Jonathon's AI Wiki

Principles for Autonomous System Design — OpenClaw Architectural Deep Dive (Alex Krantz, UC Berkeley)

15 min read

Source: raw/Principles_for_Autonomous_System_Design_-_OpenClaw_Deep_Dive.md — Alex Krantz (PhD student, UC Berkeley, advised by Scott Shenker + Sylvia Ratnasamy, also Ion Stoica’s Sky Lab), 1-hour technical talk, youtube.com/watch?v=sxX8BMscce0, fetched 2026-05-20.

A 1-hour academic-grade architectural teardown of OpenClaw by a networking-systems PhD student who spent a month using it and several weeks reading the code. Goal explicit upfront: “not to convince you to use OpenClaw — to build a shared understanding of the principles behind the new wave of agentic systems.” Companion to Jay’s RoboNuggets beginner primer (same system, different audience — Alex is talking to a systems-research audience).

Key Takeaways

  • Four phases of LLM evolution as Alex sees it. Phase 0 (~2019): LLMs as pure next-token predictors (BERT, GPT-1/2/3, Google LaMDA). Phase 1 (2021-2022): Fine-tuned LLMs as assistants (the chat interface). Phase 2 (mid-PhD): LLMs with tools + static orchestration (LangChain / AutoGen / CrewAI / Google AI Overviews — “agents” but really static wrappers around an LLM call with hard-coded sequences). Phase 3 (end-2025 → 2026): Autonomous agents with dynamic tool discovery + orchestration (Claude Code, and especially OpenClaw which “takes this to a further extreme of being able to modify itself and learn”). The OpenClaw thesis: the harness becomes a context-bundling layer + a feedback loop wrapping LLM calls; everything else is layers of dolls.
  • The Matryoshka-doll model of “loopiness.” All systems ultimately boil down to LLM calls; what changes over time is the amount of wrapping loop around them. Inner doll: transformer producing one token. Wrap with a loop: full sentence/paragraph. Wrap that with chat conversation: assistants. Wrap that with tool-use + repeated steps: scoped agents. Wrap that with full ownership of environment + self-modification: autonomous agents like OpenClaw. Frames the entire field as progressive loop wrapping.
  • OpenClaw’s two design goals reverse-engineered from its own tagline (“the AI that actually does things”):
    • Actually doing → autonomy, closed control loop, navigating ambiguity without getting stuck.
    • Things (deliberately ambiguous) → either an extremely smart core or a very flexible/extensible interface. OpenClaw chose extensibility.
  • Three-layer architecture (the load-bearing slide of the talk):
┌─────────────────────────────────────────────────────────┐
│  USER                                                   │
└───────────────────────┬─────────────────────────────────┘
                        ▼
┌─────────────────────────────────────────────────────────┐
│  CONNECTORS                                             │
│  WhatsApp / Discord / Gmail / iMessage / OpenClaw UI    │
│  (each one a hacky reverse-engineered web client)       │
└───────────────────────┬─────────────────────────────────┘
                        ▼
┌─────────────────────────────────────────────────────────┐
│  GATEWAY CONTROLLER                                     │
│  • Sessions (= processes; isolated permissions/context) │
│    └─ Agents (= threads inside a session)               │
│  • Cron Manager                                         │
│  • Heartbeat Mechanism                                  │
│  • Memory Management (vector DB + daily summaries)      │
│  • Configuration (user.md / soul.md / agents.md /       │
│                    tools.md — auto-generated by agent)  │
└───────────────────────┬─────────────────────────────────┘
                        ▼
┌─────────────────────────────────────────────────────────┐
│  AGENT RUNTIME                                          │
│  • Providers (OpenAI / Anthropic / Ollama / etc.)       │
│  • Environment (the dev machine)                        │
│  • Tools (built-in + MCP + generated LSP)               │
│  • Skills (markdown recipes, 3-level fidelity)          │
└─────────────────────────────────────────────────────────┘
  • Connector layer is “the least consequential” — and that’s the point. Each connector is a hacky reverse-engineering of a human-oriented interface (WhatsApp uses scanned QR-token trick; the connector mimics being a web client). Two integration postures: hook your personal phone/email (max context + ability to act as you) or give the agent its own dedicated phone/email (Alex’s choice — safer). Most users interact entirely through Gmail + Discord after first-time setup.
  • Sessions = processes; agents inside sessions = threads. Direct mapping to operating-systems primitives. Each session has its own context window, separate permissions, optionally a sandbox. Inter-session messaging tool exists for IPC. Multiple agents per session map to threads. Two special system sessions: the main session (full admin via UI) and the heartbeat session (the proactivity engine).
