Claws: The New Layer on Top of LLM Agents
Andrej Karpathy has identified “Claws” as an emerging layer that sits on top of LLM agents, providing orchestration, scheduling, and persistence capabilities. While he acknowledges the security risks of current implementations like OpenClaw, he sees this as a significant evolution in AI agent architecture.
What Are Claws?
Claws represent a new abstraction layer that transforms LLM agents from reactive tools into persistent, autonomous systems. Unlike traditional agents that respond to individual prompts, Claws:
- Run continuously on dedicated hardware (often Mac Minis)
- Schedule and execute tasks automatically
- Maintain persistent memory across sessions
- Integrate with messaging platforms for remote control
- Orchestrate multiple tools and services
Think of them as “cron jobs for AI agents” - they operate in the background, checking for work, and acting on your behalf without constant supervision.
The Architecture Evolution
Karpathy frames this as a natural progression:
- LLMs: Foundation models that process text
- LLM Agents: Models enhanced with tool-calling capabilities
- Claws: Agents with orchestration, scheduling, and persistence
This layered approach mirrors how software systems typically evolve - each layer adds new capabilities while building on the foundation below.
Current Implementations
OpenClaw leads the current wave, offering:
- Integration with messaging apps (WhatsApp, Telegram, Discord)
- Ability to modify its own code through “skills”
- Persistent memory through markdown files
- Scheduled execution via heartbeat mechanisms
Smaller alternatives like NanoClaw focus on security and simplicity, with core engines around 4,000 lines of code that run in containers by default.
The Security Challenge
Karpathy warns about OpenClaw’s current state: “400K lines of vibe coded monster that is being actively attacked at scale.” Reports include:
- Exposed instances
- Remote code execution vulnerabilities
- Supply chain attacks through malicious skills
- Compromised registries
The fundamental issue: Claws derive their usefulness from broad permissions but create massive attack surfaces when they access your email, calendar, and financial accounts.
Why Mac Minis?
The Mac Mini trend serves practical purposes:
- Apple ecosystem integration: Native access to iMessage, Reminders, and iCloud
- Unified memory architecture: Efficient for local LLM inference
- Residential IP addresses: Less likely to be blocked by websites
- Always-on operation: Dedicated hardware for 24/7 agent availability
- Isolation: Separate machine contains potential security breaches
Implementation Patterns
Successful Claw deployments follow security-conscious patterns:
- Sandboxed environments: VMs or containers limit damage
- Limited credentials: Separate accounts with restricted permissions
- Human-in-the-loop: Approval gates for sensitive operations
- Monitoring: Logging and alerting for unusual activity
The Future of Claws
Despite security concerns, Karpathy sees Claws as inevitable. They solve real problems:
- Persistent assistance: Always-available help without manual prompting
- Complex orchestration: Chaining multiple tools and services
- Scheduled automation: Time-based and event-driven actions
- Context preservation: Memory that survives across sessions
Getting Started Safely
If you want to experiment with Claws:
- Start isolated: Use a dedicated machine or VM
- Limit permissions: Create separate accounts with minimal access
- Monitor closely: Watch logs and set up alerts
- Begin simple: Start with read-only tasks before adding write permissions
- Plan for failure: Assume your Claw will be compromised
The Claw layer represents a significant step toward truly autonomous AI assistants. While current implementations carry substantial risks, the underlying concept addresses real needs for persistent, orchestrated AI assistance. As security practices mature, Claws may become as common as the agents they orchestrate.