7f1b159c (gateway silent local pairing scopes)
- Fix commits: e1d7ba59 (session-repair backup leak fix, 2026-05-12); 6de9d71b (GHSA → OpenGrep detector-rule pipeline, PR #69483, 2026-04-30); 1803d16d (single-use device bootstrap tokens, refs GHSA-63f5-hhc7-cx6p)
- Open issues cited: #71127, #42213, #48810, #48516, #81003, #80374, #80960 (closed), #76042, #81518
- GHSA advisories (20 published 2026-04-21 to 04-24): high-severity included GHSA-r39h-4c2p-3jxp, GHSA-cwj3-vqpp-pmxr, GHSA-r6xh-pqhr-v4xh, GHSA-wppj-c6mr-83jj, GHSA-5h3g-6xhh-rg6p (listing via gh api repos/openclaw/openclaw/security-advisories)