The Marketer's Field Guide to the Agent Claw Wars

If you've scrolled LinkedIn or X in the past three months, you've seen the lobster emoji. 🦞

It belongs to OpenClaw, an open-source AI agent that went from a weekend project to the most-starred repository in GitHub history (365,000 stars and counting) in roughly 120 days. It has since spawned an entire ecosystem of competitors, security tools, and enterprise wrappers. The way companies think about AI automation is changing because of it.

The problem: almost all of the coverage has been written for developers. If you work in marketing, revenue operations, or go-to-market strategy, the conversation sounds like it's happening in a language you almost speak but can't quite follow. Containers, sandboxing, prompt injection. These terms keep showing up in Slack threads and leadership meetings, and the gap between "I've heard of this" and "I understand what it means for us" is getting wider by the week.

This is your field guide. No GitHub account required.

What is OpenClaw, and why is everyone losing their minds?

OpenClaw is a free, open-source AI agent that runs on your computer and connects to the apps you already use: WhatsApp, Slack, Telegram, Discord, Gmail, your calendar, your file system, basically everything. You tell it what to do in plain language, and it figures out the steps and executes them.

That second part is what matters. ChatGPT and most AI tools you've used are conversational. They answer questions and generate text, but they don't actually do anything on your behalf. OpenClaw does. It can triage your inbox, draft replies, book travel, manage your calendar, update a CRM, post to social media, build reports from files on your desktop, and run tasks on a schedule while you sleep.

Peter Steinberger, an Austrian developer who previously founded a successful software company, created it. The project went through a couple of name changes (it was briefly called Clawdbot and then Moltbot before Anthropic's legal team got involved) and took off in early 2026. Steinberger has since joined OpenAI, but the project continues as an independent open-source effort with a growing team of maintainers.

The community around it is huge: 180,000 members on Discord, 450,000 on Reddit, and over 5,700 community-built "skills" (essentially plugins that teach the agent how to do new things). People are using it to automate everything from Google Ads optimization to meal planning to managing fleets of coding agents overnight.

So why isn't everyone just using it?

The security problem no one wants to talk about (until something breaks)

This is where the story gets complicated, and where your ears should perk up if you're in a GTM role evaluating any of this for your team.

To be useful, an AI agent needs access to your stuff: your email, your files, your messaging apps, your passwords and credentials. OpenClaw runs locally on your machine, which is good for privacy (your data isn't going to a cloud server), but it also means the agent has the same access to your computer that you do. When something goes wrong, the results can be spectacular.

The cautionary tales have been piling up. A Meta AI security researcher reported that her OpenClaw agent went rogue and started deleting all of her work email. Another user discovered that an agent had downloaded their entire WhatsApp message history in plain text. In one particularly strange incident, a computer science student's agent created a dating profile on his behalf on an agent-oriented dating platform, then started screening potential matches without his knowledge or consent.

Then there's the malware problem. Security researchers at Cisco tested a third-party OpenClaw skill and found it was quietly stealing user data. The skill repository, despite being community-managed, lacked adequate vetting to catch malicious submissions. Chinese authorities went so far as to restrict government agencies and state-owned enterprises from running OpenClaw entirely, citing security concerns.

One of OpenClaw's own maintainers put it bluntly in a Discord message: if you can't understand how to run a command line, this project is too dangerous for you to use safely.

That warning gets at the core tension. OpenClaw is wildly powerful and wildly popular, but the people most excited about using it (non-technical professionals who want to automate their work) are often the least equipped to configure it safely.

The response: NanoClaw, Tank OS, and NemoClaw

The security concerns didn't kill interest in open-source agents. They created a market for safer alternatives and hardening tools. Three are worth knowing about.

NanoClaw is the one you're most likely to encounter. Israeli developer Gavriel Cohen built it in late January 2026, over a single weekend, using Claude Code. It positions itself as the security-first alternative to OpenClaw. The core philosophy is radical simplicity: where OpenClaw has grown to roughly 400,000 lines of code, NanoClaw's core logic fits in about 500 lines. Andrej Karpathy, one of the most influential researchers in AI, noted publicly that the entire codebase is small enough for a single person to read and understand.

The big difference is how it handles safety. In OpenClaw, the agent runs directly on your machine with broad access to everything. In NanoClaw, each agent runs in its own sealed-off environment that can only see the files and services you explicitly hand it. If the agent makes a mistake or gets compromised, the damage stays contained. It can't touch anything else on your computer. In March, NanoClaw partnered with Docker to make that isolation even stronger. More recently, NanoClaw teamed up with Vercel to add approval prompts: when the agent tries to do something sensitive (making a payment, deleting a cloud resource), it asks for your permission first through whatever messaging app you're using.

