The Agentic Frontier

The Tool-Use Threshold

When we study primate evolution, the defining leap isn't bigger brains. It's tool use. A chimpanzee that uses a stick to extract termites has crossed a cognitive threshold that separates it from nearly every other species. The stick isn't impressive. The insight — that an external object can extend your capabilities — changes everything.

Agentic AI is crossing the same threshold right now.

The most powerful AI agents in 2026 don't necessarily run the largest models or score highest on reasoning benchmarks. They stand out because they can pick up tools — a terminal, a browser, a file system, an API — and use them to accomplish real work in the real world.

Claude Code: The Reference Implementation

Anthropic's Claude Code is, in our view, the clearest example of what the agentic frontier looks like today. It's not a chatbot that happens to write code. It's an agent that lives in your terminal, reads your codebase, makes plans, executes multi-step tasks, and ships working software.

What makes it notable isn't raw intelligence — it's the tool-use loop. Claude Code can read files, edit them, run shell commands, search codebases, manage git workflows, and call external services. Each tool gives it another stick to extract another termite. And crucially, it decides which tools to use and in what sequence based on the situation it encounters.

This is the pattern that defines the agentic frontier: a reasoning core surrounded by a growing set of tools, with the agent orchestrating their use autonomously.

The Model Context Protocol (MCP) takes this further by standardizing how agents discover and connect to tools. Instead of hardcoding integrations, an agent can dynamically learn what tools are available and how to use them — the way a child learns that a screwdriver turns screws without needing a manual for every screw.

OpenClaw: The Agent That Escaped the IDE

If Claude Code demonstrates agentic tool use within software development, OpenClaw (formerly ClawdBot) demonstrates it across your entire digital life.

OpenClaw started as a weekend project by Peter Steinberger — a way to send text messages from his phone and have an AI agent execute tasks on his computer. It grew into something much more ambitious: a self-hosted agent runtime that connects to WhatsApp, Telegram, Slack, email, calendars, browsers, smart home devices, and over fifty other integrations. With more than 145,000 GitHub stars, it became one of the most rapidly adopted open-source AI projects in history.

The agent can browse the web, manage emails, schedule meetings, summarize documents, and even write code to create new capabilities for itself. It's model-agnostic — it works with Claude, GPT, DeepSeek, and others. The user provides the reasoning engine; OpenClaw provides the tool belt.

What's striking about OpenClaw is how it mirrors the primate tool-use analogy. The individual capabilities are simple — send a message, read a file, make an API call. But composed together by an agent that understands context and intent, they produce behavior that feels qualitatively different from anything a chatbot can do.

The project also serves as a cautionary tale. Its explosive adoption outpaced its security model. Researchers discovered a critical remote code execution vulnerability, hundreds of malicious community-built skills, and over a thousand unprotected gateways exposing personal data. When you give an agent real tools, the stakes become real too.

The Broader Ecosystem

Claude Code and OpenClaw aren't isolated examples. A wave of agentic tools has emerged, each extending the tool-use paradigm in different directions:

OpenCode — a Go-based terminal coding agent supporting 75+ models, now with over 95,000 GitHub stars and an official GitHub partnership allowing Copilot subscribers to authenticate directly.

Goose (by Block) — an open-source agent framework used weekly by 60% of Block's 12,000 employees. It builds projects, executes code, debugs failures, and orchestrates workflows using MCP for integrations.

Cline — a VS Code extension that brings agentic coding directly into the editor, letting developers split tasks across planning and implementation roles with any model provider.

Each of these tools looks different on the surface. But they share the same architecture: a language model core + tool access + autonomous decision-making about how to use those tools.

What Makes Tool Use Hard

If tool use is just "call functions," why isn't every AI system agentic? Because the hard part isn't calling a function. It's knowing which function to call, when, with what inputs, and what to do with the output — especially when the first attempt fails.

Planning under uncertainty. An agent editing a codebase needs to read files, form a mental model of the architecture, identify the right place to make changes, make the changes, verify they work, and handle failures — often across dozens of files. Each step depends on the output of the previous one. The agent is planning in real time with incomplete information.

Error recovery. When a tool call fails — a test doesn't pass, an API returns an error, a file doesn't exist where expected — the agent needs to diagnose what went wrong and try a different approach. This is where most simple agents break down. They retry the same failing action instead of reasoning about alternatives.

Scope management. The hardest skill for an agentic system is knowing when to stop. Without boundaries, an agent with tool access can spiral — making increasingly speculative changes, exploring tangential paths, or over-engineering simple fixes. The best agents are disciplined about scope.

The Security Question

Giving AI agents real tools means giving them real power — and real risk. This is the central tension of the agentic frontier.

OpenClaw's security issues illustrate what happens when tool access is too broad and trust is too high. But the same risk exists in any agentic system. An agent with terminal access can delete files. An agent with email access can send messages. An agent with browser access can navigate to malicious sites.

The emerging best practices include:

• Principle of least privilege. Give agents only the tools they need for the current task, not all tools all the time.
• Human-in-the-loop for irreversible actions. Agents can autonomously read, search, and draft. But deleting, publishing, or sending should require human confirmation.
• Sandboxing. Run agent tool calls in restricted environments where the blast radius of mistakes is limited.
• Audit trails. Log every tool call, every decision, every action. When something goes wrong, you need to understand exactly what the agent did and why.

Where This Is Heading

The trajectory is clear. AI agents will get access to more tools, not fewer. They'll operate across more systems, with longer time horizons, and with increasing autonomy.

The open question is how fast trust will build. Every security incident — every data leak, every accidental deletion, every malicious skill — slows adoption. And every reliable, well-scoped agentic system that ships working software, manages complex workflows, or automates tedious operations accelerates it.

We believe the agents that win won't be the ones with the most tools or the most autonomy. They'll be the ones with the best judgment about when and how to use the tools they have. Just like the primate that figures out which stick works for which task — and knows when to put the stick down and use its hands.