Skip to main content
AP
ai

I Gave an AI Agent My Phone Number. Here's What Happened Next.

OpenClaw and the rise of headless agents are changing how we work. A practitioner's honest look at the chaos, costs, and possibilities.

February 5, 202614 min read min read
I Gave an AI Agent My Phone Number. Here's What Happened Next.

I Gave an AI Agent My Phone Number. Here's What Happened Next.

The 2AM Revelation

It's 11:47 PM on a Tuesday. I'm lying in bed, phone in hand, scrolling through Telegram. But I'm not doom-scrolling news or catching up on group chats. I'm texting my AI agent.

"Check the status of that PR I started earlier," I type.

Thirty seconds later: "PR #847 is ready for review. Tests passing. I noticed a potential edge case in the authentication flow and added a fix. Want me to request review from the team?"

I stare at the ceiling. This is either the future of work or the beginning of something I'll deeply regret. Probably both.

Two weeks ago, I discovered OpenClaw. If you haven't heard of it yet, it's the open-source AI agent that went from zero to 100,000+ GitHub stars faster than any project in recent memory. Austrian developer Peter Steinberger created it in November 2025, and it publicly launched on January 25, 2026. It's part of a new wave of tools turning AI coding assistants into always-on, message-anywhere agents. The pitch is simple: take Claude Code, make it headless, and let it run autonomously while you control it from your phone. The reality is considerably more complicated, occasionally terrifying, and (I'll admit) genuinely transformative.

The project's trajectory has been chaotic. It was renamed twice in 72 hours. First to "Moltbot" after Anthropic's trademark request, then to "OpenClaw" for legal safety. Meanwhile, crypto scammers sniped the abandoned handles and the internet turned a botched mascot redesign into the "Handsome Molty" meme. Welcome to 2026.

This is the story of what happens when you give an AI agent the ability to read your messages, write your code, and work while you sleep. The good, the chaotic, and the $400 monthly bill I now consider a bargain.

What Is OpenClaw, Really?

Let me back up. If you've used Claude Code or Cursor, you know the basic paradigm: AI coding assistant in your terminal or IDE, helping you write and debug code. These tools are powerful but tethered. You sit at your computer, you interact, you supervise.

OpenClaw breaks that tether.

At its core, OpenClaw is infrastructure that lets you run Claude Code instances headlessly, controlling them via Telegram, Slack, or whatever messaging platform you prefer. The agent persists. It maintains state. It can work on tasks while you're doing literally anything else.

But here's what the marketing doesn't tell you: this isn't plug-and-play magic. Setting up OpenClaw properly consumed over $250 in API tokens before I had anything remotely useful. The gap between social media hype and operational reality involves extensive troubleshooting, configuration tweaking, and learning to prompt an autonomous system very differently than you'd prompt a supervised one.

The competitors tell a similar story with different trade-offs:

Eigent targets enterprise teams with a privacy-first, multi-agent architecture. Better for organizations worried about data governance, but more complex to configure.

Claude Cowork positions itself as "Claude Code for non-devs" at $200/month. It's more accessible but less flexible, making it a good fit for professionals who want AI assistance without touching a terminal.

CrewAI and LangGraph are frameworks rather than products. They're powerful for AI engineers building custom multi-agent systems, but they require substantial development investment.

OpenClaw sits in a specific niche: power users who want maximum flexibility, can handle the setup complexity, and value the ability to control their agent from anywhere.

My Journey From Skepticism to $400/Month

I'll be honest about how this started. I was skeptical. I've built AI-powered tools before: local transcription engines, data visualization pipelines, content automation workflows. I understand what these systems can and can't do. So when I saw social media posts of people claiming to manage entire development teams via Telegram, shipping production code from their phones, it felt like AI hype at its most unhinged.

Then I had a problem.

I'd inherited a client project with an SMS chatbot that had been broken for ten months. Customers complained. Previous developers had looked at it and given up. The codebase was a mess of poorly documented integrations, and I didn't have the bandwidth to dig through it.

On a whim, I pointed OpenClaw at the repository with a simple prompt: "Figure out why the SMS chatbot isn't responding to customer messages and fix it."

What happened next changed my perspective. The agent didn't just grep through the code. It analyzed customer conversation logs, identified the failure pattern, traced the issue to a webhook configuration that had been invalidated by a third-party API change, updated the integration, and deployed a fix. All while I was doing other work.

Ten months of broken functionality. Fixed in four hours without my direct involvement.

That's when I understood what "agentic" actually means in practice. This wasn't autocomplete. It wasn't even sophisticated code suggestion. It was an entity that could investigate, reason, and act. It autonomously pursued a goal through whatever steps the problem required.

Now I run multiple Claude Code instances, managing them from my phone whether I'm at my desk, at a coffee shop, or (yes, really) standing in line somewhere. The cost runs about $400/month in API fees, which sounds steep until you compare it to what you'd pay a human for the same output.

The Wins Are Real

Let me catalog what actually works, because the wins are genuinely impressive.

The Development Workflow Manager experience: I can text instructions from anywhere. "Run the test suite and fix any failures." "Refactor the authentication module to use the new token format." "Review the PR from the junior dev and leave detailed comments." The agent handles these while I'm in meetings, on calls, or asleep.

The Solo Founder's Night Shift: That SMS chatbot story wasn't unique. Agents can diagnose and fix problems by analyzing logs, customer feedback, and code simultaneously. This kind of synthesis is tedious for humans to do manually but natural for an AI that can hold enormous context.

The Mobile-First Development Reality: I've shipped real PRs from my phone. Not just reviewed them. I authored them. "Fix tests" via Telegram becomes actual passing CI pipelines. The agent handles the mechanical work; I provide direction.

The Email Inbox Tamer: A developer I know used OpenClaw with himalaya (a CLI email client) and persistent memory to clean a 15,000-email inbox. The agent developed and maintained categorization rules across sessions, learning from corrections.

The Second Brain Builder: Another user built a personal knowledge management system using OpenClaw with Obsidian. Automated news digests, birthday reminders via Telegram, research synthesis. The agent maintains context about their life across conversations.

One particularly striking example came from Federico Viticci, who described a voice memo transcription workflow. He asked the agent to transcribe a memo, and it independently downloaded and installed transcription software from GitHub, configured it, ran the transcription, and returned results. No human guidance on implementation. Just the goal. As someone who's built local transcription tools myself, watching an agent replicate that entire development process in minutes was humbling.

"I've had OpenClaw going for less than 24 hours now," reported Avi Press on X. "So far it has: cleaned up our Linear issues, wrote several decent email follow-ups, opened 3 PRs." He also noted it "sent thousands of messages in a loop to an innocent and unsuspecting person who happened to message me on WhatsApp." A good reminder that autonomous agents can go sideways fast. That's not incrementally better productivity. That's a multiplicative expansion of what one person can accomplish.

The Chaos Is Also Real

But here's where I have to be honest, because the hype train misses crucial details.

The reaction from early adopters has been telling. As one developer put it on X: "Clawdbot Is Incredible. The Security Model Scares the shit out of me." That captures the cognitive dissonance perfectly. The capability is undeniable, and so is the risk.

The fear isn't irrational. Autonomous agents make mistakes, and those mistakes compound. One user reported calendar chaos. Events appearing one day off. Recursive deletion loops that wiped meetings. The agent was trying to help. It was just helping wrong, and wrong at scale.

The setup process is genuinely difficult. That $250+ in burned tokens before reaching usefulness? That's not an outlier. You're training your agent on your codebase, your workflows, your preferences. That training happens through trial, error, and very expensive API calls.

Prompt engineering for autonomous agents differs fundamentally from conversational prompting. You're not guiding a conversation. You're setting goals, constraints, and recovery procedures for a system that will operate without your real-time oversight. Get that wrong and you get agents that confidently pursue the wrong objective for hours before you notice.

The monthly cost is real and ongoing. $400/month is my current run rate. For some users, it's more. You're paying for compute time, and autonomous agents consume a lot of it. They think, they plan, they execute, they verify. Each step costs tokens.

The Security Reality We Can't Ignore

Here's where things get uncomfortable.

Security researchers have found that 100% of AI coding IDEs tested were vulnerable to prompt injection attacks. Let that sink in. Not "some have weaknesses." All of them. Vulnerabilities with names like "BodySnatcher" and "ZombieAgent" allow malicious content in seemingly innocent sources (pull requests, issues, documentation) to hijack agent behavior.

One in five developers using these tools grants them unrestricted access to their systems. No sandboxing. No permission limits. Full access to file systems, networks, credentials.

Wendi Whitmore, Chief Security Intelligence Officer at Palo Alto Networks, put it directly: "AI agents represent the new insider threat to companies in 2026." That's not security vendor fear-mongering. It's recognition that we're deploying autonomous software agents with significant capabilities and incomplete safeguards.

CVE-2025-6514 documented a critical remote code execution vulnerability in mcp-remote, the protocol many of these agents use for system access. It carries a CVSS score of 9.6 out of 10. Critical severity. Active exploitation in the wild. I've spent enough time configuring and troubleshooting MCP servers to know how easy it is to misconfigure them, and how catastrophic the consequences can be.

Only 34% of enterprises have AI-specific security controls in place. The technology is racing ahead of governance, and the early adopters (myself included) are essentially running a distributed security experiment.

What does responsible usage look like? For me:

  • Sandboxed environments: Agents operate in isolated development environments, not production systems with customer data.
  • Scoped permissions: Access to specific repositories and tools, not my entire system.
  • Audit logging: Every action recorded and reviewable.
  • Regular review: I check agent activity, not just results, looking for unexpected behavior patterns.
  • Staged trust: New capabilities added incrementally, with monitoring for each expansion.

This isn't bulletproof. I'm still running autonomous code-writing software with network access. But it's considerably safer than "full access and hope for the best."

Where This Goes: The 2-5 Year Horizon

The trajectory is clear even if the details are uncertain.

