Clawdbot’s Capacity Is Less a Triumph of AI and More a Triumph of Desktop OS
By now, it’s almost impossible not to have heard of Clawdbot, which, after two renames, is currently called OpenClaw. You’ve probably also been flooded with endless tutorials about it.
In a nutshell: Clawdbot is a personal AI assistant that runs directly on your desktop operating system. You talk to it through chat apps like Telegram and WhatsApp, and it can get work done by exposing local files, software, and interfaces to an AI model and letting the model operate on your behalf.
If you’re already familiar with terminal-based coding agents like Claude Code, think of Clawdbot as a “Claude Code for everyday life.” The two share many of the same design ideas. Both emphasize file-system and command-line capabilities, and both operate on an “agentic loop”: the model reasons and plans, calls tools to read, write, and execute in a real environment, then uses the results to plan the next step, repeating until the task is done. In terms of configuration, both support defining agent behavior per workspace and extending capabilities via “skills” and plugins. In fact, many tasks you can do with Clawdbot were already possible with Claude Code.
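The agentic loop described above can be sketched in a few lines. Everything here is illustrative: `fake_model`, `run_tool`, and the message format are stand-ins for this explanation, not the actual API of either tool.

```python
# Minimal sketch of an agentic loop: the model plans, calls tools,
# observes results, and repeats until it declares the task done.

def fake_model(history):
    """Stand-in for a model call: returns a tool request or a final answer."""
    if not any(msg["role"] == "tool" for msg in history):
        return {"type": "tool_call", "tool": "list_files", "args": {"path": "."}}
    return {"type": "final", "text": "Done: found your files."}

def run_tool(name, args):
    """Stand-in for executing a tool in the real environment."""
    if name == "list_files":
        return ["notes.md", "todo.txt"]
    raise ValueError(f"unknown tool: {name}")

def agentic_loop(user_message, model, max_turns=10):
    history = [{"role": "user", "content": user_message}]
    for _ in range(max_turns):
        step = model(history)
        if step["type"] == "final":           # model decides the task is complete
            return step["text"], history
        result = run_tool(step["tool"], step["args"])        # act in the environment
        history.append({"role": "tool", "content": result})  # feed the result back
    return "Gave up after max_turns.", history

answer, history = agentic_loop("What files do I have?", fake_model)
```

The key property is the feedback edge: tool output goes back into the context, so each turn can correct or extend the previous one.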
However, Clawdbot’s main differentiator, and the main reason people find it compelling, is that it is more persistent, more approachable, and further-reaching than a terminal agent. Architecturally, the core of Clawdbot is a daemon process called the “Gateway.” The Gateway bridges “Channels” (chat interfaces) and “Providers” (local or remote AI model APIs). When you send a question or command via a Channel, the Gateway bundles your message with template context (system prompts, AGENTS.md, etc.) and forwards it to the model. The model then retrieves memory, calls tools, and eventually routes its response back through the Gateway to you.
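As a rough sketch of that flow, a gateway bundles a channel message with template context, calls a provider, and routes the reply back. Class and field names here are invented for illustration, not taken from Clawdbot’s source:

```python
# Hypothetical sketch of the Gateway role described above.

class Gateway:
    def __init__(self, system_prompt, agents_md, provider):
        self.system_prompt = system_prompt
        self.agents_md = agents_md   # workspace instructions (AGENTS.md)
        self.provider = provider     # callable: messages -> reply text

    def handle(self, channel, user_message):
        # Bundle the user's message with template context before the model call.
        messages = [
            {"role": "system", "content": self.system_prompt},
            {"role": "system", "content": self.agents_md},
            {"role": "user", "content": user_message},
        ]
        reply = self.provider(messages)
        # Route the reply back to the channel the request came from.
        return {"channel": channel, "reply": reply}

# A stub provider standing in for a local or remote model API.
def echo_provider(messages):
    return f"You said: {messages[-1]['content']}"

gw = Gateway("You are a helpful assistant.", "# AGENTS.md rules", echo_provider)
out = gw.handle("telegram", "list my to-dos")
```

The design choice worth noticing is that the gateway is model-agnostic and channel-agnostic: swapping Telegram for WhatsApp, or a local model for a remote API, changes only the endpoints, not the core loop.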
On top of that, Clawdbot proactively handles repetitive tasks like checking email or calendars in “Heartbeats.” It also writes conversation logs into persistent storage (MEMORY.md). The result is an assistant persona that feels more convenient, human, and understanding.
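In the abstract, a heartbeat is just a recurring job whose results get appended to persistent memory. A minimal sketch, with the task names, timestamp, and memory location as assumptions (only the MEMORY.md filename comes from the description above):

```python
# Sketch of a "heartbeat": run each periodic check once and append
# what happened to a persistent memory file.

import datetime
import os
import tempfile

def heartbeat(tasks, memory_path):
    """Run each periodic task and append the results to memory."""
    now = datetime.datetime(2026, 1, 1, 9, 0)  # fixed timestamp for the example
    lines = []
    for name, task in tasks.items():
        result = task()
        lines.append(f"- [{now:%Y-%m-%d %H:%M}] {name}: {result}")
    with open(memory_path, "a") as f:
        f.write("\n".join(lines) + "\n")
    return lines

tasks = {
    "check_email": lambda: "2 unread messages",
    "check_calendar": lambda: "next event at 10:00",
}
memory_path = os.path.join(tempfile.gettempdir(), "MEMORY.md")
log = heartbeat(tasks, memory_path)
```

Because the log is plain text in the workspace, the model can read its own history back on the next run, which is what makes the assistant feel like it “remembers” you.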
None of this, however, means that Clawdbot is user-friendly or ready for the average consumer. The official documentation is dense, disjointed, and obscure, bearing the unmistakable hallmarks of AI authorship; installation relies on npm, arguably the package manager people love to hate most; and the interface assumes a baseline competence in command-line tools and UNIX/Linux system administration. If you lack this technical background and are just buying into the hype from influencers, hoping Clawdbot will magically manage your life, you’re likely to hit a wall. It’s no wonder scalpers are already popping up selling pre-configured Clawdbot servers.
More importantly, Clawdbot may not be nearly as useful as the hype machine suggests. First, there’s the cost. Even the simplest requests (like “list my to-dos”) can burn through tens of thousands of tokens — you’ve probably seen posts panicking about money burning in real time. Federico Viticci, a familiar name in Apple circles and a guru of automation-as-performance, published a characteristically enthusiastic article on MacStories last week, only to reveal later that he burned through over $560 in tokens in a single weekend. His achievement? Managing Obsidian notes via Telegram.
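Some back-of-the-envelope arithmetic shows how quickly this adds up. The price and token counts below are illustrative round numbers, not any vendor’s actual rate card:

```python
# Back-of-the-envelope cost arithmetic for agent-style usage.

PRICE_PER_MILLION_TOKENS = 10.0   # USD, blended input/output rate (assumption)

def task_cost(tokens):
    """Dollar cost of a task that consumes the given number of tokens."""
    return tokens * PRICE_PER_MILLION_TOKENS / 1_000_000

# A "simple" request that still churns through tens of thousands of tokens:
simple = task_cost(50_000)

# A hundred such requests over a weekend of tinkering, before any
# genuinely heavy multi-step tasks:
weekend = 100 * simple
```

At these assumed rates a trivial request costs about fifty cents, and a weekend of casual use clears fifty dollars; heavier agent tasks with long contexts scale that up accordingly.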
Sure, you can cap costs by configuring it to piggyback on a ChatGPT or Claude subscription. But setting aside the risk of account bans, consider that a single query to a GPT-4o class model consumes roughly 0.34 Wh of electricity. At agent scale, where a single task may require many back-and-forth turns, it is not hard to rack up enough chatter that the energy feels disproportionate to the errands being automated. If you have even a shred of environmental conscience, do you really believe spending that much energy on trivial tasks is justifiable?
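To put that figure in perspective, here is the multiplication spelled out. The 0.34 Wh per-query estimate is from the text; the turn counts are illustrative assumptions, not measurements of Clawdbot:

```python
# Energy arithmetic: per-query cost multiplied across an agent's turns.

WH_PER_QUERY = 0.34   # rough estimate for one GPT-4o-class query

def task_energy_wh(turns):
    """Total energy for a task that needs the given number of model turns."""
    return turns * WH_PER_QUERY

chat_question = task_energy_wh(1)        # a single chat turn
agent_errand = task_energy_wh(30)        # an agent task with many tool calls
daily_heartbeats = task_energy_wh(24 * 4)  # a proactive check every 15 minutes
```

Under these assumptions a 30-turn errand lands around 10 Wh, and always-on heartbeats alone exceed 30 Wh a day; modest numbers individually, but spent on chores a cron job could do for a rounding error of that.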
Even if you ignore cost, the lack of robustness and the shaky security story are enough to keep Clawdbot away from anything truly important. The posts that showcase Clawdbot’s “magic” usually skip how long it took and how many failed attempts it went through. (Spoiler: often a while, and a lot.) In real use, an 80–90% success rate is already something to be grateful for, while a 90% SLA would be unacceptable for any production service. When errors occur, the time spent on manual fixes can easily outweigh the time ostensibly saved.
Moreover, Clawdbot’s perceived power comes largely at the expense of security. The AI researcher and blogger Simon Willison coined the concept of “the Lethal Trifecta”: if an AI system has (1) access to private data, (2) exposure to untrusted content, and (3) the ability to communicate externally, it is highly vulnerable to prompt injection attacks that leak data. Clawdbot checks every single box. Unlike Claude Code, it lacks a permission request mechanism and will happily execute any instruction from you, or what it thinks is from you. It’s no surprise that a single malicious email was enough to trick Clawdbot into handing over SSH keys.
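For contrast, the permission-request mechanism Clawdbot lacks is conceptually simple: a gate that refuses sensitive tool calls unless the user explicitly approves. This is a sketch of the general idea, with invented tool names, not Clawdbot’s or Claude Code’s actual code:

```python
# A permission gate around tool execution: sensitive tools require
# explicit user confirmation before they run.

SENSITIVE = {"run_shell", "read_ssh_keys", "send_email"}

class PermissionDenied(Exception):
    pass

def gated_call(tool, args, confirm):
    """Execute a tool only if it is safe or the user explicitly approves."""
    if tool in SENSITIVE and not confirm(tool, args):
        raise PermissionDenied(f"user declined: {tool}")
    return f"executed {tool}"

# A prompt-injected instruction (say, smuggled in via a malicious email)
# still has to get past the user at the gate:
auto_deny = lambda tool, args: False
try:
    gated_call("read_ssh_keys", {}, confirm=auto_deny)
    leaked = True
except PermissionDenied:
    leaked = False
```

A gate like this doesn’t stop injection itself, but it breaks the third leg of the trifecta for the most dangerous actions: the model can be fooled, yet the harmful call still needs a human to say yes.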
(Yes, you can reduce the attack surface with sandbox mode or by hosting it on a VPS, but then you also blunt much of what differentiates Clawdbot from other agent tools in the first place.)
Finally, it is also worth pointing out that Clawdbot’s capacity is less a triumph of AI and more a triumph of the desktop operating system. No matter how advanced AI becomes, remember its nature is probabilistic prediction based on context; the quality and boundary of the context determine the quality and boundary of the output. Currently, AI giants face bottlenecks because data and APIs are siloed: ChatGPT has to covertly buy Google results, and Gemini can’t access user data outside Google’s ecosystem. As base model capabilities converge, the competition shifts to who owns the ecosystem.
Clawdbot, as a one-person project, seems to dodge those constraints, not because it has some miraculous model or architecture, but because it is running right next to the data: on your desktop OS, often your primary machine. There, it can read local files and data directly, invoke command-line tools and system APIs freely, and even drive graphical interfaces that have no public API by operating the mouse and keyboard. None of that is novel. Desktop systems have supported this for decades, and traditional automation tools have long been able to do many of these jobs more cheaply and more reliably.
We’ve seen this before. Last year, Manus burst onto the scene with a similarly subversive appearance. Its secret sauce? Giving the AI a Linux virtual machine so it could leverage a full OS. Clearly, this pattern is easy to replicate. Following the usual cycle of AI hype, it’s reasonable to expect Clawdbot’s hype to fade within six to twelve months, while its underlying approach gets absorbed into more mainstream tools, or repackaged into something more approachable.
The greater concern is how much longer the desktop OS — the foundation Clawdbot stands on — will remain open. Windows is fast becoming a billboard for Copilot, while macOS suffers an identity crisis under the shadow of iOS. Both are increasingly restricting user autonomy, tightening permissions, and gating software distribution. The end-state is a “mobile OS, but bigger” — a system treated as an extension of a walled service ecosystem, rather than an open platform. (Linux has plenty of encouraging developments, but 2026 is plainly not the “year of the Linux desktop,” and 2027 won’t be either.)
If desktop operating systems ultimately become data islands the way mobile platforms already are, there will be no room for a new Clawdbot. AI will instead become something bestowed by the monopoly providers who control the data, rather than a tool people use to exercise agency.
But, of course, that’s not a conversation the carpe diem AI influencers are interested in having.