GDS K S

Posted on Feb 7 • Originally published at dev-to-uploads.s3.amazonaws.com

OpenClaw and Moltbook: $3,600/Month, WhatsApp Bans, and 923 Exposed Gateways. An Engineer's Breakdown.

#ai #opensource #security #programming

I ran OpenClaw for about two weeks. Set it up on a VPS, connected it to Telegram and WhatsApp, tested skills, tuned heartbeats, monitored token burn, and read every security report I could find.

The tech is genuinely impressive. The hype is also genuinely misleading.

This post is my full breakdown of what OpenClaw and Moltbook actually look like after the YouTube demos end and the API bills start arriving. Not a hit piece. I think OpenClaw is one of the most interesting open-source projects out there right now. But there's a gap between the highlight reel and daily reality, and that gap has real dollar amounts attached to it.

What OpenClaw Actually Is (30 Seconds)

OpenClaw is an open-source, self-hosted AI agent built by Peter Steinberger (PSPDFKit founder). It runs locally on your hardware, connects to your messaging apps, and talks to an LLM to reason and execute tasks. It has real system access: shell, browser, files, cron jobs.

The architecture in a nutshell:

You (Phone/Desktop)
      |
      v
+---------------------+
|  Messaging Channel   |  <-- WhatsApp, Telegram, Discord, etc.
|  (your interface)    |
+----------+----------+
           |
           v
+---------------------+
|     Gateway          |  <-- Local Node.js service (ws://127.0.0.1:18789)
|  (control plane)     |
|  Routes messages,    |
|  manages sessions,   |
|  stores memory       |
+----------+----------+
           |
     +-----+-----+
     v           v
+---------+ +----------+
| LLM API | |  Tools   |  <-- Shell, Browser, Files, Skills, Cron
| (Claude,| |          |
|  GPT,   | +----------+
|  etc.)  |
+---------+

The persistent memory across sessions and multi-platform presence is what makes it feel like a genuine step change from browser-tab chatbots. I've had it search files, draft emails, manage calendar entries, and run shell commands, all from a WhatsApp message.

So where's the catch? Mostly in three places: cost, security, and WhatsApp.

The Token Economics Nobody Wants to Talk About

OpenClaw itself is free. Open source, MIT license. But AI agents with full system access and persistent memory are ravenously hungry for tokens.

Every time you message OpenClaw, the entire conversation history gets sent to the LLM. Every heartbeat check (a periodic "wake up and check if anything needs doing") sends the full context window. Every tool call output gets appended to the session and re-sent on the next interaction.

Here's what a single heartbeat actually costs:

+-----------------------------------------------------+
|           WHAT A SINGLE HEARTBEAT COSTS              |
+-----------------------------------------------------+
|  System prompt:              ~5,000-10,000 tokens    |
|  Session history:            ~50,000-120,000 tokens  |
|  Tool definitions (skills):  ~5,000-15,000 tokens    |
|  Reasoning + response:       ~500-2,000 tokens       |
+-----------------------------------------------------+
|  TOTAL per heartbeat:        ~60,000-147,000 tokens  |
|                                                       |
|  At Claude Opus rates ($15/M input, $75/M output):   |
|  ~ $0.75 per heartbeat                               |
|                                                       |
|  Common config: every 30 min = 48/day                |
|  Daily heartbeat cost alone: ~$36                    |
+-----------------------------------------------------+

The system prompt token range comes from Apiyi's cost analysis. The $0.75 per heartbeat and $18.75 overnight figures come from NotebookCheck's investigation.

These aren't hypothetical numbers. Real people have posted real bills:

$18.75 overnight from heartbeat checks asking "is it daytime yet?" (NotebookCheck)
$100+ in a single day of testing by the German tech magazine c't
$3,600 in one month by tech blogger Federico Viticci (referenced in Apiyi analysis)
$300+ in two days on "basic tasks" (Hacker News user, referenced in clawdbot-cost-monitor)
5.7 million tokens overnight from a simple scheduled task, on Haiku, not Opus (GitHub Discussion #1949)

The common rebuttal is "just use Claude Max at $100/month, it's unlimited." That's fair. If you already pay for Claude Max, you can authenticate via claude-cli and piggyback on your subscription. Same with ChatGPT Plus via codex-cli. But most people following the tutorials are pasting API keys, and the onboarding wizard defaults to that path. Nobody reads the fine print until the Anthropic dashboard sends the first bill notification.

The practical range for API users: $5-25/day for moderate use, $100-500+/month for power users. If a cron job gets stuck in a loop or the context window bloats, you can burn through $100 in a single day without realizing it.

