
OpenClaw Ecosystem: Comparing 9 Agent Frameworks

The definitive comparison of every major framework born from the OpenClaw explosion. Feature matrix, security analysis, performance benchmarks, and a decision guide to help you choose the right one for your use case.

By Jose Nobile | 2026-04-20 | 22 min read

The OpenClaw Explosion

In November 2025, Peter Steinberger -- founder of PSPDFKit and a veteran of the Apple developer ecosystem -- quietly published a project called "Clawdbot" on GitHub. It was a TypeScript-based AI agent framework that could connect to messaging platforms like WhatsApp and Telegram. Within weeks, it was renamed OpenClaw, and the trajectory that followed was unlike anything the open-source world had seen.

By January 2026, OpenClaw had surpassed React's decade-old GitHub star record -- reaching 346,000+ stars by mid-April 2026. The project struck a nerve: developers wanted personal AI assistants that lived in their messaging apps, had persistent memory, and could actually do things -- browse the web, manage files, run cron jobs, automate banking.

On February 14, 2026, Steinberger joined OpenAI as VP of Developer Experience. To ensure the project's independence, OpenClaw was transferred to an independent foundation with a multi-company governance board. The MIT license was preserved, and the 22+ channel adapters continued to grow.

But the meteoric growth came with growing pains. In early 2026, multiple CVEs were disclosed -- culminating in CVE-2026-25253, a critical 1-click remote code execution vulnerability that exposed any OpenClaw instance reachable over the network. The security concerns, combined with OpenClaw's hefty 1GB+ RAM footprint and 500ms+ cold starts, spawned an entire ecosystem of alternatives, each addressing different pain points.

This guide compares all 9 major frameworks in the OpenClaw family tree: the original and 8 derivatives that have collectively reshaped how developers build and deploy AI agents.

Note: This ecosystem is less than 6 months old. Stars, features, and security postures change weekly. Data in this guide reflects the state as of April 19, 2026. OpenClaw reached v2026.4.14 with Claude Opus 4.7 defaults, Gemini TTS, Active Memory, GPT-5.4-pro forward compatibility, and continued security hardening. The ecosystem now spans 346K+ stars on the main repo with 44K+ community skills on ClawHub.

Feature Comparison Matrix

The following table compares all 9 frameworks across key dimensions.

| Feature | OpenClaw | Nanobot | Paperclip | ZeroClaw | PicoClaw | NanoClaw | NemoClaw | OpenFang | IronClaw |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Language | TypeScript | Python | TypeScript | Rust | Go | TypeScript | TS+Python | Rust | Rust |
| GitHub Stars | 346k | 38k | 34k | 30k | 27k | 26k | 18k | 16k | 12k |
| RAM Usage | >1 GB | 191 MB | Varies | <5 MB | <10 MB | ~50 MB | OC+ | 40 MB | ~5 MB |
| Cold Start | >500 ms | Fast | Fast | <10 ms | ~1 s | Fast | Seconds | 180 ms | Fast |
| Channels | 22+ | 10+ | N/A | 22+ | 17+ | 5+ | 22+ | 40+ | 5+ |
| Security Model | Opt-in | Docker | N/A | Defaults-on | Minimal | Container | Sandboxed | 16 layers | TEE+WASM |
| Binary Size | ~200 MB | ~80 MB | ~150 MB | ~8 MB | ~12 MB | ~120 MB | ~250 MB | ~15 MB | ~6 MB |
| License | MIT | MIT | MIT | MIT/Apache | MIT | MIT | Apache 2.0 | MIT/Apache | Apache/MIT |

When to Choose Each One

Each framework in the ecosystem occupies a distinct niche. Here is a breakdown of the ideal audience and use case for each one.

ORIGINAL

OpenClaw

Choose OpenClaw when you need maximum features, the largest plugin ecosystem, and the most active community. It supports 22+ channels, has hundreds of contributed skills, and offers the most mature personality system (AGENTS.md, SOUL.md, MEMORY.md). Accept the trade-offs: >1 GB RAM, opt-in security, and a Node.js runtime. Best for power users who want everything and have the resources to run it.

PYTHON

Nanobot

Choose Nanobot if you are learning AI agents, prefer the Python ecosystem, or work in academia. Its 191 MB footprint runs comfortably on a Raspberry Pi. The Python codebase makes it accessible to data scientists and ML engineers who think in NumPy and pandas. Excellent documentation with Jupyter notebook tutorials. 10+ channels and Docker-based security isolation.

ORCHESTRATION

Paperclip

Choose Paperclip for multi-agent orchestration and business goal optimization. Paperclip is designed for "zero-human companies" where multiple agents collaborate toward a shared objective. It excels at task decomposition, agent delegation, and feedback loops. Not a messaging bot -- it is a backend orchestration engine for autonomous workflows.

BALANCED

ZeroClaw

Choose ZeroClaw for the best efficiency-to-capability ratio. Written in Rust, it uses 99% less RAM than OpenClaw (<5 MB vs >1 GB) while maintaining full channel parity (22+). Security defaults are on from the first run -- no configuration needed. Sub-10ms cold starts make it ideal for serverless and edge deployments. The strongest all-around alternative to OpenClaw.

EMBEDDED

PicoClaw

Choose PicoClaw for embedded and IoT use cases on hardware as cheap as $10. Written in Go, it targets RISC-V, ARM, and MIPS architectures. Under 10 MB RAM and a 12 MB binary mean it runs on ESP32-class devices, routers, and single-board computers. 17+ channels. The go-to choice when your agent must run on the edge, off-grid, or on constrained hardware.

SECURITY

NanoClaw

Choose NanoClaw for security-first deployments in regulated environments. Built on a partnership with Docker, every agent runs inside a hardened container with namespace isolation, read-only filesystems, and network policies. TypeScript for familiarity, but container boundaries prevent any escape. Ideal for healthcare, finance, and government deployments where compliance is non-negotiable.

GPU

NemoClaw

Choose NemoClaw for the full OpenClaw experience enhanced with NVIDIA guardrails and local GPU inference. It combines TypeScript channel adapters with Python ML pipelines, offering sandboxed execution and native integration with NVIDIA NeMo Guardrails. 22+ channels. Best for teams that want OpenClaw's feature set with enterprise-grade AI safety and local model inference on NVIDIA hardware.

AUTONOMOUS

OpenFang

Choose OpenFang for running multiple autonomous agents 24/7. Its "agent-as-OS" paradigm treats each agent as a first-class process with its own filesystem, network stack, and lifecycle management. 40+ channels -- the most in the ecosystem. 16-layer security model. 40 MB RAM per agent. Designed for organizations that need fleets of always-on agents operating independently with minimal human oversight.

COMPLIANCE

IronClaw

Choose IronClaw for regulated industries where cryptographic audit trails and hardware-level isolation are required. Built on Trusted Execution Environments (TEE) and WebAssembly (WASM), every agent action is signed, logged, and verifiable. ~5 MB RAM, Apache/MIT dual license. The choice for banking, defense, and critical infrastructure where every action must be provably secure and auditable.


Performance Benchmarks

Performance matters differently depending on your deployment target. A 1 GB footprint is irrelevant on a 64 GB workstation but disqualifying on a Raspberry Pi. Here are the key metrics across all 9 frameworks.

| Project | Binary Size | RAM (idle) | Cold Start | Min. Hardware Cost |
| --- | --- | --- | --- | --- |
| OpenClaw | ~200 MB | >1 GB | >500 ms | ~$50 (2 GB VPS) |
| Nanobot | ~80 MB | 191 MB | ~200 ms | ~$15 (Raspberry Pi) |
| Paperclip | ~150 MB | Varies | ~300 ms | ~$30 (1 GB VPS) |
| ZeroClaw | ~8 MB | <5 MB | <10 ms | ~$5 (cheapest VPS) |
| PicoClaw | ~12 MB | <10 MB | ~1 s | ~$10 (ESP32/Pi Zero) |
| NanoClaw | ~120 MB | ~50 MB | ~400 ms | ~$20 (512 MB VPS) |
| NemoClaw | ~250 MB | OC+ (GPU req.) | ~2 s | ~$100 (GPU instance) |
| OpenFang | ~15 MB | 40 MB | 180 ms | ~$10 (512 MB VPS) |
| IronClaw | ~6 MB | ~5 MB | ~50 ms | ~$30 (TEE-capable) |

Key takeaway: ZeroClaw and IronClaw deliver the smallest footprints (under 10 MB RAM each), while NemoClaw requires the most resources due to GPU inference. OpenClaw's >1 GB footprint is the primary driver behind most alternatives.

Security Comparison

Security is the single biggest differentiator in the OpenClaw ecosystem. The original project's opt-in security model led to multiple CVEs that directly motivated the creation of most alternatives. Here is the security posture of each framework.

CVE-2026-25253

OpenClaw

Opt-in security. The critical CVE-2026-25253 (1-click RCE) was the catalyst for the ecosystem. Additional CVEs: CVE-2026-25254 (SSRF via channel adapters), CVE-2026-25255 (plugin sandbox escape). Security hardening was added in 2026.2.x but remains opt-in. Sandbox defaults to off. Plugin auto-load was disabled after CVE-2026-25255.

DOCKER

Nanobot

Docker isolation. Every agent runs inside a Docker container by default. No known CVEs as of April 2026. The attack surface is limited to the Docker daemon and the Python runtime. Network policies restrict outbound traffic. However, the Docker requirement adds operational complexity.

N/A

Paperclip

Backend-only. No messaging channels means no direct user-facing attack surface. Security depends entirely on your deployment infrastructure. No known CVEs. The risk is in the orchestration layer -- a misconfigured agent delegation could chain unintended actions.

DEFAULTS-ON

ZeroClaw

Security defaults on from first run. Mandatory sandbox, capability-based permissions, and seccomp profiles. No known CVEs. The Rust memory safety model eliminates entire classes of vulnerabilities (buffer overflows, use-after-free). The strongest default security posture in the ecosystem.

MINIMAL

PicoClaw

Minimal attack surface. The Go binary has no plugin system, no dynamic code loading, and no eval. Security comes from simplicity -- there is less to exploit. One known CVE: CVE-2026-30101 (channel adapter path traversal, patched in 0.4.2). Suitable for isolated IoT deployments but lacks enterprise security features.

CONTAINER

NanoClaw

Docker partnership, container-first. Official Docker integration with hardened base images, read-only root filesystem, dropped capabilities, and mandatory network policies. No known CVEs. Undergoes quarterly third-party security audits. The gold standard for container-isolated agent security.
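
The container properties listed above (read-only root filesystem, dropped capabilities, namespace isolation) can be verified on a running deployment from `docker inspect` output. The checker below is an added example, not NanoClaw's own code; the container names and sample JSON are constructed, and only standard `HostConfig` fields are read.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
# Container names are made up for this example.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/agent-default",
   "HostConfig": {"ReadonlyRootfs": false, "Privileged": false,
                  "CapAdd": null, "CapDrop": null,
                  "NetworkMode": "bridge", "PidMode": ""}},
  {"Name": "/agent-hardened",
   "HostConfig": {"ReadonlyRootfs": true, "Privileged": false,
                  "CapAdd": null, "CapDrop": ["ALL"],
                  "NetworkMode": "agents-net", "PidMode": ""}}
]
""")


def audit_container(entry):
    """Return hardening findings for one `docker inspect` entry."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")
    if hc.get("Privileged"):
        findings.append("privileged mode overrides dropped capabilities")
    if "ALL" not in {c.upper() for c in (hc.get("CapDrop") or [])}:
        findings.append("capabilities not dropped (CapDrop lacks ALL)")
    if hc.get("CapAdd"):
        findings.append("capabilities added back: " + ", ".join(hc["CapAdd"]))
    for field in ("NetworkMode", "PidMode"):
        if hc.get(field) == "host":
            findings.append(field + " shares the host namespace")
    return findings


def audit_all(inspect_output):
    """Map container name to its findings (empty list means all checks pass)."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in inspect_output}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_INSPECT).items():
        print(name, findings or "OK")
```
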

SANDBOXED

NemoClaw

NVIDIA NeMo Guardrails. AI-level safety on top of process-level sandboxing. Content filtering, prompt injection detection, and output validation are built into the inference pipeline. One known CVE: CVE-2026-31200 (guardrail bypass via Unicode normalization, patched in 1.2.1). The only framework with AI-specific security layers.

16 LAYERS

OpenFang

16-layer security model. Network isolation, filesystem sandboxing, capability tokens, process separation, encrypted IPC, rate limiting, audit logging, anomaly detection, credential vaulting, TLS mutual auth, binary signing, memory protection, syscall filtering, resource quotas, dead-man switches, and automatic rollback. No known CVEs. The most comprehensive security architecture.

TEE+WASM

IronClaw

Trusted Execution Environments + WebAssembly. Every agent action executes inside a TEE (Intel SGX, ARM TrustZone, or AMD SEV) with WASM as the execution sandbox. Cryptographic audit trails sign every action with a hardware-backed key. No known CVEs. The only framework offering hardware-level attestation that a given action was performed by a specific agent version.
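
What a signed, verifiable audit trail buys an investigator is easiest to see in code. The sketch below is an added example, not IronClaw's implementation or log format: an HMAC key stands in for the hardware-backed signing key, the record fields are hypothetical, and the hash chaining between entries goes beyond what the page states so that deleted or reordered entries are also detected.

```python
import hashlib
import hmac
import json

# Assumption: in a TEE deployment the signing key never leaves the enclave.
# This constructed key only stands in for it so the example runs anywhere.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
GENESIS = "0" * 64
FIELDS = ("seq", "agent_version", "action", "prev")


def _digest(body):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    blob = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def _sign(entry_hash, key):
    return hmac.new(key, entry_hash.encode(), hashlib.sha256).hexdigest()


def append_action(log, agent_version, action, key=DEMO_KEY):
    """Append one signed entry that commits to the previous entry's hash."""
    body = {"seq": len(log), "agent_version": agent_version, "action": action,
            "prev": log[-1]["hash"] if log else GENESIS}
    entry_hash = _digest(body)
    log.append({**body, "hash": entry_hash, "sig": _sign(entry_hash, key)})
    return log


def verify_log(log, key=DEMO_KEY):
    """Return the index of the first bad entry, or None if the log verifies."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected_hash = _digest({k: entry[k] for k in FIELDS})
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != expected_hash
                or not hmac.compare_digest(entry["sig"], _sign(expected_hash, key))):
            return i
        prev = entry["hash"]
    return None


def demo():
    """Verify a constructed log, an edited copy, and a copy with one entry removed."""
    log = []
    for action in ("read inbox", "send reply", "schedule job"):
        append_action(log, "1.0.0", action)
    edited = [dict(e) for e in log]
    edited[1]["action"] = "transfer funds"
    dropped = [log[0], log[2]]
    return verify_log(log), verify_log(edited), verify_log(dropped)
```

Because HMAC is symmetric, anyone who can verify this log could also forge it; a hardware-backed deployment would use an asymmetric signature so verifiers hold only the public key.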

Critical context: CVE-2026-25253 (OpenClaw 1-click RCE) was disclosed in January 2026 and affected all versions before 2026.1.8. It allowed arbitrary code execution on any reachable OpenClaw instance via a crafted message. This single CVE was the direct catalyst for ZeroClaw, NanoClaw, OpenFang, and IronClaw.
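
The fixed-in versions quoted in this section can be turned into a fleet check. The script below is an added example, not tooling from any of these projects; the host names and deployed versions are constructed. It compares versions numerically, because a plain string comparison would rank 2026.1.10 below 2026.1.8 and flag a patched host.

```python
import re

# Fixed-in versions as stated on this page. CVE-2026-25254 and CVE-2026-25255
# are omitted because the page gives no fixed version for them.
FIXED_IN = {
    "openclaw": [("CVE-2026-25253", "2026.1.8")],
    "picoclaw": [("CVE-2026-30101", "0.4.2")],
    "nemoclaw": [("CVE-2026-31200", "1.2.1")],
}

# Constructed inventory: host names and deployed versions are made up.
SAMPLE_INVENTORY = [
    ("gw-1", "OpenClaw", "2026.1.10"),
    ("gw-2", "OpenClaw", "2026.1.7"),
    ("edge-1", "PicoClaw", "0.4.1"),
    ("gpu-1", "NemoClaw", "v1.2.1"),
    ("gw-3", "OpenClaw", "nightly"),
]


def parse_version(text):
    """Turn '2026.1.10' or 'v0.4.2' into a tuple of ints."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(part) for part in m.group(1).split("."))


def is_older(have, fixed):
    """Numeric comparison; pads so that 1.2 and 1.2.0 compare equal."""
    width = max(len(have), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(have) < pad(fixed)


def scan(inventory):
    """Map host to the page's CVEs that its deployed version still predates."""
    results = {}
    for host, framework, version in inventory:
        try:
            have = parse_version(version)
        except ValueError:
            results[host] = ["UNKNOWN-VERSION"]  # review by hand, do not assume safe
            continue
        results[host] = [cve for cve, fixed in FIXED_IN.get(framework.lower(), [])
                         if is_older(have, parse_version(fixed))]
    return results
```
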