Chapter 18 Part 05 — The Agent Era

OpenClaw + Composio

An always-on AI assistant that can actually do things — and the security questions you need to ask first.

Dennis Vorobyov
Founder & CEO, EltexSoft

Picture this. It’s 8 AM. You haven’t opened your laptop. Your AI assistant has already checked Gmail for anything urgent, summarized three client emails, posted a status update to Slack, checked if last night’s deployment succeeded on Vercel, and sent you a Telegram message: “Morning. Two things need attention — a failed health check on staging and a client asking about invoice #260111. Everything else is handled.”

That’s not science fiction. That’s OpenClaw connected to Composio, running on a $5/month server.

I’ve been running a version of this for about three months. The first morning I woke up to a summary of everything that had happened overnight, neatly prioritized in my Telegram, I felt two things simultaneously: relief that I wasn’t starting my day with 45 minutes of inbox archaeology, and mild unease that an AI was reading my email while I slept. Both feelings were appropriate. Both are still there.

The two pieces

Building an AI assistant that does real work requires solving two problems. The runtime: the AI needs to stay running, remember things across conversations, listen on channels you use (Telegram, Slack, WhatsApp), and decide when to act without being asked. The integrations: the AI needs to safely connect to your actual tools — Gmail, GitHub, Slack, Stripe, Notion, your database.

OpenClaw solves the runtime. Composio solves the integrations. Together: an always-on assistant that reaches into your real tools and takes real actions.

OpenClaw

An open-source project that turns any AI model into a persistent personal assistant. Created by Peter Steinberger (founder of PSPDFKit), it crossed 250,000 GitHub stars in roughly four months — faster than React. MIT-licensed. Free.

What makes it different from a chatbot: it stays running between conversations, remembers what you’ve told it, proactively checks things on a schedule, reaches you through your actual messaging apps, and can chain multiple actions together. It knows your name, your projects, your preferences, your timezone. A chatbot forgets you exist when you close the tab.

The memory system stores conversation summaries and facts in a local database, loading relevant context when you interact. The scheduling system runs cron-based checks — “check deployment status every 30 minutes,” “summarize unread emails at 7 AM.” And it connects to any AI model through OpenRouter or direct API keys.

Composio

A managed authentication gateway for AI agents. Over 500 integrations (Gmail, GitHub, Slack, Stripe, Notion, Jira, Salesforce, HubSpot, and more). Each integration handles OAuth flows, token refresh, and permission scoping. You connect a service once and every agent action uses properly scoped credentials.

The key feature: granular permission control. When you connect Gmail, you can grant “read inbox” but not “send email.” When you connect GitHub, you can allow “read issues” but not “push code.” This matters enormously when an AI is acting on your behalf.

Composio has 11 million monthly downloads and raised $6.2 million in 2025. Free tier: 10,000 actions per month. Pricing at $29-99/month for higher volumes. An open-source alternative called Arcade exists for teams that want to self-host.

The pattern: harness + gateway

The architectural insight that will outlast both tools: separate the agent runtime from the integration layer. The runtime (OpenClaw) handles memory, channels, scheduling, and the agent loop. The gateway (Composio) handles authentication, tool discovery, and secure API execution.

This is how Claude Code works too — Claude is the runtime, MCP servers are the integration layer. The difference: Claude Code is a developer tool you interact with in the terminal. OpenClaw is a personal assistant you interact with through messaging apps. Claude Code is for building. OpenClaw is for operating.

The security section you should not skip

Both tools have had real security incidents.

OpenClaw’s Gateway API (the HTTP endpoint agents use to manage memory) was exposed without authentication in early versions. Researchers demonstrated reading agent memory, injecting false facts, and modifying behavior — all without authentication. The vulnerability was patched, but it illustrates the risk: a personal assistant with access to your email, calendar, and code repos is a high-value target.

Composio’s X/Twitter integration was exploited in February 2026. Malicious community-contributed integrations bypassed the standard MCP sandboxing, allowing attackers to post unauthorized tweets from connected accounts. The incident affected a “small number” of users. Composio has since added review processes for community contributions.

The practical rules: run OpenClaw behind a VPN or SSH tunnel, never expose it publicly. Start with read-only permissions on every integration — add write access only when you trust the workflow. Review community-contributed skills before installing. Keep approval gates on for anything that writes or sends. Monitor what the agent does, especially in the first weeks.
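A minimal sketch of these rules as a policy gate placed between the agent runtime and the integration layer: read-only by default, an approval gate on anything that writes or sends, and a log of every decision. This is an added example, not OpenClaw or Composio code; the action names, `PolicyGate`, `deny_all` and `demo` are hypothetical, and the approver callback stands in for a human confirmation prompt.

```python
import json
import time
# Hypothetical action names; a real gateway defines its own identifiers.
READ, WRITE = "read", "write"
ACTION_KIND = {
    "gmail.read_inbox": READ,
    "github.read_issues": READ,
    "gmail.send_email": WRITE,
    "slack.post_message": WRITE,
}

def deny_all(action, args):  # default approver: nothing is approved
    return False

class PolicyGate:
    def __init__(self, write_allowlist=(), approver=deny_all):
        self.write_allowlist = set(write_allowlist)  # empty means read-only
        self.approver = approver                     # human-in-the-loop callback
        self.audit = []                              # one JSON line per decision

    def authorize(self, action, args):
        kind = ACTION_KIND.get(action)
        if kind is None:
            decision = "deny:unknown-action"   # not in the reviewed action table
        elif kind == READ:
            decision = "allow"
        elif action not in self.write_allowlist:
            decision = "deny:read-only"        # write access not yet granted
        elif self.approver(action, args):
            decision = "allow:approved"
        else:
            decision = "deny:not-approved"
        # Log argument names only, so message bodies never land in the log.
        self.audit.append(json.dumps({"ts": time.time(), "action": action,
                                      "arg_names": sorted(args),
                                      "decision": decision}))
        return decision

def demo():
    # Constructed tool calls an agent might propose during a morning run.
    calls = [
        ("gmail.read_inbox", {"label": "INBOX"}),
        ("gmail.send_email", {"to": "client@example.com", "body": "hello"}),
        ("slack.post_message", {"channel": "#status", "text": "deploy ok"}),
        ("x.post_tweet", {"text": "hi"}),
    ]
    gate = PolicyGate(write_allowlist={"slack.post_message"},
                      approver=lambda a, args: args.get("channel") == "#status")
    return [gate.authorize(a, args) for a, args in calls], gate.audit
```

With only `slack.post_message` on the write allowlist, the email send is refused outright and the unlisted action never reaches the approver.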

The autonomy-reliability math from Chapter 17 applies. Even 95% per-step reliability produces 36% completion on 20-step workflows. An always-on assistant that checks your email and posts to Slack has many steps per day. Scope it tightly.

The bottom line

OpenClaw and Composio represent a pattern: give the brain judgment, give the keychain access controls, and don’t combine them into one system. The power is genuine — a morning briefing that saves 30 minutes of inbox triage, automated monitoring that catches failures before clients notice, invoice tracking that nudges you about overdue payments.

The risks are also genuine. Build carefully. Build incrementally. Start with read-only. And always know where the off switch is.


This is the free web edition of Chapter 18. The full text — with OpenClaw installation walkthroughs, Composio configuration examples, scheduling patterns, security hardening guides, and the complete threat model analysis — is available in 42: The AI Builder’s Stack, coming Q3 2026 on Amazon in hardcover, paperback, and digital.