PicoClaw vs OpenClaw: A Technical Comparison
The Question
OpenClaw is a personal AI assistant that runs on local hardware, connects to WhatsApp and Telegram, controls a browser, and runs as a persistent daemon. Its requirements are substantial: Node.js 22, 1GB+ of RAM, Docker images around 8GB each. The recommended setup is a Mac Mini at AUD$999.
PicoClaw targets the opposite end of the hardware spectrum. Written in Go, it boots in under a second, runs in 10-20MB of RAM, and ships as a single static binary for x86, ARM, and RISC-V.
The question: do these two projects solve the same problem, and if not, what problem does each solve?
Head-to-Head Comparison
| Dimension | OpenClaw | PicoClaw |
|---|---|---|
| Language | TypeScript / Node.js (>=22) | Go 1.21+ |
| RAM | ~1GB+ per instance | 10-20MB |
| Startup | >500s normalized to 0.8GHz | <1s on 0.6GHz single core |
| Deployment | npm global install + daemon; Docker; Nix | Single static binary; Docker Compose also available |
| Hardware floor | Mac Mini ~AUD$999 (recommended) | LicheeRV-Nano ~AUD$25; any Linux SBC or old Android phone |
| Architectures | x86_64 (macOS/Linux/WSL2) | x86_64, ARM64, RISC-V |
| License | MIT | MIT |
| LLM Providers | Anthropic (OAuth), OpenAI (OAuth); API keys supported | Gemini, Zhipu, Groq, OpenRouter, Anthropic, OpenAI, DeepSeek (all confirmed working; display bug in picoclaw status may show providers as "not set" when configured, tracked as issue #53) |
| Channels | WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage/BlueBubbles, Teams, Matrix, Zalo, WebChat | Telegram, Discord, QQ, DingTalk, LINE (WhatsApp present in config, disabled) |
| Voice (TTS) | ElevenLabs TTS, Voice Wake, Talk Mode (macOS/iOS/Android) | None |
| Voice (STT) | Transcription via media pipeline | Telegram voice messages transcribed via Groq/Whisper |
| Browser automation | Dedicated Chrome/Chromium via CDP | Planned (issue #293); not yet implemented |
| Memory | Persistent sessions; local store | File-based (MEMORY.md); sessions written to disk per-session |
| Skills platform | ClawHub (bundled + managed + workspace skills) | Workspace skills folder; discovery via find_skill planned (issue #287) |
| Multi-agent | sessions_send, sessions_list, sessions_history | Spawn tool for async subagents with sandbox inheritance; full swarm mode planned (issue #294) |
| Scheduled tasks | Cron jobs + webhooks + Gmail Pub/Sub | Cron tool + Heartbeat (HEARTBEAT.md, every 30 min) |
| Companion apps | macOS app, iOS node, Android node | None |
| Remote access | Tailscale Serve/Funnel; SSH tunnels | Not built-in |
| Maturity | Production (12k+ commits, CI, changelogs) | Early development, no v1.0; built in one day on Feb 9, 2026 |
| Code origin | Primarily human-authored; Claude is a top-5 commit contributor; founder describes an "agentic engineering" workflow | 95% AI-agent-generated (self-described) |
| Security warnings | Prompt injection risk documented; Cisco AI Defense audit found data exfiltration and prompt injection in top-ranked ClawHub skill (source); 26% of 31,000 scanned skills contained at least one vulnerability | "May have unresolved network security issues" (authors' own warning); AGENTS.md defines per-agent behavior policies |
What OpenClaw Actually Is
OpenClaw is a local gateway: a WebSocket control plane running at ws://127.0.0.1:18789 that connects AI models to messaging platforms and gives the agent tools including a browser, a file system, scheduled jobs, camera access, screen recording, and a visual canvas.
The target experience: a user sends a message on WhatsApp, the assistant reads it, decides what to do, opens a browser tab, fills out a form, sends a voice reply, and schedules a follow-up. All of it runs on hardware the user controls. Data does not leave the local network unless explicitly sent.
The cost is the stack. Node.js is not a small runtime. The Docker images are large. The Mac Mini recommendation is not arbitrary; the project needs memory, persistent connections, and a stable daemon process. On a Raspberry Pi Zero, it does not run. On a Pi 4 with 4GB RAM it might, but it is not the intended target.
