The AI Agent Wars and What Founders and Investors Need to Know | VC Cafe
May 9, 2026 Weekly insights on Israeli tech, venture capital, and AI

The AI Agent Wars and What Founders and Investors Need to Know


Everyone is talking about agents. Should you install OpenClaw or is it too risky? Should you buy a Macbook Mini or is it unnecessary? Confusion galore.

In an effort to educate myself, I went on a research mission to understand the various alternatives out there for AI agents, the trade-offs, and the risks that should shape how you build and where you invest.

What Are AI Agents, Really?

For the past two years, the AI narrative centered on chatbots: systems that respond to prompts. Agents are fundamentally different. An AI agent is software that can observe its environment, make decisions, and take autonomous action to accomplish goals. It does not just suggest code edits; it opens your IDE, writes the code, runs the tests, and commits the changes. It does not just draft an email; it logs into your inbox and sends it.

The shift from “chat” to “act” is what makes 2026 feel like a genuine inflection point. When an AI can browse the web, read your files, execute shell commands, send messages, and manage your calendar, all in a continuous loop with persistent memory, you are no longer looking at a tool. You are looking at a digital worker. OpenClaw pitches itself as “the AI that actually does things.” Anthropic describes Cowork as outcome-driven software that works across desktop files and apps. Tencent explicitly describes its new products as moving AI from passive chatbots to active agents. The framing is converging across every major lab.

And the market knows it: OpenClaw surpassed 135,000 GitHub stars faster than any repository in history and is currently at over 312,000 stars, ranking 9th overall; Manus AI was acquired by Meta for $2 billion; and every major AI lab scrambled to ship a competitor within weeks.

A survey of almost 3,000 employees and executives in global enterprises, conducted by Workday in June 2025, showed general acceptance of AI agents as co-pilots.

For founders, the question is where to build. For investors, the question is where the value accrues. Is it the open-source runtime layer, the model provider, the enterprise wrapper, the vertical application, or the trust and governance layer underneath? Let’s walk through the main contenders.

1. OpenClaw

The open-source agent that went viral and kicked off the entire category.

Created by Austrian developer Peter Steinberger (originally as “Clawdbot,” later renamed Moltbot, and finally OpenClaw in January 2026), this is the project that started the fire. OpenClaw runs locally, connects LLMs to over 100 built-in “skills” covering file management, browser control, email, and APIs, and maintains persistent memory across sessions. It supports chat surfaces including WhatsApp, Telegram, and Slack, plus an isolated browser profile. In February 2026, Steinberger announced he would join OpenAI, and the project moved to an open-source foundation.

By March 2026, OpenClaw had over 135,000 GitHub stars and was being used by millions globally, with China actually surpassing the US in adoption. Its own security docs are unusually candid: these systems can execute shell commands, read and write files, send messages as you, and be manipulated through prompt injection if you are not careful.

Pros:

  • Free, open-source (MIT license), zero cost to start
  • Runs locally, giving users full data control
  • Massive community and ecosystem of skills
  • Model-agnostic: works with GPT, Claude, Gemini, local models
  • The de facto standard others are building on top of

Cons:

  • Serious security vulnerabilities (CVE-2026-25253, CVSS 8.8)
  • 12% of skills on ClawHub found to be malicious
  • 135,000+ instances exposed to the public internet via default config
  • No enterprise governance, audit trails, or compliance controls
  • Requires technical skill to set up and secure properly

2. Manus AI

The finished product you use, not the framework you build with. Works while you sleep.

If OpenClaw is the open-source framework, Manus (by Butterfly Effect, the team behind Monica.im) is the polished product on the other end of the spectrum. Launched in March 2025, Manus gained notoriety for completing complex, multi-hour tasks: building full-stack apps, conducting deep market research, compiling multi-source reports, all asynchronously in a sandboxed cloud environment. You give it a goal, close your laptop, and it pings you when the job is done. It orchestrates multiple specialized sub-agents under the hood, calling different models (Claude, Qwen, and others) depending on the step.

In March 2026, Meta acquired Manus for $2 billion, a signal of just how seriously the big platforms are taking the agent category. Pricing runs from a free tier (1,000 starter credits) through a $39/month Starter plan up to $199/month Pro.

Pros:

  • True async execution: runs in the cloud while you do other things
  • Multi-modal: browses, codes, analyzes data, manages files
  • Zero setup: no GitHub repos, no Docker, no API keys
  • Free tier available for testing; credit-based pricing scales smoothly
  • Meta acquisition signals massive backing and resources

Cons:

  • Proprietary black box: you cannot inspect its reasoning or code easily
  • Pro tier at $199/month is expensive for individual users
  • All data runs through their servers, not ideal for sensitive corporate work
  • Credit-based pricing makes costs hard to predict on complex tasks
  • Post-acquisition direction under Meta is uncertain

3. NemoClaw (NVIDIA)

Not trying to out-hype OpenClaw. Trying to civilize it.

Announced at GTC 2026 on March 16, NemoClaw is the most interesting response to OpenClaw because it is not a replacement. It is a hardened reference stack that sits on top of OpenClaw and adds what enterprises need: security controls, policy enforcement, and NVIDIA’s own Nemotron AI models. The centerpiece is OpenShell, a sandboxed runtime where companies define exactly what an agent can do, what it cannot touch, and what requires human sign-off. It is a cleaner answer to the question every CIO eventually asks: “how do I stop this thing from going rogue?” Install is a single command, and it runs on any hardware, not just NVIDIA GPUs.

Pros:

  • Enterprise-grade security and policy controls out of the box
  • OpenShell sandboxing gives CISOs real governance levers
  • Hardware-agnostic despite being an NVIDIA product
  • Pairs with Nemotron models for on-prem, air-gapped deployments
  • One-command install lowers the barrier for IT teams

Cons:

  • Brand new (March 2026), production track record is nil
  • Still built on OpenClaw, inheriting some of its attack surface
  • NVIDIA’s core business is hardware; long-term software commitment unclear
  • Pricing and licensing for enterprise use not yet fully transparent

4. Claude Cowork / Dispatch (Anthropic)

Anthropic’s managed, desktop-first agent for knowledge work. The “safe” alternative.

Philosophically, Claude Cowork sits at the opposite end of the spectrum from OpenClaw. It is not about self-hosting or hacking together your own agent stack. Cowork is a managed, desktop-first agent that moves through local files, folders, and everyday applications to finish tasks.

Dispatch, launched March 17, 2026, extends this by letting you send instructions from your phone and have Claude execute them on your desktop. The key differentiator is Anthropic’s focus on safety: built-in guardrails, content filtering, and a managed infrastructure model where Anthropic controls the security perimeter. It is probably the cleanest option for researchers, finance teams, legal teams, and operators who want outcomes, not infrastructure.

Pros:

  • Strong built-in security and safety guardrails
  • Managed infrastructure, no self-hosting headaches
  • Phone-to-desktop control (Dispatch) is a compelling UX innovation
  • Backed by Anthropic’s safety-first research reputation
  • Integrated with Claude’s strong reasoning capabilities

Cons:

  • Requires a paid subscription (Claude Pro at $20/mo minimum)
  • Not open-source, vendor lock-in to Anthropic’s ecosystem
  • Data routes through Anthropic’s servers, a trade-off for privacy-conscious users
  • Smaller skill/plugin ecosystem compared to OpenClaw’s community
  • Still in research preview

5. Devin (Cognition)

The specialist: an autonomous software engineer, not a general-purpose assistant.

While the other agents on this list try to do everything, Devin does one thing and bets its entire product on doing it better than anyone else: writing, debugging, and deploying software. Created by Cognition, Devin plans features, builds entire repositories, reads unfamiliar documentation to learn new libraries, and deploys working code. Devin 2.0 slashed pricing from $500/month to a $20/month Core plan (with Agent Compute Units at $2.25 each), making it accessible to solo developers. The Team plan ($500/month) adds API access and collaboration features.

For founders, Devin matters because it demonstrates the power of vertical agents: narrow scope, deep capability, clear ROI. If you are building an agent startup, the “Devin model” of picking one workflow and owning it completely is arguably more defensible than trying to be the next general-purpose assistant.

Pros:

  • End-to-end coding: plans, builds, debugs, and deploys
  • Strong technical reasoning; can learn unfamiliar libraries on its own
  • Dramatically lower price point with 2.0 ($20/mo entry)
  • Clear vertical focus makes the value proposition easy to measure

Cons:

  • Not a general-purpose agent: cannot do research, email, or scheduling
  • Compute-unit pricing makes costs unpredictable on large tasks
  • Core plan’s 9 ACUs only buy roughly 2 hours of active work
  • Enterprise plan requires custom pricing with no public transparency

6. Base44 Superagents

No-code agent builder: describe what you want, get an always-on autonomous worker.

Launched March 11, 2026, Base44 Superagents take a fundamentally different approach. Instead of a single general-purpose agent, users describe tasks in natural language and Base44 creates purpose-built agents that run 24/7 in the background. These agents connect to tools like Slack, Google Calendar, GitHub, WhatsApp, and Telegram, and maintain persistent memory across interactions. The emphasis is on accessibility: no code, no infrastructure, no API keys required. The trade-off is clear: the easier something is to stand up in a managed layer, the less raw control you have over the underlying stack. That is fine for many workflows, but it matters for sensitive enterprise use cases.

Pros:

  • Truly no-code, accessible to non-technical users
  • Always-on background execution with triggers and schedules
  • Pre-built integrations with popular workplace tools
  • Sandboxed environments with clear permission controls
  • Persistent memory makes agents more effective over time

Cons:

  • Less customizable than code-first alternatives
  • Closed platform, dependent on Base44’s infrastructure and roadmap
  • Newer entrant with less proven track record at scale
  • Integration depth may lag behind OpenClaw’s 100+ skills

7. Perplexity Comet

An AI browser that does not just search. It acts.

Perplexity’s Comet is an AI-native browser that turns Perplexity from an “answer engine” into an “action engine.” Launched on iPhone in March 2026, Comet embeds an AI assistant directly alongside web content: it can summarize pages, pull out specific details, and execute web-based workflows (e.g., “find the five best laptops, add them to a spreadsheet, and draft a comparison email”). For Pro users it runs on Claude Sonnet 4.6, for Max users on Opus 4.6. Perplexity also offers a “Personal Computer” product: an always-on M4 Mac mini that runs autonomously with persistent access to your apps and services.

However, Comet has already attracted legal trouble: Amazon won a court order in March 2026 blocking Comet from accessing password-protected sections of Amazon, accusing Perplexity of computer fraud for failing to disclose when the agent is shopping on a real person’s behalf. That lawsuit is a preview of the legal battles every browser-based agent will face.

Pros:

  • World-class search combined with the ability to act on results
  • Highly optimized for quick, web-based research and task loops
  • Personal Computer product offers always-on, persistent execution
  • Built-in audit trails and approval workflows

Cons:

  • Already facing legal action (Amazon injunction) over agent behavior
  • Personal Computer is expensive: $200/month plus Mac mini hardware
  • Limited autonomy outside of web-based tasks
  • Personal Computer is Mac-only and waitlist-only at launch

8. Accio Work (Alibaba)

Alibaba’s enterprise agent army for global SMBs, from sourcing to compliance.

Unveiled today (on March 23, 2026), Accio Work evolved from Alibaba’s B2B sourcing engine (launched November 2024, now serving 10M+ monthly active users) into a full enterprise agent platform. Rather than a single agent, it deploys specialized “squads” covering analysts, creators, and logistics experts that work in parallel. It handles automated compliance across 100+ markets, autonomous supplier negotiations, marketing automation, and logistics management through WhatsApp and Telegram. Reuters describes it as a plug-and-play, no-code AI taskforce for SMBs with strict permission protocols around sensitive data and financial actions.

Alibaba also has Wukong, an enterprise orchestration layer that coordinates multiple agents for documents, spreadsheets, meeting transcription, and research. It is closer to a real enterprise agent platform than a flashy consumer assistant, but remains in invitation-only beta.

Pros:

  • Purpose-built for e-commerce and global trade workflows
  • Multi-agent orchestration with specialized agents working in parallel
  • Already backed by 10M+ users from the Accio sourcing platform
  • Strict permission protocols for financial and sensitive actions

Cons:

  • Tightly coupled to Alibaba’s ecosystem, limited outside e-commerce
  • Data sovereignty concerns for Western enterprises using a Chinese platform
  • Not open-source; black box decision-making
  • Not yet publicly available (expected end of March 2026)

9. The Chinese Agent Boom

A Cambrian explosion from every major Chinese tech giant, moving at staggering speed.

China has surpassed the US in OpenClaw adoption, and every major tech company has shipped its own variant:

Tencent launched ClawBot (integrating OpenClaw directly into WeChat), plus WorkBuddy (“deployment-free OpenClaw”), QClaw, Lighthouse, and an AI Agent Security Sandbox. If the future of agents is chat-native, Tencent is extremely well positioned: over a billion WeChat users can invoke agents directly from chat. ByteDance shipped ArkClaw through its Volcano Engine cloud platform. Minimax launched MaxClaw. MoonShot shipped Kimi Claw, whose massive context window lets agents read 50+ research papers at once to synthesise reports. Zhipu AI released AutoGLM, a direct competitor focused on smartphone automation: it literally taps through apps on your phone. Baidu is pushing agents across desktop, cloud, mobile, and smart-home devices, though the public picture is still fuzzier (the clearest reporting is via Reuters rather than an official product page).

Meanwhile, the Chinese government has moved to restrict state agencies and SOEs from using OpenClaw on office computers, citing security concerns. A mirror image of US concerns about Chinese AI platforms.

Pros:

  • Massive user bases (WeChat alone has 1B+ users)
  • Deep integration with dominant local platforms and ecosystems
  • Aggressive development pace and competitive dynamics
  • Purpose-built for Chinese market workflows and compliance

Cons:

  • Fragmented ecosystem: too many forks, unclear which will survive
  • Government restrictions create regulatory uncertainty
  • Data sovereignty and censorship concerns for international users
  • Most are wrappers around OpenClaw, not independent platforms

The Risks: What Should Keep Founders and Investors Up at Night

The agent category is exciting, but the risk profile is unlike anything we have seen in previous software cycles.

Here is what founders building in this space and investors funding them need to internalize:

1. Security Is Not a Feature. It Is an Existential Threat.

OpenClaw’s track record is a warning to the entire category. A critical vulnerability (CVE-2026-25253, CVSS 8.8) allowed attackers to steal authentication tokens simply by tricking a user into visiting a malicious website. Researchers found that 12% of all skills on ClawHub (341 out of 2,857) were malicious, complete with professional documentation and innocuous names. Over 135,000 OpenClaw instances were found exposed to the public internet because the default configuration binds to all network interfaces. This is what happens when a developer tool goes mainstream before the security infrastructure catches up.

2. The “Lethal Trifecta” of Agent Risk

Palo Alto Networks identified three properties that make agents uniquely dangerous when combined: access to private data (files, emails, credentials), exposure to untrusted content (web pages, messages from others), and the ability to perform external communications (send emails, post messages, make API calls). Any two of these three would be manageable. All three together create a system where a single prompt injection can lead to data exfiltration, unauthorised actions, or lateral movement through connected services. Every agent platform on this list exhibits this trifecta to some degree.
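One way to apply the "any two are manageable, all three are not" rule at runtime, shown as an added example that is not from the original article or from any product named above: a per-session gate records which of the three properties a session has exercised and holds the call that would complete the trifecta for human approval. The tool names and their capability mapping are hypothetical.

```python
from dataclasses import dataclass, field
from enum import Enum


class Cap(Enum):
    PRIVATE_DATA = "private_data"        # reads files, email, credentials
    UNTRUSTED_INPUT = "untrusted_input"  # ingests web pages, inbound messages
    EXTERNAL_COMMS = "external_comms"    # sends email, posts, calls outside APIs


ALL_THREE = frozenset(Cap)

# Hypothetical tool names mapped to the trifecta properties each one exercises.
TOOL_CAPS = {
    "read_file": {Cap.PRIVATE_DATA},
    "read_inbox": {Cap.PRIVATE_DATA, Cap.UNTRUSTED_INPUT},
    "fetch_url": {Cap.UNTRUSTED_INPUT},
    "send_email": {Cap.EXTERNAL_COMMS},
    "http_post": {Cap.EXTERNAL_COMMS},
    "summarize": set(),                  # pure computation, no trifecta property
}


@dataclass
class SessionGate:
    """Tracks which trifecta properties one agent session has exercised."""
    used: set = field(default_factory=set)
    log: list = field(default_factory=list)   # audit trail of (tool, verdict)

    def decide(self, tool: str, approved_by_human: bool = False) -> str:
        caps = TOOL_CAPS.get(tool)
        if caps is None:
            verdict = "deny"                  # unregistered tools never run
        elif caps and (self.used | caps) >= ALL_THREE and not approved_by_human:
            verdict = "needs_approval"        # call would combine all three
        else:
            verdict = "allow"
            self.used |= caps
        self.log.append((tool, verdict))
        return verdict


def run_demo():
    """Constructed session: private read, then web fetch, then an outbound send."""
    gate = SessionGate()
    calls = ["read_file", "fetch_url", "summarize", "send_email", "unknown_tool"]
    return [gate.decide(c) for c in calls]
```

The gate is order-independent: whichever property arrives third is the one that is held, so a session that has already fetched a page and posted externally is stopped when it then tries to read private files.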

3. Supply Chain Attacks at Scale

The skill/plugin marketplaces that make agents powerful also create a new software supply chain attack vector. When users install third-party skills that have access to their email, file system, and API keys, they are extending trust to unknown developers in a context where the blast radius is enormous. We have already seen this play out with ClawHub. Enterprise skill curation and signing will become a critical infrastructure need, and a startup opportunity.

4. The Recursive Spend Problem

Because agents self-correct and retry when they fail, they can accidentally burn through thousands of dollars in API credits in minutes if they get stuck in a loop. This is not hypothetical. Reports from 2026 include: four agents in a research pipeline entering an infinite conversation loop for 11 days, racking up $47,000 in charges; a data enrichment agent misinterpreting an API error and running 2.3 million calls over a weekend. Across the Fortune 500, unbudgeted agent compute spend is estimated at $400 million and climbing. For founders building agents, cost controls (token budgets, step limits, time caps, and automatic kill switches) are not optional. For investors, ask every agent startup what happens when their system gets stuck.
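The four controls named above (token budget, step limit, time cap, kill switch) can live in one guard that every agent step must pass through. This is an added example, not code from the article or from any agent framework; the class, tool name, limits and sample API response are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from time import monotonic
from typing import Callable, Optional


class BudgetExceeded(RuntimeError):
    """Raised when a limit trips; the caller must stop the agent loop."""


@dataclass
class RunGuard:
    max_tokens: int = 50_000
    max_steps: int = 25
    max_seconds: float = 300.0
    max_repeats: int = 3                      # same call + same result this often = stuck
    clock: Callable[[], float] = monotonic    # injectable so the time cap is testable
    tokens: int = 0
    steps: int = 0
    killed: Optional[str] = None
    _seen: dict = field(default_factory=dict)

    def __post_init__(self):
        self._start = self.clock()

    def charge(self, tool: str, args: str, result: str, tokens: int) -> None:
        """Account for one finished step; raise once any limit is exceeded."""
        if self.killed:                       # kill switch latches: no further steps
            raise BudgetExceeded(self.killed)
        self.steps += 1
        self.tokens += tokens
        # Fingerprint the step so retries that change nothing are recognisable.
        key = hashlib.sha256(repr((tool, args, result)).encode()).hexdigest()
        self._seen[key] = self._seen.get(key, 0) + 1
        reason = None
        if self.tokens > self.max_tokens:
            reason = "token budget"
        elif self.steps > self.max_steps:
            reason = "step limit"
        elif self.clock() - self._start > self.max_seconds:
            reason = "time cap"
        elif self._seen[key] >= self.max_repeats:
            reason = "repeated identical call"
        if reason:
            self.killed = reason
            raise BudgetExceeded(reason)


def run_stuck_agent(guard: RunGuard):
    """Constructed scenario: an enrichment call keeps failing and is retried forever."""
    try:
        while True:
            result = '{"error": "rate_limited"}'   # constructed sample API response
            guard.charge("enrich_record", "id=42", result, tokens=800)
    except BudgetExceeded as exc:
        return str(exc), guard.steps, guard.tokens
```

With the defaults, the retry loop is stopped on its third identical failure after 2,400 tokens; with loop detection effectively disabled, the step limit still ends it at step 26.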

5. Shadow Agency

Just as enterprises dealt with “Shadow IT” in the 2010s (employees spinning up unauthorised SaaS tools), they now face Shadow Agency: employees deploying autonomous agents like OpenClaw on local machines that bypass corporate firewalls, data governance policies, and compliance controls. The difference is that shadow SaaS was mostly passive data storage. Shadow agents actively execute: they send emails, call APIs, move files, and make decisions with delegated authority. The blast radius of an unauthorised agent is dramatically larger than an unauthorised Dropbox folder.

6. Liability and Compliance Vacuum

When an agent autonomously sends an email, negotiates a supplier contract, or files a tax document on behalf of a business, who is liable if it gets it wrong? Current legal frameworks do not have clear answers. Amazon’s injunction against Perplexity’s Comet is an early signal. Enterprises adopting agents for regulated workflows (financial services, healthcare, government) face a genuine compliance gap. This is both a risk and an opportunity: the companies that solve agent governance will capture significant enterprise value.

7. Geopolitical Fragmentation

China banning OpenClaw from government use while Chinese companies ship a dozen clones, the US scrutinizing data flows through Chinese agent platforms, the EU likely to regulate agent autonomy under the AI Act. The agent ecosystem is fracturing along geopolitical lines faster than previous technology waves. Cross-border agent startups will need to navigate this from day one.

8. Human Oversight Still Matters

Anthropic’s own internal research found that employees report they can fully delegate only about 0-20% of their work to Claude, even while using it in roughly 60% of their tasks. Most high-stakes work still requires active supervision and validation. That feels like the right mental model for the whole category: agents are already useful, but they are not yet trustworthy enough to be unsupervised co-workers in every workflow. For founders, that means building for human-in-the-loop, not human-out-of-the-loop. For investors, be skeptical of any pitch that assumes full autonomy is around the corner.

The biggest gold rush since… the last gold rush

Where does the value accrue?

The agent runtime layer (OpenClaw and its variants) is commoditizing in real time. It is open-source, it is being forked by every major cloud provider, and it will be table stakes within a year. The model layer is a fierce but separate battle. The durable value likely sits in four places:

  • Enterprise security and governance: NemoClaw’s approach, but as an independent startup play. Identity, permissions, audit trails, memory boundaries, safe tool use, policy, sandboxing, observability.
  • Vertical agent applications: The Devin model. Pick one workflow, own it completely, build proprietary data advantages. Scoped enough to earn real trust, narrow enough to deliver measurable ROI.
  • Trust infrastructure: Skill marketplaces with signing and curation, compliance layers for regulated industries, cost-control middleware that prevents runaway spend.
  • Agent-native distribution: Tencent embedding agents inside WeChat, Perplexity building an agent-native browser. Whoever controls the surface where users invoke agents captures an enormous amount of value.

The winners in this wave may not be the loudest “superagents.” They may be the companies that solve the missing control layer around them. The excitement is real, but the moat may end up sitting one layer below the agent itself.

The more useful question for founders and investors is not “which agent is hottest?” It is: which products are actually safe enough, scoped enough, and opinionated enough to earn real workflows? That is where the market will get sorted.


Co Founder and Managing Partner at Remagine Ventures
Eze Vidra is the founder of VC Cafe and the co-founder and managing partner of Remagine Ventures, a pre-seed fund investing in ambitious founders at the intersection of AI, technology, entertainment, gaming, and commerce with a spotlight on Israel.

He is a former General Partner at Google Ventures (GV) in Europe, former head of Google for Entrepreneurs in Europe, and founding head of Campus London, Google's first startup hub. Eze writes on Israeli tech, venture capital, artificial intelligence, and founder strategy.

He is also the founder of Techbikers, a nonprofit that brings together the startup ecosystem on cycling challenges in support of Room to Read.