# PocketClaw — full content map Comprehensive content index for LLM crawlers and assistants. Includes all published guides, agents, devices, CVEs, glossary terms and providers with full descriptions. ## All guides ### [proot-distro Manual Install](https://pocketclaw.dev/guides/proot-distro-manual) Manually installing proot-distro on Termux when the package is missing from apt-android-5 repos, by downloading the .deb from GitHub and patching TERMUX_PREFIX placeholders with sed. **Problem:** proot-distro not available in Termux repos for Android 5/6 (ARM32, old API level). **Solution:** Download from GitHub releases, manually fix TERMUX_PREFIX placeholders, install with dpkg. Tags: proot, termux, dpkg, android, arm32 Updated: 2026-02-18 ### [Ubuntu 25.10 Rootfs Manual Extraction](https://pocketclaw.dev/guides/ubuntu-rootfs-manual) Manual extraction of Ubuntu 25.10 armhf rootfs into Termux proot when proot-distro install fails on old Termux. **Problem:** Official proot-distro install script fails on old Termux versions. **Solution:** Download Ubuntu 25.10 armhf rootfs tar.xz manually, extract into proot directory. Tags: proot, ubuntu, termux, rootfs, arm32, infrastructure Updated: 2026-02-18 ### [Git Wrapper Bridge](https://pocketclaw.dev/guides/git-wrapper-bridge) Bridge git from Termux into proot Ubuntu using a wrapper script that calls the native binary through bind mounts. **Problem:** npm needs git for some dependencies but git can't install in proot (dpkg broken on ARM32). **Solution:** Wrapper script at /usr/local/bin/git that calls Termux's native git binary via the proot bind mount. Tags: git, proot, wrapper, termux, npm, bridge Updated: 2026-02-18 ### [Git Argument Parser](https://pocketclaw.dev/guides/git-argument-parser) An enhanced git wrapper with full argument parsing that extracts URLs and destinations regardless of order, handling the many different invocation patterns npm uses during package installation. **Problem:** npm passes git arguments in unexpected order that the simple wrapper doesn't handle. **Solution:** Enhanced wrapper with argument parsing that extracts URL and destination regardless of order. Tags: git, wrapper, npm, proot, argument-parsing Updated: 2026-02-18 ### [--ignore-scripts (Skip Native Compilation)](https://pocketclaw.dev/guides/ignore-scripts) Skip native module compilation during npm install on resource-constrained ARM32 device using --ignore-scripts flag. **Problem:** llama.cpp and other native modules try to compile with gcc/make — impossible on 1 GB RAM ARM32. **Solution:** npm install --ignore-scripts skips all native compilation. Use cloud API providers instead of local models. Tags: npm, native-modules, compilation, arm32, infrastructure Updated: 2026-02-18 ### [npm Cache on SD Card](https://pocketclaw.dev/guides/npm-cache-sd) Move npm cache to SD card to free internal storage on Moto E2 with only 700 MB available space. **Problem:** 700 MB internal storage, npm cache + node_modules = 500 MB+. No space for anything. **Solution:** Redirect npm cache to SD card: npm config set cache /sdcard/npm-cache Tags: npm, storage, sd-card, termux, fat32, infrastructure Updated: 2026-02-18 ### [run-proot.sh Helper Script](https://pocketclaw.dev/guides/run-proot-helper) A helper script that encapsulates the full proot invocation with all bind mounts, environment variables, kill-on-exit, and link2symlink flags needed to run Ubuntu on the Moto E2. **Problem:** Running proot with all bind mounts, env vars, and flags is complex and error-prone. **Solution:** run-proot.sh encapsulates all proot arguments: bind mounts, kill-on-exit, link2symlink, env loading. Tags: proot, script, termux, bind-mount, helper Updated: 2026-02-18 ### [Node.js 22 in proot](https://pocketclaw.dev/guides/node22-proot) Installing a pre-compiled Node.js 22.12.0 ARM binary directly inside the proot Ubuntu rootfs, bypassing broken dpkg/apt and the outdated Termux-native Node v12. **Problem:** dpkg broken in proot, can't install Node via apt. Termux native Node is v12. **Solution:** Download pre-compiled Node.js 22.12.0 ARM binary from nodejs.org, extract directly. Tags: nodejs, proot, binary, arm32, v22 Updated: 2026-02-18 ### [hijack.js (Bionic Bypass + GC + Lazy Loading)](https://pocketclaw.dev/guides/hijack-js) Monkey-patch Node.js internals via -r flag to fix Android 6 bionic crashes, add GC, lazy loading, and dashboard endpoints. **Problem:** os.networkInterfaces() crashes on Android 6 bionic libc. Multiple runtime incompatibilities. **Solution:** hijack.js loaded via Node -r flag. Patches os, fs, adds GC timer, lazy loading, dashboard endpoints. Tags: hijack, monkey-patch, nodejs, bionic, gc, lazy-loading, dashboard Updated: 2026-02-18 ### [Bypass systemd (gateway run)](https://pocketclaw.dev/guides/bypass-systemd) Run OpenClaw gateway in foreground mode to bypass systemd dependency in Termux/proot environment. **Problem:** openclaw gateway start tries to register as systemd service. No systemd in proot. **Solution:** Use gateway run (foreground mode). Set DBUS_SESSION_BUS_ADDRESS=disabled. Tags: systemd, dbus, gateway, foreground, termux, proot Updated: 2026-02-18 ### [Git Wrapper sed Rewrite](https://pocketclaw.dev/guides/git-wrapper-sed) Using sed in the git wrapper to rewrite all three SSH URL formats (git+ssh://, ssh://, git@) to HTTPS in a single pass, since proot has no SSH agent for GitHub authentication. **Problem:** npm passes SSH URLs in 3 formats: git+ssh://, ssh://, git@. Bash substitution catches only one. **Solution:** Use sed in git wrapper to rewrite all 3 SSH URL patterns to HTTPS in a single pass. Tags: git, ssh, https, sed, wrapper, npm Updated: 2026-02-18 ### [Native node22-icu (proot eliminated)](https://pocketclaw.dev/guides/native-node22-icu) Cross-compile Node.js 22 with NDK r26c and small-icu for ARM32 Android, eliminating proot with an 8.4 KB LD_PRELOAD shim. **Problem:** proot adds ~30 MB overhead and causes subtle syscall translation bugs. **Solution:** Cross-compiled Node.js 22.12.0 with NDK r26c targeting API 24 + small-icu. Created libapi23compat.so shim for 11 missing symbols. Tags: nodejs, ndk, cross-compile, arm32, icu, ld-preload Updated: 2026-02-18 ### [fs.promises Patching](https://pocketclaw.dev/guides/fs-promises-patch) Extending the hijack.js path-rewriting shim to also intercept fs.promises methods, which are a separate API surface from the synchronous and callback-based fs methods already patched. **Problem:** OpenClaw uses fs.promises.mkdir('/root/...') which fails on native Android (no /root directory). **Solution:** Extended hijack.js path-rewriting shim to also patch fs.promises methods. Tags: fs, promises, path-rewriting, hijack, native, android Updated: 2026-02-18 ### [Low-Memory Mode (--max-old-space-size)](https://pocketclaw.dev/guides/low-memory-mode) Configure V8 heap limit to prevent OOM kills on 1 GB Android device, starting at 384 MB and refined down to 112 MB. **Problem:** Gateway needs 218+ MB heap, OOM kill with Android + proot overhead. **Solution:** --max-old-space-size=384 initially. Kill Google services before launch (but NOT GMS!). Tags: v8, heap, ram, oom, nodejs, optimization Updated: 2026-02-18 ### [ESM Dead Module Stubs](https://pocketclaw.dev/guides/esm-stubs) Replace unused ESM channel SDKs with stub packages exporting empty classes, saving ~80 MB RAM and 262 MB disk. **Problem:** OpenClaw bundles ALL channel SDKs via ESM. import resolves at link-time, can't skip unused ones. **Solution:** Create stub ESM packages that export empty classes/functions. 9 packages stubbed, 13 deleted entirely. Tags: esm, stubs, modules, ram, dead-code, optimization Updated: 2026-02-18 ### [V8 Heap Binary Search](https://pocketclaw.dev/guides/heap-binary-search) Systematically binary-search the minimum V8 heap cap that survives OpenClaw startup on 1 GB RAM. **Problem:** V8 heap too large wastes RAM for Android, too small = OOM. Need minimum viable heap. **Solution:** Binary search from 384 down. 128 = OOM at startup. 192 = stable. RSS ~175 MB is incompressible. Tags: v8, heap, binary-search, ram, testing, methodology Updated: 2026-02-18 ### [Compile Cache Cleanup](https://pocketclaw.dev/guides/compile-cache-cleanup) Periodic cleanup of Node 22's V8 compile cache directory, which accumulates 51 MB of stale .cache files that waste disk space on a storage-constrained phone. **Problem:** Node 22 compile cache accumulates 51 MB of duplicate .cache files. **Solution:** Periodic rm -rf of node compile cache directory. Rebuilds at 27 MB, saves 24 MB. Tags: compile-cache, v8, disk, cron, cleanup Updated: 2026-02-18 ### [Lazy Loading v3 (Proxy-based deferred require)](https://pocketclaw.dev/guides/lazy-loading-v3) Defer 40 MB of module loading at startup using ES6 Proxy-based lazy require with 37 intercepted package prefixes. **Problem:** OpenClaw loads 1547 modules at startup. Most are never used (Discord when using Telegram, etc.). **Solution:** Proxy-based deferred require in hijack.js. 37 package prefixes return ES6 Proxy that loads real module on first property access. Tags: lazy-loading, proxy, require, ram, modules, optimization Updated: 2026-02-18 ### [Dead Packages (_DEAD_PKGS instant stubs)](https://pocketclaw.dev/guides/dead-packages) Splitting intercepted packages into dead (instant empty stub, zero RAM) and lazy (proxy-deferred, loaded on demand), with 23 packages stubbed out completely to save memory and I/O on a 1 GB phone. **Problem:** Even lazy loading loads modules when accessed. Some providers will NEVER be used on this device. **Solution:** Split into _DEAD_PKGS (instant stub, 0 MB) vs _LAZY_PKGS (defer until use). 