Notes on Open Claw Bot

It is really fascinating, how this platform works under the hood. This is what I could glean from just studying the documentation and internet resources.

Maybe eventually, I will find the time (and courage) to set up a Claw Bot myself.

Most significant architecture elements

Control Gateway

• Periodic execution, event handling, session manager
• A "Lane Queue" per session (every channel gets its own session) serializing execution
• Enables controling the bot via (simultaneous) connections to messengers like Telegram, WhatsApp, Discord, MS Teams
• Event and periodic execution
  • Lifecycle events, e.g. for session start or memory management (example: a pre-compaction ping to persist any relevant context before auto compaction happens).
  • Plugin events

Agent harness (in TypeScript) with a minimal core:

Based on pi-mono project by Mario Zechner

• The core agent harness of pi-mono has only 4 tools:
  • read: Read file contents
  • write: Create or overwrite files
  • edit: Make surgical edits to files (old text must match exactly)
  • bash: Execute bash commands
• pi was originally built as a coding agent harness but easily customizable for other purposes (like Open Claw Bot)
• Model abstraction supports a wide range of models with in-session model switching
• No MCP support (out-of-the-box) (Mario Zechner 2025a)
• See What I learned building an opinionated and minimal coding agent (Mario Zechner 2025b)

Extensibility

• Skills (concept from Anthropic) are central to the easy extensibility of Open Claw
• References
  • See the System Prompt template of Open Claw

Memory Management

• JSONL files for per-session memory
• Plain Markdown files for long-term memory
• Two levels of persistent memory: Daily log and curated long term memory
  • Auto compaction (feature of pi)

Browser Access

• Based on Google's Chrome DevTools Protocol (CDP) automating Blink-based browsers
  • Uses Microsoft's Playwright for interactions with websites
  • Uses the accessibility tree for browser automation
• See Open Claw Docs:
  • How it works (internal)
  • Agent tools + how control works

System Prompt

See the documentation: Open Claw - System Prompt

• Dynamically built for each agent run. (This is what context engineering means!)

Security Vulnerabilities

Some thoughts on (the lack of) security. Prompt injection is by far the most serious risk. But not the only one.

• Prompt Injection - no hard isolation between untrusted content from chats, skills, and external data sources from internal instruction expressing from user intent. (Zenity Labs 2026)
• Compromised agent skills corrupting systems. Malware scanner to mitigate this?

Sources

Architecture

• Laurent Bindschaedler (2026) Decoding OpenClaw: The Surprising Elegance of Two Simple Abstractions https://binds.ch/blog/openclaw-systems-analysis/
• Cobus Greyling (2026) Replace MCP With CLI , The Best AI Agent Interface Already Exists; URL: https://cobusgreyling.medium.com/replace-mcp-with-cli-the-best-ai-agent-interface-already-exists-bcbb8094cff8
• Mario Zechner (2025a) What if you don't need MCP at all? URL: https://mariozechner.at/posts/2025-11-02-what-if-you-dont-need-mcp/
• Mario Zechner (2025b) What I learned building an opinionated and minimal coding agent; URL: https://mariozechner.at/posts/2025-11-30-pi-coding-agent/

Security

• Bernardo Quintero (2026) From Automation to Infection: How OpenClaw AI Agent Skills Are Being Weaponized; URL: https://blog.virustotal.com/2026/02/from-automation-to-infection-how.html
• Zenity Labs (2026) OpenClaw or OpenDoor? URL: https://labs.zenity.io/p/openclaw-or-opendoor-indirect-prompt-injection-makes-openclaw-vulnerable-to-backdoors-and-much-more