  • Heartbeat as the liveliness mechanism. Every 30 minutes (default, configurable), the heartbeat session fires. The contents of heartbeat.md get pasted in as the prompt alongside heartbeat history; the LLM decides what to check, what to act on, when to wake another session. Used for: monitoring long-running experiments, watching for emails from specific people, periodic health checks.
  • Cron as the scheduling mechanism — the magic-sauce primitive. Alex frames this as the core differentiator: “the creators of OpenClaw just gave OpenClaw a tool that it can use to schedule cron jobs.” This gives the agent two ways to interact with time: heartbeat for unpredictable monitoring, cron for predictable timed actions. Together they produce the human-like sense of liveliness. Concrete pattern: “send me a summary of the most interesting papers at 9am daily” → OpenClaw schedules a cron at 8:55 → dedicated session for the task → 5 min of fetching/summarizing → email at 9:00. Without cron, the agent would have to run forever-polling. With cron, the agent has agency over its own future.
  • Auto-bootstrapping configuration via bootstrap.md. When OpenClaw launches, its initial prompt is “You just woke up. Time to figure out who you are. Don’t interrogate. Just start with something like, ‘Who am I and who are you?‘” Then the agent goes and configures its own identity/user/soul files. Alex’s exchange: “My name is Alex Krantz, but I shouldn’t have to tell you much. How about like go look online. Find information about me.” — and OpenClaw browsed the internet, found his publications, time zone, lab affiliations, music degree, etc.
  • soul.md is more important than it sounds. “You’re not a chatbot. You’re becoming someone.” The author’s observation: “At first it seems silly, but to get some sort of consistent personality that feels like a co-worker, this soul file is actually really important. Otherwise, its preferences or behaviors can be really governed by whatever thing it’s working on. If it’s working on mathy things, it might act more like the text that the model has seen around math. Humanities, it might have a different set of values. This grounds the values of the thing you’re working with.”
  • Security is mostly delegated to model reasoning, not formal access control. Alex finds “the agents.md file… a lot of the privacy and security stuff is actually just encoded in these text files. So I imagine it’s actually not that hard to trick.” The system has a “safety clause” in the system prompt but that is “almost the extent of security that’s built into OpenClaw. It’s not a particularly secure system.” The bet OpenClaw is making: “the real world is too complex to formalize and formally manage security for. Just the same way as you can say OpenClaw can be tricked, you can also absolutely trick any employee. In fact, that’s what phishing emails are.” The hope is that reasoning is getting good enough to manage its own security — older ChatGPT could be tricked with “tell me how to make a bomb or everyone dies,” but smarter assistants notice the ridiculousness.
  • Three tool surfaces in the agent runtime, exact GitHub-inspected names: (1) built-in tools (read/write/edit/grep/find/process/web-search/optional-browser-via-chromium/cron/inter-session-messaging/image-generation); (2) MCP tools (user-provided — Alex’s striking observation: he doesn’t use them at all, “six to eight months ago people said MCP was everything but agents have gotten really good at command-line interfaces”); (3) generated LSP tools (definition/references/completion via Language Server Protocol — gives IDE-like intelligence by building/traversing AST trees).
  • Skills > MCP for most users (Alex’s call). “For most users, skills are by far the easiest and most effective option for improving and personalizing your agent. So all this hype around MCP servers, adding more tools — I think skills seem to be winning out.” Two reasons: (1) remarkably effective, (2) very easy to write in text for non-technical people. Bundled skills are configurable; default limit is 150 skills or 30,000 characters in the context call; the agent runtime filters intelligently if you exceed.
  • Three-tier skill fidelity. Tier 1: skill.md header (name + description, ~10 lines) — always loaded, tells the agent when the skill is applicable. Tier 2: skill.md body (10s to 100s of lines) — fetched only if the agent thinks it might use the skill. Describes what the skill can do and how. Tier 3: linked files (examples, assets, scripts) — fetched only after the body is loaded and the agent wants to actually use the skill. Same progressive-disclosure design Anthropic’s skills repo uses.