23 dead, 6 deferred. Tags: dead-code, stubs, require, ram, modules Updated: 2026-02-18 ### [V8 Heap 192 MB Minimum](https://pocketclaw.dev/guides/v8-heap-192-minimum) Establish 192 MB as the minimum V8 heap for OpenClaw startup, surviving the ESM module linking spike. **Problem:** 128 MB heap OOMs during startup compilation phase (~186 MB needed for ESM module linking). **Solution:** 192 MB as minimum viable heap. Survives boot peak, GC keeps it stable after. Tags: v8, heap, esm, startup, oom, ram Updated: 2026-02-18 ### [V8 Semi-Space 2 -> 1 MB](https://pocketclaw.dev/guides/v8-semi-space) Shrink V8 young generation semi-space from default to 1 MB, saving RAM on I/O-bound gateway with minimal GC overhead. **Problem:** V8 young generation (semi-space) defaults to 2 MB. Wasted for I/O-bound gateway. **Solution:** --max-semi-space-size=1 + --max-old-space-size=150. RSS dropped 216 -> 180 MB (-36 MB). Tags: v8, semi-space, young-gen, gc, ram, optimization Updated: 2026-02-18 ### [UV_THREADPOOL_SIZE=1](https://pocketclaw.dev/guides/uv-threadpool) Reduce libuv thread pool from 4 to 1 on single-core ARM32, saving 2 MB RAM with zero performance impact. **Problem:** libuv spawns 4 worker threads by default, each consuming stack memory. **Solution:** UV_THREADPOOL_SIZE=1 saves ~2 MB. No performance impact on single-core ARM32. Tags: nodejs, libuv, ram, optimization, thread-pool, arm32 Updated: 2026-02-18 ### [Android Debloat (No Root)](https://pocketclaw.dev/guides/android-debloat-no-root) Remove 31 stock Android packages without root using pm uninstall, freeing ~100 MB RAM on Moto E2. Permanent on Android 6. **Problem:** Stock Android uses ~450 MB RAM. No room for the gateway. **Solution:** pm uninstall -k --user 0 for 31 packages in 3 waves. PERMANENT on Android 6 (no pm install-existing). Tags: android, debloat, pm-uninstall, ram, no-root Updated: 2026-02-18 ### [Don't Kill GMS (WiFi Routing Dependency)](https://pocketclaw.dev/guides/dont-kill-gms) Critical lesson: killing Google Mobile Services on Android 6 removes the default WiFi route, breaking all internet connectivity. **Problem:** Killing GMS frees 270 MB but breaks WiFi routing — default gateway route disappears. **Solution:** NEVER kill com.google.android.gms or gsf on Android 6. GMS manages DHCP routing. Tags: gms, wifi, dhcp, routing, android, critical-lesson Updated: 2026-02-18 ### [Static IP + GMS Kill](https://pocketclaw.dev/guides/static-ip-gms-kill) Configure static IP to decouple WiFi from Google Play Services, enabling safe GMS kill to reclaim 270 MB. **Problem:** GMS uses 270 MB but killing it breaks WiFi. Need a way to kill GMS safely. **Solution:** With static IP configured, route is proto static — doesn't depend on GMS. Kill works! But GMS respawns in ~2 min. Tags: gms, static-ip, wifi, debloat, ram, android Updated: 2026-02-18 ### [boot-debloat.sh (51+ Packages via Dirty COW)](https://pocketclaw.dev/guides/boot-debloat) Automated debloat script using Dirty COW root to disable 51+ Android packages on Moto E2 in a single command. **Problem:** After factory reset all packages are back. Manual pm disable one-by-one is tedious. **Solution:** Single script: Dirty COW root + pm disable 51+ packages in one command. Tags: android, debloat, dirty-cow, adb, pm-disable, moto-e2 Updated: 2026-02-18 ### [Extended Boot Debloat (+3 Packages)](https://pocketclaw.dev/guides/extended-boot-debloat) Second debloat pass adding Chrome, defcontainer, and qcrilmsgtunnel to the disabled list, saving additional 100 MB RAM. **Problem:** Chrome (45 MB), defcontainer (35 MB), qcrilmsgtunnel (35 MB) still running after initial debloat. **Solution:** Added 3 more packages to boot-debloat.sh. Total 54+ disabled. ~100 MB additional savings. Tags: debloat, android, chrome, defcontainer, ram, pm-disable Updated: 2026-02-18 ### [Proot Rootfs Diet (741 -> 550 MB)](https://pocketclaw.dev/guides/proot-rootfs-diet) Trim the proot Ubuntu rootfs from 741 MB to 550 MB by removing unused dev headers, Python, and locale data. **Problem:** Proot Ubuntu rootfs bloated at 741 MB. Most space wasted on things OpenClaw never touches. **Solution:** Removed Node headers (65 MB), Python (52 MB), locales (37 MB), i18n (18 MB), man/docs (23 MB). Tags: proot, rootfs, disk, debloat, ubuntu Updated: 2026-02-18 ### [Deep Rootfs Diet (550 -> 498 MB)](https://pocketclaw.dev/guides/deep-rootfs-diet) Second-pass rootfs cleanup removing gconv charset modules, perl, systemd, and PAM from proot Ubuntu, cutting rootfs from 550 to 498 MB. **Problem:** Still 50+ MB of unused system libraries after first diet. **Solution:** Removed gconv (21 MB), perl (6.6 MB), systemd (12 MB), PAM (3.7 MB). Total diet: 741 -> 498 MB (-33%). Tags: proot, rootfs, diet, gconv, debloat Updated: 2026-02-18 ### [Tier 1.5: Headless Server Mode](https://pocketclaw.dev/guides/tier15-headless) Disable Android's SystemUI, Phone, Media, and Keychain services via Dirty COW root to reclaim 67 MB on a headless server phone. **Problem:** SystemUI (70 MB), Phone (42 MB), Media (40 MB), Keychain (35 MB) still running on headless server. **Solution:** pm disable via Dirty COW root. Android base 244 -> 196 MB. Total 441 -> 374 MB. Tags: headless, systemui, debloat, dirty-cow, pm-disable Updated: 2026-02-18 ### [npm Cache on ext4](https://pocketclaw.dev/guides/npm-cache-ext4) Migrate npm cache from FAT32 SD card to ext4 rootfs partition, eliminating ENAMETOOLONG errors on deep git dependency paths. **Problem:** FAT32/sdcardfs can't handle deep nested paths that git creates during npm install. **Solution:** Move npm cache inside rootfs (ext4): npm config set cache /root/.npm-cache Tags: npm, ext4, fat32, cache, storage Updated: 2026-02-18 ### [ESM Stubs at HOST Path](https://pocketclaw.dev/guides/esm-stubs-host-path) Fix invisible ESM stubs by placing them at the Termux host path instead of inside the proot rootfs, where bind mounts shadow them. **Problem:** Stubs created in rootfs are invisible — proot bind mount shadows them with real packages. **Solution:** Create stubs at HOST path ($PREFIX/lib/node_modules/...) directly, not inside rootfs. Tags: esm, stubs, proot, bind-mount, node-modules Updated: 2026-02-18 ### [setsid Gateway Detach](https://pocketclaw.dev/guides/setsid-gateway) Detach PocketClaw gateway from Termux process tree using setsid to survive Dalvik VM kills and cgroup cascades. **Problem:** Gateway is child of Termux bash. Killing Dalvik VM kills the gateway too (cgroup cascade). **Solution:** Launch with /system/bin/setsid — new session, no controlling terminal, survives Dalvik kill. Tags: setsid, process, detach, termux, cgroup, android Updated: 2026-02-18 ### [Dirty COW Root (CVE-2016-5195)](https://pocketclaw.dev/guides/dirtycow-root) Exploit CVE-2016-5195 Dirty COW race condition on kernel 3.10.49 to gain temporary root on locked-bootloader Moto E2. **Problem:** Need root to kill GMS and pm disable packages. Bootloader locked. Kernel 3.10.49 unpatched. **Solution:** Dirty COW race condition in copy-on-write. Overwrite /system/bin/run-as to get root shell. Tags: dirty-cow, cve-2016-5195, root, android, kernel-exploit, arm32 Updated: 2026-02-18 ### [Recovery After Boot Loop](https://pocketclaw.dev/guides/boot-loop-recovery) Documentation of 8 failed recovery attempts after disabling a critical Motorola package caused a permanent boot loop. **Problem:** Removed com.motorola.android.providers.settings -> permanent boot loop. Framework NPE every 90s. **Solution:** 8 fix attempts all failed (SELinux blocks everything). Only fix: factory reset. Tags: boot-loop, recovery, factory-reset, selinux, critical-lesson, motorola Updated: 2026-02-18 ### [Dirty COW SELinux Bypass (zygote context)](https://pocketclaw.dev/guides/dirtycow-selinux-bypass) Two-phase Dirty COW exploit bypassing SELinux by running code as zygote process to write kernel parameters and kill daemons. **Problem:** SELinux blocks ALL writes to /data/system/ even with root uid=0 in shell context. **Solution:** Cross-compile 2232-byte ARM binary, embed COW race, overwrite app_process32 to run as zygote. COW race bypasses SELinux write checks. Tags: dirty-cow, selinux, zygote, kernel, arm32, exploit Updated: 2026-02-18 ### [API Keys Out of ps Output](https://pocketclaw.dev/guides/api-keys-security) Move API keys from command-line arguments to a chmod 600 env file, hiding them from ps output. **Problem:** API keys (Kimi, Telegram, OpenAI) visible in clear text in ps -eo args when passed as proot arguments. **Solution:** Load keys from /root/.openclaw/env file inside proot instead of command line arguments. Tags: security, api-keys, ps, environment, secrets Updated: 2026-02-18 ### [--legacy-peer-deps](https://pocketclaw.dev/guides/legacy-peer-deps) Use --legacy-peer-deps to bypass npm's strict peer dependency resolution during OpenClaw installation on constrained ARM32 device. **Problem:** npm dependency version conflicts during OpenClaw install. **Solution:** --legacy-peer-deps flag alongside --ignore-scripts to bypass peer dependency conflicts. Tags: npm, peer-deps, dependency, install, compatibility Updated: 2026-02-18 ### [PocketClaw Launcher APK (8.5 KB)](https://pocketclaw.dev/guides/launcher-apk) Build a minimal 8.5 KB Android launcher APK without Android Studio using javac, d8, aapt, and apksigner. **Problem:** KISS Launcher uses 33 MB RAM for an unused search bar on a headless phone. **Solution:** 8.5 KB APK: HOME intent, fullscreen WebView to localhost:9000/dashboard. Built without Android Studio. Tags: apk, launcher, android, webview, minimal, no-ide Updated: 2026-02-18 ### [Native APK: Kill the WebView (216 -> 45 MB)](https://pocketclaw.dev/guides/native-apk) Replace WebView launcher with native Android Activity using ScrollView and TextView, cutting RSS from 216 MB to 55 MB. **Problem:** WebView launcher uses 216 MB RSS — more than the gateway itself (186 MB). **Solution:** Complete rewrite: native Activity + ScrollView + TextView, HTTP fetch, manual JSON parsing. 12.6 KB APK, 45 MB RSS. Tags: apk, native, android, launcher, webview, ram Updated: 2026-02-18 ### [APK v2: Escape Hatches (Post-Brick Fix)](https://pocketclaw.dev/guides/apk-v2-escape-hatches) Five escape hatch protections added to PocketClaw launcher after near-brick experience with fullscreen WebView blocking ADB auth. **Problem:** APK v1 was a brick trap: fullscreen hid ADB auth popup, back disabled, no escape to Settings. **Solution:** 5 protections: visible status bar, triple-tap Settings, double-back chooser, emergency button, ADB kill switch. Tags: apk, launcher, escape-hatch, brick, safety, android Updated: 2026-02-18 ### [Dashboard v6: Green Cyberpunk + RAM Breakdown](https://pocketclaw.dev/guides/dashboard-v6-cyberpunk) Redesigned dashboard with green CRT theme and per-process RAM breakdown that revealed WebView as the #1 memory consumer. **Problem:** Dashboard was red-themed, had unused tabs, didn't explain WHY RAM was high. **Solution:** Green Matrix CRT theme, boot animation, RAM process breakdown reading /proc/[pid]/status for ALL processes. Tags: dashboard, crt, proc-filesystem, ram, monitoring, green-theme Updated: 2026-02-18 ### [Process Name Cleanup in Dashboard](https://pocketclaw.dev/guides/process-name-cleanup) Clean up Android package names in PocketClaw dashboard display using regex chain for readability on small screens. **Problem:** Dashboard shows ugly raw Android package names, wastes space on 4.5-inch screen. **Solution:** Regex chain to clean names: com.android.* -> *, com.motorola.* -> moto.