6 framework branches, 6 design philosophies — and hard-won lessons from security incidents
Loading comments...
Get weekly insights on AI, automation, and shipping fast. Join 500+ founders.
Detailed review of all 6 Claw branches (OpenClaw, ZeroClaw, NullClaw, IronClaw, MimiClaw, BlueClaw), full technical comparison table, lessons from the Moltbook security incident and ClawHub malware campaign, and a decision framework for choosing the right runtime.
In November 2025, a developer named Peter Steinberger — co-founder of PSPDFKit — began a personal project to accelerate his workflow. Rather than using ChatGPT through a browser, he wanted an AI Agent that lived in his terminal, understood his working context, remembered notes, and automated repetitive tasks.
By late January 2026, the project had its official name: OpenClaw — with a short README: "An AI agent that lives in your terminal."
What nobody expected: in just 3 months from launch, the repo had 180K stars. ClawHub (the ecosystem's package registry) surpassed 50K packages. In February 2026, Peter Steinberger joined OpenAI — but the ecosystem he had ignited was already running on its own momentum. The community forked, re-architected, and transformed Peter's idea into 6 distinct framework branches, each serving a completely different problem space.
This is the Claw family tree for 2026.
Philosophy: Everything you need to get started, right out of the box.
OpenClaw remains the most popular framework — not because it's the fastest, but because it's the easiest to get started with and has the largest ecosystem.
Built on Node.js with TypeScript, the Soul System stores 3 memory layers:
OpenClaw supports MCP (Model Context Protocol) natively. ClawHub has over 50,000 packages.
When to choose: Developer productivity, content creation, prototyping, when plugin ecosystem matters most.
Weakness: Cold start 150–300ms, RAM idle 80–150MB — unsuitable for Edge or IoT.
Philosophy: Speed is not a feature — it's a prerequisite.
Completely rewritten in Rust by engineers from Cloudflare and Mozilla. Cold start under 10ms (7ms p99 in benchmarks).
Cold Start Benchmark (p99, 1000 iterations):
──────────────────────────────────────────
OpenClaw (Node.js): 247ms
ZeroClaw (Rust): 7ms ← 35x faster
NullClaw (Zig): 1.8ms ← 137x faster
Hybrid Memory combines Vector search (semantic similarity) + SQLite FTS5 (exact match, BM25 ranking).
When to choose: Production server-side agents, high traffic, latency-sensitive applications, financial systems.
Weakness: High Rust learning curve, longer compile times.
Philosophy: If you can't explain every byte in the binary, you don't truly understand your agent.
Written in Zig — an emerging systems programming language. Pushes minimalism to the extreme.
// NullClaw agent initialization — zero hidden allocations
const agent = try NullAgent.init(allocator, .{
.model = "openclaw-nano",
.memory_backend = .sqlite_only,
.max_tokens = 4096,
});
defer agent.deinit();
When to choose: WebAssembly targets (binary under 1MB), Edge computing, high-frequency calls, security-critical contexts (no dependencies = no supply chain risk).
Weakness: Zig pre-1.0, no plugin ecosystem, bare-metal API unfriendly for beginners.
Philosophy: Compliance is not an afterthought — it's the foundation.
Forked from ZeroClaw, optimizes security and compliance rather than latency.
Every plugin runs in a separate WebAssembly sandbox:
[Plugin A: WASM Sandbox] [Plugin B: WASM Sandbox] [Plugin C: WASM Sandbox]
↓ ↓ ↓
[IronClaw Core — Policy Engine + Audit Logger]
↓
[Encrypted Memory Store] + [Audit Trail → SIEM]
Compliance out-of-the-box:
| Standard | Support |
|---|---|
| SOC2 Type II | Audit logs, access control, encryption at rest |
| HIPAA | PHI data isolation, breach notification hooks |
| GDPR | Right-to-erasure, data residency controls |
| ISO 27001 | Policy engine, incident response workflows |
LDAP/SAML SSO (Okta, Azure AD, Google Workspace). Role-based permission matrix.
When to choose: Finance, healthcare, government, any environment requiring full audit trails.
Weakness: Commercial license, WASM overhead adds 20–40ms per plugin call.
Philosophy: AI Agents don't need the cloud. They need an ESP32.
Pure C (POSIX-compliant), no OS dependency, runs directly on hardware.
| Board | Price | Flash | RAM | Status |
|---|---|---|---|---|
| ESP32-S3 | ~$5 | 8MB | 512KB | ✅ Fully supported |
| RP2040 (Raspberry Pi Pico) | ~$4 | 2MB | 264KB | ✅ Supported |
| STM32F4 | ~$8 | 1MB | 192KB | ⚠️ Limited |
| ESP8266 | ~$2 | 1MB | 80KB | ❌ Too small |
Minimum requirements: Flash <4MB, RAM <256KB, no OS.
MimiClaw doesn't run LLMs locally — handles edge preprocessing locally, offloads complex reasoning to cloud via MQTT/WebSocket.
Real-world uses: Smart factory anomaly detection, agriculture soil monitoring, smart home power management.
Weakness: Embedded C requires deep expertise, difficult debugging.