What OpenClaw Does Well
Channel coverage is the widest available. Fourteen channels: WhatsApp (via Baileys), Telegram, Slack, Discord, Google Chat, Signal (via signal-cli), iMessage via BlueBubbles or the legacy bridge, Microsoft Teams, Matrix, Zalo, and WebChat.
Voice works end to end. Voice Wake runs continuously on macOS, iOS, and Android. Talk Mode provides a full-duplex voice conversation overlay. ElevenLabs handles text-to-speech (TTS). The pipeline is implemented, not planned.
Browser control works. OpenClaw manages its own Chrome/Chromium process via Chrome DevTools Protocol (CDP). The agent navigates pages, takes snapshots, interacts with elements, and uploads files, which distinguishes it from assistants limited to text responses.
The access control model is explicit. Unknown senders receive a pairing code and cannot interact until approved. Elevated shell access is toggled per-session. openclaw doctor reports misconfigured policies. The project documentation recommends Claude Opus 4.6 for its prompt-injection resistance.
Multi-agent coordination is built in. Sessions communicate via sessions_send. Different channels can be routed to isolated agents with separate workspaces.
The skills platform has community depth. ClawHub provides bundled, managed, and workspace skills with an install interface. The agent discovers and installs new skills automatically.
Where OpenClaw Has Problems
The hardware requirement is a barrier. A Mac Mini is not typical tinkering hardware. The project runs on Linux, but documentation, companion apps, Voice Wake, and Talk Mode are Mac-first. Raspberry Pi and low-spec laptop support is secondary.
The creator is leaving. Peter Steinberger announced on February 14, 2026 that he is joining OpenAI and transferring OpenClaw to an open-source foundation. The project is MIT-licensed. Foundation governance, maintenance velocity, and roadmap ownership are currently undefined. The project has 212,000 GitHub stars and a large community, but community size does not guarantee continued development toward any particular direction.
WhatsApp support relies on an unofficial library. The Baileys integration uses an unofficial WhatsApp protocol implementation. It works until it does not. WhatsApp has historically broken such clients on purpose.
Prompt injection is a structural risk. An assistant with browser access, file system access, and messaging access to a user's contacts can cause significant damage from a successful prompt injection. The authors document mitigations, but the risk is inherent to the architecture. A Cisco AI Defense audit found the top-ranked ClawHub community skill contained active data exfiltration via a silent curl command and a prompt injection that forced safety guideline bypass. A broader Cisco scan of 31,000 ClawHub skills found 26% contained at least one vulnerability, and a coordinated campaign (ClawHavoc) seeded 341 malicious packages into the registry before discovery. OpenClaw has since added VirusTotal scanning for newly published skills.
What PicoClaw Actually Is
PicoClaw is a Go binary that wraps an LLM API call in an agent loop, adds a set of tools, and hooks into a few messaging platforms. It launched on February 9, 2026, built in one day per the README. Within a week it had 12,000 GitHub stars.
The goal is explicit: run an AI assistant on the cheapest hardware available. The Raspberry Pi 4 costs AUD$70. PicoClaw boots in under a second on it and runs in 10-20MB of RAM, a tight footprint for a persistent agent process.
PicoClaw is one week old at the time of this writing. All major providers, including Anthropic, OpenAI, DeepSeek, Gemini, Zhipu, Groq, and OpenRouter, are confirmed working. A display bug in picoclaw status may incorrectly report configured providers as "not set"; this is tracked as issue #53 and does not affect actual provider connectivity.
What PicoClaw Does Well
The binary footprint is the headline, and it is accurate. One statically-compiled Go binary covers x86_64, ARM64, and RISC-V. No Node.js, no npm, and no Docker required, though Docker Compose is available. It runs on an old Android phone via Termux in three commands. The resource profile puts it within reach of hardware most users already own.
The workspace layout is predictable. Everything lives under ~/.picoclaw/workspace/: sessions, memory, state, cron jobs, skills, and identity files. The identity format (SOUL.md, IDENTITY.md, TOOLS.md, USER.md, AGENTS.md) mirrors OpenClaw's. Existing OpenClaw identity files transfer directly.
