OpenClaw hit 247,000 GitHub stars in three months, making it the fastest-growing open-source project in history. It gives you a personal AI agent that runs 24/7 on your own hardware, reachable from WhatsApp, Telegram, or 13 other messaging apps. Before you install it, here is something worth knowing: Claude Code’s ecosystem already covers 21 of its 22 major features. This is an honest, feature-by-feature comparison, with a working setup you can clone and try today.
git.fromaitochitta.com/ktg/claude-code-complete-agent
What OpenClaw Actually Does
Peter Steinberger released Clawdbot in November 2025. After two name changes (Anthropic sent a trademark complaint, then the community settled on OpenClaw), it found its identity: an AI agent that actually does things on your behalf. Not a chatbot. An agent that runs on your hardware, under your control.
In February 2026, Steinberger joined OpenAI and transferred the project to an independent foundation. In March, NVIDIA announced NemoClaw, an enterprise security layer on top of OpenClaw. The ecosystem grew fast. But what does OpenClaw actually do? Four concepts define it.
Always-On Agent
OpenClaw runs as a daemon: a background process you start once. It stays running while you sleep, watching for messages, executing tasks, and writing logs. This is fundamentally different from a chatbot you open and close.
Channels
Channels are how you talk to OpenClaw. Not through a website, but through apps you already use: WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and nine more. Send a message from your phone, get a response. Like texting a friend who happens to be an AI.
Skills and Plugins
Skills teach OpenClaw specific tasks: research a topic, send a daily briefing, manage your calendar. ClawHub has 5,700+ community skills. Plugins go deeper, adding new messaging channels, model providers, or hooks that run on specific events.
Gateway
The gateway is a small web server on your machine. It gives you a control panel in your browser: running sessions, configuration, usage monitoring. You can expose it to the internet to control your agent from anywhere.
Two more concepts matter for this comparison. Memory: OpenClaw writes daily markdown logs and maintains a MEMORY.md file loaded at startup. Advanced setups add vector search (SQLite-vec or LanceDB) for semantic recall across thousands of past interactions. Security: Docker containers isolate what the agent can access, DM pairing codes prevent strangers from sending commands, and allowlists restrict which tools the agent can use. More on security later, because that is where the story gets complicated.
The Feature Map
Every major OpenClaw capability, mapped to its Claude Code equivalent. 22 capabilities in total.
| # | Capability | OpenClaw | Claude Code Ecosystem | Verdict |
|---|---|---|---|---|
| Core Agent | ||||
| 1 | Agent Runtime | Long-running daemon, tool execution | CLI agent loop + Auto Mode | |
| 2 | Shell Execution | exec tool, PTY, elevated mode | Bash tool + permission system | |
| 3 | File I/O | read, write, edit, apply_patch | Read, Write, Edit, Glob, Grep | |
| 4 | Web Search | Brave Search, Firecrawl fallback | WebSearch + WebFetch (built-in) | |
| 5 | Browser | CDP/Playwright, screenshots, actions | Playwright MCP + Computer Use | |
| 6 | Computer Use | Browser + desktop app control | Computer Use in Desktop + Cowork | |
| Intelligence | ||||
| 7 | Memory | Daily logs + vector search | CLAUDE.md hierarchy + auto-memory | |
| 8 | Multi-Agent | Sub-agents, mesh, agent-to-agent | Agent Teams, SendMessage, worktree | |
| 9 | Model Providers | 20+ providers, failover chains | Opus/Sonnet/Haiku + overrides | |
| Communication | ||||
| 10 | Messaging | 15+ native channels | Telegram, Discord, iMessage + MCP | |
| 11 | Always-On | Daemon process, 24/7 | Headless VPS + Cowork + /schedule | |
| 12 | Voice/TTS | Talk Mode, wake word, push-to-talk | Via MCP/scripts (not built-in) | |
| 13 | Companion Apps | macOS, iOS, Android native | Desktop, VS Code, JetBrains, Web | |
| Platform | ||||
| 14 | Cron/Automation | HEARTBEAT.md, cron, webhooks | /loop, CronCreate, /schedule, hooks | |
| 15 | Plugin System | openclaw.plugin.json, 20+ hooks | plugin.json, hooks, commands, agents | |
| 16 | Skills | SKILL.md, ClawHub (5,700+) | Skills + marketplace (2,300+) | |
| 17 | Configuration | JSON5, hot-reload, profiles | settings.json hierarchy, CLAUDE.md | |
| 18 | Chat Commands | /status, /model, /think, /mesh | Built-in + custom skills | |
| 19 | CLI | onboard, gateway, tui, doctor | claude CLI with subcommands | |
| Control | ||||
| 20 | Security | Docker sandbox, DM pairing | Permission modes + Auto Mode + hooks | |
| 21 | Gateway | WebSocket server, Control UI | Remote Control (/rc) + Dispatch | |
| 22 | Canvas/A2UI | Agent-driven HTML workspace | HTML generation + Playwright preview | |
Full match Different approach Gap. Requires Claude Code v2.1.86+. Full details in the companion repo.
