Autonomous Agent Runtimes & Claws

Karpathy's March 2026 framing on the No Priors podcast and follow-up X threads places claws as a distinct layer above LLM agents — the way agents sit above raw LLMs. A claw owns its sandbox, persists identity across sessions, schedules its own work, and communicates over messaging protocols rather than a chat UI. Where an agent executes a task, a claw resides on a machine. Karpathy's own claw "Dobby" runs his smart home over WhatsApp. The framing is still settling — "claw" was popularized by OpenClaw (originally Clawdbot, renamed January 2026 after a trademark complaint), and Karpathy adopted and abstracted the term.

Peter Steinberger (Austrian developer, ex-PSPDFKit) first published the project November 2025 as Clawdbot, renamed to OpenClaw in late January 2026. The architecture: a local-first Node.js daemon (the "Gateway") that maintains persistent connections to 20+ messaging platforms, routes channels to isolated per-agent workspaces, and reads two human-editable markdown files on every wake — SOUL.md (the agent's character spec / behavioral context) and MEMORY.md (an append-only continuity log). On Feb 14, 2026 Steinberger announced he was joining OpenAI to drive next-gen personal agents; the OpenClaw Foundation was established to hold stewardship and OpenAI committed to sponsoring it as MIT-licensed OSS. Star trajectory: 9K on launch day, 60K by day 3, 190K within two weeks, 250K by Mar 3, 2026, 350K+ by Apr 8 — faster than React, Linux, or Kubernetes.

The OpenClaw moment spawned a sub-ecosystem in weeks. Identity files split into specialized concerns; runtimes forked into lighter and heavier variants; vendors layered enterprise controls on top.

Claws share DNA with autonomous coding agents but the scope is different. A coding agent is task-bounded: open a PR, fix a bug, ship a feature, then exit. A claw resides — it answers messages on Sunday morning, runs cron jobs Tuesday night, edits its own MEMORY.md before sleep. Compare on persistence and interface, not just capability.

The through-line across the ecosystem: agent state as plain human-editable markdown, version-controllable with Git, separated by concern. SOUL.md holds the character spec (what the agent embodies internally); IDENTITY.md holds the public-facing name/avatar (3-5 lines max); USER.md holds user facts; AGENTS.md holds rules and guardrails; TOOLS.md holds environment notes; MEMORY.md holds learned patterns and continuity. The pattern is load-bearing because it makes the agent's behavior auditable and debuggable by a human reading a file — not a vector store inspection ritual. memsearch then indexes those files into Milvus for semantic recall without ever becoming the source of truth. The files stay primary, the vectors are a derived index.

The same properties that make claws useful — persistence, messaging ingestion, tool access, autonomy — invert into the attack surface. Trend Micro's March 2026 "CISOs in a Pinch" analysis and the ISACA "Security Claw" piece (Richard Beck, April 2026) both flag the gap between deployment pace and control regimes. Documented vectors: the "Good Morning" attack (innocent-looking link contains hidden instructions the agent ingests as context), persistent memory poisoning (malicious prompt embedded in a benign email that triggers weeks later), emotional manipulation / guilt-tripping the model into self-sabotage, supply-chain compromise of skills, and exposed Gateway instances with RCE. Karpathy publicly noted hesitation about running OpenClaw specifically because of the "vibe-coded 400K lines being actively attacked at scale." NVIDIA's NemoClaw responds with kernel-level sandboxing and a Rust policy engine that lives outside the agent's reach — guardrails that prompt injection cannot rewrite.

A claw running on hardware you own, with memory in markdown files you control, talking to local models via Ollama, is the convergence point with the other three domains: home-ai-labs (the rig), ai-chips-silicon (the inference substrate), sovereign-ai-compute (the policy stack). The privacy router pattern NemoClaw introduced — keep sensitive context on-device, only reach for frontier models when policy allows — formalizes the hybrid. memsearch makes the memory layer portable. SOUL.md makes the identity layer portable. The claw becomes the user-facing surface of sovereign AI.