*, com.termux -> termux. Tags: dashboard, launcher, regex, android, display, ux Updated: 2026-02-18 ### [IPv6 DNS + autoSelectFamily](https://pocketclaw.dev/guides/ipv6-dns) Fix intermittent DNS resolution failures in proot by pinning Google IPv6 DNS servers and enabling Node.js autoSelectFamily for dual-stack connection attempts. **Problem:** DNS resolution fails intermittently in proot with IPv4-only resolv.conf. **Solution:** Force IPv6 DNS servers in /etc/resolv.conf + autoSelectFamily: true in OpenClaw config. Tags: dns, ipv6, network, resolv-conf, proot Updated: 2026-02-18 ### [Kimi Coding Provider + User-Agent Spoof](https://pocketclaw.dev/guides/kimi-coding-provider) Configure Kimi Coding API provider for OpenClaw with correct endpoint, User-Agent spoof, and reasoning mode disabled. **Problem:** 3 obstacles: wrong endpoint (Kimi Coding != Moonshot), 403 without recognized User-Agent, reasoning_content conflicts. **Solution:** Correct endpoint, User-Agent spoof as claude-code/1.0, reasoning: false in model config. Tags: kimi, api, user-agent, provider, ai, openai-compatible Updated: 2026-02-18 ### [WiFi Watchdog](https://pocketclaw.dev/guides/wifi-watchdog) Automated WiFi recovery watchdog using busybox cron to detect silent disconnections and toggle WiFi back on via svc commands from Termux. **Problem:** WiFi drops silently, gateway can't reach API providers. No automatic recovery. **Solution:** Cron every 2 min: ping 8.8.8.8, toggle WiFi via svc wifi disable/enable if dead. Tags: wifi, watchdog, cron, network, recovery Updated: 2026-02-18 ### [SSH Config + Static IP](https://pocketclaw.dev/guides/ssh-config) SSH config alias with static IP and port forwarding for one-command access to Moto E2 Termux over USB and WiFi. **Problem:** Typing SSH commands with IP, port, key path every time is tedious and error-prone. **Solution:** ~/.ssh/config alias + static IP assigned on router DHCP. adb forward for USB phase. Tags: ssh, network, termux, adb, port-forwarding, config Updated: 2026-02-18 ### [Dashboard via hijack.js (HTTP Intercept)](https://pocketclaw.dev/guides/dashboard-hijack) Inject custom dashboard and status API endpoints into OpenClaw's HTTP server via hijack.js monkey-patching. **Problem:** No way to see phone status at a glance without SSH. **Solution:** Inject /dashboard and /api/status into OpenClaw's HTTP server by monkey-patching http.Server.prototype.listen. Tags: dashboard, hijack, http, monkey-patch, api, status Updated: 2026-02-18 ### [3-Page Dashboard (STATUS / KEYS / LOGS)](https://pocketclaw.dev/guides/3page-dashboard) Three-page dashboard with STATUS, KEYS, and LOGS tabs served from hijack.js alongside the OpenClaw gateway. **Problem:** Single dashboard page insufficient as PocketClaw grew. No way to view logs or manage keys without SSH. **Solution:** Extended hijack.js HTTP interceptor to serve 3 pages with tab navigation and CRT theme. Tags: dashboard, keys, logs, gateway, monitoring, web-ui Updated: 2026-02-18 ### [API Key Management (Dashboard KEYS Page)](https://pocketclaw.dev/guides/api-key-management) Web-based API key management with masked display, inline editing, one-tap provider testing, and live process.env updates. **Problem:** Changing API keys requires SSH access and manual env file editing. **Solution:** Full KEYS page: view (masked), inline edit, one-tap test (hits provider API), add new keys. Tags: api-keys, management, dashboard, security, gateway, web-ui Updated: 2026-02-18 ### [Setup Wizard (/setup)](https://pocketclaw.dev/guides/setup-wizard) Web-based setup wizard for PocketClaw: choose messaging channel, AI provider, enter credentials, and deploy in 4 steps. **Problem:** Setting up PocketClaw requires SSH + JSON config editing. No normal person can do this. **Solution:** Web wizard at /setup: choose channel (Telegram/Discord), choose provider (Kimi/Groq/OpenAI), enter tokens, click DEPLOY. Tags: setup, wizard, web-ui, onboarding, gateway, configuration Updated: 2026-02-18 ### [Termux:Boot Auto-Start](https://pocketclaw.dev/guides/termux-boot) Auto-start PocketClaw gateway, sshd, and cron jobs on phone boot using Termux:Boot BOOT_COMPLETED intent. **Problem:** Phone reboot means manual restart of gateway, sshd, crons. Not viable for autonomous operation. **Solution:** Termux:Boot fires BOOT_COMPLETED intent, runs ~/.termux/boot/start-pocketclaw.sh automatically. Tags: termux, boot, auto-start, android, sshd, cron Updated: 2026-02-18 ### [Boot Script with WiFi Retry](https://pocketclaw.dev/guides/boot-script-retry) Replace fixed sleep delay with WiFi retry loop in Termux boot script for reliable gateway startup after reboot. **Problem:** Sleep 15 for WiFi is fragile. If WiFi takes 30s, everything fails silently. **Solution:** Retry loop: ping every 5s, up to 12 attempts (60s max). Boot logging with timestamps. Graceful degradation. Tags: boot, wifi, retry, termux, reliability, watchdog Updated: 2026-02-18 ### [Healthcheck (2-Phase Gateway Check)](https://pocketclaw.dev/guides/healthcheck) Two-phase gateway healthcheck via cron: process existence check plus HTTP response verification with retry before restart. **Problem:** Gateway process can be alive but not responding (hung state). **Solution:** Cron every 2 min: if process alive but HTTP times out, wait 5s retry, kill only if both checks fail. Tags: healthcheck, cron, gateway, monitoring, restart, reliability Updated: 2026-02-18 ### [termux-wake-lock + Doze Bypass](https://pocketclaw.dev/guides/wake-lock-doze) Prevent Android Doze mode from suspending CPU using termux-wake-lock and deviceidle whitelist for reliable message delivery. **Problem:** Doze mode suspends CPU after 30 min screen off. Telegram messages delayed 2-3 hours. **Solution:** termux-wake-lock (PARTIAL_WAKE_LOCK) + deviceidle whitelist for Termux. CPU stays on, screen off. Tags: wake-lock, doze, android, battery, termux, telegram Updated: 2026-02-18 ### [Merged Kill Loop (3 bash -> 1 bash)](https://pocketclaw.dev/guides/merged-kill-loop) Merge three separate background bash kill loops into a single loop, saving 3 MB RAM and reducing process count. **Problem:** 3 separate while-true loops for background kills: SystemUI, dormant services, monitor. Each ~1.5 MB RSS. **Solution:** Merged into single loop every 5 min. Expanded kill list to 12 packages. -3 MB RAM. Tags: optimization, bash, kill-loop, ram, process, cgroup Updated: 2026-02-18 ### [kill-dalvik Cron (Auto-Free ~40 MB)](https://pocketclaw.dev/guides/kill-dalvik-cron) Cron job to periodically kill com.termux.boot Dalvik VM, freeing 40 MB while avoiding the cgroup cascade from killing com.termux. **Problem:** Termux Dalvik VMs (com.termux ~49 MB + com.termux.boot ~40 MB) waste 89 MB after boot. **Solution:** Cron kills com.termux.boot every 2 min. Only safe target — com.termux kill causes cgroup cascade killing gateway. Tags: dalvik, cron, cgroup, termux, ram, optimization Updated: 2026-02-18 ### [OpenClaw security crisis 2026: what you need to know](https://pocketclaw.dev/guides/openclaw-security-crisis-2026) OpenClaw shipped a one-click RCE in January 2026. ~1000 public installations were running without auth. Here's what happened, what's exposed, and what to do. **Problem:** OpenClaw versions before 2026.2.10 are vulnerable to a one-click remote code execution flaw and ship with insecure defaults. **Solution:** Upgrade to the latest patched version, disable WebSocket origin trust, audit your install for stray exposed ports, or migrate to a sandboxed alternative. Tags: openclaw, security, cve, rce Updated: 2026-04-28 ### [5 best OpenClaw alternatives in 2026 (tested and ranked)](https://pocketclaw.dev/guides/openclaw-alternatives-2026) Hermes Agent, Nanobot, NanoClaw, IronClaw, ZeroClaw — installed, broken, fixed. Honest comparison of the top OpenClaw alternatives, ranked by what actually works in production. **Problem:** OpenClaw is unstable, insecure, and abandoned by its original author — but most comparison articles are sponsored or out of date. **Solution:** Five sandboxed alternatives, each tested for setup time, security model, model compatibility, and resource use. Pick the one that matches your threat model. Tags: openclaw, hermes, nanobot, nanoclaw, ironclaw, zeroclaw Updated: 2026-04-28 ### [How to migrate from OpenClaw to Hermes Agent: step-by-step](https://pocketclaw.dev/guides/migrate-openclaw-to-hermes) Concrete migration guide from OpenClaw to Hermes Agent. Export your config, port your tools, rewire your dashboard, decommission the old install. **Problem:** OpenClaw config is not portable to Hermes Agent. Tool definitions, credentials, and persistent memory live in different places. **Solution:** A six-step migration: export OpenClaw state, install Hermes Agent in Docker, translate tools, re-encrypt credentials, rebuild memory store, decommission OpenClaw. Tags: openclaw, hermes, migration, docker Updated: 2026-04-28 ### [The complete OpenClaw timeline (Nov 2025 → Apr 2026): from weekend project to 135K installs to security crisis](https://pocketclaw.dev/guides/openclaw-complete-history) Long-form history of OpenClaw — Peter Steinberger's autonomous AI agent. Origin, viral growth, technical architecture, the move to OpenAI, the security collapse, and what it means for self-hosted AI in 2026. **Problem:** OpenClaw's story is told in fragments — release notes, Twitter threads, Hacker News, security advisories — and each fragment is partial or biased. There is no single timeline. **Solution:** A consolidated, source-referenced timeline of every meaningful OpenClaw event from November 2025 to April 2026, with technical context for why each one mattered. Tags: openclaw, timeline, history, security, self-hosted-ai, post-mortem, peter-steinberger Updated: 2026-04-28 ### [Self-hosted AI agents in 2026 — the complete landscape report](https://pocketclaw.dev/guides/self-hosted-ai-landscape-2026) Comprehensive landscape report on self-hosted AI agents in 2026: ecosystem map, vendor analysis, security posture, hosting economics, model integrations and the regulatory environment. Covers OpenClaw, Hermes, Nanobot, NanoClaw, IronClaw, ZeroClaw, Moltworker and the wider category. **Problem:** The self-hosted AI agent space evolved from one project to a dozen vendors and three architectural patterns in six months. Most existing comparisons are vendor-funded, out of date by the time they publish, or focused narrowly on one axis (like model support). **Solution:** A six-section landscape report covering ecosystem structure, vendor breakdown, security posture, hosting economics, model integrations and regulation. Updated quarterly. Tags: self-hosted-ai, landscape, openclaw, hermes, nanobot, zeroclaw, ironclaw, report, comparison Updated: 2026-04-28 ### [Pocket AI 2026 — the complete guide to running self-hosted AI on portable hardware](https://pocketclaw.dev/guides/pocket-ai-complete-guide) The reference guide on Pocket AI: running self-hosted AI agents and local LLMs on Raspberry Pi, Mac Mini, mini PCs, Framework laptops and edge devices. Hardware comparison, agent compatibility, real-world benchmarks, and the manifesto. **Problem:** Cloud AI assumes you have unlimited budget and zero data residency requirements. Most articles about "running AI locally" benchmark $5,000 GPUs as the entry point. The €100-€2,000 portable hardware tier — the actual sweet spot for individuals and small teams — is under-covered. **Solution:** A 12,000-word reference covering every credible portable host for self-hosted AI in 2026, with real benchmarks, agent compatibility, local LLM viability, and concrete buying advice for six common scenarios. Tags: pocket-ai, edge-ai, raspberry-pi, mac-mini, intel-nuc, local-llm, self-hosted, portable, hardware Updated: 2026-04-29 ### [Edge AI hardware buyer's guide 2026 — Raspberry Pi 5 vs Mini PC vs Mac Mini vs Framework](https://pocketclaw.dev/guides/edge-ai-hardware-2026) Honest hands-on hardware buyer's guide for self-hosted AI agents in 2026. Raspberry Pi 5, Intel NUC and clones, Mac Mini M4, Framework Laptop, Orange Pi 5 Plus — real benchmarks, real bills, concrete recommendations by budget. **Problem:** Most edge AI hardware reviews benchmark unrealistic configurations or copy-paste manufacturer claims. The €100-€2,000 tier — actually relevant