What Is Clawdbot? A Clear Guide to This AI Assistant

10 min read
Feb 02, 2026

What is Clawdbot?

Clawdbot stands out as an open-source, self-hosted personal AI assistant that runs locally on your hardware. It works as a bridge between messaging platforms and large language models. Users can chat with Clawdbot through Telegram, WhatsApp, Slack, Discord, Signal, and iMessage - just like texting a friend.

Peter Steinberger, founder of PSPDFKit and known online as @steipete, created this smart assistant. The system can independently complete tasks instead of just answering questions. A playful lobster emoji represents the project's crustacean-themed identity.

The technical side of Clawdbot is straightforward. It acts as a gateway without its own AI model. Messages flow through it to language models like Claude or ChatGPT. The system then interprets responses and picks the right tools. Users can access a web interface to set up integrations, credentials, and permissions while the assistant remembers conversations across sessions.

User control sets Clawdbot apart from cloud-based options. Your computer stores all context, memory, and assistant skills - not corporate servers. This local-first design protects your privacy and lets you customize everything.

A dedicated device like a Mac Mini or a basic cloud server (~$5.00/month) keeps Clawdbot running constantly. This always-on setup helps it understand your priorities and take initiative over time.

Clawdbot shines in its ability to take action on your behalf. Beyond just chatting, it handles files, manages emails, schedules meetings, scrapes websites, runs scripts, and executes shell commands. The assistant makes ground changes happen instead of just providing information.

People who want more control over their AI interactions will find Clawdbot refreshing. It avoids subscription traps and privacy concerns while offering unlimited customization. The combination of consistent availability, local control, and action-focused design makes Clawdbot unique among personal AI assistants.

How does Clawdbot work?

Clawdbot works as an agent gateway that links large language models to messaging platforms and local system capabilities. The system runs through a persistent gateway process. It routes messages from Telegram, WhatsApp, Signal, Discord, and Slack to suitable AI models and tools.

The system architecture has several connected parts. The Clawdbot Gateway acts as the central orchestration layer. It handles message routing, AI inference calls, credential management, and tool execution. The Clawdbot interface serves as a web-based admin panel. Users can configure integrations, approve devices, review conversations, and manage keys through this interface. It serves as the control plane for the entire agent system.

The system follows a simple flow. Messages come in from messaging apps, and the Gateway picks them up. It figures out what to do, calls the AI model, and runs tasks if needed before responding. This setup lets users manage unified inboxes, maintain state, run scheduled jobs, and connect with calendars, emails, smart home systems, and browsers.

Clawdbot uses modular Skills to expand what it can do. Users can add community-contributed skills from ClawdHub or build custom ones for specific needs. Channels connect to messaging platforms, while Tools let users run shell commands, work with files, browse the web, and do more.

The system keeps track of ongoing tasks and maintains context across conversations and sessions. Its long-term memory saves user context and priorities over time, which leads to customized, context-aware responses. The system can take initiative by sending reminders, morning briefings, or event alerts without users asking.

Security-wise, Clawdbot needs access to API keys, bot tokens, OAuth secrets, filesystem permissions, and root-level execution privileges. It stores credentials for multiple services, handles private communications, and runs commands on its own. These capabilities make it powerful but potentially dangerous. Anyone who gets access to the Clawdbot interface can use everything the agent has permission to do.

How to set up Clawdbot on your device

Setting up Clawdbot needs a few specific steps to work correctly. You'll need Node.js v22+ and terminal access to your device.

1. Install Node.js and Clawdbot

Your system must have Node.js version 22 or higher. Ubuntu users can run these commands to install Node.js 22:

curl -fsSL https://deb.nodesource.com/setup_22.x | bash - apt install -y nodejs

You can install Clawdbot using one of these methods:

Official installer script (recommended):curl -fsSL https://clawd.bot/install.sh | bash
Manual npm installation[152]:npm install -g clawdbot@latest

Check your setup with:

clawdbot doctor

2. Authenticate with OpenAI or Claude

Clawdbot works with both OAuth and API keys from model providers. Here's how to authenticate:

3. For Anthropic Claude:

Option A: Use API key (recommended)export ANTHROPIC_API_KEY='your-key-here' clawdbot models status
Option B: Use Claude setup-token (for subscription users):claude setup-token clawdbot models auth setup-token --provider anthropic

4. For OpenAI/other providers:clawdbot models auth paste-token --provider openrouter

Connect messaging platforms

Now you can connect your preferred messaging platform:

5.WhatsApp: Run clawdbot channels login and scan the QR code. You'll find this under Settings → Linked Devices in your WhatsApp app.

6.Telegram:

Message @BotFather on Telegram
Send /newbot and follow the prompts
Get your token and user ID from @userinfobot
Add both when you run clawdbot onboard --install-daemon

Install Clawdbot skills

Clawdbot becomes more powerful with Skills. You can:

Install skills through ClawdHub:clawdhub install
Update all installed skills:clawdhub update --all

You'll find skills in /skills (agent-specific) or ~/.clawdbot/skills (shared across agents).

