Skip to content

I Built My Own AI Agent. Here Is Why It Looks Nothing Like OpenClaw.

OpenClaw is everywhere right now. A personal AI assistant that runs 24/7 on your own machine, connects to your messaging apps, and takes autonomous action on your behalf. It has over 100,000 GitHub stars. Cisco, Microsoft and Kaspersky have all published security analyses. The hype is real. So is the risk.

Fat Agent vs Thin Agent — a lobster connected to everything versus a robot arm doing one thing well

I built something that solves a similar problem. But I made very different architectural choices. This post explains why, and what it means for anyone thinking about deploying AI agents in a business context.

What I actually built

Every morning I receive an email with a structured summary of all the newsletters I subscribe to.

My daily Newsletter Intelligence Digest

The same summaries are stored as notes in my personal knowledge base (Obsidian), searchable and linked to related topics.

Newsletter summaries in Obsidian, with metadata, topics and tags

The pipeline is straightforward. It reads my inbox, identifies newsletters, runs them through an LLM for summarisation, writes the output to Obsidian, and sends me a daily digest by email. I built it using the Datalumina GenAI Launchpad, a platform I gained access to through their AI engineering programme.

It is not glamorous. Nobody will post a video of it on X with fire emojis. But it runs reliably every day, and I know exactly what it does.

Fat agents vs thin agents

OpenClaw is what I would call a fat agent. It connects to everything: your email, calendar, file system, terminal, messaging apps, smart home, payment APIs. It interprets free-text instructions and decides for itself which actions to take. That flexibility is impressive. It is also the root cause of nearly every security incident reported so far.

In February 2026, security researchers found a vulnerability (CVE-2026-25253, CVSS 8.8) that allowed any website to silently take full control of a developer's OpenClaw instance. No plugins needed. No user interaction required. The fix came within 24 hours, credit to the maintainers. But the architectural problem remains: when an agent can do everything, a single breach gives an attacker access to everything.

More than 800 malicious skills were discovered on ClawHub, OpenClaw's community marketplace. Over 30,000 instances were found exposed on the public internet, many without authentication. Microsoft's security team explicitly recommended running it only in fully isolated environments with dedicated, non-privileged credentials.

My newsletter pipeline is what I would call a thin agent. It does one thing. It has access to one data source (my inbox) and two outputs (Obsidian and email). It cannot execute shell commands. It cannot browse the web. It cannot send messages on my behalf. The attack surface is minimal by design.

The complete pipeline: from incoming newsletter to daily digest

Why this matters for business

If you are considering AI agents for your organisation, the fat-vs-thin distinction is the most important architectural decision you will make.

A fat agent is a demo that impresses stakeholders. A thin agent is a solution you can actually put into production, maintain, and defend in a security audit.

The pattern that works is this:

  1. Identify a specific, repetitive workflow that costs real time.
  2. Build a focused automation with clearly defined inputs and outputs.
  3. Give it the minimum access it needs. Nothing more.
  4. Monitor what it does. Log everything.
  5. Expand scope only when you have confidence in the boundaries.

This is not exciting. It does not make for viral social media posts. But it is how you turn friction into flow without introducing uncontrollable risk.

OpenClaw is not the enemy

I want to be clear: OpenClaw is an impressive project. Peter Steinberger and the community have built something that shows where personal AI is heading. The concept of a persistent, context-aware agent that works across your communication channels is genuinely powerful.

But the project is four months old. The security model is still maturing. The skills marketplace has proven vulnerable to supply-chain attacks. One of the project's own maintainers said publicly: if you cannot understand how to run a command line, this is far too dangerous for you to use safely.

That is an honest assessment, and I respect it. It also tells you this is not ready for business-critical workflows.

The bottom line

The question is not whether AI agents will transform how we work. They will. The question is whether you deploy them responsibly or recklessly.

Start with thin agents. Solve one real problem well. Keep the scope tight and the access minimal. Expand when you have earned confidence in the system.

The future of AI automation is not one omniscient agent that does everything. It is a set of focused, reliable, auditable automations that each do their job well.

That is less exciting than a lobster emoji. It is also what actually works.

Kort samengevat: OpenClaw is een AI-agent die overal bij kan en alles zelf beslist. Indrukwekkend, maar een beveiligingsnachtmerrie. Ik bouwde een gerichte pipeline die mijn nieuwsbrieven samenvat en in mijn kennisbank zet. Eén taak, minimale toegang, voorspelbaar gedrag. Voor zakelijk gebruik is dat de verstandige keuze.

Jan Keijzer is founder of Imperial Automation, an AI automation consultancy helping European businesses turn friction into flow. With a PhD in Nuclear Reactor Physics from TU Delft and 30+ years of software development experience, he helps organisations deploy AI effectively.