for individuals and small teams running self-hosted AI — is poorly served. **Solution:** A 10,000-word buyer's guide with real benchmarks across the five device classes that matter, paired with concrete recommendations for five common budget bands and use cases. Tags: edge-ai, pocket-ai, hardware, raspberry-pi, mac-mini, intel-nuc, framework, buyers-guide, 2026 Updated: 2026-04-30 ### [Local LLMs in 2026 — the complete benchmark report on portable hardware](https://pocketclaw.dev/guides/local-llms-benchmark-2026) Real-world benchmarks of Llama 3.3 70B, Qwen 2.5 72B, Mistral 7B, Llama 3 8B and Phi-3 mini across Raspberry Pi 5, Intel mini PCs, Apple Silicon Mac Mini, and Mac Studio. Tokens-per-second, agentic task pass rates, power and cost economics. **Problem:** Most local-LLM benchmarks measure pure inference throughput on artificial prompts — not what matters for self-hosted AI agent workloads. Real-world performance on multi-step agentic tasks is poorly documented. **Solution:** We installed and ran the same five agentic tasks across 8 hardware tiers and 5 model sizes — Pi 5 to Mac Studio M3 Ultra — measuring end-to-end pass rate, tokens-per-second, power and amortised cost. Concrete buying advice follows from the data. Tags: local-llm, llama, mistral, qwen, phi-3, benchmark, raspberry-pi, mac-mini, ollama, pocket-ai Updated: 2026-04-30 ### [Self-hosted AI security playbook 2026 — the practical operator's guide](https://pocketclaw.dev/guides/self-hosted-ai-security-playbook-2026) Practical security playbook for self-hosted AI agent operators in 2026. Threat model, sandbox setup, credential storage, network isolation, monitoring, incident response. Step-by-step, post-OpenClaw-crisis. **Problem:** Self-hosted AI agent security guidance in 2026 is fragmented across vendor docs, Twitter threads and post-incident blog posts. There is no single practical operator's playbook covering the realistic threat model and concrete defences. **Solution:** A 10-section playbook covering the modern threat model, sandbox setup, credential management, network isolation, audit logging, monitoring, update strategy, and incident response — with concrete commands and config snippets for Hermes Agent, OpenClaw 2026.4+, ZeroClaw and the rest. Tags: security, self-hosted, operator-guide, openclaw, hermes-agent, playbook, sandbox, credentials, threat-model Updated: 2026-05-01 ### [How to choose a self-hosted AI agent in 2026 — a decision tree](https://pocketclaw.dev/guides/how-to-choose-self-hosted-ai-agent-2026) Pick the right self-hosted AI agent in 2026 with a six-question decision tree. Covers OpenClaw, Hermes Agent, Nanobot, NanoClaw, IronClaw, ZeroClaw, Moltworker. Practical, vendor-agnostic, no-bullshit. **Problem:** There are now 7+ credible self-hosted AI agent projects with different defaults, sandbox models and licensing. Most articles compare them in tables; few help you actually decide. **Solution:** Six questions, in order, that filter the field down to the right agent for your specific situation. Each question links to the relevant deeper guide. Tags: self-hosted-ai, decision-tree, openclaw, hermes-agent, nanobot, ironclaw, zeroclaw, buyers-guide Updated: 2026-05-02 ### [GDPR for self-hosted AI agents in 2026 — a practical compliance walkthrough](https://pocketclaw.dev/guides/gdpr-self-hosted-ai-2026) Practical GDPR compliance walkthrough for self-hosted AI agent operators. Lawful basis, data residency, sub-processor disclosure, DPIA triggers, breach notification. Plain language. Not legal advice. **Problem:** GDPR guidance for self-hosted AI in 2026 is split between vendor compliance pages, lawyer briefings and Reddit threads — none of which give a working operator a clear walkthrough of what to do. **Solution:** A 9-section walkthrough covering the lawful basis question, data minimisation in agent contexts, where Hermes/OpenClaw/ZeroClaw store what, sub-processor disclosure, DPIA triggers, breach notification, retention, transfer mechanisms, and rights handling. Tags: gdpr, privacy, self-hosted, compliance, data-residency, eu, security Updated: 2026-05-03 ### [Solo developer self-hosted AI — a year-long retrospective](https://pocketclaw.dev/guides/solo-developer-self-hosted-ai-retrospective-2026) What it's actually like to run a self-hosted AI stack for a year as a solo developer. Real numbers on cost, ops time, downtime, regrets. What worked, what didn't, what we'd do differently. **Problem:** Most self-hosted AI guides describe the happy path of installation. Almost none describe what running the stack actually feels like 12 months in, when the novelty has worn off and the maintenance reality has set in. **Solution:** A first-person retrospective covering 14 months of running self-hosted agents alongside day-job consulting work. Includes the bills, the outages, the migrations, the burnout points and the things that genuinely added value. Tags: self-hosted, retrospective, solo-developer, ops, real-numbers, year-in-review Updated: 2026-05-04 ### [Raspberry Pi 5 as a self-hosted AI host — 90 days of real-world benchmarks](https://pocketclaw.dev/guides/raspberry-pi-5-self-hosted-ai-90-day-benchmark) What it's actually like to run a self-hosted AI agent on a Raspberry Pi 5 for 90 days. Real numbers on tokens-per-second, watt-hours, thermal throttle, SD card wear and the workloads where the Pi is genuinely good — and the workloads where it absolutely is not. **Problem:** Every Raspberry Pi 5 self-hosted AI tutorial reads the same: 'install Ollama, run a model, look it works.' Almost none come back 90 days later with the boring questions: does it stay up, what does it actually serve well, and where does it fall flat? **Solution:** We ran a Pi 5 8 GB with active cooling as a Hermes Agent host alongside Ollama (qwen2.5-coder-3B and tinyllama-1.1B) for 90 days against a real workload — code review on PRs, documentation Q&A on a 4 GB knowledge base, and inbox classification. Every figure in this article is from that period. Tags: raspberry-pi-5, self-hosted, benchmark, edge-ai, hermes-agent, ollama, real-numbers, 90-days Updated: 2026-05-12 ### [Migrating from OpenAI Assistants to OpenClaw — six weeks of pain (and what we kept)](https://pocketclaw.dev/guides/migrating-openai-assistants-to-openclaw) A weekly diary of six weeks moving a working internal tool from OpenAI Assistants API to a self-hosted OpenClaw 2026.4 deployment. The actual mistakes, the actual cost reductions, the things that broke that we hadn't anticipated. **Problem:** There is no shortage of articles claiming you should self-host your AI to escape OpenAI lock-in. Almost none describe what the migration actually entails when your team has built a working tool on Assistants — function calling, threads, file_search, the whole machinery — and now needs to move it without breaking the people using it. **Solution:** A six-week diary of moving a real tool (an internal sales-deck Q&A bot built on Assistants API in late 2025) to OpenClaw 2026.4 self-hosted on a €25/month VPS. Includes the schema mapping, the broken assumptions, the cost delta over the migration period, and what we kept on OpenAI deliberately. Tags: migration, openai, openclaw, self-hosted, assistants-api, real-numbers, cost-savings Updated: 2026-05-19 ### [GPU vs CPU for self-hosted AI inference — when each genuinely wins in 2026](https://pocketclaw.dev/guides/gpu-vs-cpu-self-hosted-ai-when-each-wins) When does a GPU actually pay for itself in self-hosted AI inference, and when is a modern CPU genuinely the better answer? Real benchmarks across Mac Mini M4, Intel NUC 13, Raspberry Pi 5, and a single-GPU box. Watts per token, euros per million tokens, and the surprising places CPU wins. **Problem:** The default assumption in most self-hosted AI tutorials is 'get a GPU.' That advice is often wrong in 2026 — for the workloads most self-hosted AI users actually have, a CPU is competitive, sometimes faster on small models, and dramatically cheaper to run. The literature does not say so clearly enough. **Solution:** We benchmarked four hosts (Pi 5, Intel NUC 13, Mac Mini M4, single-GPU box with RTX 4060 Ti 16 GB) on five model sizes (1B, 3B, 7B, 13B, 32B Q4) and three workload shapes. The article walks through the data, the watts, the costs, and where each host genuinely wins. Tags: gpu, cpu, benchmark, hardware, inference, edge-ai, apple-silicon, real-numbers Updated: 2026-05-26 ### [State of self-hosted AI — Q2 2026](https://pocketclaw.dev/guides/state-of-self-hosted-ai-2026-q2) PocketClaw's quarterly state-of-the-ecosystem report. The agents that grew, the agents that died, the CVE landscape, the hardware that won, the providers that stopped being interesting. Hard numbers from public sources, opinions credited. **Problem:** There is no single quarterly accounting of where self-hosted AI actually stands. Vendor blogs are marketing; Hacker News is anecdote. People making infrastructure decisions need a curated, honest snapshot of what's working, what's broken, and where the ecosystem is heading. **Solution:** PocketClaw's quarterly state-of report. Six sections — agents, security, hardware, providers, models, infrastructure — with the hard data we track on public dashboards, contextualised with our editorial opinion. Updated quarterly; this is Q2 2026. Tags: state-of, quarterly-report, self-hosted, ecosystem, 2026 Updated: 2026-06-02 ## All tracked agents ### [OpenClaw](https://pocketclaw.dev/agents/openclaw) OpenClaw became the most-installed self-hosted agent of late 2025 / early 2026, peaking around 135,000 installs. The January 2026 security crisis (CVE-2026-25253 et al.) triggered a transfer to a Linux Foundation-hosted foundation and a substantial security overhaul. The 2026.4 line ships sandbox-on, encrypted credentials, authenticated dashboard. Plugin ecosystem is the largest in the category. - **License:** MIT - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** Existing OpenClaw deployments with custom plugins; Teams already trained on the OpenClaw model; Agents that need the largest plugin marketplace - **Not for:** New deployments — Hermes Agent is the easier on-ramp; Pre-2026.3 hosts that haven't migrated (assume compromise); Strict no-cloud requirements (use ZeroClaw) ### [Hermes Agent](https://pocketclaw.dev/agents/hermes-agent) Hermes shipped in February 2026 with sandbox-on-by-default, explicit network and filesystem allowlists, and a clean approval flow. 1.4 GB Docker image is the main downside. Threat model is publicly documented. - **License:** Apache-2.0 - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** New self-hosted AI deployments without specific constraints; Multi-user environments needing real auth; Teams wanting safe-by-default with minimal config - **Not for:** Highly resource-constrained hosts (try Nanobot); Strict no-cloud (use ZeroClaw); Compliance-mandated regulated industries (use IronClaw) ### [Nanobot](https://pocketclaw.dev/agents/nanobot) Nanobot is an academic project that achieved viral product status. The codebase fits in a single tab. No sandbox by design — the audit is reading the code