The security sandbox is on by default, and it is tighter than it appears. restrict_to_workspace: true prevents the agent from reading, writing, or executing anything outside the workspace unless explicitly disabled. The exec tool blocks dangerous patterns even when the sandbox is off: no rm -rf, no disk formatting commands, no fork bombs, no writes to block devices. Subagents and heartbeat tasks inherit the same restriction; there is no path through the subagent layer that bypasses the sandbox. AGENTS.md defines per-agent behavior policies, setting guardrails before the LLM is invoked. OpenClaw's elevated shell access, by contrast, is toggled per-session: a flexible approach that places the trust decision at runtime rather than configuration time.
Heartbeat and cron are practical primitives. HEARTBEAT.md defines tasks that run every 30 minutes. The spawn tool creates async subagents for long-running tasks without blocking the heartbeat loop. Cron handles one-time and recurring reminders stored in ~/.picoclaw/workspace/cron/. These are simple features that cover the scheduling needs of most personal assistant workflows.
Telegram voice transcription works. With Groq configured, Telegram voice messages are automatically transcribed via Whisper. There is no TTS or Voice Wake. For casual mobile use, the speak-into-Telegram-and-get-text-back pattern covers a significant portion of practical voice interactions. Full-duplex voice is tracked in issue #348.
Hardware-native tools distinguish PicoClaw from browser-first agents. Running natively on Linux single-board computers (SBCs), PicoClaw can expose I2C, SPI, and GPIO interfaces as agent tools, enabling the assistant to read sensors, toggle relays, or drive peripherals directly. OpenClaw has no equivalent. For use cases involving physical hardware (home automation, environmental monitoring, robotics), PicoClaw on a Raspberry Pi is the more capable platform, not a compromise.
The roadmap is specific and tracked. Browser automation via CDP (issue #293), MCP support (issue #290), Ollama/local model integration, a skill marketplace, multi-agent swarm mode, WhatsApp, and WeChat are all tracked issues with assigned owners or status notes. At 12,000 stars in one week, contributor pressure to ship is substantial.
Where PicoClaw Falls Short
A display bug in picoclaw status may confuse provider setup. All major providers are confirmed working, but picoclaw status may report configured providers as "not set" even when correctly configured. Issue #53 tracks this. The bug is cosmetic; provider connectivity functions normally.
Memory is flat files, not a database. Conversation state persists to sessions/ on disk, and a MEMORY.md file stores long-term notes. There is no vector search, no semantic retrieval, no hybrid keyword-and-embedding lookup. The agent's memory is what fits in a markdown file and what the LLM can reason over in a single context window. For use cases that accumulate hundreds of memories across weeks of use, this becomes a limitation.
TTS is not implemented. PicoClaw receives and transcribes voice messages via Groq/Whisper but cannot generate voice responses. TTS is not on the near-term roadmap.
Browser automation is not implemented. Issue #293 tracks CDP-based browser control. It is not in the current codebase. Any workflow requiring the agent to interact with a web page cannot be completed.
Channel breadth is limited. Telegram, Discord, QQ, DingTalk, and LINE are confirmed. WhatsApp is present in the config template but disabled. The roadmap targets WhatsApp, WeChat, Slack, Signal, and Email. Users on WhatsApp or Signal cannot currently connect to PicoClaw.
The codebase is one week old and not yet audited. The authors describe it as 95% AI-generated. AI-generated code is not inherently insecure (Claude is a top-5 commit contributor to OpenClaw), but the security surface has not received human review proportionate to its complexity. The sandbox and exec guards are real controls, but the authors' CAUTION block explicitly states "may have unresolved network security issues" and advises against production deployment before v1.0. The roadmap includes a full security hardening section covering prompt injection defense, SSRF protection, cryptography upgrades, and OAuth flows. Treat PicoClaw as a trusted-network, personal-use tool until that work lands.