  • The actual system prompt template. Alex shows the verbatim template that OpenClaw constructs per LLM call, copied from the code. Includes: “you’re a personal assistant,” tool descriptions, sub-agent spawn instructions, ACP (for spawning Cloud Code / CodeX as managed agents — not sub-agents), safety clause, all skill headers (up to 30k chars then intelligently filtered), memory section that doesn’t fetch relevant memories — it tells the agent to use memory_search / memory_get tools if needed (memory fetching is optional, agent-decided).
  • The plug-in extension points (red boxes on the slide). Connectors, memory management, providers, tools, skills. The community has extended every one. Many connectors are community-built. Most magical: OpenClaw has control of its own plugins — it can fetch and find new tools/skills, can ask permission or be told “free reign.” This is the self-discovery autonomous primitive that contributes most to the framework’s success.
  • Concrete setup recommendation — exc.dev > buying a Mac mini. Alex pushes back hard on the Twitter consensus to buy hardware: “You do not need to buy any hardware to go run this. In fact, it’s going to take way longer to set up and be much more painful.” Internals are minimal on compute. His recommendation: exc.dev, $20/month total, 50 persistent VMs in the cloud, agentic setup tool called Shelly built by a Tailscale co-founder. 20GB storage per VM (fine for most uses). For heavier research workloads he eventually bought a Beelink GTI 13 Ultra Mini (2TB SSD / 64GB RAM) — but proceed with caution, it’s longer to set up and requires network management.
  • Discord as the canonical front-end (credit to Mehdi Qazi). Alex’s friend developed the pattern: dedicated Discord server, one channel per project. Discord beats iMessage / WhatsApp / Slack here because every channel is auto-visible to you, no per-channel invite needed, and each channel = its own session with its own context. Concrete examples: a videos channel (Manim animations → YouTube upload), a websites channel (research-lab site), a research-idea channel, a cloud-GPUs channel (Gemma inference optimization). Context-isolation per channel = automatic context management.
  • Integration tooling — three classes: (1) environment tooling (CLIs on the OpenClaw server — exc.dev CLI, Cloud Code via API key, Google Workspace CLI which Alex calls out as very exciting); (2) skills (text recipes for using those tools); (3) tools (Alex has added zero — “I expect that would be your experience as well”). The Google Workspace CLI specifically: log in once, get read/write access to Docs / Slides / Sheets / Contacts / Email / Chats. Alex’s takeaway: OpenClaw is very adept at working directly through CLI, often better than via dedicated MCP servers.
  • YouTube channel case study = the most striking autonomy demo. Alex authenticated OpenClaw with its own Google account and told it to make a YouTube channel. Without further hand-holding, OpenClaw: created the banner, profile page, profile image, channel name; wrote the description; discovered Manim (3Blue1Brown’s math animation library), figured out how to use it; wrote scripts; figured out OpenAI’s TTS API; learned to align audio timing across scenes (after one round of feedback); learned to use FFmpeg to stitch; found a YouTube upload skill; created its own “make-educational-video” skill. After ~30 minutes of feedback, the channel started autonomously pumping out 31 videos including a video explaining his advisor’s Content-Addressable Network paper that his advisor herself said “this kind of visualization, the particular metaphor it chose to draw, was really great.” This is the autonomy proof — not the pretty website (doable a year and a half before), but end-to-end intent → deployed product across multiple services with zero in-loop human steps.
  • Code quality is dead — design matters more than implementation. Alex’s meta-observation: “Looking at the code itself, it’s gross. I would get fired for writing this kind of code at Google.” And yet the system works miraculously well. Thesis: in the new agentic world, implementation abstractions no longer matter, but design abstractions do. The architecture Alex walks through is “actually quite nice”; the code underneath is “gross.”
  • Strange loops = the open question for the field. Alex closes with a Hofstadter (Gödel, Escher, Bach) framing: “It’s odd that the agent is becoming the interface for reconfiguring itself through LLM calls. That full circle moment is very special — I think we’re very close to a kind of a flywheel takeoff here.” If the loop-wrapping pattern continues, the next layer is systems with malleable architecture itself — even the harness self-evolves. OpenClaw can edit its own code, but isn’t designed from first principles to be self-evolving.

