In November 2025, an Austrian developer named Peter Steinberger published a weekend project to GitHub. He called it Clawdbot — a personal AI assistant he had wired to WhatsApp so he could text it commands while away from his computer. By February 2026, renamed twice due to trademark disputes, the project had crossed 250,000 GitHub stars and become the fastest-growing open-source repository in GitHub history, overtaking React in under 60 days.
The tool is now called OpenClaw. And what made it go viral is exactly what makes it ethically complicated: it gives an AI agent real, persistent, unrestricted access to your computer — and lets it act without asking permission at every step.
Most writing about OpenClaw focuses on CVEs, exposed ports, and malicious ClawHub extensions. Those risks are real and we'll cover them. But this article is about something harder: what it means, ethically and philosophically, to hand an autonomous system the keys to your digital life.
What OpenClaw actually does
OpenClaw is not a chatbot. It's not a coding assistant. It's an autonomous agent that runs locally on your machine, wakes itself on a configurable heartbeat timer, and acts on your behalf — reading and writing files, executing shell commands, browsing the web, sending emails, managing calendars, and controlling APIs — through whatever messaging platform you connect it to.
The interface is deceptively simple. You send it a message on WhatsApp, Telegram, Signal, or Slack. It acts. While you sleep, it checks its objectives and executes. One developer's agent negotiated $4,200 off a car purchase over email while he slept. Another's filed a legal rebuttal to a disputed charge.
The architecture has four primitives that matter:
- Persistent identity — the agent knows who it is across sessions, stored in SOUL.md
- Periodic autonomy — a heartbeat scheduler wakes it to act without being prompted
- Accumulated memory — it remembers across sessions via local Markdown files
- Real-world execution — it doesn't just generate text; it takes actions with consequences
Three elements define genuine delegation: a goal, autonomy over method, and real-world consequences that flow back to the authorizing party. OpenClaw satisfies all three precisely. That's what makes it different from every AI tool that came before it — and what makes the ethical questions genuinely new.
SOUL.md: the programmable self
Every OpenClaw agent has a file called SOUL.md. It's a Markdown document — editable by anyone — that defines the agent's identity, values, behavioral constraints, and access rights. It's injected into the system prompt at every inference call.
SOUL.md defines who the agent is, how it should behave, and what it values. You can give it a name, a personality, boundaries it won't cross, and permissions it will always exercise. You can also remove those boundaries entirely.
This is where the ethical weight concentrates. The traditional AI safety architecture — the "alignment" approach baked into products like Claude or ChatGPT — involves the AI provider engineering constraints into the model itself: things it won't do, content it won't generate, actions it won't take. These constraints exist at the model layer and can't be easily removed by end users.
OpenClaw moves those constraints to a text file you control. The underlying model still has its own training-based guardrails. But SOUL.md sits above them, and the behavioral instructions in it shape how the model acts in context — including which tools it will use, what it considers in-bounds, and how aggressively it pursues goals.
More importantly: the model's own safety training was designed for conversational use. Agentic use — sequential tool calls, persistent execution, actions with compounding consequences — is a meaningfully different context that the original safety work didn't fully anticipate.
The responsibility gap
When an AI agent acts on your behalf and something goes wrong, who is responsible?
This is not a hypothetical question. One OpenClaw user reported that their agent accidentally started a dispute with an insurance company because of a misinterpreted response. Another user's agent sent over 500 unsolicited messages to contacts after being given access to iMessage.
The legal framework is still being constructed. OpenClaw's architecture forces technologists, venture capital investors, and lawyers to rethink what "agent" means in the AI age. Current law generally treats AI outputs as the responsibility of the human operator. But as agents become more capable and act more autonomously, the accountability chain becomes harder to trace.
A research paper published on arXiv in May 2026 examined this directly: the ethical challenges of OpenClaw concern how agency is redistributed, how responsibility is assigned, whose consent is counted, and how harms emerge when autonomous or semi-autonomous systems act within social contexts.
There's a specific problem with third-party consent. When your OpenClaw agent sends an email, the recipient didn't consent to interacting with an autonomous system. When it negotiates a contract, the counterparty may not know they're negotiating with an AI acting without real-time human oversight. The agent acts on your behalf — but the people it interacts with never agreed to that arrangement.
Soft constraints in a hard-action world
The architectural security research makes a point that has ethical implications beyond technical security. A 2026 paper analyzing OpenClaw's governance architecture found that SOUL.md constraints are enforced via LLM semantic interpretation — a soft constraint mechanism. Under realistic threat models, a sufficiently crafted prompt injection can bypass such constraints. Robust enforcement requires hard-coded permission checks at the tool-invocation layer.
Put plainly: the behavioral constraints in SOUL.md are suggestions interpreted by a language model, not hard technical restrictions. A malicious prompt in a webpage, email, or document the agent reads can potentially override them.
This matters ethically because it means the "user controls the agent's behavior" promise is weaker than it appears. The agent may be vulnerable to taking actions the user never intended — not because the user configured it incorrectly, but because an outside actor manipulated its context. An attacker might frame a request as helping a colleague, supporting a team goal, or resolving an emergency, thereby steering the agent toward actions that the user did not meaningfully authorize.
The harm in this scenario is not purely technical compromise. It's the exploitation of delegated trust — using the user's own agent against the user, or against third parties the user would never have chosen to harm.
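What "hard-coded permission checks at the tool-invocation layer" look like in practice, as an added example that is not OpenClaw's own code: a gate that runs in code after the model has proposed a call, so nothing the model read (SOUL.md, memory, a fetched webpage) is an input to the decision. The tool names, the policy shape, the paths and the sample calls are all hypothetical.

```python
"""Hard permission checks at the tool-invocation layer.

Added example, not OpenClaw's own code. Tool names, the Policy shape, the
paths and the sample calls are hypothetical. The gate judges each proposed
call against a fixed policy; the model's context is deliberately not a
parameter, so injected text cannot widen what the agent may do.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass(frozen=True)
class Policy:
    allowed_roots: tuple[str, ...]          # filesystem roots the agent may touch
    allowed_email_domains: frozenset[str]   # recipient domains it may mail
    max_messages_per_cycle: int             # outbound budget per heartbeat


@dataclass
class Gate:
    policy: Policy
    audit_log: list[str] = field(default_factory=list)
    sent_this_cycle: int = 0

    def _deny(self, tool: str, reason: str) -> dict:
        self.audit_log.append(f"DENY {tool}: {reason}")
        return {"ok": False, "tool": tool, "reason": reason}

    def _allow(self, tool: str) -> dict:
        self.audit_log.append(f"ALLOW {tool}")
        return {"ok": True, "tool": tool}

    def _path_in_roots(self, path: str) -> bool:
        # Reject relative paths and '..' outright rather than normalising them;
        # a real deployment would also resolve symlinks before comparing.
        p = PurePosixPath(path)
        if not p.is_absolute() or ".." in p.parts:
            return False
        return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents
                   for r in self.policy.allowed_roots)

    def check(self, tool: str, args: dict) -> dict:
        """Decide whether a model-proposed tool call may execute."""
        if tool in ("read_file", "write_file"):
            path = str(args.get("path", ""))
            if not self._path_in_roots(path):
                return self._deny(tool, f"path outside allowed roots: {path}")
            return self._allow(tool)
        if tool == "send_email":
            to = str(args.get("to", ""))
            domain = to.rpartition("@")[2].lower()
            if "@" not in to or domain not in self.policy.allowed_email_domains:
                return self._deny(tool, f"recipient domain not allowed: {to}")
            if self.sent_this_cycle >= self.policy.max_messages_per_cycle:
                return self._deny(tool, "per-cycle message budget exhausted")
            self.sent_this_cycle += 1
            return self._allow(tool)
        # Default deny: a tool that is not explicitly listed never runs.
        return self._deny(tool, "tool not in allowlist")


def demo() -> list[dict]:
    """Constructed sequence of proposed calls; the gate does not care why the
    model proposed them and judges each against the policy alone."""
    policy = Policy(("/home/user/notes",), frozenset({"example.com"}), 2)
    gate = Gate(policy)
    proposed = [
        ("read_file", {"path": "/home/user/notes/todo.md"}),
        ("read_file", {"path": "/home/user/notes/../.ssh/config"}),
        ("send_email", {"to": "alice@example.com"}),
        ("send_email", {"to": "someone@unlisted.invalid"}),
        ("shell", {"cmd": "uname -a"}),
    ]
    return [gate.check(tool, args) for tool, args in proposed]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The design point is that the policy is data the user edits and the enforcement is code the model never sees; SOUL.md can still shape tone and priorities, but expanding the allowlist requires a change outside the model's reach. The per-cycle message budget is the kind of hard limit that would have bounded the 500-message incident described above regardless of what the agent believed it had been asked to do.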
The supply chain problem: ClawHub
OpenClaw's skill system — where third-party developers publish extensions to a community registry called ClawHub — introduced a supply chain problem that materialized quickly.
In January 2026, the ClawHavoc campaign planted malware across hundreds of ClawHub skills. An Atomic Stealer payload harvested API keys, injected keyloggers, and wrote malicious content directly into MEMORY.md and SOUL.md files for persistent effect across sessions. One skill posed as a cryptocurrency trading tool and silently stole wallet credentials from the agent's environment.
A Koi Security audit of 2,857 ClawHub skills found 341 malicious entries, with 335 tied to one campaign. Roughly 12% of all audited skills contained malicious code at that point in the project's growth.
The ethical dimension here is about trust infrastructure. When you give an agent broad permissions and connect it to a skill ecosystem, you're implicitly trusting that ecosystem's security. The skill author has access to the same permissions you granted the agent. That trust transfer isn't always visible or understood.
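Because the ClawHavoc payloads persisted by writing into MEMORY.md and SOUL.md, the one control a user can run locally is an integrity baseline over those files. The following is an added example, not OpenClaw's own code: the file names come from the article, while the baseline format (a JSON file of hashes plus a snapshot copy) and the workflow (record after a deliberate edit, verify before each heartbeat, report any lines that appeared) are assumptions.

```python
"""Detect tampering with SOUL.md and MEMORY.md between sessions.

Added example, not OpenClaw's own code. The file names are from the article;
the baseline layout and the verify-before-heartbeat workflow are assumptions.
"""
from __future__ import annotations

import difflib
import hashlib
import json
import tempfile
from pathlib import Path

WATCHED = ("SOUL.md", "MEMORY.md")
BASELINE_DIR = ".baseline"          # snapshot copies, hypothetical location
BASELINE_INDEX = ".integrity.json"  # name -> sha256, hypothetical location


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(workspace: Path) -> dict[str, str]:
    """Hash and snapshot each watched file. Run this only after an edit the
    user made on purpose, never automatically."""
    snap = workspace / BASELINE_DIR
    snap.mkdir(exist_ok=True)
    baseline: dict[str, str] = {}
    for name in WATCHED:
        p = workspace / name
        if p.exists():
            baseline[name] = sha256_file(p)
            (snap / name).write_bytes(p.read_bytes())
    (workspace / BASELINE_INDEX).write_text(json.dumps(baseline, indent=2))
    return baseline


def verify(workspace: Path) -> dict[str, str]:
    """Return {file: 'ok' | 'modified' | 'missing' | 'unexpected'}."""
    index = workspace / BASELINE_INDEX
    baseline = json.loads(index.read_text()) if index.exists() else {}
    report: dict[str, str] = {}
    for name in WATCHED:
        p = workspace / name
        if name in baseline and not p.exists():
            report[name] = "missing"
        elif name in baseline:
            report[name] = "ok" if sha256_file(p) == baseline[name] else "modified"
        elif p.exists():
            report[name] = "unexpected"   # no baseline for a file that now exists
    return report


def added_lines(workspace: Path, name: str) -> list[str]:
    """Lines present now that were not in the snapshot (what got injected)."""
    old = (workspace / BASELINE_DIR / name).read_text().splitlines()
    new = (workspace / name).read_text().splitlines()
    diff = difflib.unified_diff(old, new, lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


def demo() -> tuple[dict[str, str], list[str]]:
    """Constructed workspace: a benign baseline, then an append to MEMORY.md
    standing in for what an untrusted skill might write."""
    injected = "[constructed] line appended by an untrusted skill"
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp)
        (ws / "SOUL.md").write_text("# Soul\nBe concise. Ask before sending mail.\n")
        (ws / "MEMORY.md").write_text("# Memory\n- user prefers morning summaries\n")
        record_baseline(ws)
        with (ws / "MEMORY.md").open("a") as f:
            f.write(injected + "\n")
        report = verify(ws)
        lines = added_lines(ws, "MEMORY.md") if report["MEMORY.md"] == "modified" else []
    return report, lines


if __name__ == "__main__":
    print(demo())
```

A hash mismatch is only a signal that the file changed outside the user's edit workflow; the agent itself legitimately writes MEMORY.md, so in practice the check belongs where agent writes are mediated (so the agent's own appends are re-baselined and everything else is flagged), and SOUL.md, which the agent has no reason to rewrite, can be treated as strictly read-only.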
The exposure problem: who else sees what your agent does
OpenClaw runs locally. Your data stays on your machine. This is genuinely better for privacy than cloud-based AI services that store your conversations on provider servers. But local doesn't mean private in all the ways users might assume.
Security researchers found over 42,000 exposed OpenClaw control panels across 82 countries, many running without authentication. Misconfigured instances were found leaking API keys, OAuth tokens, and plaintext credentials.
The agent also necessarily processes your private data to act on it. Privacy in OpenClaw is shaped to a large extent by deployment choices — including system configuration, enabled tools, accessible data sources, and the presence or absence of isolation and auditing controls. OpenClaw introduces privacy risks related to local privilege concentration, persistent storage, cross-context aggregation, and plugin supply chains.
A persistent agent with filesystem access and memory that accumulates across sessions builds a remarkably complete picture of your life. That picture exists on your machine — but it's also an extraordinarily high-value target if an attacker can reach it.
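The 42,000 exposed control panels were, at bottom, a listener bound to a reachable interface without authentication. An added example, not OpenClaw's code, of the check a practitioner would run over a deployment's listener settings before turning the heartbeat on: the configuration keys (`bind`, `auth_token`, `tls`) are hypothetical, so the loader needs adapting to whatever the real deployment uses, but the classification of the bind address and the weak-versus-hardened comparison carry over.

```python
"""Audit a local agent control-panel listener for network exposure.

Added example, not OpenClaw's code. The config keys `bind`, `auth_token` and
`tls` are hypothetical placeholders for a real deployment's settings.
"""
from __future__ import annotations

import ipaddress

# Values that look like a token but offer no protection (constructed list).
DEFAULT_TOKENS = {"", "changeme", "password", "admin", "token"}
MIN_TOKEN_LEN = 16


def classify_bind(bind: str) -> tuple[bool, bool]:
    """Return (is_loopback, is_all_interfaces) for an address or hostname."""
    try:
        addr = ipaddress.ip_address(bind)
    except ValueError:
        # Not a literal IP; treat 'localhost' as loopback, anything else as not.
        return bind.lower() == "localhost", False
    return addr.is_loopback, addr.is_unspecified


def audit_listener(cfg: dict) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs; an empty list means nothing to fix."""
    findings: list[tuple[str, str]] = []
    bind = str(cfg.get("bind", "127.0.0.1"))
    loopback, all_ifaces = classify_bind(bind)
    token = cfg.get("auth_token")

    if all_ifaces:
        findings.append(("high", f"bound to {bind}: reachable from every network the host is on"))
    elif not loopback:
        findings.append(("high", f"bound to non-loopback address {bind}"))

    if not loopback:
        if token is None:
            findings.append(("high", "no authentication on a listener reachable off-host"))
        if not cfg.get("tls", False):
            findings.append(("medium", "no TLS: tokens and commands travel in plaintext"))
    elif token is None:
        findings.append(("medium", "no auth token: any local process can drive the agent"))

    if token is not None and (str(token).lower() in DEFAULT_TOKENS
                              or len(str(token)) < MIN_TOKEN_LEN):
        findings.append(("high", "auth token is empty, a default value, or too short"))
    return findings


def demo() -> dict[str, list[tuple[str, str]]]:
    """Constructed weak and hardened settings side by side."""
    weak = {"bind": "0.0.0.0", "tls": False}                  # no token at all
    hardened = {"bind": "127.0.0.1",
                "auth_token": "REPLACE-WITH-32-RANDOM-CHARS-0000",  # placeholder
                "tls": False}                                  # loopback only
    return {"weak": audit_listener(weak), "hardened": audit_listener(hardened)}


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, findings or "clean")
```

The hardened case keeps the listener on loopback and reaches it remotely, if at all, through an authenticated tunnel rather than by widening the bind address; the audit treats the private-range case (`192.168.x.x`) the same as a public one because the article's leaked-credential instances were just as exposed to anything else on the same LAN.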
The consent question that isn't about you
Most ethical discussions about AI agents focus on the user: did you knowingly grant these permissions? Do you understand what the agent can do? These are important questions. But there's a less-examined category of consent that OpenClaw's real-world use has surfaced.
The people your agent interacts with didn't consent to anything. The email recipient, the customer service representative, the negotiating counterparty — they're in a conversation they believe to be with a human, or at minimum with a human who is present and making real-time decisions. An autonomous agent acting without human review changes the nature of that interaction in ways the other party can't see.
This isn't illegal in most jurisdictions yet. But the question of disclosure — should you tell people you're communicating with them through an autonomous AI agent? — is one that OpenClaw, by making this easy at scale, has forced onto the agenda in a way that chatbots never did.
What Peter Steinberger actually said
It's worth quoting the creator directly. When security researchers were finding thousands of exposed instances and the CVE had just dropped, Steinberger wrote:
"It's a free, open source hobby project that requires careful configuration to be secure. It's not meant for non-technical users. We're working to get it to that point."
This is honest. It's also insufficient as a description of where the project ended up. By March 2026, OpenClaw had crossed 250,000 GitHub stars and topped React to become the most-starred software project on GitHub in just 60 days. Most of those users are not the careful technical users the quote describes. The gap between "intended audience" and "actual audience" created a real-world harm surface that good intentions didn't close.
Steinberger joined OpenAI in February 2026 while the project transitioned to a non-profit foundation. The project continues under open-source governance.
This isn't an argument against OpenClaw
OpenClaw represents something genuinely valuable: a proof of concept that persistent, autonomous, locally-run AI agents are possible and useful. The developer who negotiated a better car price while sleeping, the person who automated a genuinely tedious workflow — these are real benefits.
The OpenClaw philosophy responds directly to the tension between control and convenience: don't trade control for convenience unless you've explicitly decided to. Build the infrastructure once, own it permanently, and never be caught off guard by a platform policy update or a vendor shutting down. That's a coherent and defensible position.
But the ethical weight of giving an AI agent full permissions doesn't disappear because the intention is good. The questions this article raises — about responsibility, consent, soft constraints, trust infrastructure, and third-party impact — aren't solvable by better documentation or a more careful default configuration. They're structural features of what it means to delegate autonomous action to a system that acts at machine speed, at scale, on a loop.
Questions worth sitting with
If your agent takes an action you didn't intend, are you responsible for the consequences?
If your agent interacts with someone on your behalf without their knowledge, is that deceptive?
If your SOUL.md constraints can be overridden by a prompt injection, how much control do you actually have?
If you install a third-party skill, do you understand what permissions you've extended to its author?
These aren't hypothetical. They've all happened in 2026.
Frequently asked questions
Is OpenClaw safe to use?
For technically sophisticated users who understand the permission model, keep it updated, don't expose it to the public internet, and audit third-party skills before installing: yes, with appropriate caution. For non-technical users who install it and grant it broad access without fully understanding the implications: the risk profile is significant. CVE-2026-25253 (CVSS 8.8) was patched in version 2026.1.29 — running older versions leaves a known critical vulnerability open.
How is OpenClaw different from Claude or ChatGPT?
Claude and ChatGPT are stateless conversational systems that respond to prompts and stop. OpenClaw is a persistent autonomous agent that runs continuously, acts without prompting via a heartbeat scheduler, executes real-world actions (shell commands, email, file writes), and retains memory across sessions. The permission model, attack surface, and ethical implications are fundamentally different.
What is SOUL.md and why does it matter?
SOUL.md is a Markdown configuration file that defines your agent's identity, values, and behavioral constraints. It's injected into the system prompt at every inference call. It's the primary mechanism for customizing agent behavior — including giving it broad permissions or removing default constraints. Critically, it's a soft constraint interpreted by the LLM, not a hard technical restriction, which means it's potentially bypassable via prompt injection.
What happened with the ClawHub malware?
In January 2026, the ClawHavoc campaign distributed malicious skills through ClawHub, the community extension registry. A subsequent audit found 341 malicious entries out of 2,857 audited skills — roughly 12%. Malicious skills had the same permissions as the agent itself, enabling data exfiltration, keylogging, and credential theft. The lesson: third-party skills extend your agent's full permission set to their authors.
Should I disclose when I'm using an agent to communicate?
There's no universal legal requirement in most jurisdictions as of mid-2026, but the ethical case for disclosure is strong in contexts where the other party has a reasonable expectation of human judgment — negotiations, disputes, sensitive communications. The norms here are still forming.