The Claw ecosystem: 12 personal agents, dissected
Three months ago, personal agents weren’t a category. Now there are twenty of them, and the biggest has 217,000 GitHub stars.
I tore apart twelve. Read every README, traced every import, mapped every dependency. Here’s what I found.
What these are
Not CLI coding agents. Those live in your terminal and edit code. This is a different species.
Personal agents are self-hosted assistants you message from WhatsApp, Telegram, or Discord. They run 24/7 on your hardware. They have memory, scheduled tasks, and tool access. You text them “summarize my email every morning at 9” and they do it.
OpenClaw started it. Peter Steinberger (of PSPDFKit fame) shipped “Clawdbot” in November 2025. Three months later it has 217K stars, 367 contributors, and spawned an ecosystem of alternatives - each making different architectural bets.
What’s actually under the hood
The first thing I wanted to know: what agent harness does each project run on?
| Project | Stars | Lang | Agent Harness |
|---|---|---|---|
| OpenClaw | 217K | TypeScript | Pi |
| nanobot | 23K | Python | Custom (LiteLLM) |
| PicoClaw | 17.7K | Go | Custom (Go SDKs) |
| ZeroClaw | 16.7K | Rust | Custom (trait-based) |
| NanoClaw | 11.3K | TypeScript | Claude Agent SDK |
| MimiClaw | 2.9K | C | Custom (bare-metal) |
| IronClaw | 2.8K | Rust | Custom + rig-core |
| TinyClaw | 2.3K | Shell/TS | Wraps Claude Code CLI |
| NullClaw | 1.6K | Zig | Custom (vtable-based) |
| Moltis | 1.3K | Rust | Custom |
| Spacebot | 981 | Rust | Rig v0.30 |
| ZeptoClaw | 305 | Rust | Custom |
OpenClaw runs on Pi. Mario Zechner’s Pi - the same 4-tool agent framework with 6.6K stars - is the engine under the 217K-star project. Pi provides the agent loop, tools, and session management. OpenClaw adds the gateway, 20+ messaging channels, device nodes, canvas, and the entire multi-agent routing layer.
That’s a 33x star ratio between the platform and the infrastructure it’s built on.
Three strategies
Every project in this space makes one of three architectural bets:
1. Embed an existing agent
Four projects embed an agent SDK rather than building their own loop. The split is open core vs closed core.
Open core. OpenClaw embeds Pi as an SDK - importing createAgentSession() directly into its Node.js process. Pi provides the agent loop, LLM abstraction, tool execution, and session persistence. OpenClaw passes builtInTools: [] (disabling all of Pi’s defaults) and injects its own 25 custom tools through Pi’s customTools parameter. It hooks into Pi’s extension system for custom compaction and context pruning, subscribes to Pi’s event stream to translate agent events into chat-message-sized blocks, and uses Pi’s SessionManager for JSONL-based session persistence.
Pi was designed for this. Its extension API, pluggable tools, and createAgentSession() factory exist so projects like OpenClaw can take the agent loop without taking the opinions. OpenClaw adds the gateway, 20+ messaging channels, browser automation via Playwright, device nodes (camera, GPS, screen recording), canvas, voice wake, and multi-profile auth rotation with failover - all while staying on upstream Pi releases.
Spacebot takes the same approach with Rig (a Rust agentic framework), building its delegation model on top. IronClaw uses rig-core for LLM abstraction but builds everything else from scratch.
Closed core. NanoClaw embeds Claude Agent SDK inside Linux containers. Each WhatsApp group gets its own container with isolated filesystem and IPC. The agent quality is Claude Code’s quality. NanoClaw adds container orchestration, scheduled tasks, and a philosophy: “small enough to understand in 8 minutes.”
The tradeoff isn’t just about control. It’s about money.
OpenClaw users running Anthropic API keys were burning $50/day. The entire conversation context gets sent on every message. One GitHub issue title says it all: “OpenClaw is using much tokens and it cost to much.” OpenClaw can use claude setup-token for subscription auth, but their own docs recommend API keys, and the token carries a warning: “This credential is only authorized for use with Claude Code.”
NanoClaw sidesteps this entirely. It passes CLAUDE_CODE_OAUTH_TOKEN into its containers - the same subscription token Claude Pro/Max users already have. $20/month flat. No metered billing. No $50 surprise on day one.