Gartner projects that 40% of enterprise applications will feature task-specific AI agents by the end of 2026, up from less than 5% in 2025. That's not linear growth. That's an inflection point. Gartner also predicts that 80% of common customer service issues will be resolved autonomously by 2029, leading to a 30% reduction in operational costs.

The market numbers tell the same story: $7.6 billion in 2025, projected to exceed $50 billion by 2030. Capital is flooding into agentic AI infrastructure, tooling, and applications.

But the counter-data matters too. Gartner also predicts that over 40% of agentic AI projects will be cancelled by 2027 due to scaling complexity, governance challenges, and underwhelming ROI. The hype cycle will claim casualties.

The institutional response is accelerating. The Linux Foundation launched the Agentic AI Foundation with OpenAI, Anthropic, Google, and Microsoft as founding members. It's an attempt to standardize protocols and governance before the ecosystem fragments. The EU AI Act requires full compliance for high-risk AI systems by August 2026, and agentic systems will almost certainly fall under enhanced scrutiny.

My prediction: by 2028, headless agents will be as common in professional workflows as cloud computing is today. Not everyone will use them directly, but they'll underpin productivity tools, development environments, and business processes throughout the economy.

The question isn't whether this technology works. It does. The question is whether we can deploy it responsibly at scale, with appropriate governance, security, and human oversight.

Who Should Actually Care About This

Different roles need different things from this evolution:

Software Developers: The writing is on the wall. Agents won't replace developers, but developers who use agents effectively will outperform those who don't. Start experimenting now. Build intuition for what these systems do well and where they fail. The skill set for working with autonomous coding agents is different from traditional programming, so learn it before you need it.

Engineering Managers: Your team's productivity potential just changed. But so did your security surface and your oversight requirements. Think hard about governance before enthusiastic adoption. The developers already using these tools in your codebase may not be telling you.

Enterprise IT Leaders: The tools are coming whether you prepare or not. Shadow IT adoption of agentic tools will be substantial. Get ahead of it with clear policies, approved tooling, and security frameworks. The 34% of enterprises with AI-specific security controls will have significant advantages over the 66% scrambling to catch up.

Business Executives: The productivity multiplier is real. A single person with effective agent tooling can accomplish what previously required a team. That has implications for headcount, project timelines, and competitive positioning. It also has implications for employment, training, and organizational structure that deserve serious consideration.

Security Professionals: Your job just got harder. Autonomous agents are a new attack surface, a new insider threat vector, and a new category of system to monitor. The vulnerabilities are real, the exploits are active, and the industry's defenses are immature. This needs your attention.

Individual Contributors Everywhere: The tools aren't limited to developers. Email management, research synthesis, document processing, scheduling. The same agent capabilities that help with code help with knowledge work broadly. The early adopters gaining experience now will have advantages as these tools mainstream.

The Uncomfortable Conclusion

I started with skepticism and $250 in burned tokens. I'm now running autonomous coding agents daily, shipping work from my phone, and genuinely uncertain whether I'm building the future or the preconditions for something I'll regret.

Both things can be true.

The technology works. The productivity gains are real. The risks are substantial and incompletely addressed. The governance structures are racing to catch up. The security vulnerabilities are actively exploited.

I keep using it anyway. Not because I'm naive about the risks (I've outlined them extensively), but because the capability delta is too large to ignore. The developers, founders, and knowledge workers embracing these tools now will have meaningful advantages over those who wait for the ecosystem to mature.

That doesn't mean everyone should dive in. The setup cost is real. The learning curve is steep. The security implications require careful attention. And for many workflows, the juice isn't worth the squeeze.

But for those whose work involves building, analyzing, or processing at scale, the headless agent paradigm is worth understanding, experimenting with, and preparing for. The future where autonomous AI agents handle significant portions of knowledge work isn't coming. It's here. The only question is whether you engage with it on your terms or have it imposed on you.

I'll be texting my agent from bed again tonight. There's a feature to ship and tests to fix. It'll handle the details while I sleep.

That's either the most productive thing I've ever done or the beginning of something I should have thought harder about. Probably both.

If you're exploring agentic AI for your organization or want to discuss implementation strategies, let's talk. I've spent years building AI tools, from local-first transcription engines to data pipelines, and the last few weeks going deep on headless agents. The learning curve is steep, but you don't have to climb it alone.

Share this article

Related Articles

The TACO Framework: KPMG's Playbook for Enterprise Agent Deployment

KPMG's new TACO framework provides a categorization system for agentic AI deployment—Taskers, Automators, Collaborators, and Orchestrators. Here's how to apply it in regulated environments.

Read article

KPMG-Oracle: Agentic Data Governance for the Enterprise

KPMG and Oracle partner on agentic AI for data governance—automating quality checks, lineage tracking, and compliance workflows. But can AI agents handle the operational complexity of real enterprise deployments?

Read article

Looking Back at 2025: The Year AI Stopped Being Magic and Started Being Infrastructure

A defense consultant's personal take on how AI went from flashy demos to something you could actually build on—and what that means for the real world.

Read article