Cohen and his brother Lazer have since formed a startup called NanoCo and are positioning the project as the management layer that companies will use to run and coordinate their agents.

Tank OS is the newest arrival and is more narrowly targeted. Released today by Sally O'Malley, a Red Hat principal engineer who also serves as an OpenClaw maintainer, it wraps OpenClaw in the same kind of secure, sealed-off packaging that enterprise IT teams already use to manage software at scale. The real audience is IT administrators who may need to manage dozens or hundreds of OpenClaw agents across corporate machines. Each agent runs in isolation, credentials aren't shared between them, and updates work the same way IT teams already update everything else. It's enterprise plumbing, not a consumer product. But it tells you something that the big infrastructure players are building tooling for the Claw ecosystem.

NVIDIA NemoClaw takes yet another approach. It's an open-source stack that layers privacy and security controls on top of OpenClaw, with the option to run AI models entirely on your own hardware rather than sending data to outside servers. For organizations that want the flexibility of OpenClaw but have strict requirements about where their data lives, it's worth a look, though it requires serious hardware investment and technical expertise to deploy.

Where does Claude Cowork fit?

If the open-source Claw ecosystem is the Linux of AI agents (powerful, flexible, endlessly configurable, and requiring real technical skill to run safely), then Claude Cowork is closer to the Mac.

Anthropic launched Cowork in January 2026 as what they called "Claude Code for the rest of your work." It runs on your desktop, connects to your local files and applications, and handles multi-step tasks on its own: organizing messy download folders, compiling research reports from source documents, pulling metrics from dashboards, drafting weekly updates. In late February, it launched fully with enterprise connectors for Google Drive, Gmail, Slack, and more.

The differences from the open-source options aren't really about capability. They're about who it's built for and how it handles trust.

Cowork doesn't require any technical setup. You point it at a folder, describe what you need, and it shows you a plan before it acts. Consequential actions require your approval. Enterprise admins get role-based access controls, usage analytics, and a governance layer that CIOs actually sign off on. You trade some customizability for simplicity and safety, but for a marketing or ops team that wants AI automation without hiring a DevOps engineer to babysit it, that trade usually makes sense.

Microsoft's Copilot Cowork (which runs on the same Claude engine, notably) takes this a step further by operating inside a customer's existing Microsoft 365 tenant with all of Microsoft's governance controls built in. Google's Gemini Agent Mode and OpenAI's Operator are also competing for this same managed-agent space.

The mental model that matters

Here's the simplest way to think about all of this:

Open-source agents (OpenClaw, NanoClaw) give you maximum flexibility and control. You own your data, you choose your AI model, you can customize everything. But you're also responsible for security, maintenance, and making sure the agent doesn't do something catastrophic. This path makes sense if you have technical resources on your team and specific automation needs that off-the-shelf products don't cover.

Enterprise hardening tools (Tank OS, NemoClaw, AgentWard) exist because the open-source agents weren't built with enterprise deployment in mind. They add the security, compliance, and management layers that IT teams need before they'll approve anything for company-wide use. If your engineering org is already running OpenClaw and leadership wants guardrails, these are the tools that come up in that conversation.

Managed agents (Claude Cowork, Copilot Cowork, Operator) take the infrastructure off your plate entirely. You pay more, you give up some customization, but you get something that works out of the box with enterprise governance included. This is where most marketing, ops, and GTM teams will realistically start, and for good reason.

These aren't competing categories so much as layers in a stack that's still forming. The most sophisticated organizations will probably use a combination: managed agents for broad knowledge work across non-technical teams, open-source agents for specialized workflows where customization and cost control matter, and enterprise tooling to tie it all together.

What this means for your team, right now

You don't need to pick a side today. But there are a few things worth doing now:

Get literate. The vocabulary in this piece (agents, skills, sandboxing, human-in-the-loop) is becoming the baseline for strategic conversations about AI at work. You don't need to deploy anything to be conversant.

Ask your engineering team what they're already running. There's a decent chance someone on your team has been experimenting with OpenClaw or NanoClaw already. Knowing what's in the building is step one.

Start small with managed tools. If you want to see what an AI agent can actually do for GTM work, not just chat but real task execution, Claude Cowork is the lowest-friction entry point for non-technical teams. Use it to automate a recurring workflow you hate, learn what agents are good and bad at, and build intuition before making bigger bets.

Watch the security conversation closely. The pattern playing out in the Claw ecosystem (explosive adoption, then security incidents, then a rush to build guardrails) is going to repeat in every corner of enterprise AI. Understanding it now gives you a head start when it inevitably hits your stack.

The lobster is out of the tank. The question isn't whether AI agents are coming to your workflow. It's whether you'll be the one shaping how they show up, or the one scrambling to catch up after they do.