Pair devices and test

Clawdbot needs pairing approval for new devices to keep things secure:

See pending device requests:clawdbot devices list
Approve or reject devices:clawdbot devices approve clawdbot pairing approve

Run this command to make sure everything works:

clawdbot health

This shows that your Gateway, authentication, and channel connections are working properly.

`What are the security risks of using Clawdbot?`

Security risks come with Clawdbot's powerful capabilities. Internet scans have found that there are over 1,000 publicly available Clawdbot gateway and control instances, and many lack proper authentication. These vulnerabilities do not come from the software itself but from deployment practices and architectural choices.

`Prompt injection vulnerabilities`

Prompt injection poses one of the most important threats as attackers craft messages that manipulate the AI to perform unsafe actions. This vulnerability exists even when only trusted users can message the bot because untrusted content from web searches, emails, or documents can carry adversarial instructions. Attackers exploit this weakness to exfiltrate sensitive files, leak private keys, or run arbitrary commands. These attacks work because large language models cannot reliably tell the difference between instructions and content.

`Exposed control interfaces`

Security researchers found that there were hundreds of internet-facing control panels linked to Clawdbot. These exposed dashboards let outsiders view configuration data, retrieve API keys, and browse full conversation histories. Some instances even allowed unauthenticated command execution on host systems with elevated privileges. Shodan searches show 1,009 Clawdbot gateways are exposed on the public internet today.

`Supply chain risks from ClawdHub`

ClawdHub, Clawdbot's skill distribution platform, brings supply chain vulnerabilities like those in npm and PyPI. Security researchers showed this risk by uploading a simulated backdoored skill that looked legitimate. They artificially raised its download count to 4,000+, making it the most downloaded skill. The proof-of-concept attracted 16 executions across seven countries in just eight hours. The platform treats all code as trusted and lacks proper vetting processes.

`Misconfigured localhost access`

Trust assumptions around localhost connections cause many exposures. Clawdbot supports cryptographic device authentication, but some configurations auto-approve connections from localhost. External traffic may appear as loopback traffic when the gateway sits behind a reverse proxy unless trusted proxies are configured correctly. This setup creates a situation where proxied connections look like they come from localhost and get automatic trust.

`Phishing and impersonation threats`

Early-stage phishing and impersonation signals are emerging as Clawdbot grows. Over 50 domains with the 'clawd' keyword have been registered, that indicates potential opportunistic abuse. Attackers could easily impersonate the operator and siphon data through trusted integrations since Clawdbot can send messages as the operator, inject content into ongoing conversations, and execute commands across services.

`Key Takeaways`

Clawdbot is a self-hosted AI assistant that bridges messaging platforms with language models, offering unprecedented control and customization for users seeking alternatives to commercial AI services.Local control matters: Clawdbot runs on your hardware, ensuring data privacy and avoiding subscription lock-in while maintaining persistent memory across sessions.
Actions beyond chat: Unlike traditional chatbots, Clawdbot executes real tasks like file management, email handling, and system commands through modular skills.
Security requires vigilance: Over 1,000 exposed instances highlight critical risks including prompt injection attacks, misconfigured access controls, and supply chain vulnerabilities from ClawdHub.
 Setup demands technical knowledge: Installation requires Node.js 22+, API authentication, platform integration, and proper device pairing to function securely.
Trust comes with trade-offs: Clawdbot's power stems from extensive system access and credential storage, making proper configuration essential for safe operation.

The combination of local sovereignty and agentic capabilities makes Clawdbot compelling for technical users, but its security risks demand careful deployment and ongoing vigilance to prevent unauthorized access and exploitation.

`FAQs`

Clawdbot is an open-source, self-hosted AI assistant that runs locally on your device. It acts as an intermediary between messaging platforms like Telegram and WhatsApp and large language models like Claude or ChatGPT. Clawdbot routes messages to these AI models, interprets responses, and can execute various tasks and tools on your behalf.

Setting up Clawdbot involves installing Node.js, authenticating with an AI model provider like OpenAI or Anthropic, connecting messaging platforms, installing Clawdbot skills, and pairing devices. The process requires some technical knowledge and comfort with using the command line. Detailed setup instructions are available in the Clawdbot documentation.

Yes, Clawdbot can be configured to work with locally hosted language models through tools like Ollama or LM Studio. However, setting this up can be more complex than using cloud APIs. You'll need to properly configure the local model endpoint in Clawdbot's settings.

The primary security concerns include prompt injection vulnerabilities, exposed control interfaces if not properly secured, supply chain risks from third-party skills, misconfigured access controls, and potential for phishing or impersonation attacks. Clawdbot has extensive system access, so proper configuration and ongoing vigilance are essential.

The Clawdbot software itself is free and open-source. However, if using cloud AI APIs, you'll incur usage costs based on the number of tokens processed. Costs can vary widely depending on usage patterns and which AI model you connect to. Some users report spending anywhere from a few dollars to over $100 per day in API costs for heavy usage.

By Vaibhav Sharma