If you’ve spent any time in writing communities this year, you’ve seen someone raving about OpenClaw: an AI agent that lives in your WhatsApp or Telegram, reads your email, updates your spreadsheets, posts to your blog, and generally runs your life while you sleep. For a working novelist, the pitch is seductive — something that handles the business of writing so you can do the actual writing.
I’ve been researching it for the past week, reading the documentation, the security reports, and a lot of user post-mortems, trying to decide whether to hook it up to my own author business. I’m not installing it. Not yet, anyway. Here’s the whole picture, so you can make your own call.
What OpenClaw actually is
OpenClaw is a free, open-source “personal AI agent” created by developer Peter Steinberger. It went so viral in early 2026 that its GitHub repository passed 280,000 stars — briefly making it one of the most-starred software projects in history. (It’s had an identity crisis along the way: it launched in late 2025 and was renamed twice in a single week before landing on OpenClaw. The lobster mascot stuck.)
In plain terms: you install it on a computer that stays on — usually a small rented server — and connect it to an AI model like Claude or GPT. Then you text it like a person, from whatever messaging app you already use. Unlike a chatbot, it can actually do things: check email, browse the web, run code, and install community-made “skills” that teach it new tricks.
The dream version, for a novelist
I want to be fair to the dream, because it’s a good dream. An agent like this could plausibly draft your newsletter every week, track your submissions and query responses, compile research packets for your next book, watch your book’s sales dashboards, and nudge you when a promo price ends. That’s the one-person publishing operation most of us are already running — minus the hours it eats.
Why I’m not installing it: the security file
This is where the rabbit hole got dark. Security researchers have been busy with OpenClaw, and the findings are not edge cases:
- Your passwords sit in a plain text file. OpenClaw stores the access keys for every service you connect — email, calendar, anything — in an unencrypted configuration file. Anyone who gets that file doesn’t just have your passwords; they have a working robot that can act as you.
- Thousands of installs are exposed to the open internet. One research firm found over 21,000 OpenClaw instances publicly reachable online, many with no encryption at all. These are mostly ordinary users who followed a setup tutorial and missed a step.
- The add-on marketplace has a malware problem. An analysis of community skills found roughly one in eight was malicious — including a coordinated campaign of 335+ bad skills. Cisco’s security team caught one quietly stealing data from users who installed it.
- It can be tricked by the content it reads. This one matters most for writers. An agent that reads your email can’t reliably tell the difference between instructions from you and instructions hidden inside a message. A malicious “query rejection” email could, in principle, tell your agent to forward your contacts or your manuscript somewhere — and it might comply. Researchers have demonstrated versions of exactly this attack.
None of this means the project is a scam — it isn’t, and a new foundation now stewards it. It means the technology is at the “exciting and sharp-edged” stage, and the people it cuts are the non-technical users it’s being marketed to. Which is us.
What it actually costs
“Free and open source” is true of the software. It is not true of running it. The agent thinks by calling a paid AI model, and agents think a lot — every task can burn through millions of tokens. Realistic reports from moderate users land around US$40–80 per month in AI costs plus a few dollars for the server, and there are plenty of horror stories of a misconfigured setting quietly racking up a scary bill overnight. A hosted, do-it-for-you version exists at US$49/month.
For context, that’s a Sudowrite subscription plus your monthly book budget — spent on an assistant you also have to babysit.
Verdict: who should try it, who should skip it
Try it if: you’re technically comfortable, you’d run it with throwaway accounts on a machine that touches nothing important, and you’d enjoy the tinkering as a hobby in itself. As an experiment, it’s fascinating.
Skip it (for now) if: you’d be connecting it to your real author email, your newsletter list, or your store — in other words, if you’d be using it the way the hype suggests. You are your own IT department, and this tool currently needs one.
Price: free software; realistically US$40–80/month to run, or US$49/month hosted. Worth it for working novelists: not yet. I’ll revisit in six months — if the foundation fixes the security basics, this genuinely could become the author’s assistant we keep being promised.
In the meantime, if you want AI help that won’t email your agent on your behalf: grab my free sampler, 10 Prompts That Fix Your Second Draft — you’ll also get my honest tool reviews in your inbox as they land.