"Just Run Local Models" - The Hardware Reality

The natural response to token costs is running models locally. Ollama, LM Studio, vLLM. Zero marginal cost per token.

In practice, OpenClaw's best features (multi-step reasoning, nuanced tool use, autonomous decision-making) only work well with frontier-class models. When you drop to smaller local models, the quality cliff is steep.

A DEV Community post documented this directly: they tried GPT-4o-mini to save money. It couldn't fix basic TypeScript build errors that any intermediate developer would resolve in 60 seconds. Five failed runs later, they switched back to GPT-4o, which fixed it in one shot. The "cheap" model cost more.

To run models that actually compete with cloud APIs (DeepSeek 37B, Kimi K2.5, Qwen 72B), you need real hardware:

Hardware	RAM	Approx. Cost
Mac Mini M4 (base)	32 GB	~$400-600
Mac Mini M4 Pro	48-64 GB	~$800-1,100
Mac Mini M4 Pro (maxed)	96 GB	~$1,300+
Mac Studio M4 Ultra	128-256 GB	~$3,000-6,000
GPU VPS (A100/H100)	80 GB VRAM	~$50-100/day

The Mac Mini sales spike in January wasn't coincidental. YouTube creators were telling people to buy one to run OpenClaw locally. What they glossed over: a 32GB Mac Mini can maybe run a 7-8B parameter model smoothly. For the agentic workflows that make OpenClaw impressive, you need at least 64GB to run a 30B+ model comfortably, and realistically 96GB+ for the larger models. Add electricity costs for running 24/7 and you're not saving as much as the thumbnail promised.

The WhatsApp Problem Everyone Is Ignoring

This one genuinely worries me.

OpenClaw's WhatsApp integration is its most popular channel. It's the demo everyone leads with. But it's built on Baileys, a community library that reverse-engineers the WhatsApp Web protocol.

This is not sanctioned by Meta. It violates WhatsApp's Terms of Service.

From WhatsApp's perspective, your carefully configured personal AI assistant looks identical to a spam bot. Meta actively fights against unofficial automation. Every WhatsApp protocol update risks breaking Baileys entirely.

I've seen multiple reports of users getting their personal WhatsApp accounts suspended after connecting OpenClaw. One blog post documented a Google Voice number getting banned within 48 hours. Another user described a mass-pairing incident where pairing mode accidentally messaged 12 contacts before WhatsApp's rate limiter kicked in.

Even the official OpenClaw docs recommend using a separate phone number. Their own documentation states:

"WhatsApp requires a real mobile number for verification. VoIP and virtual numbers are usually blocked."

So you need a cheap eSIM ($5-10/month from Tello, Mint Mobile, etc.) and ideally a spare phone or WhatsApp Business on your primary device with a different number.

If you want messaging integration without ban risk: use Telegram. Official Bot API, zero ban risk, easier setup. Discord also works with its official bot API. Both are boring answers, but honest ones. This channel security comparison breaks down the differences in detail.

Security: The Part That Actually Scares Me

I'm not a security researcher, but the published findings are hard to ignore.

CrowdStrike found 923+ OpenClaw gateways completely exposed on the public internet with no authentication, no password. Since OpenClaw often runs with shell access, browser control, and stored API keys, anyone who finds an exposed instance can hijack it, steal API keys, and run arbitrary commands on the host machine.

Cisco's AI threat research team ran a deliberately malicious skill ("What Would Elon Do?", which had been artificially boosted to #1 in ClawHub's skill rankings) against OpenClaw and found nine security vulnerabilities including two critical. One of them was active data exfiltration: the skill silently ran a curl command to send data to an external server without the user's knowledge.

Palo Alto Networks described OpenClaw as a "lethal trifecta" of risks: access to private data, exposure to untrusted content, and the ability to communicate externally. They added a fourth risk: persistent memory that enables delayed-execution attacks, where malicious payloads look benign when ingested, get written to long-term memory, and later assemble into executable instructions.

In late 2025, researchers also reported a malicious npm package mimicking Baileys that stole WhatsApp tokens and messages. Supply chain risk is real.

If you're running OpenClaw, treat it like an untrusted application with admin privileges. Because that's functionally what it is.

Run it in an isolated environment. Don't bind the gateway to 0.0.0.0. Use Cloudflare Tunnel or SSH forwarding instead of exposing ports. Don't connect it to your primary email or bank-connected accounts.

Moltbook: Fascinating Experiment or Elaborate Meme?