yourself. Single-user, OpenAI-compatible, intentionally minimal. - **License:** MIT - **Sandbox by default:** no - **Multi-LLM:** no - **Threat model documented:** no - **Best for:** Engineers who want full code-level visibility; Resource-constrained hosts (Raspberry Pi works); Foundations for custom proprietary agents - **Not for:** Multi-user deployments; Anyone who needs sandbox guarantees they didn't write themselves; Anthropic-only stacks without willingness to write a shim ### [NanoClaw](https://pocketclaw.dev/agents/nanoclaw) NanoClaw is the macOS fork that emerged from the OpenClaw post-crisis turbulence. Drops multi-LLM in favour of tight Anthropic integration. Native pkg installer, Apple container sandbox, sub-second boot. Smaller plugin ecosystem. - **License:** Apache-2.0 - **Sandbox by default:** yes - **Multi-LLM:** no - **Threat model documented:** yes - **Best for:** macOS developers with active Claude subscriptions; Demos where boot speed matters; Privacy-aware Mac users wanting Apple-native sandboxing - **Not for:** Linux/Windows deployments; Multi-LLM workloads; Cloud / VPS hosting ### [IronClaw](https://pocketclaw.dev/agents/ironclaw) IronClaw is the agent for regulated industries. gVisor sandbox, hash-chained audit logs, SAML SSO, RBAC, air-gap mode that genuinely works. License forbids competing commercial products. $750/seat/year minimum. - **License:** Source-available - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** Finance, healthcare, government deployments; Air-gapped or highly sensitive environments; Organisations with dedicated CISO functions - **Not for:** Hobbyists / individual developers (price excludes you); Open-source purists (license is source-available, not OSI); Smaller teams without procurement processes ### [ZeroClaw](https://pocketclaw.dev/agents/zeroclaw) ZeroClaw runs entirely on local hardware via Ollama or llama.cpp. Network egress is denied by default at the iptables level. AGPL-3.0 prevents hosted variants from being commercialised without source disclosure. Hardware floor is real (64 GB unified memory or 24 GB GPU). - **License:** AGPL-3.0 - **Sandbox by default:** yes - **Multi-LLM:** no - **Threat model documented:** yes - **Best for:** Data residency-mandated deployments; Privacy-first individuals running local Llama 3.3; Regulated industries needing fully offline operation - **Not for:** Cloud-LLM workflows; Hardware-constrained deployments (<32 GB RAM); Teams expecting Claude-tier capability for free ### [Moltworker](https://pocketclaw.dev/agents/moltworker) Moltworker is Cloudflare's reference implementation of a self-hosted agent on Workers. Genuinely free at low volume. State persisted in Durable Objects. Workers runtime forbids native binaries — rules out browser automation and a long tail of agent tools. - **License:** Apache-2.0 - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** Cloudflare-native shops; Edge-deployed low-volume agents; Teams wanting near-zero operational footprint - **Not for:** Browser automation workloads; ffmpeg / heavy media tooling; Anyone wanting LLM inference on the same host ### [DeployHermes](https://pocketclaw.dev/agents/deployhermes) DeployHermes is the first managed-hosting service built specifically around Hermes Agent. $19/month gets you a hosted Hermes deployment with HTTPS dashboard, SSO via Google or GitHub, automated CVE monitoring with email alerts, and zero ops on your side. Suitable when you want Hermes-Agent capability without the VPS work — at the cost of opinionated configuration and proprietary management UI. - **License:** Proprietary (managed) - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** Teams wanting Hermes Agent without operations work; Small companies needing SSO + admin layer; Users who don't want to maintain a VPS - **Not for:** Self-hosters on principle (defeats the point); Custom plugin requirements (managed UI restricts these); Air-gap or on-premises deployments ### [NitroClaw](https://pocketclaw.dev/agents/nitroclaw) NitroClaw is a higher-touch managed hosting service. $20/month entry tier hosts your choice of OpenClaw or Hermes with included AI credits ($10/month value). $100/month tier adds white-glove setup, custom plugin development assistance, and $50/month of bundled AI credits. Targets technical-but-time-constrained users. - **License:** Proprietary (managed) - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** Time-constrained teams wanting bundled AI credits; Users wanting human support during setup; Mid-sized teams scaling self-hosted AI - **Not for:** DIY self-hosters; Cost-sensitive deployments below $20/month; Air-gap requirements ### [ClawRift](https://pocketclaw.dev/agents/clawrift) ClawRift is built around the multi-channel use case: deploy a single agent across Telegram, Discord and WhatsApp from a single config screen. $19/month entry tier covers a single channel; $59/month unlocks all three plus higher rate limits. Best in class for users whose primary use case is bot deployment rather than self-hosted experimentation. - **License:** Proprietary (managed) - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** yes - **Best for:** Bot deployments across messaging platforms; Users wanting fast time-to-first-message; Small businesses needing customer-facing chat - **Not for:** Self-hosters on principle; Custom-tool requirements (managed UI is opinionated); Cost-optimised single-channel deployments ### [ClawGo](https://pocketclaw.dev/agents/clawgo) ClawGo is the free-tier-friendly managed option. The free tier (1 agent, 50 messages/day, single channel) genuinely works for hobbyist use without expiring. Paid tiers scale linearly: $9/month for higher rate limits, $29/month for multi-channel. Reasonable choice for users wanting to learn before committing. - **License:** Proprietary (managed) - **Sandbox by default:** yes - **Multi-LLM:** yes - **Threat model documented:** no - **Best for:** First-time agent users wanting to learn; Hobbyist single-channel bots; Users testing the managed-hosting model before committing - **Not for:** Production deployments (rate limits); Custom-plugin requirements; Air-gap or self-hosted requirements ### [ZeroClaw Lite](https://pocketclaw.dev/agents/zeroclaw-lite) ZeroClaw Lite is a community-maintained fork of ZeroClaw optimised for resource-constrained hosts. Default model is Phi-3 mini 3.8B (Q4); RAM ceiling is 4 GB. Runs comfortably on a Raspberry Pi 5, which the regular ZeroClaw does not. Drops the offline-RAG feature and several heavyweight tools to make this work. AGPL-3.0 like the parent project. - **License:** AGPL-3.0 - **Sandbox by default:** yes - **Multi-LLM:** no - **Threat model documented:** yes - **Best for:** Raspberry Pi 5 / Orange Pi 5 Plus deployments; Privacy-mandated low-power setups; Edge AI experimentation on cheap hardware - **Not for:** Workloads requiring 7B+ model capability; Multi-LLM environments; Production with the full ZeroClaw feature set ## All tracked hardware ### [Raspberry Pi 5](https://pocketclaw.dev/pocket/raspberry-pi-5) The Raspberry Pi 5 is the de-facto first device for pocket AI in 2026. The 8 GB SKU has enough RAM for Hermes Agent without browser automation, or for Nanobot with everything. NVMe via the official M.2 HAT removes the SD card bottleneck. Power draw is comfortably under 12W under load — runs cool, runs silent, runs forever. Local LLM inference is the limit: realistic ceiling is 3B-parameter quantised models like Phi-3 or TinyLlama, which trail Claude meaningfully on agentic tasks. For agents that delegate the LLM call to a cloud API, the Pi 5 is genuinely competitive with €30/month VPS plans. - **Price:** €80–110 - **CPU:** Broadcom BCM2712 — 4× Cortex-A76 @ 2.4 GHz - **RAM:** 4 / 8 GB LPDDR4X - **Power:** 5–12 W - **Local LLM capability:** small-only - **Agent score:** 7/10 - **Best for:** First-time self-hosters wanting low power + always-on; Hermes Agent without browser tool; Nanobot deployments; MCP server hosts - **Not for:** Local LLM inference beyond ~3B param Q4 quants; Browser automation (Chromium too heavy); Multi-user agent workloads ### [Intel NUC 13 / Mini PC](https://pocketclaw.dev/pocket/intel-nuc-13) Mini PCs hit the sweet spot for serious self-hosted AI agents. €400 buys you 32 GB RAM and a CPU that runs everything Hermes Agent throws at it, including the 800 MB Chromium browser tool. Local LLM inference becomes realistic: Mistral 7B Q4 hits ~10 tok/s on integrated graphics, Llama 3 8B Q4 around the same. Pair with Ollama and ZeroClaw for a fully-local agent setup that doesn't need cloud LLM APIs. The NUC line specifically is a known quantity (Intel reference design, broad Linux support), but generic mini PCs from Beelink, Minisforum or Geekom are equally solid in 2026. - **Price:** €300–600 - **CPU:** Intel i5/i7 13th gen — 10–14 cores - **RAM:** 16 / 32 / 64 GB DDR4 / DDR5 - **Power:** 15–55 W - **Local LLM capability:** yes - **Agent score:** 9/10 - **Best for:** Hermes Agent with browser automation; Multi-user team agents at small scale; Local LLM inference up to 7B params (Q4); ZeroClaw with Mistral 7B / Llama 3 8B - **Not for:** Truly portable use (mains power assumed); Larger local models (>7B) — needs Mac Studio or GPU; Always-on if power budget is tight ### [Mac Mini M4 / M4 Pro](https://pocketclaw.dev/pocket/mac-mini-m4) The Mac Mini M4 with 24+ GB unified memory is the single best small-form-factor machine for running local LLMs in 2026. Apple's unified memory architecture means a 70B parameter Llama 3.3 quantised to 4-bit fits comfortably in 48 GB and runs at ~7-10 tokens per second — usable for agent workloads. The Neural Engine accelerates certain model classes meaningfully. Pair with NanoClaw for Apple-native sandboxing or ZeroClaw for fully offline operation. The downside is Linux: Asahi Linux is genuinely impressive but not yet production-grade. If your stack assumes Linux, the M4 Mac Mini is more friction than it's worth. If you're macOS-native or willing to run macOS as the host, it's the desk machine to beat. - **Price:** €699–2200 - **CPU:** Apple M4 / M4 Pro — 10–14 cores - **RAM:** 16 / 24 / 32 / 48 / 64 GB unified memory - **Power:** 11–60 W - **Local LLM capability:** large - **Agent score:** 10/10 - **Best for:** Local LLM inference on 13B–70B models; ZeroClaw production setups; NanoClaw native macOS deployment; Anyone wanting Apple Silicon performance per watt - **Not for:** Linux-only stacks (yes, Asahi Linux exists, but it's a project); True portability (still mains power, still desk-bound); Cost-sensitive deployments (Linux mini PC offers more RAM/€) ### [Framework Laptop 13 / 16](https://pocketclaw.dev/pocket/framework-laptop) Framework laptops earn their place in this guide because they're the rare modern laptop where repair, upgrade and Linux support are genuinely first-class. The 13-inch with 32 GB RAM runs Hermes Agent comfortably alongside browser-tool workloads. The 16-inch with discrete GPU adds local LLM headroom. Neither is the right pick for always-on agent hosting (you want a fanless mini PC for that), but as a portable AI development machine that lasts five years, Framework is the most credible option. - **Price:** €1100–2200 - **CPU:** AMD Ryzen 7040 / 8040 / Intel Core Ultra - **RAM:** 8 / 16 / 32 / 64 GB DDR5 - **Power:** 15–80 W - **Local LLM capability:** yes - **Agent score:** 8/10 - **Best for:** Engineers who want one machine for both work and agent hosting; Linux-first deployments; Repair-friendly hardware - **Not for:** Always-on hosting (laptop ≠ server); Strict per-watt efficiency vs Mac Mini; Cost-optimised setups (mini PC + dedicated laptop is cheaper) ### [Old Android phone (Moto E2 et al.)](https://pocketclaw.dev/pocket/moto-e2-2015) Repurposing a 2015-era Android phone as an agent host is the project that started PocketClaw. It works, with severe constraints: Termux + proot-distro for a Linux userland, custom Node.js builds because the official binaries don't target old ARMv8, V8 heap tuning for the 1 GB RAM ceiling. The result is a phone that runs a stripped-down Nanobot agent that calls a cloud LLM API. It is a hobbyist project — not a viable production setup. We document the journey under /archive/ for the engineers who'll find it useful. - **Price:** €15–30 used - **CPU:** Snapdragon 410 / 615 era — ARM Cortex-A53 - **RAM:** 1 GB (Moto E2) — up to 8 GB on newer used phones - **Power:** 1–3 W - **Local LLM capability:** no - **Agent score:** 3/10 - **Best for:** Hobbyist proof-of-concept; Demonstrations of low-power AI hosting; Educational projects - **Not for:** Anything production; Browser automation; Local LLMs (period); Multi-user workloads ### [Raspberry Pi Zero 2 W](https://pocketclaw.dev/pocket/raspberry-pi-zero-2w) The Pi Zero 2 W is too small to host a primary agent in 2026, but it shines as an edge endpoint. Pair it with a primary host (Pi 5, mini PC, Mac Mini) and have the Zero serve as an MCP tool host — read sensors, control GPIO, run small local utilities. €20 is cheap enough that you can scatter five of them across a workspace and have them act as the hands and eyes of a single primary agent. This is genuinely the right place to be experimentally. - **Price:** €20 - **CPU:** Broadcom BCM2710A1 — 4× Cortex-A53 @ 1 GHz - **RAM:** 512 MB LPDDR2 - **Power:** 1–2 W - **Local LLM capability:** no - **Agent score:** 4/10 - **Best for:** MCP server hosts in a distributed agent setup; Edge sensor / tool endpoints; Battery-powered remote AI extensions - **Not for:** Primary agent host; Anything LLM-related; Browser automation ### [Geekom IT13 / generic Intel mini PC](https://pocketclaw.dev/pocket/geekom-mini-it13) Generic Intel mini PCs from Geekom, Beelink, Minisforum and similar brands offer 80-90% of the Intel NUC capability at 60-75% of the price. The Geekom IT13 specifically — 32 GB RAM, 1 TB NVMe, i7 — at €450 is meaningfully cheaper than equivalent NUC SKUs. Linux support is solid (kernel 6.x has all the drivers), build quality is generally good, and the warranty is reasonable. Not worth it if you specifically need Intel reference design (compliance reasons, etc.) but for everyone else, this is the best price/performance entry point in 2026. - **Price:** €450–550 - **CPU:** Intel Core i7-13620H — 10 cores - **RAM:** 16 / 32 / 64 GB DDR4 - **Power:** 20–55 W - **Local LLM capability:** yes - **Agent score:** 9/10 - **Best for:** Cost-conscious self-hosters who want NUC-class hardware; Hermes Agent with browser tool; Mistral 7B / Llama 3 8B Q4 inference - **Not for:** Apple Silicon workloads (obviously); Larger LLMs (>13B Q4) ### [Orange Pi 5 Plus](https://pocketclaw.dev/pocket/orange-pi-5-plus) The Orange Pi 5 Plus delivers genuinely impressive specs for ARM SBC pricing. 32 GB RAM is achievable, the RK3588's NPU accelerates certain LLM operations, and the M.2 NVMe slot removes storage as a bottleneck. The downside is software ecosystem: official Orange Pi OS images are functional but rough, community Armbian builds are better but require time investment. If you're comfortable on a less-trodden software path, the Orange Pi 5 Plus is genuinely competitive with — and sometimes superior to — the Raspberry Pi 5 for self-hosted AI work. If you want "it just works", stay on the Pi. - **Price:** €110–250 - **CPU:** Rockchip RK3588 — 4× A76 + 4× A55 - **RAM:** 4 / 8 / 16 / 32 GB LPDDR4X - **Power:** 8–15 W - **Local LLM capability:** small-only - **Agent score:** 8/10 - **Best for:** Self-hosters who want more RAM than the Pi 5 can offer; ARM-native LLM inference up to 7B Q4 (NPU helps); Multi-tool agent setups - **Not for:** Anyone allergic to less-mainstream Linux distributions; Production where Pi 5 community support beats raw specs ### [Mac Studio M3 Ultra](https://pocketclaw.dev/pocket/mac-studio-m3-ultra) The Mac Studio M3 Ultra sits at the peak of the personal-and-small-team local-LLM hardware stack. 192 GB unified memory means almost any quantised model fits. 80-core GPU + Neural Engine moves serious tokens per second. Power draw is high under load (~215W peak) but average usage stays modest. The €4,500–7,000 price tag rules out hobbyists, but for production deployments where local-LLM throughput is the bottleneck, this is the small-form-factor leader. - **Price:** €4,500–7,000 - **CPU:** Apple M3 Ultra — 32 cores - **RAM:** 64 / 96 / 192 GB unified memory - **Power:** 30–215 W - **Local LLM capability:** large - **Agent score:** 10/10 - **Best for:** Production local-LLM deployments at scale; Llama 3.3 70B / Qwen 72B at usable speeds; Power users who want "as good as it gets" small-form-factor - **Not for:** Anyone cost-sensitive; Linux-first stacks (Asahi Linux not yet production-ready for this); Use cases satisfied by Mac Mini M4 Pro ### [MacBook Air M3 / M4](https://pocketclaw.dev/pocket/macbook-air-m3) The MacBook Air with M3 or M4 is the cleanest portable Apple Silicon option for self-hosted AI work. 24 GB unified memory comfortably runs Mistral 7B Q4 or Llama 3 8B Q4 alongside the agent. Fanless design means silent operation. Battery life on light agent workloads is genuinely a full work day. Trade-off: sustained max-load workloads thermally throttle. Not a server, very much a productive personal AI machine. - **Price:** €1,299–2,099 - **CPU:** Apple M3 / M4 — 8–10 cores - **RAM:** 8 / 16 / 24 GB unified memory - **Power:** 10–25 W - **Local LLM capability:** yes - **Agent score:** 8/10 - **Best for:** Mobile developers running local LLMs on the go; Silent operation (fanless); Apple-native macOS workflows - **Not for:** Sustained workloads (thermal throttle under continuous load); Linux-first stacks; 70B-class local models (need M-Pro or higher) ### [Lenovo ThinkCentre M75q (used)](https://pocketclaw.dev/pocket/lenovo-thinkcentre-m75q) The ThinkCentre M75q (Tiny) is one of the great refurb deals in 2026. €150–250 buys a 2021-era Ryzen 5 with 16 GB RAM, an NVMe slot, USB 3.0+ — comfortably running Hermes Agent with browser tool. Local LLM ceiling is real (Mistral 7B Q4 around 8-10 tok/s) but the price/performance is unbeatable for new self-hosters. Watch the seller for genuine refurb units versus “tested working” ones with worn fans. - **Price:** €150–250 used - **CPU:** AMD Ryzen 5 PRO 4650GE / 5650GE - **RAM:** 8 / 16 / 32 GB DDR4 - **Power:** 15–35 W - **Local LLM capability:** small-only - **Agent score:** 8/10 - **Best for:** Budget self-hosters wanting more than a Pi 5 can offer; Cost-optimised always-on agent hosting; Refurb-friendly builders - **Not for:** Local LLM beyond 7B Q4 (modest GPU); Brand-new-hardware purists; Specific compliance requirements (used hardware introduces audit gaps) ### [Minisforum UM790 Pro](https://pocketclaw.dev/pocket/minisforum-um790-pro) The UM790 Pro pushes the upper bound of the Linux mini PC tier. Ryzen 9 with Radeon 780M and 64 GB DDR5 ceiling brings Llama 3 8B Q4 to ~22 tok/s, Mistral Small 22B Q4 to ~10 tok/s. The 65W max TDP keeps thermals reasonable. Linux compatibility is solid (verified Debian, Ubuntu, Fedora). At €800, it's not the cheap option, but it's the highest-performance x86 mini PC we'd recommend for self-hosted AI in 2026. - **Price:** €700–900 - **CPU:** AMD Ryzen 9 7940HS — 8 cores / 16 threads - **RAM:** 16 / 32 / 64 GB DDR5 - **Power:** 25–65 W - **Local LLM capability:** yes - **Agent score:** 9/10 - **Best for:** High-end Linux mini PC deployments; Local LLM at 13B Q4 (Radeon 780M helps); Multi-tool agent workloads with browser automation - **Not for:** Cost-optimised setups (cheaper options exist); Apple Silicon-equivalent unified-memory workloads ### [Khadas Edge2 Pro](https://pocketclaw.dev/pocket/khadas-edge2) The Khadas Edge2 Pro is a premium take on the RK3588 SoC. Build quality is genuinely better than the Orange Pi 5 Plus — heatsink design, board fabrication, thermal headroom. The catch is community: smaller user base, fewer tutorials, slower issue response. If you'll value polish over ecosystem, the Edge2 is worth the premium. Otherwise, Orange Pi 5 Plus offers more capability per €. - **Price:** €220–280 - **CPU:** Rockchip RK3588 — 4× A76 + 4× A55 - **RAM:** 8 / 16 GB LPDDR4X - **Power:** 8–15 W - **Local LLM capability:** small-only - **Agent score:** 7/10 - **Best for:** Premium SBC builders who want polished hardware; Compact ARM deployments where Pi 5 RAM is insufficient - **Not for:** Cost-optimised setups (Pi 5 is cheaper); Production where community support matters ### [Dell OptiPlex 3070 / 5070 Micro (used)](https://pocketclaw.dev/pocket/dell-optiplex-3070) The OptiPlex 3070/5070 Micro is a 2019-vintage corporate refurb that hits the market at €100-180 in 2026. Intel i5 8th gen, 8-16 GB RAM, NVMe — enough to run Hermes Agent without browser tool, plenty for Nanobot. Local LLM is essentially out of scope (the iGPU is too slow). Power draw is meaningfully higher than modern mini PCs, eating into the cost advantage on always-on workloads. Worth it as the cheapest credible entry, not as a long-term deployment. - **Price:** €100–180 used - **CPU:** Intel i5-8400T / i5-9500T - **RAM:** 8 / 16 / 32 GB DDR4 - **Power:** 15–35 W - **Local LLM capability:** no - **Agent score:** 6/10 - **Best for:** Absolute budget self-hosting; Always-on agent hosting where local LLM is irrelevant; Educational / learning setups - **Not for:** Local LLM (8th gen Intel iGPU is too slow); Browser automation at scale; Anyone valuing low electricity bills (2019 efficiency) ### [Geekom Mini Air 12](https://pocketclaw.dev/pocket/geekom-mini-air-12) The Geekom Mini Air 12 represents the silent / low-power tier of mini PCs. Fanless N100 design, 16 GB DDR5, 512 GB NVMe at sub-€300 — usable for a Hermes Agent host that needs to be quiet (bedroom homelab) or low-power (small electricity bill). Local LLM is out of scope. Browser automation works but is sluggish under load. Not a primary recommendation, but a credible specialist pick. - **Price:** €280–340 - **CPU:** Intel N100 — 4 cores - **RAM:** 16 GB DDR5 - **Power:** 6–15 W - **Local LLM capability:** no - **Agent score:** 6/10 - **Best for:** Silent always-on agent host (no fans); Bedroom homelab; Edge deployments where power matters - **Not for:** Local LLM (N100 too slow); Browser automation (CPU-constrained); Multi-tool heavy workloads ## CVE archive ### [CVE-2026-26701](https://pocketclaw.dev/cves/cve-2026-26701) — Hermes