Spent a week going through the personal agent ecosystem – OpenClaw, ZeroClaw, PicoClaw, the whole *Claw family. Channel testing, security audit, the whole thing.
If you want a personal assistant that messages you reminders, triages your inbox, schedules things, posts updates – these frameworks are actually good at that. OpenClaw connects to 50+ channels out of the box, the setup is real, it works. For that, a $7 VPS and an afternoon get you something useful.
The marketplace side made me more nervous than I expected. Malicious extensions reported in OpenClaw’s skill store, a critical RCE patched earlier this year, tens of thousands of publicly indexed instances found by scanners. People are running this on machines with their API keys, their git credentials, their chat history.
It also breaks down when you expect the same setup to do real development work – trace a refactor across 20 files, maintain context across sessions, run a linter, write a fix that matches project conventions. That’s not the same problem. They’re routing layers with an LLM attached, not development partners.
The setup that actually works for me: deep work in a real dev environment with the full repo and session context, quick async stuff through a thin webhook I wrote myself, maybe 300 lines. No shared marketplace, no framework I don’t control. The one thing you have to solve yourself is memory between sessions – summarize conversations, feed them forward. Not hard, but not free either.
At the end of the week I’d found more security issues than useful dev capabilities. One agent that does everything looks clean on paper. In practice, you get a little bit of everything and nothing deep enough to trust.