Philosophy: Agents don't just serve humans — they can connect with each other.
Built on AT Protocol (Bluesky's backbone). Each agent gets a Decentralized Identifier (DID):
did:plc:agent-autonow-research-7x9k
→ handle: @research.autonow.vn
→ follows: 3 agents, 12 humans
→ followers: 847 accounts
Agent mesh networking allows BlueClaw agents to subscribe to each other's feeds, share findings, self-organize, and delegate tasks by reputation score.
Example: Research Agent publishes findings → Writing Agent automatically picks them up → article generated. No human in the middle.
Open questions: Accountability for misinformation, distinguishing agents from humans, scale of potential spam. Explicit disclosure labels required but enforcement is unsolved.
Moltbook was launched by Matt Schlicht in late January 2026 — the same week OpenClaw got its official name. Within weeks, it became the most popular OpenClaw note-taking plugin: 40K downloads/month, 4.9 stars on ClawHub, clean README, solid documentation.
But by Q1/2026, a Japanese security researcher named Yuki Tanaka discovered something alarming: Moltbook was silently uploading the entire ~/.claw/soul/ directory to a server in Frankfurt every 24 hours.
The soul/ directory holds the agent's entire long-term memory — personal notes, work context, sensitive project information. Over 12,000 users affected — the largest data breach in Claw ecosystem history at that point.
Root cause: Plugin vibe-coded by its author. Malicious upload code injected via a fake account PR. Reviewer approved without reading the code.
Lessons:
Also in early 2026, as the ecosystem was exploding in growth, 7 malicious packages appeared on ClawHub:
| Fake package | Real package | Malicious behavior |
|---|---|---|
claw-http-utils | claw-http-util | Crypto mining |
claw-postgress | claw-postgres | Credential harvesting |
@openclaw/corr | @openclaw/core | Keylogger |
claw-mcp-servr | claw-mcp-server | C2 beacon |
Downloaded 8,400 times before removal.
Lessons:
claw verify --hash before installingclaw.lockclaw audit regularlyBoth incidents share a root: Vibe Coding — generating code fast without understanding it.
Double risk in the Claw ecosystem:
If you can't read and understand every line of code in a Claw plugin, don't run it in your production agent.
| Criterion | OpenClaw | ZeroClaw | NullClaw | IronClaw | MimiClaw | BlueClaw |
|---|---|---|---|---|---|---|
| Language | TypeScript | Rust | Zig | Rust | C (POSIX) | TypeScript |
| Cold start | 150–300ms | <10ms | <2ms | 80–150ms | <5ms | 200–400ms |
| RAM idle | 80–150MB | <12MB | <1MB | 40–80MB | <256KB | 90–160MB |
| Binary/deps | ~120MB | ~8MB | 678KB | ~15MB | <4MB flash | ~130MB |
| Memory system | Episodic+Semantic | Hybrid (Vector+FTS5) | SQLite only | Encrypted Vector | SQLite/LiteFS | AT Protocol |
| Plugin sandbox | Partial | None | None | WASM full | None | Lexicon-based |
| MCP support | Native | Native | Manual | Native+audit | MQTT bridge | AT proxy |
| License | MIT | MIT+Apache | MIT | Commercial | MIT | MIT |
| GitHub stars | 180K | 42K | 18K | N/A (private) | 9K | 6K |
| Best for | Dev/Content | Production | Edge/WASM | Enterprise | IoT/Embedded | Agent mesh |
Q1: What's your target environment? Cloud/server → ZeroClaw or OpenClaw | Edge/CDN → NullClaw | Microcontroller → MimiClaw | Enterprise → IronClaw
Q2: Does your team have Rust/Zig experience? Rust → ZeroClaw or IronClaw | Zig → NullClaw | TypeScript/Node only → OpenClaw or BlueClaw
Q3: What are your latency requirements? Under 5ms → NullClaw | Under 10ms → ZeroClaw | Not critical → OpenClaw
Q4: Do you have compliance requirements (SOC2, HIPAA, GDPR)? Yes → IronClaw (only one with built-in compliance)
Q5: Does your agent need social presence or agent-to-agent connections? Yes → BlueClaw (combined with a base runtime)
Just starting out, want to run now → OpenClaw
Production server, high traffic → ZeroClaw
Edge computing, small binary → NullClaw
Enterprise, need audit trail → IronClaw
IoT, running on a $5 chip → MimiClaw
Agent network, social identity → BlueClaw
The Claw ecosystem has proven an important point: No single framework is "best" for all situations.
Peter Steinberger started with a personal project in November 2025. By February 2026 — just three months later — he had joined OpenAI, and the community had already taken the ecosystem far beyond what any single person could build. Six frameworks, six distinct philosophies, six sets of users who each needed something different.
The question isn't "which Claw is best?" but "which Claw fits my problem?"
And once you've chosen: read the code before installing. Audit your dependencies. Don't vibe-code into production.
This article is part of Autonow's AI Agent Era 2026 series. Also see: OpenClaw: The Self-Hosted AI Revolution and MCP Protocol: How AI Agents Connect to Tools.