Agent — sandbox escape via tool definition injection Hermes Agent's tool loader did not validate sandbox declarations against a schema. A malicious tool definition (loaded from a community marketplace) could declare an empty sandbox block, effectively disabling the sandbox for that tool's execution. Patched in 2026.4.4. - **Severity:** high (CVSS 7.6) - **Affects:** hermes-agent - **Affected versions:** 2026.4.0 – 2026.4.3 - **Fixed in:** 2026.4.4 - **Exploit in wild:** no - **Published:** 2026-04-26 ### [CVE-2026-25898](https://pocketclaw.dev/cves/cve-2026-25898) — OpenClaw — credential leak via verbose error logs Verbose error logging in OpenClaw 2026.4.0–2026.4.5 includes API keys when an HTTP 401 is returned by the LLM provider. Logs are written to stdout and may be exfiltrated by any process with read access to the OpenClaw container. - **Severity:** high (CVSS 7.4) - **Affects:** openclaw - **Affected versions:** 2026.4.0 – 2026.4.5 - **Fixed in:** 2026.4.6 - **Exploit in wild:** no - **Published:** 2026-04-22 ### [CVE-2026-22807](https://pocketclaw.dev/cves/cve-2026-22807) — OpenClaw — prompt-injection-resistant audit log incomplete The OpenClaw 2026.4 audit log records tool calls but did not include the full prompt context that triggered them. A prompt-injection attack could not be reconstructed from logs alone, making forensic analysis significantly harder. Improvement scheduled but not yet shipped. - **Severity:** medium (CVSS 5) - **Affects:** openclaw - **Affected versions:** 2026.4.0 – current - **Fixed in:** Pending (planned 2026.5) - **Exploit in wild:** no - **Published:** 2026-04-18 ### [CVE-2026-26330](https://pocketclaw.dev/cves/cve-2026-26330) — NitroClaw — IDOR in admin dashboard tenant routing NitroClaw's admin dashboard URL pattern allowed authenticated users to read other tenants' agent configurations by changing a numeric tenant ID in the URL. No tool execution leakage. Configurations contained no plaintext secrets. - **Severity:** medium (CVSS 5.4) - **Affects:** nitroclaw - **Affected versions:** Platform 1.4 – 1.5 - **Fixed in:** Platform 1.6 - **Exploit in wild:** no - **Published:** 2026-04-12 - **Patched:** 2026-04-13 ### [CVE-2026-24112](https://pocketclaw.dev/cves/cve-2026-24112) — IronClaw — XSS in audit log viewer The IronClaw audit log viewer rendered tool call arguments without HTML escaping. A malicious tool call could inject script tags that executed in the context of an authenticated admin viewing the log. - **Severity:** medium (CVSS 6.1) - **Affects:** ironclaw - **Affected versions:** 1.0.0 – 1.1.4 - **Fixed in:** 1.1.5 - **Exploit in wild:** no - **Published:** 2026-04-08 - **Patched:** 2026-04-12 ### [CVE-2026-23912](https://pocketclaw.dev/cves/cve-2026-23912) — MCP protocol — tool description spoofing across implementations A flaw in the way several MCP server implementations handled tool description updates allowed a malicious MCP server to silently rename a tool after handshake. Agents that cached the original tool name could be tricked into invoking a different tool. Affected the MCP server libraries used by both OpenClaw and Hermes Agent. - **Severity:** high (CVSS 8.1) - **Affects:** openclaw, hermes-agent - **Affected versions:** Multiple - **Fixed in:** OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4 - **Exploit in wild:** no - **Published:** 2026-04-03 - **Patched:** 2026-04-08 ### [CVE-2026-26044](https://pocketclaw.dev/cves/cve-2026-26044) — NanoClaw — Apple container privilege escalation NanoClaw 0.3.x granted excessive entitlements to its container helper process. A local attacker with low-privilege access could escalate to admin via the helper. - **Severity:** medium (CVSS 5.5) - **Affects:** nanoclaw - **Affected versions:** 0.3.0 – 0.3.4 - **Fixed in:** 0.3.5 - **Exploit in wild:** no - **Published:** 2026-04-02 - **Patched:** 2026-04-04 ### [CVE-2026-23501](https://pocketclaw.dev/cves/cve-2026-23501) — Nanobot — log injection via unescaped tool output Nanobot wrote tool output verbatim to stdout. An adversarial tool could include ANSI escape codes or terminal control sequences in its output, manipulating the terminal display of the developer running the agent. Cosmetic but in some terminals could obscure security warnings. Fixed by sanitising tool output before logging. - **Severity:** low (CVSS 3.7) - **Affects:** nanobot - **Affected versions:** 0.1.0 – 0.6.x - **Fixed in:** 0.7.0 - **Exploit in wild:** no - **Published:** 2026-03-29 - **Patched:** 2026-04-01 ### [CVE-2026-24891](https://pocketclaw.dev/cves/cve-2026-24891) — OpenClaw — path traversal in file tool The default file-read tool in OpenClaw 2026.3.x did not normalise relative paths. An agent given a maliciously-crafted path (via prompt injection or otherwise) could read files outside its declared workspace, including SSH keys and credential vaults. - **Severity:** high (CVSS 7.8) - **Affects:** openclaw - **Affected versions:** 2026.3.0 – 2026.3.11 - **Fixed in:** 2026.3.12 - **Exploit in wild:** no - **Published:** 2026-03-17 - **Patched:** 2026-03-19 ### [CVE-2026-24447](https://pocketclaw.dev/cves/cve-2026-24447) — ZeroClaw — local network scan via misconfigured iptables rule ZeroClaw's bundled egress-deny iptables rule allowed RFC1918 destinations by default. A prompt-injected agent could scan the local network for HTTP services. Default policy tightened to loopback-only in 0.5.6. - **Severity:** medium (CVSS 6.5) - **Affects:** zeroclaw - **Affected versions:** 0.5.0 – 0.5.5 - **Fixed in:** 0.5.6 - **Exploit in wild:** no - **Published:** 2026-03-04 - **Patched:** 2026-03-06 ### [CVE-2026-25712](https://pocketclaw.dev/cves/cve-2026-25712) — OpenClaw — auth bypass via WebSocket downgrade Versions 2026.2.10–2026.2.12 introduced the WebSocket origin check from CVE-2026-25253 but did not protect against HTTP/1.0 downgrade. An attacker who could control DNS or perform an HTTP-level downgrade could bypass the origin check. Patched in 2026.2.13. - **Severity:** high (CVSS 7.2) - **Affects:** openclaw - **Affected versions:** 2026.2.10 – 2026.2.12 - **Fixed in:** 2026.2.13 - **Exploit in wild:** no - **Published:** 2026-02-21 - **Patched:** 2026-02-23 ### [CVE-2026-25103](https://pocketclaw.dev/cves/cve-2026-25103) — OpenClaw — credential storage in plaintext on disk OpenClaw stored API keys for LLM providers in plaintext in ~/.openclaw/credentials.json with mode 644. Any process running under the same user could read the file. The pre-2026.2.10 default tools included an unrestricted file-read tool, making prompt-injection-driven credential exfiltration trivial. - **Severity:** critical (CVSS 9.1) - **Affects:** openclaw - **Affected versions:** ≤ 2026.2.9 - **Fixed in:** 2026.2.10 (with manual key rotation required) - **Exploit in wild:** yes - **Published:** 2026-02-04 - **Patched:** 2026-02-08 ### [CVE-2026-25253](https://pocketclaw.dev/cves/cve-2026-25253) — OpenClaw — 1-click RCE via WebSocket origin bypass OpenClaw's local dashboard accepts WebSocket connections without validating the Origin header. Any web page visited while OpenClaw is running can open the WebSocket and trigger tool execution. With default tools enabled, this is a full RCE. - **Severity:** critical (CVSS 9.6) - **Affects:** openclaw - **Affected versions:** ≤ 2026.2.9 - **Fixed in:** 2026.2.10 - **Exploit in wild:** yes - **Published:** 2026-01-25 - **Patched:** 2026-01-27 ## Provider reviews ### [Anthropic (Claude API)](https://pocketclaw.dev/providers/anthropic) Claude 4.5 Sonnet is the most reliable agentic model we tested in 2026. Tool-use behaviour is consistently better than GPT-5 in our blind tests; the model rarely hallucinates tool names, rarely calls non-existent functions, rarely misformats arguments. Long context (1M tokens) is genuinely usable, not just nominal — long-context retrieval quality is the highest in the market. Prompt caching cuts production costs dramatically. Pricing premium vs raw cost-optimisation gateways like OpenRouter is meaningful but justifiable for the quality. The Anthropic team's commitment to AI safety, while sometimes inconvenient at the API level, has shipped very few embarrassing failures. We pay for Claude usage out of our own budget for testing — and we recommend it to anyone whose budget supports it. - **Category:** llm - **Pricing:** $3 / 1M input tokens, $15 / 1M output (Sonnet 4.5) - **Affiliate:** no - **Rating:** 5/5 ### [OpenAI (GPT API)](https://pocketclaw.dev/providers/openai) OpenAI's GPT-5 is genuinely strong, particularly on coding tasks where it edges out Claude in our benchmarks. The API itself remains the gold standard for SDK breadth and integration coverage — every agent framework we test supports OpenAI first-class, sometimes only OpenAI for non-Anthropic providers. Pricing is competitive. The trade-offs: tool-use behaviour is meaningfully more variable than Claude's on multi-step tasks (we've watched GPT-5 lose track of which tool it called two steps ago), model deprecations come faster than we'd like, and OpenAI's safety stance has wobbled enough times in 2025 to make us cautious about depending on it as an only choice. Our standard recommendation: have OpenAI configured as a fallback for when Claude is unavailable, but lead with Claude. - **Category:** llm - **Pricing:** $2.50 / 1M input tokens, $10 / 1M output (GPT-5) - **Affiliate:** no - **Rating:** 4/5 ### [OpenRouter](https://pocketclaw.dev/providers/openrouter) OpenRouter is our default LLM gateway for self-hosted agent testing. The single OpenAI-compatible endpoint covering 100+ models from 30+ providers solves a real problem: agent frameworks support “OpenAI-compatible” out of the box, and OpenRouter speaks that protocol while routing to whichever provider you actually want. The provider-fallback feature is the killer feature in production — when Claude rate-limits, OpenRouter falls back to GPT or Llama without code changes. Pricing is at-cost from upstream with a small markup, transparent enough that you can see what each call would have cost direct. The latency hit (extra hop through OpenRouter) is real but typically <50ms. Our affiliate disclosure: yes, we have a referral arrangement with OpenRouter. We use them in our own deployments and recommended them long before the affiliate existed. Full disclosure at /disclosure. - **Category:** llm - **Pricing:** At-cost from upstream provider + small markup - **Affiliate:** yes (disclosed) - **Rating:** 5/5 ### [Hetzner](https://pocketclaw.dev/providers/hetzner) Hetzner is the VPS provider we use for our own infrastructure and recommend in nearly every self-hosted-AI-on-a-VPS guide we publish. The CX22 plan at €5/month (2 vCPU, 4 GB RAM, 40 GB SSD) is the price/performance benchmark for budget self-hosting. The CCX13 at €38/month for dedicated CPU resources is the upgrade path when shared compute becomes a bottleneck. Network performance is consistently strong from EU origin, transparent pricing means no “your bill tripled because of egress” surprises, and the company's been around long enough to trust with production. The downsides are honest: customer support is