Let me start by saying this clearly: OpenClaw is genuinely brilliant. If you've used it and haven't starred the repo, go do that. Peter Steinberger built something in a weekend that went from 9,000 to 60,000 GitHub stars in days, got him hired by OpenAI, and single-handedly made the entire tech world take autonomous AI agents seriously. The man shipped a vision of the future while I was still arguing with my system prompt about em dashes. Credit where it's due - OpenClaw opened a door that most of us didn't even know was there.
I run Wizzy, my OpenClaw instance, through Telegram. I use it. I monitor it closely. I watch what it does, how it thinks, what it gets right. It's a genuinely useful window into where autonomous agents are heading. But Wizzy doesn't get access to anything I'd lose sleep over. And that's the whole story of why Iris exists.
What OpenClaw gets right
The core idea is fantastic. An AI agent that lives in your messaging apps - WhatsApp, Telegram, Discord, iMessage - takes real actions, reads files, sends emails, manages your calendar, and can even wake up on a schedule and do things proactively without being prompted. It's local-first, open source, extensible. The heartbeat feature alone (your agent wakes up every few hours and checks if there's anything it should be doing) is the kind of thing that makes you rethink what an AI assistant even is.
The multi-platform messaging gateway is what really caught my eye. One agent, every chat platform, unified context. But the thing that properly blew my mind was the agent-to-agent communication. You send one prompt and your agents can talk to each other, coordinate, hand off tasks between themselves. Not just "parent delegates to child" like a traditional orchestration tree - actual peer-to-peer agent conversations triggered from a single user message. That's the kind of architecture that makes you stop and rethink your entire approach.
When I first saw it, I thought - "right, I'm just going to use this." Why build Iris from scratch when someone's already solved the hard part?
Then I started digging.
The security situation
I need to be careful here because I genuinely respect the project and the community around it. But the security track record is... a lot.
Bitsight found over 30,000 exposed OpenClaw instances online. SecurityScorecard put the number at 40,000+, with 63% of deployments vulnerable and nearly 13,000 exploitable via remote code execution. Kaspersky ran a full audit and found 512 vulnerabilities, 8 classified as critical. Honeypot researchers said the first probes from attackers arrived within minutes of exposing an instance.
The default configuration trusts localhost connections, which sounds fine until you realise how many people expose their gateway publicly through misconfigured reverse proxies. Authentication accepts single-character tokens. Meta banned it from company hardware - employees were told they'd risk their jobs if they ran it on work laptops. A Northeastern University cybersecurity professor called it "a privacy nightmare".
And look - Steinberger himself said "most non-techies should not install this." He knows. He also told The Pragmatic Engineer "I ship code I don't read", which is a very honest thing to say but not exactly what you want to hear from the person whose software has full system access to your machine.
ClawHub - the plugin problem
This is the part that really got me. OpenClaw has ClawHub, a marketplace where anyone can publish skills (plugins) that extend what your agent can do. Great concept. Then in late January, security researchers discovered ClawHavoc - a supply chain attack where 1,184 malicious skills were uploaded to ClawHub. That's roughly 12% of the entire registry. Compromised.
The malicious skills had professional documentation, innocent names, and "Prerequisites" sections that tricked users into running terminal commands from attacker-controlled servers. On macOS, one payload was linked to the Atomic macOS Stealer, which grabbed browser credentials, Keychain data, Telegram sessions, SSH keys, and crypto wallets. The only requirement to publish a skill? A GitHub account that's at least a week old.
OpenClaw has since added VirusTotal scanning, which is good. But a marketplace where anyone can dump anything, running inside an agent with full system access? That's a supply chain attack surface that keeps me up at night. And I say this as someone who thinks the concept of a skill marketplace is excellent.
The "local-first, but actually..." problem
OpenClaw markets itself as local-first, and it is - your files, your memory, your configuration, all on your machine. But every single message, every task, every file the agent reads gets sent to an external LLM provider (Anthropic, OpenAI, whoever) for processing. One user reported their session context consumed over 200,000 tokens of cached context. That's a lot of your life sitting in someone else's API logs.
For a tool that manages your calendar and sends emails and reads your documents... that's not local-first in the way that matters to me. The compute is remote. The data passes through remote servers. The storage is local, yes, but the processing - the part where the model actually sees and understands your personal information - happens elsewhere, and you're trusting the provider's data handling policies.