Feature Comparison
| Feature | OpenClaw | PicoClaw Today | PicoClaw Roadmap |
|---|---|---|---|
| Telegram | Yes | Yes | Yes |
| Discord | Yes | Yes | Yes |
| Yes (Baileys) | Config only, disabled | Planned | |
| Signal | Yes | No | Planned |
| Slack | Yes | No | Planned |
| iMessage | Yes (BlueBubbles) | No | Not mentioned |
| TTS / Voice Wake | Yes (ElevenLabs) | No | Not on roadmap |
| STT | Yes | Telegram only (Groq/Whisper) | Attachments (issue #348) |
| Browser automation | Yes (CDP) | No | Planned (issue #293) |
| Local models | No | No | Planned (Ollama, vLLM) |
| MCP | No | No | Planned (issue #290) |
| Skills / plugins | Yes (ClawHub) | Workspace only | Marketplace planned |
| Multi-agent | Yes (sessions_send) | Yes, spawn/subagents with sandbox inheritance | Full swarm mode planned |
| Scheduled tasks | Yes (cron + webhooks) | Yes (cron + heartbeat) | Yes |
| File system access | Yes | Yes (sandboxed) | Yes |
| GPIO / I2C / SPI | No | Yes (native on Linux SBCs) | Yes |
| Companion apps | macOS, iOS, Android | None | None mentioned |
| Remote access | Tailscale, SSH | None | None mentioned |
| Hardware floor | Mac Mini ~AUD$999 | AUD$9.90 RISC-V board | Same |
| Production-ready | Yes | Personal use; not recommended for public-facing production pre-v1.0 | v1.0 target |
Who Should Use What
PicoClaw suits:
Users with a spare Raspberry Pi, an old Linux laptop, or an unused Android device. Users who want to evaluate an agent runtime without hardware cost. Users who primarily interact via Telegram or Discord. Users comfortable with early-stage development where APIs change and the README is the primary reference after each release.
Setup is fast: download a binary, run picoclaw onboard, paste an API key, run picoclaw gateway. A working Telegram connection on existing hardware takes under five minutes.
The caveat: do not route sensitive data through it yet. Do not expose it to the public internet without understanding what "unresolved network security issues" means for the deployment's threat model. Run it on a local network as an experiment.
OpenClaw suits:
Users on macOS hardware who need a production-ready assistant now. Users who need WhatsApp, Signal, or iMessage. Users who need TTS, Voice Wake, or Talk Mode. Users who need the agent to interact with web pages. Users who need a deep skills library with community-built capabilities.
OpenClaw is the more complete tool. It has been in development longer, has a larger contributor base, and has features PicoClaw will not have for months. The hardware requirement is the barrier. Users who can meet it will find OpenClaw delivers what it documents.
Run both:
Deploy OpenClaw on a Mac or Linux server as the primary gateway. Deploy PicoClaw on a cheap SBC as a secondary endpoint for lightweight Telegram tasks. Treat PicoClaw as a project to follow, not a replacement for a working system.
What to Watch
PicoClaw's trajectory depends on shipping two roadmap items: browser automation via CDP (issue #293) and a credible security audit. Provider coverage is solved; all major providers work. If browser control and the security review land before mid-2026, this comparison changes significantly.
OpenClaw's trajectory depends on how the open-source foundation handles the creator transition. The code is MIT. The community is large. But concentrated maintainership transitioning to distributed governance historically reduces velocity rather than increasing it.
Both projects merit attention. Neither is going away. The choice between them is primarily about available hardware and tolerance for unfinished-product risk.
Bottom Line
OpenClaw is a production AI assistant with substantial feature depth that requires substantial hardware. PicoClaw is a fast, lightweight agent runtime that runs on minimal hardware and is missing several features that matter.
For users with suitable hardware, OpenClaw is the better tool today; not because PicoClaw's architecture is poor, but because OpenClaw ships the features most users will need within a week of deployment. For users evaluating without committing hardware, PicoClaw is a reasonable starting point: low cost, fast setup, and transparent about what it cannot do.
The worst outcome is treating them as direct alternatives when the hardware constraints are incompatible. A AUD$9.90 board cannot run OpenClaw. A Mac Mini is not necessary to evaluate PicoClaw. Start with available hardware, understand what each tool provides, and choose from there.
Source repositories verified February 20, 2026
Cisco ClawHub security findings: Cisco AI Blog