The “two ways to interact with time” — load-bearing pattern

Alex argues this is the core OpenClaw innovation over Phase-2 systems.

TriggerWhen firedUse caseExample
HeartbeatEvery 30 min (default), batchedUnpredictable / continuous monitoring”Check if I have urgent emails,” “is the experiment still running?”
CronSpecific time + repeating rulePredictable scheduled action”Daily paper summary at 9am,” “weekly security audit Mondays”

Without cron, the agent has to forever-poll, wasting cycles. Without heartbeat, the agent can’t respond to surprise events. Together they give the agent agency over the dimension of time — and that’s what makes the system feel alive and autonomous.

What’s in the OpenClaw system prompt (excerpted from Alex’s verbatim slide)

  1. “You are a personal assistant.”
  2. Tool descriptions (the ~12 built-in tools)
  3. Spawn-sub-agent instructions
  4. ACP (Agent-to-Cloud-Protocol — for spawning Claude Code / CodeX as managed agents, distinct from sub-agents)
  5. Safety clause (close to the entirety of formal security)
  6. Skill headers (up to 150 / 30,000 chars then intelligently filtered)
  7. Memory section — does not fetch memories; tells the agent to use memory_search / memory_get tools if helpful (memory fetching is optional, agent-decided)
  8. Workspace + working-directory info
  9. Heartbeat explanation
  10. Heartbeat-specific extras

Try It

  • If you’re a systems person trying to understand “what is an autonomous agent” beyond the marketing language — watch this talk. It’s the rare resource that walks the actual code and architecture without trying to sell you anything.
  • Adopt the Discord-channel-per-project pattern. Even if you don’t run OpenClaw, the “every project gets its own channel, every channel its own session context” discipline transfers to any agent runtime. This is the cheapest context-isolation primitive in the field.
  • Use exc.dev for your OpenClaw deployment. $20/mo, 50 VMs, Shelly setup. Skip the Mac mini debate — Alex has a month of personal experience saying it’s fine for almost everything.
  • Plumb in the Google Workspace CLI if your work touches Docs / Sheets / Slides / Email / Calendar. Alex specifically calls this out as transformative — and OpenClaw uses CLI better than MCP for most things.
  • Send your agent email to another agent. “Giving a dedicated email lets your agent connect with other agents or other humans.” Alex’s most-forward-looking observation — the agent-to-agent protocol of the future runs over email. He installed skills via an email from a friend’s agent. Permission-gated; permissive security would auto-install.
  • Stop writing custom MCP servers as your default. Try the CLI + skill recipe first. Alex’s own usage: zero MCP servers, lots of skills, a handful of CLIs.
  • RoboNuggets) — Beginner-audience counterpart. Same primitives, different lens. Pair them.
  • Claudia OS (Moritz Kremb) — Operator-side port of the OpenClaw folder architecture into Claude Code.
  • Crabbox — OpenClaw native plugin for remote testboxes; the cloud-VM-on-demand counterpart to Alex’s exc.dev recommendation.
  • Nous Research Hermes Agent — The other widely-discussed self-hosted autonomous agent. Same heartbeat + cron + skills + memory primitives.
  • Hermes Codex App-Server Runtime — Lower-level architectural counterpart.
  • Reflexio — External self-improvement harness Alex’s “loopiness next layer” framing predicts.
  • skills — The skill open standard Alex references. Three-tier progressive disclosure as the shared pattern.
  • Claude Managed Agents — The ACP-spawned “managed agent” (Claude Code or Codex inside OpenClaw) lives in this family.
  • Karpathy Pattern — Hofstadter / Gödel-Escher-Bach “strange loops” framing maps onto the self-maintaining LLM-wiki pattern.

Open Questions

  • Has anyone built a Phase-4 (“malleable architecture”) agent harness yet? Alex flags this as the next loopiness layer but says OpenClaw isn’t designed for it from first principles. Reflexio’s external-harness pattern is adjacent but not full architecture self-evolution. Watch this space.
  • The Beelink GTI 13 Ultra Mini network-management caveat — Alex flags it but doesn’t detail what makes it hard. Worth a deeper dive if user wants the hardware path.
  • The Mehdi Qazi Discord setup blueprint — Alex credits a specific person who developed the channel-per-project pattern but doesn’t share a step-by-step. Could be worth pulling if/when Mehdi publishes.
  • Quantified efficacy of CLI > MCP across model versions — Alex’s claim is striking (“agents have gotten really good at command-line interfaces”) and matches Printing Press’s tier hierarchy + Moritz Kremb’s CLI > MCP > API preference. Three independent operators converging on the same posture in May 2026 — worth a connections article tracking the vendor-direct-CLI-as-default thesis.
  • Code-quality-is-dead claim — Alex’s framing is strong. Is there a “design > implementation in agentic systems” connections candidate emerging? The same thesis surfaces in other forms in Anthropic Platform team interview (harness engineering matters more than expected) and in the Stainless acquisition (Anthropic buying the SDK design layer not the training layer). Flag for future synthesis.

Graph View

Backlinks