competent but not concierge-level, and account verification for first-time customers can be strict (passport scan and phone verification standard). We have an affiliate arrangement with Hetzner — €20 credit per converted signup. Full disclosure at /disclosure. - **Category:** hosting - **Pricing:** €5/month (CX22) — €38/month (CCX13 dedicated) - **Affiliate:** yes (disclosed) - **Rating:** 5/5 ### [Cloudflare Workers](https://pocketclaw.dev/providers/cloudflare-workers) Cloudflare Workers earns its place in this list because the free tier is genuinely usable for small self-hosted agents — 100K requests per day on the free plan covers a serious personal deployment. Workers' V8 isolate model means sub-millisecond cold starts and global edge distribution “for free”. The catch is the runtime: no native binaries, no long-running processes, no browser automation. For an agent that's mostly LLM calls + lightweight HTTP tools, Workers is fantastic. For anything heavier (the typical Hermes Agent setup with browser automation), Workers can't host it. Moltworker exists specifically to make Workers viable for the constrained-but-meaningful case. We don't have an affiliate relationship with Cloudflare but we do use Workers ourselves for some smaller projects. - **Category:** hosting - **Pricing:** Free tier (100K requests/day) — $5+/month paid tiers - **Affiliate:** no - **Rating:** 4/5 ### [Tailscale](https://pocketclaw.dev/providers/tailscale) Tailscale is one of the rare bits of 2026 infrastructure that we recommend without caveats. The free personal tier (up to 100 devices, 3 users, no time limit) covers nearly every hobbyist and small-team self-hosted AI setup we've designed. Identity-based mesh networking is genuinely better than IP-based VPN for our use case — every device gets a stable name (your-laptop.tailnet.ts.net), access is granted to identities rather than IP ranges, and the whole thing “just works” across home, office, VPS and travel. The ACL system is powerful enough for most production needs. Tailscale-the-company is a SaaS dependency, which we'd flag for compliance-mandated environments — those can run Headscale (the open-source control plane) on their own infrastructure to avoid vendor dependency. We don't have an affiliate relationship with Tailscale; we recommend them on technical merit. - **Category:** network - **Pricing:** Free for personal use (up to 100 devices, 3 users) — $5/user/month for teams - **Affiliate:** no - **Rating:** 5/5 ## Glossary - **[AI agent](https://pocketclaw.dev/glossary/ai-agent)**: Software that uses one or more language models to autonomously plan and execute multi-step tasks via tool calls. - **[Air-gap](https://pocketclaw.dev/glossary/air-gap)**: Deployment with no network connection to untrusted networks — typically no internet access at all. - **[Approval flow](https://pocketclaw.dev/glossary/approval-flow)**: UI pattern requiring human confirmation before an agent's tool call executes. - **[BYOK (Bring Your Own Key)](https://pocketclaw.dev/glossary/byok)**: Pricing pattern where a user supplies their own LLM API keys to a self-hosted or managed agent. - **[Caddy](https://pocketclaw.dev/glossary/caddy)**: Reverse proxy server with automatic HTTPS via Let's Encrypt. The easiest path to TLS on a self-hosted setup. - **[Cloudflare Workers](https://pocketclaw.dev/glossary/cloudflare-workers)**: Edge serverless runtime running V8 isolates across 330+ Cloudflare data centres. - **[CVE-2026-25253](https://pocketclaw.dev/glossary/cve-2026-25253)**: Critical 1-click remote code execution vulnerability in OpenClaw versions before 2026.2.10. CVSS 9.6. - **[Data residency](https://pocketclaw.dev/glossary/data-residency)**: Regulatory or contractual requirement that data not leave a defined geographic or organisational boundary. - **[Docker Compose](https://pocketclaw.dev/glossary/docker-compose)**: Tool for defining and running multi-container Docker applications via a single YAML file. - **[Docker sandbox](https://pocketclaw.dev/glossary/docker-sandbox)**: Sandbox using a Docker container with filesystem mount and network policy controls. - **[Edge AI](https://pocketclaw.dev/glossary/edge-ai)**: AI workloads running close to where data is generated rather than in centralised cloud datacenters. - **[Embeddings](https://pocketclaw.dev/glossary/embeddings)**: Numerical vector representations of text, images, or audio that capture semantic similarity. - **[EU AI Act](https://pocketclaw.dev/glossary/eu-ai-act)**: EU regulation classifying AI systems by risk level and imposing obligations on high-risk deployments. - **[GDPR](https://pocketclaw.dev/glossary/gdpr)**: EU regulation governing personal data processing. Applies to most consumer-facing AI deployments touching EU users. - **[GGUF](https://pocketclaw.dev/glossary/gguf)**: File format for storing quantised LLM weights, used by llama.cpp and Ollama. - **[gVisor](https://pocketclaw.dev/glossary/gvisor)**: User-space kernel that runs as a sandbox layer between containers and the host kernel. - **[Hermes Agent](https://pocketclaw.dev/glossary/hermes-agent)**: Open-source self-hosted AI agent from Nous Research, released February 2026. Sandboxed by default, multi-LLM. - **[Hetzner](https://pocketclaw.dev/glossary/hetzner)**: German VPS and dedicated server provider. The cheapest credible EU option for self-hosting in 2026. - **[IronClaw](https://pocketclaw.dev/glossary/ironclaw)**: Enterprise-grade self-hosted AI agent with gVisor sandboxing, RBAC and audit logging. Source-available. - **[Llama](https://pocketclaw.dev/glossary/llama)**: Meta's family of open-weight large language models. Llama 3.3 70B is the leading open frontier model in 2026. - **[llama.cpp](https://pocketclaw.dev/glossary/llama-cpp)**: C++ inference engine for LLMs. The runtime under most local-LLM setups, including Ollama. - **[Local LLM](https://pocketclaw.dev/glossary/local-llm)**: Language model running on local hardware rather than via cloud API. Llama, Qwen, Mistral local variants. - **[Magic link](https://pocketclaw.dev/glossary/magic-link)**: Passwordless authentication where the user clicks a one-time link sent to their email. - **[MCP (Model Context Protocol)](https://pocketclaw.dev/glossary/mcp)**: Open standard for connecting language models to external tools and data sources via a JSON-RPC interface. - **[MCP server](https://pocketclaw.dev/glossary/mcp-server)**: Process that exposes a set of tools to MCP-compatible AI agents over a JSON-RPC interface. - **[Mistral](https://pocketclaw.dev/glossary/mistral)**: European LLM developer. Mistral 7B is the canonical small open-weight model; Mistral Small 22B targets the mid-tier. - **[Moltworker](https://pocketclaw.dev/glossary/moltworker)**: Cloudflare Workers-based self-hosted AI agent reference implementation. - **[Nanobot](https://pocketclaw.dev/glossary/nanobot)**: 4,000-line Python self-hosted AI agent from HKU. Designed to be auditable in an afternoon. - **[NanoClaw](https://pocketclaw.dev/glossary/nanoclaw)**: macOS-only fork of OpenClaw using Apple's container framework for sandboxing. Claude-only. - **[Ollama](https://pocketclaw.dev/glossary/ollama)**: Local LLM runtime that exposes an OpenAI-compatible API over local model weights. - **[OpenClaw](https://pocketclaw.dev/glossary/openclaw)**: Open-source autonomous AI agent created by Peter Steinberger in November 2025. Most-installed self-hosted agent of 2026. - **[OpenRouter](https://pocketclaw.dev/glossary/openrouter)**: LLM API gateway providing a unified interface across Anthropic, OpenAI, Google, Mistral and many open models. - **[Phi-3](https://pocketclaw.dev/glossary/phi-3)**: Microsoft's small-language-model family. Phi-3 mini 3.8B runs on a Raspberry Pi 5. - **[Pocket AI](https://pocketclaw.dev/glossary/pocket-ai)**: Self-hosted AI agents and language models running on portable, low-power hardware you own. - **[Prompt injection](https://pocketclaw.dev/glossary/prompt-injection)**: Attack technique where adversarial input embedded in a document or webpage hijacks an agent's behaviour. - **[Quantisation](https://pocketclaw.dev/glossary/quantisation)**: Reducing the numerical precision of model weights to shrink memory footprint and speed up inference, with quality tradeoff. - **[Qwen](https://pocketclaw.dev/glossary/qwen)**: Alibaba's open-weight LLM family. Qwen 2.5 Coder 7B is widely used for self-hosted code-focused agents. - **[RAG (Retrieval-Augmented Generation)](https://pocketclaw.dev/glossary/rag)**: Pattern of augmenting LLM responses with retrieved external data, typically from a vector database. - **[RCE (Remote Code Execution)](https://pocketclaw.dev/glossary/rce)**: Vulnerability class where an attacker can execute arbitrary code on a target system over a network. - **[Sandbox](https://pocketclaw.dev/glossary/sandbox)**: Isolation layer that constrains what an agent's tool execution can access on the host. - **[Sandboxed tool execution](https://pocketclaw.dev/glossary/sandboxed-tool-execution)**: Running an agent's tool calls inside an isolated environment that limits filesystem, network and process access. - **[Self-hosted AI](https://pocketclaw.dev/glossary/self-hosted-ai)**: AI software you install on hardware you control, rather than consuming as a hosted product. - **[Tailscale](https://pocketclaw.dev/glossary/tailscale)**: Mesh VPN built on WireGuard. Common pattern for keeping self-hosted dashboards off the public internet. - **[Tool call](https://pocketclaw.dev/glossary/tool-call)**: Structured invocation of an external function by a language model, typically as JSON conforming to a declared schema. - **[Vector database](https://pocketclaw.dev/glossary/vector-database)**: Database optimised for similarity search over high-dimensional embeddings. - **[VPS](https://pocketclaw.dev/glossary/vps)**: Virtual private server — a virtualised slice of a physical server, typically rented by the month. - **[Watchtower](https://pocketclaw.dev/glossary/watchtower)**: Container that watches running containers and pulls/redeploys when new images ship. - **[WebSocket origin validation](https://pocketclaw.dev/glossary/websocket-origin-validation)**: Server-side check that an incoming WebSocket connection comes from an allowed origin domain. - **[Zero trust](https://pocketclaw.dev/glossary/zero-trust)**: Security architecture that assumes no implicit trust and verifies every access request. - **[ZeroClaw](https://pocketclaw.dev/glossary/zeroclaw)**: Privacy-first self-hosted AI agent. Local LLMs only, no cloud, AGPL-3.0. ## Editorial principles 1. Real installs, real bills. We pay for the hardware and accounts we test. 2. Security before features. Threat model leads. 3. Boring is allowed. The right answer is sometimes 'don't self-host'. 4. Disclosure or nothing. Affiliate links flagged inline, sponsored content visually distinct. 5. Update or unpublish. Stale guides get banners or rewrites; we don't let old guides quietly mislead. ## Contact - Email: contact@pocketclaw.dev - Twitter: https://x.com/Pocket_claw - Newsletter: https://pocketclaw.dev/newsletter - RSS: https://pocketclaw.dev/feed.xml