Why I built Iris instead
Iris is being built to manage my life. Not to manage a task list or answer trivia. My actual life. Reminders about things that matter to me. Memory of conversations I've had. Context about my goals, my habits, my schedule. The kind of information that, if leaked, would be genuinely personal.
I couldn't hand that to a system where:
- 12% of the plugin marketplace was compromised within weeks of launch
- Tens of thousands of instances are publicly exposed
- The default security posture is "insecure by default"
- Every conversation passes through a third-party LLM API with my full context window
So I built my own. Not because I'm smarter than Peter Steinberger (I'm very clearly not - the man built PSPDFKit and sold it for nine figures). But because I need full control over every layer:
- Which models see my data - I choose which providers, which models, what context gets sent
- What plugins run - No marketplace. I build my own tools or I don't use them. Nothing executes on my machine that I haven't reviewed
- How memory is stored - Three-layer memory system (session, long-term, pinned facts) that I designed, I control, I can nuke at any time
- Where the boundaries are - My agent doesn't have blanket system access. Each tool has a defined scope. The file system access is scoped. Shell execution is scoped
It's slower to build. It's more work. OpenClaw gives you an autonomous agent in an afternoon. I've been building Iris for weeks and I'm still shipping core features. But when this thing eventually manages my calendar, reads my emails, and reminds me about sensitive personal commitments, I'll know exactly what has access to what and why.
What I took from OpenClaw
Loads, actually. I'll be implementing a lot of what OpenClaw has and will have - but curated for my own needs, built into my own stack, under my own control.
The messaging gateway concept directly influenced how I think about Iris's Telegram integration. The heartbeat pattern (proactive agent behaviour on a schedule) is something I want for Iris's reminder system. The idea of persona files (SOUL.md) inspired how I structure Iris's identity and memory system. The multi-platform vision - one agent, every channel - is exactly where Iris is heading. The agent-to-agent communication model is something I'm actively working towards in my own orchestration layer - the idea that a single user prompt can spawn a chain of agents that coordinate with each other rather than just report back to a parent.
I also learned from OpenClaw's mistakes. The adapter pattern I use for Telegram output (stripping orchestration markers for different channels) was designed with the assumption that more channels are coming. The tool system is locked down by design, not as an afterthought. Every sub-agent has a defined scope, and the parent agent is accountable for the result - it can't just blindly relay whatever a specialist or plugin says.
The Chutes angle
One thing worth mentioning: Iris runs its models through Chutes AI, which is itself open source under MIT. The entire API is on GitHub and you can technically self-host the whole platform. I looked into it. The reality is that self-hosting Chutes requires a minimum of 8 H200 GPUs, a Kubernetes cluster, PostgreSQL, S3-compatible storage, and a fair amount of infrastructure expertise. The developers themselves say it's "not recommended at all." So in practice, running your own Chutes instance isn't a realistic path to data sovereignty for a solo developer.
What Chutes does offer is a meaningful middle ground. The platform runs on decentralised infrastructure with Trusted Execution Environments (TEEs) - secure enclaves where not even the machine owner can access your data during processing, with end-to-end encryption. That's a different proposition from sending your life context to OpenAI or Anthropic's APIs and trusting their retention policies. It's not perfect - your data still leaves your machine for inference - but it's processed in an environment specifically designed so nobody can peek at it in transit. For running open-source models on someone else's hardware, that's about as good as it gets today.
The real win is that Chutes hosts open-source models. If the privacy calculus ever changes, I can take those same models and run them somewhere else - my own hardware, a different provider, whatever. I'm not locked into a proprietary model API. The prompts, the agent architecture, the orchestration - it's all mine. The inference is the only part that's outsourced, and it's the most replaceable part.
Where I stand
I run Wizzy. I like Wizzy. I watch what OpenClaw does and I take notes. When the security story matures - and it will, especially with OpenAI's resources behind it now - it might become the right choice for a lot of people. The vision is correct. An AI that lives in your messaging apps and takes real action is the future. OpenClaw proved that.
But for the thing I'm building - a deeply personal AI that knows everything about my life - I need to own every layer of the stack. Not because OpenClaw is bad. Because the stakes are too high to outsource trust.
Steinberger opened a new world. I'm just building my house in it with my own locks on the doors.