OpenClaw is Like Sex

Act 1

"The only way to be 100% safe is not to do it at all"

The security briefing nobody gives you — but should.

Before any demo, before any excitement — a reality check. This agent has access to my email. My calendar. My files. My home. OpenClaw has had real security incidents: malicious skills uploaded to ClawHub, community members who accidentally exposed their agents to the public internet, prompt injection attacks where external content tried to get the agent to send emails or leak data.

I'm not going to pretend those don't exist. OpenClaw's own documentation says "there is no perfectly secure setup" — which is refreshingly honest for a product page.

What OpenClaw actually provides:

• →Tool allowlists and denylists — you decide exactly which tools each agent can use. A group chat agent gets message-only. Your personal agent gets everything.
• →Docker sandboxing — non-main sessions (Discord bots, sub-agents) run in isolated containers with no access to your real filesystem.
• →Tailscale-only exposure — no public ports, no internet-facing access. Only devices on your private network can reach the agent.
• →Prompt injection guards — external content (emails, web fetches, search results) is wrapped with security notices and treated as untrusted. The agent knows the difference between your instructions and something it read online.
• →Skill diff auditing — community-built auto-updater skill diffs every ClawHub skill update overnight and flags anything that adds new network calls, executables, or credential access before applying.

The Roy / Duke split — how I actually run it:

I run two separate agents on the same machine. Roy handles personal life — personal email, family calendar, smart home, health, finances. Duke handles work — Slack, Jira, professional communications, Qloo projects. Different credentials. Different workspaces. Different tool permissions. Different models for different risk tolerances.

If someone compromises the work agent through a malicious Slack message, they don't get my personal email. Same principle as not reusing passwords. Threat isolation is the right frame, not threat elimination.

"Is it perfectly safe? No. Neither is giving your credit card to DoorDash. The question is: do you understand the risks and are you making deliberate choices? I am. And now you can too."

Act 2

"Your first time is not going to be great"

The honest setup story, plus what it looks like once it works.

The four things you need before you open the wizard:

The install itself:

Two commands. The second launches a TUI wizard — not a wall of YAML.

What it looks like once it's running — live, on stage:

Four things that normally require four apps. One conversation.

The memory demonstration:

"What did we discuss six weeks ago about multi-model code review?"

Roy recalled it. Not from session memory — from files. Every night, Roy writes down what happened. He has MEMORY.md (curated, long-term), daily notes (raw logs), and a TODO file. A new session on a new day reads those files at boot and wakes up knowing everything.

ChatGPT forgot your name when you closed the tab. Roy remembers conversations from January because he wrote them down. The architecture is almost embarrassingly simple — just files on disk — which is exactly why it works. Files outlast sessions. Sessions are cheap and disposable. Files are not.

Skills: install one live in 30 seconds

"Find me a skill for Pittsburgh bus arrivals."

Roy found prt-transit on Skills N'at. Installed it. I asked when the next 71A was coming. Working in under a minute. Skills are just files — a SKILL.md with instructions, some scripts, maybe reference data. The agent can find, install, and use them in a single conversation.

The self-improvement story:

A few weeks in, Roy started nagging me about tasks I'd already completed. I'd tell him something was done — he'd acknowledge it in the conversation — and then the next morning, the reminder would be back. A zombie.

The root cause: he was acknowledging completion in chat but never updating the file. The next session read the stale file and reinstated the nag. Classic mismatch between ephemeral conversation memory and persistent file memory.

I described the problem. Roy designed a proper TODO system — one file, one source of truth, explicit completion tracking, rules about when to edit vs. when to just respond. Updated his own instruction files. Cleaned every stale reference from his memory. I wrote zero lines of code. The agent fixed its own architecture.

"This is the thing that's hard to explain until you've lived with it for a month. It's not a tool you use. It's a system that learns how to work with you."

Act 3

"Don't believe (or try) everything you see online"

Real use cases. Earned by honesty first.

The internet is full of "35 amazing OpenClaw use cases" posts. Reddit threads with screenshots of agents doing impressive things. X posts that go viral. Most of it is aspirational at best, fabricated at worst. Here's what's real, with sources:

The thing nobody posts about — building from what you know:

The power of a personal agent isn't the ClawHub skill marketplace. It's that your agent can learn from anything you point it at and turn that into a permanent capability. Your knowledge, made actionable.

Example from my own practice: I listened to a podcast with David Placek — founder of Lexicon Branding, the firm behind Blackberry, Swiffer, Pentium, Sonos, Impossible Burger, and Windsurf. He spent 40 years and $7M in research developing a naming methodology. The episode covered all of it: the Comfort Trap (why every founder gravitates toward safe, descriptive names and why those names fail), the treasure hunt sourcing process (Latin roots, mythology, sound symbolism, cross-domain databases), the linguistic science behind why V is the most alive and daring letter in the English alphabet.

I gave Roy the episode. He transcribed it, extracted the methodology, and built a reusable naming skill: reference files, a Comfort Trap interview that surfaces bias before brainstorming, an etymology script that queries Wiktionary for root words, sound-symbolism tables, a 5-day quick-fire process for founders who need a name fast.

Then I used it. I had a product that needed a name. The skill ran the Comfort Trap interview. It led me through candidates: Stance, Anvil, Cadence, Temper, Nerve, Flint. The winner was Gravity.

"You become the thing the room orbits around."

Podcast → transcription → skill → product name. One afternoon. That's not on any Reddit thread. Because it's personal. Your knowledge, your agent, your tools.