Open Source
Install multiple agents, they collaborate automatically.
Self-hosted. Docker-isolated. Agentic by design.
"RIP OpenClaw."
How to deploy a secure, autonomous AI agent available on all your devices — in 60 seconds
600K+ watched the original setup. We made it 1-click.
Auto Mode
Install multiple agents and they collaborate as one. No manual switching. The right agent handles each request — and tells you which one answered.
You
Summarize my unread emails and check HN for AI news
seclaw
Inbox
3 urgent, 7 action needed, 12 FYI. Top urgent: contract review from legal (deadline tomorrow).
Hacker News
Top AI stories: Anthropic launches Claude 4.5, Google open-sources Gemma 3, OpenAI restructures.
— Inbox Management, Research & Intelligence
You
Any new leads from that Anthropic announcement?
seclaw
Scanning X for buying signals around "Claude 4.5"... Found 3 leads scoring 8+. Drafts saved to /shared/outreach/drafts/.
— Sales & Lead Generation
npx seclaw add inbox-agent
Each template stacks onto your base agent. No conflicts.
The LLM picks the right capability for each message. Email questions go to Inbox. Lead questions go to Sales.
Every response shows which agent answered. You always know who did what.
Use /templates in Telegram to focus on a single agent. Auto mode is the default.
When an agent needs an integration that isn't connected, it generates an OAuth link and sends it directly in chat. No manual setup. No /integrations command needed.
seclaw
I need X (Twitter) connected to scan for leads. Authorize X (Twitter)
Open the link, sign in, and grant access. After completing authorization, your new tools load automatically.
17 agent templates from $0 to $149. Scheduled tasks, human-in-the-loop approval, real integrations.
Morning report ready when you wake up. Task management, daily reports, email drafting, and file organization — all running locally on your machine.
3 urgent, 5 action needed, 12 FYI, 8 newsletter. AI inbox manager that categorizes, summarizes, and triages your Gmail. Urgent items arrive instantly via Telegram.
Know when competitors change anything — in 5 minutes. Monitors X, Hacker News, Reddit, and RSS feeds for industry intelligence with scheduled briefings.
Your X account grows while you sleep. Research trending topics, draft posts in your voice, publish with human-in-the-loop approval, and track engagement.
Find leads overnight, inbox full by morning. Detect buying signals on X, qualify prospects, draft personalized outreach, and log to CRM automatically.
6 AI agents running your company for $8/month. Coordinator, Executor, Observer, Analyst, Content, Growth — with quality gates and multi-agent orchestration.
Why we built seclaw
68K+ stars on GitHub. Zero container isolation. Your API keys, SSH keys, and browser cookies — all accessible to any tool the agent decides to install.
OpenClaw passes all environment variables to every MCP container. Your Anthropic key, Stripe key, database credentials — all visible to any tool the agent installs.
The agent has full read/write access to your entire home directory. It can read ~/.ssh/id_rsa, ~/.aws/credentials, browser cookies, and anything else on your machine.
MCP containers run with full root privileges. Combined with host mounts, this means the agent can modify system files, install backdoors, or escalate to host root.
OpenClaw has a "permissions" system, but it's enforced in the prompt — not in the runtime. A jailbroken agent can ignore all rules and send emails, delete files, or post on your behalf.
OpenClaw exposes n8n on port 5678 with no authentication. Anyone who finds your IP can access your workflow editor, see your credentials, and modify your agent.
No memory or CPU limits on any container. A runaway agent or cryptominer can consume all system resources, crash your machine, or mine crypto on your hardware.
These aren't theoretical — they're in the default docker-compose.yml that 68K+ people cloned.
Security model
OpenClaw enforces rules in the system prompt. We enforce them in Docker. One can be jailbroken. The other can't.
Can't access your API keys
Keys live in the agent's env only. MCP containers have zero access to secrets.
env isolation per container
Can't modify its environment
Filesystem is immutable. The agent can't install backdoors or modify its own code.
read_only: true
Can't access folders you haven't shared
Only the /workspace mount is visible. Your home directory, SSH keys, and browser data are invisible.
explicit volume mounts only
Can't escalate privileges
Zero Linux capabilities. Can't become root, can't mount filesystems, can't access raw network.
cap_drop: ALL + no-new-privileges
Can't use unlimited resources
512MB RAM, 1 CPU core. A runaway agent or cryptominer gets killed, not your machine.
deploy.resources.limits
Must get your confirmation
Sending emails, posting on social media, deleting files — all require explicit approval via Telegram.
permissions.yml whitelist
The goal: maximum capability within minimum attack surface. Your agent does real work — it just can't escape its sandbox.
Every row is a real security boundary. Green means it exists. Red means it doesn't.
| Security Boundary | OpenClaw | seclaw |
|---|---|---|
| Container isolation | None — shared env | Per-container with bridge networks |
| API key protection | All keys in every container | Env-only, sealed per service |
| Filesystem access | Entire home directory | /workspace mount only |
| Root privileges | Running as root | Non-root + cap_drop ALL |
| Permission enforcement | Prompt-based (bypassable) | Runtime guardrails (permissions.yml) |
| Network exposure | Port 5678 open to internet | Zero inbound via CF Tunnel |
| Resource limits | None (infinite) | 512MB / 1 CPU per container |
| Filesystem mutability | Full read/write | read_only: true + tmpfs |
| Setup time | 30+ minutes manual config | 60 seconds via CLI |
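The runtime boundaries in the table can be checked mechanically before a stack is started. The script below is an added example, not seclaw's or OpenClaw's own code: it audits the normalized JSON that `docker compose config --format json` produces for the settings named above. The service names, images, paths and the `audit_service`/`audit` helpers are constructed for illustration.

```python
import json

# Constructed sample in the shape `docker compose config --format json` emits.
# Names, images and paths are illustrative; they are not taken from either project.
SAMPLE = json.loads("""
{"services": {
  "tools-weak": {"image": "example/tools", "user": "root",
    "environment": {"STRIPE_KEY": "constructed-value"},
    "ports": [{"target": 5678, "published": "5678"}],
    "volumes": [{"type": "bind", "source": "/home/alice", "target": "/host"}]},
  "tools-hardened": {"image": "example/tools", "user": "1000:1000",
    "read_only": true, "cap_drop": ["ALL"], "tmpfs": ["/tmp"],
    "security_opt": ["no-new-privileges:true"],
    "volumes": [{"type": "bind", "source": "/srv/agent/workspace", "target": "/workspace"}],
    "deploy": {"resources": {"limits": {"cpus": 1, "memory": "536870912"}}}}
}}
""")

SECRET_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
def audit_service(svc, allowed_targets=("/workspace",)):
    """Findings for one tool (MCP) container; an empty list means every check passed."""
    findings = []
    if svc.get("read_only") is not True:
        findings.append("writable root filesystem (no read_only: true)")
    if "ALL" not in [c.upper() for c in svc.get("cap_drop", [])]:
        findings.append("capabilities kept (no cap_drop: ALL)")
    opts = svc.get("security_opt", [])
    if not any(o.startswith("no-new-privileges") and not o.endswith("false") for o in opts):
        findings.append("no-new-privileges not set")
    limits = svc.get("deploy", {}).get("resources", {}).get("limits", {})
    if not (limits.get("memory") and limits.get("cpus")):
        findings.append("no memory/CPU limit")
    if str(svc.get("user", "")).split(":")[0] in ("", "0", "root"):
        findings.append("runs as root or the image's default user")
    leaked = sorted(k for k in svc.get("environment", {}) if any(h in k.upper() for h in SECRET_HINTS))
    if leaked:
        findings.append(f"secret-like env vars visible: {leaked}")
    for vol in svc.get("volumes", []):
        if vol.get("type") == "bind" and vol.get("target") not in allowed_targets:
            findings.append(f"host path mounted: {vol.get('source')}")
    for port in svc.get("ports", []):
        findings.append(f"port published on host: {port.get('published')}")
    return findings

def audit(compose):
    return {name: audit_service(s) for name, s in compose.get("services", {}).items()}

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

To audit a real stack, replace `SAMPLE` with the parsed output of `docker compose config --format json`; the secret-name check is meant for tool containers, since the agent container is expected to hold its own keys.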
How it works
Every component is open source. Every container is isolated. Your data never leaves your machine.
# Your machine
agent-net (internal network)
Lightweight Node.js server with Telegram Bot API, OpenAI SDK (multi-provider), and Composio for integrations. No framework overhead — just a single agent.js handling webhooks, LLM calls, and tool execution.
Self-hosted workflow engine for scheduled tasks. Cron with timezone support, step-level retries, and human-in-the-loop approvals via Telegram. Dashboard at localhost:8288. Free forever.
Default: Gemini 3 Flash via OpenRouter — fast, affordable, excellent tool use. Or switch to Claude, GPT-4o, Gemini Pro, and 100+ other models. One env variable change.
Gives your agent file read/write and terminal access — inside a locked-down container. read_only filesystem, zero Linux capabilities, 512MB limit. The agent can work, but can't escape.
Managed OAuth for Gmail, Google Calendar, GitHub, Slack, Notion, Linear, and more. Your agent never sees raw credentials — Composio handles token refresh and API auth.
Access your agent from anywhere — phone, laptop, any device. Outbound-only connection: zero inbound ports. No firewall rules. No exposed IPs. Auto-created by CLI in 30 seconds.
Self-hosted, free forever
No cloud fees, no execution limits. Runs as a single Docker container with SQLite storage. Dashboard included.
Human-in-the-loop
Scheduled actions can pause and wait for your Telegram approval before executing. Approve or reject with one tap.
Durable execution
Each step retries independently. If the LLM call fails, it retries without re-fetching data. No lost work.
Without tunnel
Port 3000 open to the internet. Anyone who finds your IP can send requests to your agent. Port scanning bots find these in hours.
With Cloudflare Tunnel
Zero open ports. Your server makes an outbound connection to Cloudflare's edge. Access via your custom domain with Cloudflare Access for authentication. Auto-created by our CLI in 30 seconds.
Built-in tools
Every agent ships with workspace management, scheduling, human-in-the-loop, and smart integration detection. No MCP required. No external services. Just tell your agent what to do.
Every agent gets a persistent workspace at /workspace. Data persists across restarts and conversations.
| Directory | Contents | Tool |
|---|---|---|
| memory/ | Persistent learnings about you — name, preferences, habits, language | update_memory |
| tasks/ | TODOs and action items with priority levels and due dates | create_task |
| notes/ | Quick thoughts, ideas, meeting notes, links | save_note |
| reports/ | Research results, daily digests, analysis summaries | save_report |
| drafts/ | Draft emails, messages, and documents to review before sending | save_draft |
| config/ | Schedules, capability settings, and system configuration. Managed automatically. | system-managed |
$ ls /workspace
memory/ tasks/ notes/ reports/ drafts/ config/
$ cat memory/learnings.md
- [2026-02-13] User prefers Turkish
- [2026-02-13] User name is Mert
- [2026-02-14] Morning reports should include calendar
$ ls tasks/
review-contract.md prepare-demo.md update-docs.md
Reminders, delayed actions, recurring schedules, and human-in-the-loop confirmations.
| Tool | What it does |
|---|---|
| send_delayed_message | Send a Telegram message after a delay |
| schedule_action | Execute any action after a delay with full agent capabilities |
| request_confirmation | Approve / Reject buttons with human-in-the-loop execution |
| create_schedule | Create a new recurring cron schedule |
| toggle_schedule | Enable or disable a schedule without deleting |
| trigger_schedule_now | Manually run a scheduled task right now |
| connect_integration | Generate OAuth link for a missing integration and share it in chat |
list_files
List files in any workspace directory. "Show me my tasks" returns all open TODOs.
read_file
Read any workspace file. "Read my latest report" opens the most recent analysis.
All tools use direct filesystem access — no Desktop Commander MCP dependency. They work even if external services are completely offline.
Powered by Composio
Gmail, Google Calendar, GitHub, Slack, Notion, Linear, Trello, Dropbox, WhatsApp, and more — all via managed OAuth. No raw API keys, no token files.
npx seclaw integrations
OAuth in your browser. No raw API keys.
# Composio handles OAuth
Scoped permissions. Automatic token refresh.
"Summarize my unread emails"
Agent auto-discovers tools. Just ask in Telegram.
Managed OAuth
Tokens never touch your machine
Auto refresh
Zero credential maintenance
Scoped access
Per-integration permissions
Hot reload
Add integrations without restart
Three steps. That's it.
npx seclaw
Pick a template, enter your LLM provider and Telegram token. The CLI scaffolds Docker Compose, permissions, and Cloudflare Tunnel.
docker compose up
Agent, Inngest scheduler, Desktop Commander, and Cloudflare Tunnel — all start in isolated containers.
Open Telegram
Your agent is live. Scheduled tasks run automatically, integrations are connected, and every action is sandboxed.
npx seclaw
No subscriptions. Self-hosted. Your data stays on your machine.
17 agent templates from Free to $149
2 free templates included. 15 paid templates, one-time purchase.
Everything else is free — Docker, Inngest, Cloudflare Tunnel, Telegram, Composio free tier.
~$6/month — Haiku only
~$3-10/month — Gemini 3 Flash (default)
~$100+/month — Opus heavy