This is probably why OpenAI hired Peter Steinberger a week ago. OpenClaw is model-agnostic - users can plug in any provider. That’s great for users, terrible for a company that sells API tokens. A closed agent product, tightly integrated with OpenAI’s models, solves that problem. Open core (Pi, Rig) gives you full control over the agent loop. Closed core (Claude Agent SDK) gives you subscription auth and Anthropic’s improvements for free.
2. Shell out to a CLI agent
TinyClaw is in a category of its own. It’s a bash script that spawns Claude Code, Codex CLI, or OpenCode as subprocesses via spawn('claude', ['--dangerously-skip-permissions', ...]). Zero LLM SDK dependencies. It adds multi-agent team routing through [@agent: message] tags that agents embed in their responses, parsed by a file-based queue processor.
This is the thinnest possible integration. No SDK import, no agent loop, no session management. Just a CLI call and stdout parsing.
3. Everything from scratch
nanobot, ZeroClaw, PicoClaw, MimiClaw, Moltis, NullClaw, ZeptoClaw - seven projects that wrote their own agent loop.
- nanobot (Python, 3,800 lines) - HKU research lab. LiteLLM for provider routing, file-based memory with LLM-driven consolidation. 23K stars in 20 days.
- ZeroClaw (Rust) - trait-driven architecture where everything is swappable. Four sandbox backends auto-detected at runtime. 16.7K stars in 9 days.
- MimiClaw (C) - a ReAct agent loop running on a $5 ESP32-S3 microcontroller. No OS. Dual-core: network I/O on Core 0, agent loop on Core 1. Memory stored on flash. The LLM can schedule its own cron jobs.
- NullClaw (Zig) - 678KB static binary, vtable interfaces for everything, runs on $5 ARM boards with ~1MB RAM.
The messaging-first insight
Here’s what unites all of these and separates them from CLI agents: the primary interface is a chat app.
When your agent lives in WhatsApp, Telegram, or Discord, you physically cannot show tool call traces. Chat apps render text messages. That’s it. Every project in this ecosystem is inherently “traceless” - the user sends a message and gets a response. What happened in between is invisible.
This is the opposite of Claude Code’s architecture, where the four primitives (read, write, edit, bash) are visible as they execute. The transparency is the trust model.
For personal agents, the trust model is different. You trust the outcome, not the process. You text your agent “check if my flight is on time” and you either get the right answer or you don’t. Nobody wants to see the agent’s grep output on their phone.
The one project that made it intentional
Every project except one is accidentally traceless. The chat app hides the trace as a side effect of the medium.
Spacebot (by the Spacedrive team) made tracelessness an architectural decision. It has five process types, and the user-facing one - the Channel - never executes tools:
User A: "what do you know about X?"
→ Channel branches (branch-1)
User B: "hey, how's it going?"
→ Channel responds directly: "Going well! Working on something for A."
Branch-1 resolves: "Here's what I found about X"
→ Channel sees the result on its next turn
→ Channel responds to User AThe Channel delegates. Branches fork the channel’s context like a git branch and go think. Workers execute tasks with their own tools and their own context. The Compactor manages context windows in the background. The Cortex supervises everything and generates periodic memory briefings.
This matters beyond UX. In a single-agent loop, every tool call eats context window tokens. OpenClaw has 25 tools - their output accumulates in the conversation. Spacebot’s workers have their own context. The channel stays clean for conversation.
The tradeoff: five concurrent process types is real complexity. Most personal assistants don’t need it. Spacebot is designed for communities with 50+ simultaneous users - Discord servers, Slack workspaces - not one person texting from their phone.
Security is mostly theater
I checked every project’s sandboxing approach.
| Tier | Projects | What they do |
|---|---|---|
| Real isolation | IronClaw, ZeptoClaw, NanoClaw, Moltis | WASM sandbox, Docker/Apple Container per session, credential injection at host boundary |
| Optional containers | OpenClaw, ZeroClaw | Docker available but off by default. ZeroClaw auto-detects 4 backends (Docker, Firejail, Bubblewrap, Landlock) |
| Regex and prayers | nanobot, PicoClaw, NullClaw | Workspace path restriction + command blocklist. Blocks rm -rf and fork bombs. |
| Nothing | TinyClaw, Spacebot, MimiClaw | TinyClaw runs --dangerously-skip-permissions. Spacebot runs shell on host. MimiClaw has no OS to sandbox. |
IronClaw is the standout. It runs tools in WebAssembly containers with capability-based permissions. Credentials are injected at the host boundary - the WASM code never sees them. Outbound requests are scanned for secret exfiltration. It also has prompt injection detection with pattern matching and content sanitization.
