
Deep Dive: Clawdbot—The Open-Source Personal Agent Revolution

Your 24/7 AI Assistant That Actually Does Things

TL;DR:

  • Clawdbot is an open-source, self-hosted AI assistant that runs on your own hardware

  • It connects to all major messaging platforms (WhatsApp, Telegram, Slack, Discord, iMessage, Signal, Teams)

  • Created by Peter Steinberger, founder of PSPDFKit; GitHub stars jumped from 5K to 44K+ in days

  • Key differentiator: Persistent memory, self-expanding skills, and you own your data

  • Requires: Node ≥22, API access to Claude/OpenAI, and a machine that stays on

Why it matters now: This week, Google launched UCP to let AI agents shop for you inside their ecosystem. Clawdbot is the open-source alternative—AI that acts on your behalf, but you control it.

The Linux vs. App Store Moment for AI Agents

This week’s newsletter frames Clawdbot and Google’s Universal Commerce Protocol as two sides of the same story: AI is moving from “answer engine” to “action engine.”

But they represent fundamentally different visions:


| | Clawdbot | Google UCP |
|---|---|---|
| Who controls the agent? | You | Google |
| Where does data live? | Your hardware | Google’s ecosystem |
| Who benefits from your actions? | You | Retailers + Google |
| Lock-in | None (swap models anytime) | Deep platform integration |
| Setup friction | High (30-60 min, technical) | Low (already in Search/Gemini) |

Google’s UCP will win on convenience. Most people will let AI Mode buy things for them without thinking twice.

But for anyone who wants an AI agent that acts on their behalf—managing email, scheduling, automating business operations—without feeding every action to a platform, Clawdbot is the only serious option right now.

This deep dive is for people who want to understand how it works, whether it’s safe, and how to set it up properly.

By the Numbers

| Metric | Value |
|---|---|
| GitHub stars | 44,000+ (was 5,000 one week ago) |
| Contributors | 190+ |
| Discord members | 8,900+ |
| Minimum hardware | 2GB RAM (chat), 4GB RAM (browser automation) |
| Supported messaging channels | 12+ (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, BlueBubbles, Microsoft Teams, Matrix, Zalo, WebChat) |
| Recommended model | Claude Opus 4.5 (via Anthropic Pro/Max) |
| Setup time (technical user) | 30-60 minutes |
| Cheapest cloud deployment | ~$5/month (Hetzner VPS) |

1. The Gateway (Control Plane)

The Gateway is your front door. It connects to messaging platforms, handles scheduling (cron jobs for proactive briefings), and manages sessions. It runs on a local port (default: 18789) and stays active 24/7.

When you message your assistant on WhatsApp, the Gateway receives it, routes it to the appropriate agent, and sends the response back through the same channel.

Critical security note: By default, the Gateway binds to loopback (127.0.0.1). If you expose it to the internet without proper authentication, you’re exposing your entire system. Hundreds of misconfigured gateways have already been found on Shodan.
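
A local check for this exposure, as an added example (not from Clawdbot or the original article): it reads `ss -ltn` output and reports whether anything on the Gateway port listens beyond loopback. The function names and the sample outputs are constructed for illustration.

```javascript
// Added example, not part of Clawdbot. Classifies listeners on the Gateway port
// (18789, from the article) in `ss -ltn` output. Sample outputs are constructed.
const GATEWAY_PORT = 18789;

// Split "127.0.0.1:18789", "[::1]:18789" or "127.0.0.53%lo:53" into host and port.
function splitHostPort(local) {
  const i = local.lastIndexOf(":");
  const host = local.slice(0, i).replace(/%.*$/, "").replace(/^\[|\]$/g, "");
  return { host, port: Number(local.slice(i + 1)) };
}

function classify(host) {
  if (host === "*" || host === "0.0.0.0" || host === "::") return "all-interfaces";
  if (host === "::1" || /^127\./.test(host)) return "loopback";
  return "specific-interface"; // e.g. a LAN or VPN address: reachable off-host
}

function gatewayListeners(ssOutput, port = GATEWAY_PORT) {
  const found = [];
  for (const line of ssOutput.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== "LISTEN" || cols.length < 5) continue; // skip header/blank
    const { host, port: p } = splitHostPort(cols[3]);
    if (p === port) found.push({ address: cols[3], scope: classify(host) });
  }
  return found;
}

// True when any listener on the port is reachable from outside the host.
function isExposed(ssOutput, port = GATEWAY_PORT) {
  return gatewayListeners(ssOutput, port).some((l) => l.scope !== "loopback");
}

const safeSample = `State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.53%lo:53   0.0.0.0:*
LISTEN 0      511    127.0.0.1:18789    0.0.0.0:*
LISTEN 0      511    [::1]:18789        [::]:*`;
const exposedSample = `State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:18789      0.0.0.0:*`;

console.log(gatewayListeners(safeSample), isExposed(safeSample));
console.log(gatewayListeners(exposedSample), isExposed(exposedSample));
```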

2. The Agent (The Brain)

The Agent is where your AI model lives. It can use Claude, GPT, or local models via Ollama. The Agent has access to:

  • Your filesystem (read/write files)

  • Shell commands (execute terminal operations)

  • Browser control (via Puppeteer/Playwright)

  • Cron scheduling (proactive check-ins)

  • Skills system (expandable capabilities)

3. Memory (Persistent Context)

Unlike standard chatbots that reset each session, Clawdbot maintains persistent memory. Mention something casually on Monday, reference it two weeks later—the assistant remembers. This memory is stored locally in your workspace as files and Markdown documents.

4. Skills (Self-Expanding Capabilities)

When you request something Clawdbot doesn’t know how to do—“convert this video to a GIF”—it writes new code, installs the skill on itself, and executes the task. The assistant literally evolves as you use it.

Case Study: Dan Peguine’s Full-Stack Personal Operating System

Dan Peguine (@danpeguine) has turned Clawdbot into a complete personal and business operating system. His public tweets document what’s possible when you push the platform to its limits.

What his Clawdbot does daily:

| Category | Automation |
|---|---|
| Calendar | Time-blocks tasks by importance, resolves conflicts autonomously, scores urgency using a custom algorithm they’re developing together |
| Morning Brief | Weather, weekly objectives, health stats (Whoop/Apple Health), meetings agenda, key reminders, trending topics on X/LinkedIn, RSS items matched to current goals, relevant book quotes |
| Email | Checks incoming mail, removes spam, drafts replies |
| Research | Researches people before meetings, creates briefing docs, spawns background sub-agents when he says “idea:” |
| Business | Creates invoices, summarizes work, tracks content opportunities, manages his parents’ tea company (scheduling, corporate follow-ups, inventory, customer service) |
| Family | Notifies him and his wife about their son’s upcoming school tests |
| Integrations | GitHub issues, Google Places sync, Notion reminders, Beeper messages |

His conclusion: “In a few months, Clawdbot will probably be able to manage businesses of any scale.”

The key insight: Dan didn’t configure this all at once. Clawdbot’s skills compound over time. Each new automation builds on the last, and the AI learns his preferences. After a few weeks, the assistant anticipates needs rather than just responding to requests.

Security Hardening Checklist

Clawdbot is powerful because it’s dangerous. It has full access to your user session by design. Use this checklist before going live:

Pre-Deployment (Do These First)

Bind Gateway to loopback — In config, set gateway.bind: "loopback". This prevents external exposure. Do not skip this.

Set DM policy to “pairing” — Unknown senders receive a pairing code and cannot interact until manually approved. Never use dmPolicy: "open" unless you fully trust every possible sender.

Configure Gateway authentication — Set a strong token or password. Without this, the Gateway refuses WebSocket connections (fail-closed by default).

Use Tailscale or Cloudflare Tunnel for remote access — Never expose ports directly to the internet. SSH tunneling is the minimum acceptable approach.

Disable mDNS broadcasting — Set CLAWDBOT_DISABLE_BONJOUR=1 to prevent your infrastructure details from being broadcast on the local network.

Operational Security

Enable sandbox mode for groups — Set agents.defaults.sandbox.mode: "non-main" to run group/channel sessions inside Docker containers. This limits blast radius if prompt injection succeeds.

Use dedicated hardware — Don’t run Clawdbot on your primary machine. A $599 Mac mini or $5/month VPS is cheap insurance.

Use a dedicated phone number for WhatsApp — WhatsApp doesn’t have a “bot” concept. Using your main number is risky.

Keep secrets out of the agent’s reachable filesystem — If the agent can read a file, assume it can be exfiltrated via prompt injection.

Review SOUL.md regularly — Your bot’s personality and instructions live here. If it “learns” something wrong, git revert.

Ongoing Maintenance

Monitor API costs — If you’re not using Claude Pro/Max OAuth, heavy usage means heavy bills. Set spending alerts.

Prune old sessions — Regularly clear context to manage memory and reduce attack surface.

Watch the Discord — Bugs get discovered and fixed fast. Stay updated.

Run clawdbot doctor --deep — This performs security audits including live Gateway probes.

The bottom line: Clawdbot’s official security guidance is clear: “Start with the smallest access that still works, then widen it as you gain confidence.” Most security failures aren’t sophisticated exploits—they’re “someone messaged the bot and the bot did what they asked.”
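
The checklist's named settings can be checked mechanically. The audit below is an added example, not Clawdbot's own code and not a substitute for clawdbot doctor --deep: it covers only the keys the checklist spells out (gateway.bind, dmPolicy, agents.defaults.sandbox.mode, CLAWDBOT_DISABLE_BONJOUR). Where dmPolicy sits in the config tree, the "channels" layout and the sample values are assumptions made for illustration.

```javascript
// Added example, not Clawdbot's own code. Key names come from the article; where
// dmPolicy sits in the config tree is an assumption, so it is searched at any depth.

function findKey(node, key, path = "", hits = []) {
  if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      const p = path ? `${path}.${k}` : k;
      if (k === key) hits.push({ path: p, value: v });
      findKey(v, key, p, hits);
    }
  }
  return hits;
}

function auditConfig(config, env = {}) {
  const findings = [];
  const flag = (check, detail) => findings.push({ check, detail });
  // Loopback is the default, so only an explicit non-loopback value is flagged.
  const bind = config?.gateway?.bind;
  if (bind !== undefined && bind !== "loopback") {
    flag("gateway.bind", `"${bind}" is not "loopback"`);
  }
  // A channel whose DM policy is not "pairing" may accept unknown senders.
  for (const { path, value } of findKey(config, "dmPolicy")) {
    if (value !== "pairing") flag(path, `"${value}" instead of "pairing"`);
  }
  // The article names "non-main"; any other value is reported for manual review.
  const mode = config?.agents?.defaults?.sandbox?.mode;
  if (mode !== "non-main") {
    flag("agents.defaults.sandbox.mode", `${JSON.stringify(mode)} instead of "non-main"`);
  }
  if (env.CLAWDBOT_DISABLE_BONJOUR !== "1") {
    flag("CLAWDBOT_DISABLE_BONJOUR", "mDNS broadcasting is not disabled");
  }
  return findings;
}

// Constructed samples; the "channels" layout and the "lan" value are hypothetical.
const weakConfig = {
  gateway: { bind: "lan" },
  channels: { whatsapp: { dmPolicy: "open" }, telegram: { dmPolicy: "pairing" } },
};
const hardenedConfig = {
  gateway: { bind: "loopback" },
  channels: { whatsapp: { dmPolicy: "pairing" } },
  agents: { defaults: { sandbox: { mode: "non-main" } } },
};
console.log(auditConfig(weakConfig, {}));
console.log(auditConfig(hardenedConfig, { CLAWDBOT_DISABLE_BONJOUR: "1" }));
```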


Getting Started (Quick Path)

Option 1: Local Machine (Mac/Linux)

npm install -g clawdbot@latest
clawdbot onboard --install-daemon

The wizard walks you through:

  1. Gateway configuration (bind to loopback!)

  2. Workspace setup

  3. Channel connections (WhatsApp, Telegram, etc.)

  4. Authentication (Claude OAuth or API key)

Option 2: Cloud VPS ($5/month)

Hetzner or AWS work fine. The cheapest tier (~2GB RAM) handles chat. For browser automation, bump to 4GB.

ssh root@your-server
# Create dedicated user, install Node 22+, then:
npm install -g clawdbot@latest
clawdbot onboard --install-daemon

Option 3: Infrastructure-as-Code (Recommended for Production)

Pulumi has published a complete deployment guide with Tailscale integration:

  • Automatically removes public ports after Tailscale connects

  • Handles secrets via Pulumi ESC

  • Single command to deploy or tear down

Authentication Options:

  • OAuth (Claude Pro/Max): Uses your existing subscription, no extra API charges

  • API Key: Direct API access, pay-per-use

Recommended: Anthropic Claude Pro or Max with Opus 4.5 for strongest context handling and better prompt injection resistance.


What to Watch Out For

Onboarding is still rough. Steinberger admits this. Expect weird errors. The Discord community is active—bugs get fixed fast, sometimes while you’re in the chat reporting them.

Hundreds of misconfigured gateways are already on Shodan. If you expose port 18789 without authentication, you’re handing your system to anyone who finds it.

API costs can add up. If you’re not using Claude Pro/Max OAuth, heavy usage means heavy bills. One user reported $200+ in a week of aggressive testing.

WhatsApp requires a dedicated number. WhatsApp doesn’t have a “bot” concept like Telegram. Using your main number is risky—and could get your account banned.

This is not for non-technical users (yet). Anthropic’s Cowork launch is closer to mainstream. Clawdbot is for builders and tinkerers who want full control.


The Bigger Picture: Why This Matters Now

The AI industry is splitting into two camps:

Camp 1: AI as Platform. OpenAI, Google, and Microsoft want you inside their ecosystems—using their apps, paying their subscriptions, generating data they can use. Google’s UCP is the logical endpoint: AI that buys things for you, inside Google, with Google tracking every transaction.

Camp 2: AI as Utility. Clawdbot, local models, and open-source agents represent something different—AI you own, configure, and control. Your data stays local. You choose the model. The assistant comes to you.

This isn’t just a technical preference. It’s a question about who controls the most capable AI systems in your life.

Clawdbot won’t win on convenience. Google’s AI Mode will be frictionless. For most people, that’s enough.

But for anyone building a business, managing sensitive data, or simply unwilling to hand their digital life to a platform—Clawdbot is the proof that another path exists.

The $599 Mac mini running Clawdbot isn’t just a clever hack. It’s the Linux of AI agents. And like Linux, its importance will only become clear over time.


Go Deeper

Official site: clawd.bot

Documentation: docs.clawd.bot

Peter Steinberger: @steipete on X

Dan Peguine’s setup thread: @danpeguine on X

Stay curious—and stay paranoid.
