PocketClaw vol. 1 · 2026
guide #104

Self-hosted AI agents in 2026 — the complete landscape report

Editorial note: This article reports on a fast-moving space. Versions, install counts and timelines are accurate as of the “updated” date above. We re-verify against primary sources (CVE database, project repositories, vendor announcements) before each update. Send corrections to contact@pocketclaw.dev.

Problem
The self-hosted AI agent space evolved from one project to a dozen vendors and three architectural patterns in six months. Most existing comparisons are vendor-funded, out of date by the time they publish, or focused narrowly on one axis (like model support).

Solution
A six-section landscape report covering ecosystem structure, vendor breakdown, security posture, hosting economics, model integrations and regulation. Updated quarterly.

Scope of this report

This is a landscape report on self-hosted AI agents — software you install on hardware you control, that calls one or more language models to do useful work autonomously. It covers the major projects (OpenClaw, Hermes Agent, Nanobot, NanoClaw, IronClaw, ZeroClaw, Moltworker), the architectural patterns they implement, the security posture of the ecosystem after the OpenClaw crisis of early 2026, the hosting economics, the model integration patterns, and the regulatory environment.

It does not cover hosted agent products (OpenAI Assistants, Anthropic Computer Use as a service, Google Gemini agentic features, etc.) — those are a different category with a different threat model. It also does not cover agent frameworks (LangChain, smol-agents, BabyAGI, AutoGPT) — those are libraries you build your own agent with, not products you install.

This report is updated quarterly. The version you are reading is from April 28, 2026. The next update is scheduled for late July 2026. Subscribe to [the newsletter](/newsletter) if you want it in your inbox.

Section 1 — Ecosystem map

The self-hosted AI agent ecosystem in April 2026 contains seven major projects, three architectural patterns, two licensing camps and one deeply contentious governance question. We will treat each in turn.

1.1 The seven major projects

| Project | First release | License | Stars (Apr 2026) | Origin |
|---|---|---|---|---|
| OpenClaw | Nov 2025 | MIT (foundation) | 88k | Peter Steinberger / Linux Foundation |
| Hermes Agent | Feb 2026 | Apache 2.0 | 22k | Nous Research |
| Nanobot | Jan 2026 | MIT | 26.8k | HKU |
| NanoClaw | Feb 2026 | Apache 2.0 | 9k | Community fork |
| IronClaw | Feb 2026 | Source-available | 3k | Enterprise vendor |
| ZeroClaw | Feb 2026 | AGPL-3.0 | 14k | Privacy collective |
| Moltworker | Mar 2026 | Apache 2.0 | 5k | Cloudflare blog |

A few observations about the table.

OpenClaw remains the largest project by install base (~88k installs as of April, down from a January peak of ~135k). The decline is partly real churn (users switching to alternatives), partly accounting (the install script no longer phones home, so post-2026.3 installs aren't counted the same way). The truth is somewhere in the 70k-100k range and getting harder to measure as the ecosystem fragments.

Hermes Agent is the fastest-growing project by absolute star count, but star counts are a vanity metric — the more meaningful number is that Hermes is now recommended by name in most major install guides published since March 2026, including ours.

Nanobot is the surprise of the cohort. A 4,000-line Python implementation out of an academic research group at Hong Kong University, Nanobot shipped a v0.1 in January, hit Hacker News on a slow news day in February, and accumulated 26.8k stars in two months. The codebase is small enough to read in an afternoon. Most of those stars are “I starred it to remember to read it” bookmark stars, not deployment indicators. Real deployments are probably in the low thousands.

NanoClaw, IronClaw and ZeroClaw are all responses to the OpenClaw security crisis. NanoClaw says “use Apple containers and ditch multi-LLM complexity.” IronClaw says “use gVisor and a real audit log.” ZeroClaw says “don't touch the cloud at all.” Each has a clear use case, and none of them genuinely competes with the others.

Moltworker is interesting for what it represents more than what it is — it's a self-hostable agent designed to run on Cloudflare Workers, shipped as a launch-blog example by Cloudflare. The point of Moltworker isn't the agent itself (it's fine, ~5k stars, modest install base). The point is that “run your agent on Workers” is now a documented Cloudflare pattern with a worked example. That changes the hosting calculus across the ecosystem.

1.2 The three architectural patterns

The seven projects above implement, broadly, three architectures.

Pattern A: Docker-sandboxed multi-LLM (Hermes Agent, OpenClaw 2026.4+, Moltworker). The agent runs in a container with a defined network allowlist, an explicit filesystem mount, and a tool execution layer that goes through approval before invoking anything that touches the host. LLM-agnostic — supports Claude, GPT, Gemini, Llama-via-Ollama, etc. This is where the broad middle of the ecosystem is consolidating, and where new entrants tend to start.
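
The three controls Pattern A names (network allowlist, explicit filesystem mount, approval before host-touching tools) can be sketched as a single per-call gate. This is an added example, not code from any of the projects covered here; the tool names, policy fields and sample calls are assumptions made for illustration.

```python
"""Added example: per-call gate for a Pattern A agent (hypothetical names throughout)."""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Callable
from urllib.parse import urlsplit

ALLOW, DENY, NEEDS_APPROVAL = "allow", "deny", "needs_approval"


@dataclass(frozen=True)
class SandboxPolicy:
    egress_allowlist: frozenset   # exact hostnames the container may reach
    mount_root: str               # the one directory mounted into the container
    host_tools: frozenset         # tools that act on the host: approve each call


def host_allowed(url: str, policy: SandboxPolicy) -> bool:
    """Allow https to allowlisted hosts only; compare the parsed hostname."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return parts.scheme == "https" and host in policy.egress_allowlist


def inside_mount(path: str, policy: SandboxPolicy) -> bool:
    """Lexical check only; the container mount remains the real boundary."""
    root = posixpath.normpath(policy.mount_root)
    full = posixpath.normpath(posixpath.join(root, path))
    return full == root or full.startswith(root + "/")


def decide(call: dict, policy: SandboxPolicy) -> tuple[str, str]:
    """Return (verdict, reason) for one tool call."""
    args = call.get("args", {})
    if "url" in args and not host_allowed(args["url"], policy):
        return DENY, "egress host not on allowlist"
    if "path" in args and not inside_mount(args["path"], policy):
        return DENY, "path outside the mounted directory"
    if call.get("tool") in policy.host_tools:
        return NEEDS_APPROVAL, "tool touches the host"
    return ALLOW, "within policy"


def gate(call: dict, policy: SandboxPolicy, approver: Callable[[dict], bool]) -> str:
    """Resolve NEEDS_APPROVAL by asking the operator; deny on refusal."""
    verdict, _reason = decide(call, policy)
    if verdict == NEEDS_APPROVAL:
        return ALLOW if approver(call) else DENY
    return verdict


# Constructed policy and tool calls for illustration.
POLICY = SandboxPolicy(
    egress_allowlist=frozenset({"api.llm-provider.example"}),
    mount_root="/workspace",
    host_tools=frozenset({"shell.exec"}),
)
CALLS = [
    {"tool": "http.get", "args": {"url": "https://api.llm-provider.example/v1/chat"}},
    # Userinfo before "@" is not the host; the parsed hostname is other.example.
    {"tool": "http.get", "args": {"url": "https://api.llm-provider.example@other.example/"}},
    {"tool": "fs.read", "args": {"path": "notes/todo.md"}},
    {"tool": "fs.read", "args": {"path": "../etc/passwd"}},
    {"tool": "shell.exec", "args": {"cmd": "ls"}},
]

if __name__ == "__main__":
    for call in CALLS:
        print(call["tool"], decide(call, POLICY))
```

The gate is a second layer: the allowlist and the mount still have to be enforced by the container runtime, since a lexical path check does not see symlinks inside the mount.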

Pattern B: Local-only / privacy-first (ZeroClaw). The agent runs entirely on local hardware — no cloud LLM, no telemetry, no auto-update calls. Often paired with Ollama or llama.cpp for inference. The use case is data residency, regulated industries, or developers who actively prefer their data not leave the machine. The tradeoff is real: local LLMs in 2026 are still meaningfully worse than Claude or GPT-4 for complex agentic tasks, especially planning across many tool calls.

Pattern C: Minimal-readable / extensible (Nanobot). The agent is small enough to read top-to-bottom in an afternoon. No vendor SDK abstractions. No plugin marketplace. No telemetry. The use case is “I trust nothing and want to verify everything.” Often used as a base to build proprietary agents on top of, or as an educational artifact.

A note on what isn't a pattern: “maximum capability,” “most plugins,” and “largest community” are not architectural patterns. They are popularity metrics that follow from patterns. The most-installed agent in 2026 is the one that hits the sweet spot of one of the three patterns above.

1.3 The licensing question

There are two licensing camps in the 2026 ecosystem:

  • Permissive / restorative — MIT, Apache 2.0, AGPL-3.0. OpenClaw,
  • Source-available — IronClaw and a handful of smaller projects.

The interesting case is AGPL-3.0 (ZeroClaw). AGPL-3.0 is open source by the OSI definition, but its “network use is distribution” clause means anyone running ZeroClaw as part of a hosted service has to publish their source modifications. This rules out building a managed-ZeroClaw-hosting business that the upstream wouldn't approve of, which is the entire point. ZeroClaw is the privacy-first collective's vaccine against being commercialised away from its mission.

Source-available licenses (IronClaw) are a bigger question. The IronClaw license forbids competing products and forbids public-cloud hosting without a commercial license. This is an explicitly non-open-source license, and the project knows it. The bet is that enterprise customers will pay for licensed access to a hardened agent they can run in their own VPC, and the source-available model lets the vendor capture that revenue without giving competitors a fork. We think this bet works for the specific niche IronClaw is targeting (regulated industries, high-touch enterprise sales), and we have serious reservations about it scaling beyond that niche.

1.4 The governance question

The deeply contentious governance question, in April 2026, is: who decides what an “OpenClaw alternative” means as a community label, and how should new entrants be assessed?

This is not an abstract question. Several projects launched in March and April 2026 marketed themselves as “OpenClaw alternatives” while implementing materially weaker security postures than even the pre-crisis OpenClaw. The community has, so far, no widely-accepted test for whether a given new project meets the safety bar that the post-crisis ecosystem has settled on.

Our editorial position is straightforward: a project should have to pass a baseline before we cover it as an “OpenClaw alternative.” The baseline:

  • A documented threat model.
  • Sandbox-on by default.
  • Authenticated dashboard.
  • Explicit network egress controls.
  • A security disclosure policy with a working contact address.
  • A patch SLA for critical vulnerabilities.

Projects that don't meet this bar are perfectly welcome to exist — but we don't list them in comparison tables next to projects that do. We say so explicitly when this matters.

Section 2 — Vendor breakdown

This section goes one layer deeper into the seven major projects: who they're for, what they ship, what they don't, and what we think.

2.1 OpenClaw (post-2026.4)

The post-crisis OpenClaw is a different product from the pre-crisis one. It has authenticated dashboards, sandbox-on defaults, encrypted credential storage and a foundation governance model. It is, by every serious measure, a substantially more secure product than the November 2025 launch version.

It is also a substantially less convenient product. Setup that used to take 30 seconds now takes ten minutes if you read the docs and longer if you don't. Configs that worked in 2026.1 don't work in 2026.4 without migration. The plugin ecosystem is in flux. The “just works” story is gone.

We recommend OpenClaw 2026.4+ for users who already have a working install, are comfortable with the migration work, and have a specific reason to stay (existing plugins, team familiarity, etc.). For new users, Hermes Agent is the easier on-ramp.

2.2 Hermes Agent

Hermes Agent is the de-facto safe default for new self-hosted AI deployments in April 2026. It ships Docker-sandboxed, supports the major LLM providers, has a clean approval flow for tool calls, and includes an honest threat model in the docs. The team at Nous Research is responsive on issues and has been transparent about roadmap and deprecation.

Drawbacks: the Docker container is heavy (1.4 GB), the browser tool needs an additional 800 MB of Chromium, and the sandbox model adds latency to tool calls. None of these are dealbreakers but they do mean Hermes is not the right pick for resource-constrained deployments.

We recommend Hermes Agent for:

  • New deployments without specific constraints.
  • Teams that want a single agent to support multiple LLM providers.
  • Anyone who prefers receiving safe-by-default behaviour over

We do not recommend Hermes Agent for: highly resource-constrained hosts (consider Nanobot), strict no-cloud requirements (consider ZeroClaw), or compliance-mandated environments (consider IronClaw).

2.3 Nanobot

Nanobot is the answer to “I want to read every line of code I run in production.” The 4,000-line Python codebase is unusually clean, the dependencies are minimal, and the entire thing fits in one tab. Adding a custom tool is roughly 30 lines.

Drawbacks: there is no sandbox, by design. The default mode is “run everything as the current user.” For most home setups this is a footgun. For a single-engineer team that knows exactly what their agent is going to do, it's a feature. The provider support is OpenAI-compatible only, so Anthropic users need a shim. There is no auth layer.

We recommend Nanobot for:

  • Engineers who want full code-level visibility.
  • Highly constrained environments where a 1.4 GB Docker container is
  • Anyone using Nanobot as a starting point for a custom proprietary

We do not recommend Nanobot for: multi-user environments, anyone who needs sandbox guarantees they didn't write themselves, or environments that need broad LLM compatibility out of the box.

2.4 NanoClaw

NanoClaw is the macOS-and-Claude opinionated fork. It ships as a .pkg installer, sandboxes tool execution in Apple's container framework, and supports only Anthropic models. The ecosystem is small, the integration is tight, the boot time is sub-second.

Drawbacks: macOS only — Linux users can stop reading. Claude only — if your bill spikes or Claude is down, you're stuck. Smaller plugin ecosystem.

We recommend NanoClaw for: Mac developers with active Claude subscriptions who don't need cross-platform portability.

2.5 IronClaw

IronClaw is the answer to “we have a CISO and a procurement process.” The product ships with gVisor sandboxing, immutable hash-chained audit logs, RBAC, SAML SSO, an active vulnerability bounty programme, and a contracted SLA. Air-gap mode genuinely works: no telemetry, no auto-update, no calls home.

Drawbacks: source-available license (not OSI open source). $750/seat/year. Multi-day setup. Smaller plugin ecosystem. Pricing that excludes hobbyist use.

We recommend IronClaw for: regulated industries (finance, healthcare, government) and large enterprises with strict compliance requirements. For everyone else, the price-performance ratio doesn't make sense.

2.6 ZeroClaw

ZeroClaw is the answer to “my data cannot leave the machine.” Bundled with Ollama or llama.cpp for local inference. Network egress is denied by default at the iptables level. AGPL-3.0 license prevents hosted variants from being commercialised without source disclosure. Bundled offline RAG implementation works on any local document folder.

Drawbacks: hardware floor is real (64 GB unified memory or a 24 GB GPU minimum for usable models). Local LLMs in 2026 still trail Claude and GPT-4 noticeably on multi-step planning. Setup involves model downloads measured in tens of gigabytes.

We recommend ZeroClaw for: highly privacy-sensitive deployments, regulatory environments where data residency rules are strict, and developers with strong feelings about not paying OpenAI.

2.7 Moltworker

Moltworker is the agent-on-Cloudflare-Workers reference implementation. It runs as a Worker, persists state in Durable Objects, and is small (~600 lines TypeScript) by design. The performance is good. The cold-start times are negligible. The hosting is genuinely free at low volume.

Drawbacks: ties you to Cloudflare. Worker runtime constraints (no arbitrary native binaries, no long-running processes, etc.) mean some agent capabilities (browser automation, heavy local tooling) just don't work. Plugin ecosystem is in early days.

We recommend Moltworker for: developers who already use Cloudflare heavily and want a low-friction agent that fits their existing infrastructure. Less compelling for self-hosters who want runtime flexibility.

Section 3 — Security posture

The 2026 self-hosted AI security landscape changed more in five months than the broader open-source security landscape did in the preceding five years. The OpenClaw crisis was the catalyst. The result is an ecosystem with stronger defaults, clearer threat models and faster patch cadences than what came before — and also a meaningfully steeper learning curve for anyone new to the space.

3.1 The threat model, in 2026

The realistic threat model for a self-hosted AI agent in 2026 includes, at minimum:

  • Web-origin attacks. A malicious site can attempt WebSocket
  • Prompt injection. A document, web page, or tool description
  • Supply chain. Plugins, MCP servers, and pre-built tool
  • Credential exfiltration. API keys, SSH keys, browser cookies
  • Tool execution privilege escalation. Tools that legitimately

Each of the seven major agents has a different posture against this threat model. Our [agent comparison](/guides/openclaw-alternatives-2026) covers the per-project specifics in detail.

3.2 Patch cadence and disclosure norms

Patch cadence in 2026 has settled around weekly-to-fortnightly minor releases for the active projects, with critical security patches shipped within 72 hours of disclosure. This is significantly faster than 2025 norms. The OpenClaw foundation publishes patches under a formal CVE process. Hermes uses GitHub Security Advisories. Nanobot and ZeroClaw use mailing lists. NanoClaw uses Apple's standard notarisation channels.

Disclosure norms are still in flux. The 90-day embargo standard from the broader software industry has been generally respected since the OpenClaw crisis, with the exception of a small number of incidents where independent researchers published earlier than the coordinated disclosure. We expect this to settle as the ecosystem matures.

3.3 What 2026 self-hosters should actually do

Concretely:

  • Pick an agent with a documented threat model. If the project
  • Run the agent in a container. Docker is fine. gVisor or Apple
  • Don't expose the dashboard on a public IP. Tailscale, an
  • Use the OS keyring for credentials. If the agent doesn't
  • Subscribe to your agent's security advisory channel.
  • Plan for migration. Be prepared to move agents within 90 days

We have a more detailed [security guide](/guides/openclaw-security-crisis-2026) focused on the OpenClaw-specific risks, but most of the principles apply broadly.
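
Three items from the list above (run the agent in a container, keep the dashboard off public IPs, keep credentials in the OS keyring) leave traces in the container's configuration that can be checked mechanically. This added example, which is not from any of the projects covered here, audits one object in the shape `docker inspect` emits; the check names, the secret-name pattern and both sample containers are assumptions constructed for illustration.

```python
"""Added example: audit one `docker inspect` object for an agent container."""
from __future__ import annotations

import ipaddress
import json
import re

# Assumed heuristic for variable names that usually carry credentials.
SECRET_NAME = re.compile(r"API_?KEY|TOKEN|SECRET|PASSWORD", re.IGNORECASE)
# Bind mounts that hand the container control of the host.
RISKY_MOUNTS = {"/", "/var/run/docker.sock"}


def audit_container(inspect: dict) -> list[tuple[str, str]]:
    """Return (check, detail) findings; an empty list means no finding."""
    findings = []
    host_cfg = inspect.get("HostConfig") or {}
    cfg = inspect.get("Config") or {}

    if host_cfg.get("Privileged"):
        findings.append(("privileged", "--privileged removes most container isolation"))
    if host_cfg.get("NetworkMode") == "host":
        findings.append(("host-network", "container shares the host network stack"))

    # An empty HostIp means the port is published on every interface.
    for port, bindings in (host_cfg.get("PortBindings") or {}).items():
        for binding in bindings or []:
            addr = ipaddress.ip_address(binding.get("HostIp") or "0.0.0.0")
            if addr.is_unspecified or addr.is_global:
                findings.append(("public-port", f"{port} published on {addr}"))

    for mount in inspect.get("Mounts") or []:
        if mount.get("Source") in RISKY_MOUNTS:
            findings.append(("risky-mount", f"{mount['Source']} mounted into container"))

    # Environment variables are stored in the container config in clear text.
    for entry in cfg.get("Env") or []:
        name = entry.split("=", 1)[0]
        if SECRET_NAME.search(name):
            findings.append(("env-secret", f"{name} is readable via docker inspect"))
    return findings


# Constructed sample: dashboard on all interfaces, Docker socket mounted, key in env.
WEAK = json.loads("""
{"Config": {"Env": ["LLM_API_KEY=constructed-value", "TZ=UTC"]},
 "HostConfig": {"Privileged": false, "NetworkMode": "bridge",
   "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}},
 "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": true}]}
""")

# Constructed sample: loopback-only dashboard, one workspace mount, no secrets in env.
HARDENED = json.loads("""
{"Config": {"Env": ["TZ=UTC"]},
 "HostConfig": {"Privileged": false, "NetworkMode": "bridge",
   "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}},
 "Mounts": [{"Type": "bind", "Source": "/srv/agent/workspace",
             "Destination": "/workspace", "RW": true}]}
""")

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_container(sample))
```

A port bound to a VPN interface address such as a Tailscale IP passes the `public-port` check, because only unspecified and globally routable addresses are flagged.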

Section 4 — Hosting economics

Self-hosted AI agent hosting in 2026 spans a wide cost range, from “free on Cloudflare Workers” to “$5,000 per month on a beefy dedicated server with local model hosting.” This section covers the realistic cost bands and what each gets you.

4.1 The free tier

There are now meaningful free tiers for self-hosted agents. The options:

  • Cloudflare Workers. Free up to 100,000 requests/day. Works
  • Oracle Cloud free tier. Genuinely free ARM VMs (4 OCPUs,
  • Fly.io free allowance. $5/month of free credit for

The free tier is genuinely usable for individual developers who want a single agent running 24/7 with modest resource needs. It is not enough for multi-user deployments, browser automation tools, or local model inference.

4.2 The $5-15/month tier

The sweet spot for individual self-hosters is the $5-15/month VPS tier. Reference deployments:

  • Hetzner CX22 ($5/month, Germany) — 2 vCPUs, 4 GB RAM, 40 GB
  • Hostinger Cloud Startup ($9/month) — 2 vCPUs, 2 GB RAM.
  • Contabo VPS S ($5-7/month) — 4 vCPUs, 8 GB RAM. Resource

In this tier you're paying for a real VPS with predictable performance. You're responsible for OS updates, firewall configuration, and backup. The agent itself is the easy part; the infrastructure work is the rest.

4.3 The $30-100/month tier

The tier where managed-hosting services compete with VPS-based self-hosting. Reference deployments:

  • Hermes Agent on Hetzner CCX13 ($30-40/month) — dedicated CPU,
  • Managed OpenClaw services ($20-55/month, e.g. ClawRift,
  • Cloudflare Workers Paid + Durable Objects (~$20-50/month) —

In this tier, the choice between self-hosting and managed hosting is mostly about operational preference. Self-hosting gives you more control and more flexibility. Managed hosting saves you the sysadmin work. Both are reasonable.

4.4 The $200+/month tier

The tier where local model hosting starts to make sense. Reference deployments:

  • Hetzner AX52 dedicated ($85/month + GPU rental) — for users
  • Vast.ai or Lambda Labs GPU rental ($0.50-2/hour for
  • Mac Studio M3 Max (one-time $4,000+) — for developers who

In this tier you're mostly making a build-vs-buy decision about local model inference. The cloud-LLM economics get expensive at scale (~$200-500/month is achievable for an active agent on Claude or GPT-4), and local models eventually pay back if you're running sustained workloads.

4.5 The hidden costs

Three hidden costs come up in real deployments and are under-discussed in launch guides:

  • Bandwidth. Browser-automation agents can churn through
  • Storage. Local-model setups need 30-200 GB for model
  • AI provider costs. “Self-hosted” doesn't

The total cost of ownership for a typical self-hosted AI agent deployment in 2026 ranges from $5/month (constrained, cloud-LLM, single-user) to ~$1,000/month (multi-user, browser-heavy, significant AI spend) to several thousand per month (production deployments with on-call coverage).

Section 5 — Model integrations

The model layer changed almost as much as the agent layer in 2026. This section covers the major LLM providers from a self-hosted agent perspective.

5.1 Anthropic (Claude)

Claude (especially Claude 4.5 Sonnet and 4.7 Opus) remains the single most-used model for agentic tasks in 2026, by a margin. Reasons:

  • Strong tool-use behaviour out of the box. Claude is unusually
  • Long context windows (1M tokens for Claude 4.5+) make
  • Anthropic's prompt caching reduces costs by 50-90% for

Drawbacks: pricing is on the high end ($3/M input, $15/M output for Sonnet; more for Opus). Rate limits exist. Anthropic's outage history is decent but not perfect.

We recommend Claude as the default for agentic workloads where quality matters and budget allows. Most of our agent testing uses Claude.

5.2 OpenAI (GPT)

GPT-5 (released early 2026) is competitive with Claude on many agentic tasks but has a more variable record on multi-step tool use. The OpenAI API is the most mature in the market with the broadest SDK support. Pricing is competitive.

We recommend OpenAI for: teams already using OpenAI for other workloads, applications that benefit from GPT's specific strengths (coding, structured output), and as a fallback when Claude is rate-limited.

5.3 OpenRouter

OpenRouter is a multi-provider gateway with a single API. It lets agents fall back across providers when rate limits or outages hit. Pricing is roughly at-cost with a small markup. Works with most agent frameworks via the OpenAI-compatible endpoint.

We recommend OpenRouter for: cost-sensitive deployments, multi-provider fallback strategies, and anyone who wants to switch providers without code changes. We use OpenRouter in our own testing for fallback scenarios.

5.4 Google (Gemini)

Gemini 2.5 Pro is competitive on many tasks and has a free tier (generous: 1,000 requests/day on Flash). Drawbacks: tool-use behaviour is less consistent than Claude or GPT, and the agent ecosystem support is patchier.

We recommend Gemini for: cost-constrained deployments using Gemini Flash, and for tasks where Gemini's specific strengths (multimodal, very long context) matter.

5.5 Local models

Llama 3.3 70B, Qwen 2.5 32B and Mistral 8x22B are the leading local-model options for agentic use in 2026. Each has different hardware profiles and capability characteristics.

The realistic state of local agent capabilities: a Llama 3.3 70B running on a properly-tuned local setup achieves roughly 70-80% of Claude Sonnet's performance on simple agentic tasks (single-step tool use, summarisation, structured output) and roughly 40-60% on complex tasks (multi-step planning, code generation, multi-tool orchestration).

We recommend local models for: privacy-mandated deployments, research environments, and developers who actively want to optimise for local capability. We don't recommend them as a drop-in Claude replacement for general agent workloads.

Section 6 — Regulatory environment

Self-hosted AI agents intersect with several regulatory regimes that have evolved meaningfully in 2026.

6.1 EU AI Act

The EU AI Act's general-purpose-AI provisions came into force in August 2025, with full enforcement starting August 2026. Self-hosted agents are not directly regulated by the Act, but the underlying foundation models they use are. Practically, this means:

  • If you're running a self-hosted agent in the EU using
  • If you're running a self-hosted agent using local models
  • The recordkeeping and transparency obligations apply to

We recommend reading the official AI Act high-risk system definitions and consulting a lawyer for any deployment that might cross into a high-risk category (employment screening, critical infrastructure, education, etc.).

6.2 US executive orders and state-level regulation

The 2024 federal AI executive order remains in force. State-level regulation in California (SB-1047 and successors) and Colorado (the AI Act) creates a patchwork of compliance requirements for deployments that touch consumers in those states.

For most self-hosted AI deployments — internal tools, dev environments, personal assistants — none of this is binding. For consumer-facing deployments built on top of self-hosted agents, professional legal advice is essential.

6.3 Sectoral regulation

Healthcare (HIPAA in the US, equivalent rules in EU), finance (varies by jurisdiction), and government deployments have specific compliance requirements that intersect with AI agents in non-obvious ways. IronClaw is built specifically for these environments. ZeroClaw can satisfy local-only requirements. Hermes Agent and OpenClaw can be configured for compliance but require additional architectural work.

Section 7 — What's next

This report will be updated quarterly. The next update is scheduled for late July 2026. Things we expect to track:

  • The OpenClaw foundation's first six months under formal
  • Hermes Agent's growth trajectory — does it become the
  • Whether any of the IronClaw-style enterprise vendors prove the
  • Local-model capability progression — does Llama 3.5 / 4.0 close
  • New regulatory developments — particularly EU AI Act

If you want this report in your inbox the day it ships, subscribe to [the Thursday newsletter](/newsletter). If you have data, deployments, or experiences that should inform the next edition, email contact@pocketclaw.dev. We update with attribution. We update silently if the source prefers that.

Methodology and sources

This report was assembled from:

  • Direct testing on real deployments — Hetzner CX22, Cloudflare
  • Public release notes, foundation announcements, security
  • Direct conversations with current and former contributors to
  • Public usage and revenue data where available from the
  • The CVE database and public security disclosure feeds.

We do not accept payment, sponsorship or advertising in exchange for placement in this report. We do use affiliate links for tools we recommend on their merits — those are flagged explicitly when they appear.

Related guides

  • [The complete OpenClaw timeline (Nov 2025 → Apr 2026)](/guides/openclaw-complete-history)
  • [OpenClaw security crisis 2026: what you need to know](/guides/openclaw-security-crisis-2026)
  • [5 best OpenClaw alternatives in 2026](/guides/openclaw-alternatives-2026)
  • [How to migrate from OpenClaw to Hermes Agent](/guides/migrate-openclaw-to-hermes)