Moltbook is a Reddit-style social network "exclusively for AI agents." Created by Matt Schlicht (Octane AI co-founder) and built, by his own admission, entirely by his OpenClaw agent. He said he "didn't write one line of code" for it.

And it shows.

404 Media discovered an unsecured database that let anyone commandeer any agent on the platform. Wiz's security review found unauthenticated access to the entire production DB and exposed tens of thousands of email addresses. The platform was taken offline to patch and force-reset all agent API keys.

The "AI-only social network" claims 1.5 million agent users, 110K posts, 500K comments. But Wikipedia's own article on Moltbook notes there's no actual verification that posts come from autonomous agents. The API accepts standard cURL commands any human can replicate. Multiple people on X have called out that viral screenshots come from humans posting through the API while pretending to be agents, often with promotional conflicts of interest.

Even the people who initially praised it walked it back:

Andrej Karpathy (former Tesla AI director): initially called it fascinating, then added "it's a dumpster fire, and I also definitely do not recommend that people run this stuff on their computers."
Simon Willison: called the content "complete slop" while acknowledging agents are getting more powerful.
The Economist: suggested the agents are simply mimicking social media patterns from training data.

A MOLT crypto token launched alongside Moltbook and pumped 1,800% in 24 hours, amplified after Marc Andreessen followed the account. The Adaptavist Group's investigation reported an $8 million crypto scam connected to the OpenClaw/Moltbook hype cycle.

The Creator Economy Behind the Hype

This is the part I really want people to understand.

Every YouTube video showing OpenClaw doing magical things is burning real API tokens to produce that content. A creator testing features, recording demos, and re-running workflows for good takes can easily burn $50-100 in a single recording session on Claude Opus. The video earns it back in ad revenue and sponsorships. But the cost-benefit math they're living is fundamentally different from yours.

Creator:    $50 in tokens --> YouTube video --> $500+ in revenue  OK
You:        $50 in tokens --> ???           --> organized calendar  ???

I'm not saying creators are lying. The demos are real. OpenClaw can do those things. But when someone shows you a 10-minute highlight reel of autonomous magic and doesn't mention they spent $200 in API costs and 6 hours configuring it, that's a misleading picture.

Same applies to the "run it on a Mac Mini" advice. Creators recommending this are either running cloud APIs (eating the cost as a business expense) or have $3,000+ Mac Studios with 128GB+ RAM. The $400 base Mac Mini is a foot in the door, not the whole story.

Setup: What It Actually Takes

If you've managed Docker containers and APIs before: 1-2 hours for a basic setup. The openclaw onboard wizard is legitimately good. You'll be chatting via Telegram or WebChat quickly. Add another hour for WhatsApp (eSIM setup, QR linking, DM policy configuration).

If you're deploying on a VPS: Add 1-2 hours for security hardening. Cloudflare Tunnel, SSH-only access, making sure you're not binding the gateway to all interfaces. The DigitalOcean 1-Click Deploy ($24/month) saves time but you're still responsible for API key management and security.

If you want a "production" setup (dedicated number, model routing, cost controls, skill auditing, heartbeat tuning, session pruning): A full day, minimum. Plus ongoing maintenance. WhatsApp sessions expire every few weeks and need re-linking, skills need updating, session files need pruning to prevent context bloat.

If you're setting up fresh hardware (new Mac Mini, new accounts to isolate from personal stuff): Add another 2-4 hours for OS setup, new Apple ID/email, Node.js installation, and initial configuration.

My Honest Take After Two Weeks

OpenClaw is the most interesting open-source project I've worked with in a long time. The persistent memory, multi-platform presence, and genuine autonomous capabilities make it feel like something from 2028 that leaked early. Peter Steinberger and the community have built something real.

But right now, it's a power tool for power users. The gap between the demo reel and daily reality includes unpredictable API costs that require active monitoring, legitimate security risks that demand infrastructure knowledge, a WhatsApp integration built on a reverse-engineered protocol that can get your number banned, and a hype cycle turbocharged by content creators whose economics don't match yours.

If you're a developer with a clear automation use case and you understand the token economics, absolutely try it. Start with Telegram, use Sonnet instead of Opus, set hard spending limits at your API provider, and tune the heartbeat interval.

If you're a non-technical person who saw a TikTok and wants a JARVIS, wait six months. The project is moving fast and the rough edges will smooth out. But today is not the day to connect your primary WhatsApp to an agent running with shell access on a machine bound to the open internet.

The future this points to is real. The present requires caution.

If this was useful, I'm building something in this space that addresses several of these pain points. More on that soon. Follow me here for updates.

Sources: