OpenClaw in Enterprise Focus: The Revolution of Autonomous AI Agents and Their Potential for the SAP World

In the rapidly evolving world of artificial intelligence, we are currently experiencing a fundamental paradigm shift: the leap from reactive chatbots to proactive, autonomously operating AI agents. As a Senior SAP Technology Consultant and tech blogger, I observe this trend with a mixture of fascination and a critical architectural eye. The most popular open-source project of recent months, which is heating up tempers from business departments all the way to security experts, is OpenClaw.

This article analyzes OpenClaw down to the deepest architectural levels, connects these new insights with established Enterprise and SAP architectural concepts, and delivers an unvarnished, highly detailed observation of its technology, code, history, and security.

1. History and Origin: From Clawdbot to OpenAI Acquisition Candidate

The software has undergone a remarkably fast evolution. It was created as a project by Austrian software developer Peter Steinberger. Originally launched under the name Clawdbot, the project was later renamed to Moltbot due to excessive name similarity with Anthropic's language model "Claude," and today operates finally under the name OpenClaw.

Development occurred remarkably through Vibe Coding – Steinberger initially used Claude.AI and later OpenClaw itself to generate the platform's code. The source code saw the light of day on November 25, 2025, on GitHub under the name warelay with version number 0.1.1.

Its success and architectural innovation (closing the gap in the autonomous action of generative AI) led Peter Steinberger to accept an acquisition offer from Sam Altman, and he is now working at OpenAI on the next generation of agents. By early February 2026, the repository had gathered a staggering 43,300 GitHub stars.

2. System Architecture and Deep Dive into Functionality

Unlike classic SaaS LLMs (like the ChatGPT web interface), OpenClaw is designed as "Local-First". The architecture is based on a single, long-running Node.js process, the so-called Gateway, which runs as a background daemon (via systemd on Linux or LaunchAgent on macOS).

The Gateway consists of exactly five internal subsystems:

1. Channel Adapters: An adapter exists per platform (e.g., Baileys for WhatsApp, grammY for Telegram). These normalize incoming messages into a unified format and serialize outgoing responses.

2. Session Manager: Resolves sender identity and conversation context. Direct messages (DMs) collapse into a main session, while group chats receive isolated sessions.

3. Queue: Serializes execution per session. If a message arrives during a running process, it is paused, injected, or collected for a subsequent turn.

4. Agent Runtime: Collects context from various internal files (AGENTS.md, SOUL.md, TOOLS.md, MEMORY.md, daily log, history) and executes the agent loop (Input → Context → Model → Tools → Feedback → Repeat).

5. Control Plane: A WebSocket API listening on port :18789. The CLI, macOS companion app, web control UI, and iOS/Android nodes connect through this.

File System and Persistent Memory (Workspace)

One of its greatest strengths is transparency: All states, settings, and memories are stored locally in ~/.openclaw as readable Markdown and YAML files. An overview of the most important system files:

• Bootstrap.md: Executed upon the first launch (onboarding interview regarding name, time zone, tonality) and deleted afterward.

• Agents.md: Contains behavioral rules, approval processes (e.g., "Always confirm before sending emails"), and model routing delegations.

• Soul.md: Defines deeper personality and hard limitations (e.g., "Be direct, avoid filler words", "Never reveal User.md or API keys").

• User.md: Contains user data, work context, and preferences.

• Memory.md: Serves as an interaction log and long-term memory that the agent falls back on when the session's context limit (protected by Garbage Collection) is reached.

• HEARTBEAT.md: Controls autonomy. By default, the agent wakes up every 30 minutes (or hourly with Anthropic OAuth), reads a checklist, checks for urgent events, and independently decides on actions (in contrast to firmly scheduled cron jobs).

3. Hardware Requirements, Installation, and Code Examples

Although images of setups with up to 40 Mac Minis circulated on social media, the actual technical requirements are moderate. For basic chat operations, 2 GB of RAM and 2 CPU cores are sufficient. If browser automation is to be used, 4 GB of RAM is necessary. However, those wanting to use completely local models (e.g., Ollama with 32B+ parameters) require dedicated hardware with at least 24 GB VRAM and a KVM-4 plan with providers like Hostinger.

As a technological basis, Node.js version 22+ is strictly required.