Most of the others? Your agent has bash with no sandbox. I wrote about why this matters - without network control, a compromised agent can exfiltrate ~/.ssh. Without filesystem control, it can backdoor your shell config.
Memory ranges from flash to graph
| Project | Storage | Search |
|---|---|---|
| Spacebot | SQLite + LanceDB | Typed graph (8 types, 5 edge types), hybrid vector+FTS via RRF |
| OpenClaw | Markdown + SQLite + sqlite-vec | Hybrid BM25 + vector |
| IronClaw | PostgreSQL + pgvector | Hybrid FTS + vector via RRF |
| ZeroClaw | SQLite | Hybrid vector + FTS5 |
| nanobot | Markdown files | LLM-driven consolidation (no search) |
| MimiClaw | SPIFFS flash | None (12MB flash partition on ESP32) |
Spacebot’s memory system is the most sophisticated. Every memory has a type (Fact, Preference, Decision, Identity, Event, Observation, Goal, Todo), an importance score, and graph edges (RelatedTo, Updates, Contradicts, CausedBy, PartOf). The Cortex curates periodic briefings from this graph and injects them into every conversation.
Most projects use markdown files. nanobot’s approach is interesting - the LLM itself decides what to save via a save_memory tool call during context consolidation. No embeddings, no vector DB. The model is the search engine. The projects that do implement search all landed on hybrid BM25 + vector - none use pure vector search.
The hardware frontier
Four projects run on embedded hardware:
- MimiClaw - $5 ESP32-S3, pure C, no OS, 0.5W, Telegram via WiFi
- PicoClaw - $10 RISC-V boards, Go, I2C/SPI hardware tools, MaixCam camera as a “channel”
- NullClaw - $5 ARM boards, Zig, 678KB binary, Arduino/RPi GPIO/STM32 support
- ZeroClaw - robot kit crate, ESP32/Arduino/Nucleo firmware, USB peripheral flashing
MimiClaw is the most constrained. A ReAct agent loop in C, running on a microcontroller with 8MB of PSRAM, talking to Claude or GPT-4o over HTTPS. The LLM can schedule its own cron jobs, persisted across reboots on flash. Dual-core architecture: network I/O on one core, agent processing on the other.
A different bet than the server-hosted projects. These agents cost pennies to run, draw half a watt, and never go down because there’s no OS to crash.
How to pick
You want the most features. OpenClaw. 25 tools, 20+ channels, device nodes, canvas, voice. It’s the kitchen sink and it’s MIT licensed.
You want to understand the code. NanoClaw. One process, a handful of files, container isolation. Fork it, have Claude Code customize it.
You want the strongest security. IronClaw. WASM sandbox, credential injection, leak detection, prompt injection defense. PostgreSQL + pgvector for memory.
You want Rust. ZeroClaw for features, Moltis for code quality (zero unsafe, 2,300+ tests), ZeptoClaw for size discipline (4MB binary).
You want to run it on a $5 chip. MimiClaw if you know C, PicoClaw if you know Go, NullClaw if you know Zig.
You’re building for a team, not yourself. Spacebot. The delegation model handles 50+ concurrent users without blocking.
You just want it to work. nanobot. pip install nanobot-ai, configure, chat. 3,800 lines, 9 chat platforms, 17+ LLM providers.
What’s next
This ecosystem is three months old. 20 projects across 7 languages, running on hardware from $5 microcontrollers to cloud servers. ZeroClaw hit 16.7K stars in 9 days.
The pattern that wins isn’t clear yet. The “wrap Claude Code” camp gets better whenever Anthropic ships. The “from scratch” camp has more control but more maintenance. The embedded camp is solving a problem nobody else is thinking about.
I’ll be watching the embedded camp closest. The others are competing on features. MimiClaw and NullClaw are competing on constraints - and constraints tend to produce better architectures.