Reading the Table
“Full match” means Claude Code achieves the same outcome. “Different approach” means achievable but with different architecture, often requiring more setup or a different tool in the Anthropic ecosystem. “Gap” means not possible today without significant workarounds.
The score: 13 full matches (59%), 8 different approaches (36%), 1 gap (5%). Claude Code is not an OpenClaw clone. It solves many of the same problems through a fundamentally different architecture: managed service instead of self-hosted, session-based instead of daemon, fewer native channels but deeper model integration.
- Agent Teams + auto-memory (v2.1.32)
- Background agents (v2.1.49)
- Worktree isolation (v2.1.50)
- HTTP hooks (v2.1.63)
- /loop + CronCreate (v2.1.71)
- Channels with Telegram (v2.1.80)
- Auto Mode with AI safety classifier (v2.1.86)
Anthropic ships multiple releases per week. Minimum version for full coverage: v2.1.86
Where They Match
Some matches are obvious (shell execution, file I/O, CLI). These four are more interesting.
Agent Runtime and Auto Mode
OpenClaw runs as a daemon that executes tools without asking. Claude Code traditionally required approval for every file write and every command. Auto Mode changed this. An AI safety classifier (built on Sonnet 4.6) evaluates each tool call and allows safe operations automatically. With a 0.4% false positive rate, it rarely blocks legitimate work. The result: Claude Code now operates with the same autonomy as OpenClaw’s daemon, but with a safety net that OpenClaw lacks.
Multi-Agent Orchestration
OpenClaw has /mesh: give it a multi-step plan, and it spawns sub-agents to execute in parallel. Claude Code has Agent Teams: a team lead coordinates specialized agents, each with their own tools and context. SendMessage lets agents communicate directly. Worktree isolation gives each agent its own git branch, preventing file conflicts. Different mechanics. Same outcome: divide complex work across multiple AI instances working simultaneously.
Plugins and Skills
ClawHub has 5,700+ community skills. Claude Code’s marketplace has 2,300+, growing fast. The authoring experience is similar: write a markdown file with YAML frontmatter, place it in the right directory, and it is available immediately. Both support hooks (event-driven scripts), custom commands, and third-party distribution. The gap is quantity, not capability. And quantity is a matter of time.
Cron and Automation
OpenClaw uses HEARTBEAT.md for scheduled tasks and a built-in cron system. Claude Code offers /loop (repeat a task on an interval), CronCreate (system-level scheduling), /schedule (remote triggers via claude.ai), and hooks that fire on events like tool use or session start. If you need something to run at 03:00 every night, both platforms can do it.
Where They Differ
The Always-On Question
The biggest architectural difference. OpenClaw is a daemon. You start it once, and it runs indefinitely. Claude Code is session-based. Each conversation has a beginning and an end.
Claude Code achieves always-on through different patterns. Run headless on a VPS in tmux (a $5/month server that stays running indefinitely). Use Cowork’s “keep computer awake” on a dedicated Mac. Or use /schedule to trigger remote sessions at specified times. The architecture is different, but the outcome is the same: your agent is available when you need it. The session-based model also means Claude Code does not consume API tokens while idle, unlike OpenClaw’s daemon which polls continuously.
Messaging Channels
OpenClaw supports 15+ messaging platforms natively. Claude Code supports three: Telegram, Discord, and iMessage (via Channels plugins, added in v2.1.80). For Slack, Google Chat, and others, you need MCP servers. The difference is setup effort. OpenClaw: add credentials, restart. Claude Code: install an MCP server, configure authentication, test.
There are three distinct ways to reach Claude Code remotely. Channels (event-based messaging from apps like Telegram). Dispatch (task assignment from the Cowork mobile app). Remote Control (/rc, which gives you browser access to a running CLI session from your phone). Together they cover most situations. But they are three separate tools where OpenClaw has one unified system.
Voice and TTS
OpenClaw has Talk Mode: continuous speech recognition, language model response, text-to-speech playback, all in a loop. Wake word detection (“Hey Claw”) works on macOS, iOS, and Android natively.
Claude Code has no built-in voice. You can build it with MCP servers and external scripts (this platform uses an ElevenLabs TypeScript pipeline for video narration), but it requires manual integration. For voice interaction, OpenClaw is clearly ahead.
The Broader Ecosystem
Claude Code is one product in a larger Anthropic family. The full picture matters for this comparison.
| Product | Role | OpenClaw Equivalent |
|---|---|---|
| Claude Code (CLI) | Developer agent in the terminal | OpenClaw core agent |
| Claude Code Desktop | Desktop app with Computer Use | OpenClaw + macOS app |
| Cowork | Non-technical agent with connectors | OpenClaw for non-developers |
| Dispatch | Mobile task assignment | Telegram/WhatsApp channels |
| /schedule | Remote triggers via claude.ai | HEARTBEAT.md cron |
| Agent SDK | Programmatic control, CI/CD | OpenClaw API |
A recurring observation in community discussions captures the trade-off well: Anthropic’s stack covers roughly 90% of what made OpenClaw compelling, with significantly less risk of exposing your personal data to the internet. That brings us to security.
The Security Reality
This is where the comparison gets serious. OpenClaw’s rapid growth brought real security problems that affected real users. Understanding them helps you make an informed choice regardless of which platform you pick.
What Went Wrong
Three documented issues shaped the security conversation around OpenClaw in early 2026.
CVE-2026-25253 (CVSS 8.8). A 1-click remote code execution flaw. The attack worked like this: an attacker crafts a URL containing a malicious WebSocket gateway address. When an authenticated OpenClaw user clicks the link, the application silently overrides its gateway connection. The attacker’s server captures the user’s auth token and replays it against the legitimate OpenClaw instance to execute arbitrary code. The victim’s own browser acts as the bridge, bypassing firewalls entirely. Over 30,000 instances were publicly exposed before the patch landed.
The ClawHavoc campaign. In February 2026, security researchers uncovered a massive supply-chain attack on ClawHub. Initial analysis by Cisco found 12% of community skills (341 skills) contained malicious code. By mid-February, the number grew to 824 malicious skills across 12 publisher accounts, roughly 20% of the entire registry. The #1 ranked community skill, “What Would Elon Do,” had nine vulnerabilities including silent data exfiltration via curl commands hidden in prompt injection payloads. Attackers also gamed ClawHub’s ranking algorithm to inflate download counts, pushing malicious skills to the top. Infostealers like Vidar and RedLine were updated specifically to harvest OpenClaw configuration files: openclaw.json, soul.md, and memory.md.
Default exposure. OpenClaw’s gateway defaults to binding on all network interfaces, not just localhost. Many users, following community guides to “make it accessible from your phone,” left this open without authentication. Credentials are stored in plaintext in ~/.openclaw/. As technology analyst Shelly Palmer wrote after his own week-long setup: “The project involved a cloud server, a Mac mini, VPN networking, multiple OAuth integrations, and enough troubleshooting to fill a graduate seminar. The assistant now works beautifully. Getting there was harder than anyone on social media is admitting.”
These are not theoretical risks. They affected real users running real instances.
NemoClaw’s Answer
NVIDIA announced NemoClaw at GTC in March 2026 to address exactly these problems. It wraps OpenClaw in four security layers enforced by the Linux kernel, not by the agent itself.
| Layer | What It Blocks | Enforced By |
|---|---|---|
| Network | Non-allowlisted outbound connections | Linux kernel (netns) |
| Filesystem | Access outside /sandbox and /tmp | Linux kernel (Landlock) |
| Process | Privilege escalation, dangerous syscalls | Linux kernel (seccomp) |
| Inference | Unrouted LLM API calls | Proxy gateway |
The key insight: out-of-process enforcement. The agent cannot disable its own constraints because they operate at the kernel level, below the application. This is architecturally stronger than any application-level security.
NemoClaw is still in early alpha, and the details matter. Shortly after the announcement, security researcher Zack Korman (CTO at Pistachio) demonstrated that NemoClaw agents could modify their own configurations to bypass the security controls OpenShell was supposed to enforce. NVIDIA’s response: the permissive defaults were “by design” and “a user decision.” As Korman noted, “a security product should require you to weaken it, not require you to strengthen it.” NemoClaw also requires a fresh OpenClaw install, runs only on Linux, and needs 4 vCPUs, 8GB RAM, 20GB disk, and a 2.4GB container image. Enterprise-focused, not personal-laptop friendly.
How Claude Code Handles It
Claude Code’s security is built into the product, not bolted on afterward. Three layers.
Permission modes control what the agent can do without asking. In “plan” mode, every action requires your approval. In “auto edit” mode, file changes are allowed but commands need approval. Auto Mode adds an AI safety classifier (Sonnet 4.6) that evaluates each tool call for safety, approving safe operations and flagging risky ones automatically. The 0.4% false positive rate means it rarely blocks legitimate work while still catching dangerous actions.
PreToolUse hooks let you write shell scripts that run before any tool call executes. If your script returns a non-zero exit code, the action is blocked. You can inspect the tool name, arguments, and context before deciding. PostToolUse hooks provide audit logging after actions complete. HTTP hooks can send events to external monitoring systems.
Sandbox mode uses macOS sandbox-exec to restrict file system and network access at the OS level. This is lighter than NemoClaw’s kernel isolation, but it works without Docker, containers, or a separate platform.
Where Claude Code Falls Short
Three areas where OpenClaw with NemoClaw has a genuine advantage. These are real gaps, not spin.
Kernel-level isolation. Claude Code hooks run as shell scripts on the same machine. A sufficiently creative prompt injection could theoretically craft arguments that bypass hook logic. NemoClaw’s Landlock and seccomp enforcement cannot be bypassed because it operates below the application layer entirely.
Enterprise compliance. NemoClaw is designed for SOC2 audit trails, OpenTelemetry integration, and centralized policy management. Claude Code has managed-settings.d/ for organization-wide settings and PostToolUse hooks for logging, but no compliance framework. If your organization requires formal audit trails, Claude Code does not provide them natively.
Multi-tenant isolation. NemoClaw sandboxes isolate agents from each other at the OS level. Claude Code agents share the host environment. Worktree isolation separates git state, but it is git-level, not OS-level. If you run multiple agents serving different users or clients, NemoClaw provides stronger guarantees.
For personal use, Claude Code’s security model is practical and flexible. For enterprise deployments with compliance requirements, NemoClaw addresses problems that Claude Code currently does not.
What You Must Do Yourself
Regardless of which platform you choose, security is not automatic. It is a practice.
- Understand permission modes and choose deliberately. Never run with bypassPermissions unless you fully understand the risk and control the environment.
- Write hooks for your specific needs. Default configurations protect against common mistakes, not targeted attacks. The companion repo has working examples.
- Audit MCP servers before installing them. Each MCP server runs with your agent’s permissions. Review what it accesses and what data it sends externally.
- Never expose your agent to the internet without authentication. This applies equally to OpenClaw’s gateway and Claude Code’s headless mode.
- Version-control your configuration. Skills, hooks, and CLAUDE.md files contain your operational logic. Treat them like code.
Where OpenClaw Has More (On Paper)
Two areas where OpenClaw offers more out of the box.
- Native messaging channels. 15+ plug-and-play channels versus Claude Code’s 3 native plus MCP. If you need WhatsApp, Signal, or Google Chat with zero configuration, OpenClaw has more coverage. Whether you should trust your messaging to a platform with the security track record described above is a separate question.
- Model flexibility. OpenClaw works with 20+ LLM providers including open-source models. Claude Code only works with Claude models. If provider diversity matters, OpenClaw offers it. But provider flexibility does not help if malicious skills are exfiltrating your data through those same providers.
What Claude Code Does Better
Three things that matter in practice.
- No self-hosting. OpenClaw requires you to run and maintain infrastructure: Docker, Node.js, a gateway, updates, security patches. Claude Code is a managed service. Install it and start working.
- Deeper model integration. Claude Code is built by the same company that builds Claude. Auto Mode’s safety classifier, effort levels, 1M-token context windows, and Agent Teams are features that cannot be replicated through OpenClaw’s Anthropic provider integration.
- IDE integration. VS Code, JetBrains, the Desktop app, and the web version (claude.ai/code) provide visual tools, live previews, and diff review that OpenClaw’s terminal-first approach does not match.
The One Gap
Canvas/A2UI. OpenClaw’s canvas is an interactive, agent-driven HTML/CSS/JS workspace served by the gateway. The agent can push content to it, evaluate JavaScript, take snapshots, and build visual interfaces on the fly. Claude Code can generate HTML files and preview them through Playwright or Computer Use, but there is no persistent, interactive canvas surface. Artifacts in claude.ai are the closest equivalent, but they are not available in Claude Code.
For 21 out of 22 capabilities, Claude Code has an answer. For this one, it does not. If agent-driven visual workspaces are central to your use case, that matters.
Try It Yourself
git.fromaitochitta.com/ktg/claude-code-complete-agent
Three steps to start:
- Clone the repo:
git clone https://git.fromaitochitta.com/ktg/claude-code-complete-agent.git - Open it in Claude Code:
cd claude-code-complete-agent && claude - Try example 01: paste the prompt from
examples/01-agent-runtime/prompt.md
The repo’s GETTING-STARTED.md walks you from demo to daily driver in six steps, including phone channel setup, personal skills, and MCP integrations.
Who Should Use Which
OpenClaw is an impressive engineering achievement. But when 20% of a skill marketplace is compromised, when a 1-click RCE affects tens of thousands of instances, and when the enterprise security layer ships with permissive defaults that researchers bypass on day one, the question shifts from “can it do this?” to “should you run it?”
Claude Code covers 21 of 22 OpenClaw capabilities. It requires no self-hosting, no Docker, no gateway exposed to the internet. The security model is built in, not bolted on. Auto Mode gives you autonomous execution with an AI safety classifier. Hooks give you custom guardrails. And always-on is achievable: run headless on a VPS in tmux, use Cowork with keep-awake, or schedule remote triggers. These are not workarounds. They are production-tested patterns.
The one thing you genuinely give up is native messaging breadth (3 channels versus 15+) and Canvas. For most people, that trade-off is not close.
If you are reading this on From AI to Chitta, you are someone who uses AI as a lever for genuine capability. The companion repo gives you a working Claude Code agent setup in minutes. Clone it, try it, and build from there.