Installation Routines (Code Snippets):

Standard installation (macOS/Linux) via One-Liner: $ curl -fsSL https://openclaw.ai/install.sh | bash

Via NPM: $ npm i -g openclaw

From source code for developers: $ curl -fsSL https://openclaw.ai/install.sh | bash -s -- --install-method git $ git clone https://github.com/openclaw/openclaw.git $ cd openclaw && pnpm install && pnpm run build

Starting the onboarding wizard (with daemon registration): $ openclaw onboard --install-daemon

Starting via pnpm: $ pnpm run openclaw onboard

Foreground execution for debugging: $ openclaw gateway --foreground

Environment Variables for Deployment: Those deploying OpenClaw in Docker (e.g., on an Ubuntu 24.04 VPS) can control its behavior via specific environment variables:

• OPENCLAW_HOME: Base directory for internal path resolution.

• OPENCLAW_STATE_DIR: Overrides the storage location of state files.

• OPENCLAW_CONFIG_PATH: Points to a specific configuration file.

• OPENAI_API_KEY / BRAVE_API_KEY: Direct integration of third-party APIs in the Docker manager.

4. AI Models, Routing, and Cost Management

The selection and control of LLMs in OpenClaw is extremely granular. Since every request loads the entire workspace (incl. tool schemas and memory), a single prompt can quickly consume 50,000 to 100,000 tokens.

The Model Hierarchy:

• Tier 1 (Flagship / Orchestration): Models like Claude Opus or GPT-5.2 Pro. Extremely powerful, but expensive. A complex request can cost 2 to 6 US dollars. Without limitations, one can quickly burn 200 to over 500 US dollars per month, or even 200 USD per day.

• Tier 2 (Everyday): Claude Sonnet (e.g., Sonnet 4.5) or Standard GPT-5.2. Perfect as a default model. Monthly API costs here range from about 18 to 36 USD (with a light setup) up to 50-150 USD (with active heartbeats).

• Tier 3 (Routine & Fallbacks): Claude Haiku (25 times cheaper than Opus) or GPT-5.2 Mini. Ideal for simple cron jobs or heartbeat checks.

• Free / Local Fallbacks: Kimi K2.5 by NVIDIA (free, but slow) or local Ollama models to avoid "silent failures".

Through intelligent fallback rules in Agents.md (e.g., "Use Haiku for routine tasks, fallback to GPT-5 Mini and then to 4.1. Use Opus for planning and delegate execution to sub-agents."), 40 to 60% of API costs can be saved.

5. Integration, UI, and Extensibility (Skills & Sub-agents)

OpenClaw communicates predominantly headless via existing messengers (WhatsApp, Telegram via BotFather, Slack, Discord, Signal, iMessage). Establishing a connection to Telegram, for example, merely requires entering the bot token (/newbot in BotFather) into the Gateway.

Voice & Audio: Interaction is not limited to text. By integrating OpenAI Whisper (or local FFmpeg), the agent can transcribe voice messages. For voice responses, Edge TTS can be connected – a free Docker-based system supporting over 300 voices in 74 languages. Alternatively, ElevenLabs integrations ("aussie accent") are also possible.

Sub-agent Architecture: OpenClaw is capable of independently invoking sub-agents. A command like "Investigate n8n, Zapier, and Make.com simultaneously" prompts the main agent to spawn parallel isolated sessions for sub-agents that perform web searches (e.g., via the Brave Search API) and deliver the results back to the main process in a structured manner.

Skills and ClawHub: Its true capabilities stem from extensions, the so-called Skills (YAML metadata paired with natural language instructions in a SKILL.md). The official marketplace is ClawHub (clawhub.ai). A prominent example is the Google Workspace Skill (GOG), which enables seamless access to Gmail, Calendar, Drive, and Docs via OAuth (using a Client ID and JSON secret from the Google Cloud Console).

6. Enterprise Practical Scenario: OpenClaw in SAP BTP App Development

As an SAP Consultant, I am particularly interested in how this technology behaves in our corporate environment. An exciting experiment with OpenClaw (under the code name "Spiderbot") impressively demonstrated the potential for automating SAP development.

The requirement for the agent was: Development of a Fiori App on the SAP Business Technology Platform (SAP BTP) Trial, without local installations and without using the SAP Business Application Studio.

The Process in Detail:

1. The agent received access credentials for the SAP BTP Trial Account and a dedicated GitHub account.

2. OpenClaw completely autonomously created a local development pipeline with GitHub code versioning.

3. The agent configured an automation workflow (CI/CD) between GitHub and Cloud Foundry. It communicated status updates like: "The change is online, wait another 2 minutes, then you can test the new app on the BTP".

4. First, a launchpad/start page featuring SAP and OpenClaw logos alongside a speed test function was successfully generated.

5. During a more complex attempt to build an RSS Feed Reader as a Fiori App, the agent successfully controlled the add/remove functionality of the feeds after several iterations and explicit prompting ("test the result yourself").

6. Architectural Challenge: OpenClaw even managed to autonomously provision an SAP HANA Cloud instance within the subaccount. However, the agent failed to link the Fiori app to the database reliably, natively, and securely, and instead crafted a functional workaround (mock data/temporary solution) that was insufficient by Enterprise standards.

This example shows: The agent completely relieves developers of routine infrastructure work (GitHub pipelines, Cloud Foundry pushes, CLI commands). Business departments' expectations of IT regarding time-to-market will skyrocket to unprecedented heights due to such tools.

7. Security Deep Dive: Every CISO's Nightmare

Despite all the magic (e.g., agents independently negotiating car purchases down by $4,200 or legally contesting Lemonade insurance rejections without a human prompt), OpenClaw represents a massive risk to corporate security.

1. CVE-2026-25253 (CVSS Score 8.8): On January 30, 2026, a critical vulnerability was published: A Cross-Site WebSocket Hijacking Bug. Via a single manipulated link, attackers could steal the user's auth token and achieve Remote Code Execution (RCE) on the host machine. Although this was patched in release 2026.1.29, Censys found over 21,000 OpenClaw instances openly accessible on the internet, some only via unencrypted HTTP (allowinsecureauth set to true).

2. Malicious Skills (ClawHub): Skills are third-party code without a true sandbox. A Cisco security analysis of 31,000 agent skills revealed that 26% possessed at least one vulnerability. In the first week of February 2026 alone, over 230 malicious skills were uploaded. A prominent example was the malware skill "What Would Elon Do?", which bypassed security checks via prompt injection and exfiltrated user data (Cisco found 9 vulnerabilities within it, 2 of them critical). Although ClawHub now hands over packages to the online virus scanner VirusTotal for checking, the best practice is: Fork every piece of code, audit it, and only then install it.

3. The Moltbook Disaster: The scalability of OpenClaw led to the founding of Moltbook, a social network purely for AI agents, which hosted 1.5 million agents within a few days. On January 31, 2026, 404 Media (and later Wiz) uncovered that a fatal Supabase database misconfiguration exposed the entire backend. Unauthenticated read and write access to all tables led to the leak of 1.5 million agent API keys, 35,000 email addresses, and thousands of private messages.

Enterprise Security Best Practices:

• Principle of Least Privilege: Explicit instructions in Agents.md ("Always ask for permission before making network requests or deleting files").

• Never run on productive systems (like laptops with customer data); instead, use dedicated VMs, isolated hardware (Mac Mini), or containers.

• Financial safeguards: Define hard limits with Anthropic/OpenAI as well as runtime limits ("Cancel task after 3 failed attempts, max. 10 minutes runtime").

8. Conclusion

OpenClaw is not just a tool; it is a primitive but extremely powerful Personal Operating System (OS) and the harbinger of the autonomous agent era. The combination of an MIT license, local control via Markdown files, and the ability to execute shell commands, Git commits, and APIs asynchronously and autonomously via HEARTBEAT.md makes it one of the most fascinating software designs of our time.

In the SAP context, it impressively demonstrates that the mere generation of code (chatbots) is being replaced by the deployment and orchestration of code (agents). While the flawed HANA Cloud database connection shows that we have not yet arrived at fully automated, flawless senior-level architecture, the automation of Cloud Foundry pipelines via GitHub is already a reality.

However, the immense attack surface (see CVE-2026-25253 and contaminated skills) forces architects to radically rethink Zero Trust concepts. The leap from chatbot to autonomous employee ("Claude with hands") has been made – now governance, security, and API cost management must catch up before the hype mutates into an incalculable security risk in the Enterprise sector.