Personal AI is Already Here (And You’re Probably Not Ready)

If you’ve been following the AI agent discourse—or mainstream news—you might have noticed a certain project going through an identity crisis. Peter Steinberger’s project went from Clawdbot to Moltbot to OpenClaw—all within a few weeks, courtesy of Anthropic’s trademark lawyers and some opportunistic crypto scammers who grabbed the old handles in the ten seconds between “releasing old name” and “claiming new name.”

The project didn’t just survive—it became the fastest-growing open source project in GitHub history. The $16 million meme coin didn’t. The agent harness is now called OpenClaw, and there’s even Moltbook—a social platform where OpenClaw agents can talk to each other. Yes, really.

But this isn’t a post about the drama, or about why you should install OpenClaw on your machine right now. Not here to sell you anything.

This is a personal assessment. I’ve been running OpenClaw on a Raspberry Pi in my home for three weeks, using it as a genuine personal assistant for my family. What I’ve learned has reinforced how I think about AI capability, AI integration, and AI security.

The short version: The frontier models don’t have a capability problem anymore. What they have is an integration problem, a data access problem, and—critically—a security problem that nobody has solved yet.

We have personal assistants now that are only limited by what data and tools we grant them access to. The more we give, the more they can do for us. With all the risks that come attached.

If you think about it, this isn’t new at all. We’ve always granted people access to our lives so they could work alongside us-secretaries, nannies, personal chefs. The only difference is whether we’re trusting humans or novel machines that often behave like ghosts of humans.

At least, that’s been my reality for the past three weeks.

If that sounds interesting, keep reading. If that sounds scary, good. It should.

Why This Will Happen Anyway

Here’s what I believe: Personal AI agents will become normal. Every AI lab-Anthropic, OpenAI, Google—is working on breaking out of the chat window. OpenClaw is a glimpse into that near future, showing that the capabilities have been there for a while. It will happen not because it’s safe—it isn’t—but because the value proposition is too compelling to ignore.

A personal agent that can flexibly extend its own memory and capabilities, that learns your domain over time, that acts on your behalf without you having to copy-paste context into a chat window every single time—that’s not a productivity hack. That’s a different way of working with computers entirely.

This will happen whether we like it or not. The question isn’t “should people run personal AI agents?” The question is “how do we do this responsibly?”

I’m running this experiment on myself to find out.

My Setup

OpenClaw runs on a Raspberry Pi 5 in my living room. Deliberately separate from my work machines—no access to my employer’s data, no shared file systems. Lollo (that’s the agent’s name) talks to me via WhatsApp. I got a separate number with an eSIM for this-didn’t want my personal messages mixed in. My family can use it too.

The core architecture is simple: a gateway that manages sessions and background jobs, a collection of skills (more on those later), and API access to frontier models. The models provide the intelligence. OpenClaw as an agent harness provides everything else-memory, file system access, tool use, proactive scheduling, the ability to actually do things instead of just talking about them.

If you’re familiar with Claude Code or Codex in YOLO mode, OpenClaw isn’t fundamentally different—it’s an agent with system access. The difference: no sandbox by default, and persistent relays into external communication services. In my case, WhatsApp. The agent is always on, always reachable.

Under the hood, OpenClaw uses Pi-Mario Zechner’s minimal coding agent. Pi has the shortest system prompt of any agent I’m aware of and only four core tools: Read, Write, Edit, Bash. Everything else comes from extensions and skills. Armin Ronacher wrote a great deep-dive on Pi’s architecture for those who want to go deeper.

Total cost: around €180 for the Pi, plus roughly $20-30/month in API calls depending on usage. You can also run rate-limited through a Claude Pro or ChatGPT Plus subscription if you prefer fixed costs.

What I Actually Use It For

A few examples from the past three weeks. Not comprehensive, just illustrative.

Family document filing. I send a PDF or photo via WhatsApp. Lollo analyzes it with vision-document type, date, sender, amount if applicable. Photos get converted to PDF, then run through OCR. Files are renamed according to a consistent schema (’YYYY-MM-DD [Sender] [Type] [Details].pdf’) and sorted into the appropriate folder. The whole pipeline-vision analysis, format conversion, OCR, renaming, filing-happens automatically.

But filing is only half of it. The retrieval is where it gets interesting. “What insurance policies do we have for our toddler?” “How much did we spend on contractors in 2025?” Lollo searches the archive, reads the relevant documents, and gives me an answer. The documents aren’t just stored—they’re accessible in a way that actually matters.

Both filing and retrieval work well in daily use. Next on my list: experimenting with qmd, Tobi Lütke’s local search engine that combines keyword search, vector embeddings, and LLM reranking. Should make retrieval even better. Update: It’s now available as a memory search backend in OpenClaw.

Personal color consulting. I had professional color analysis done. The results—which colors suit my skin tone, which to avoid-now live in a dedicated skill. I send a photo of a sweater I’m considering: “Does this work for me?” Lollo checks it against my profile and gives me a straight answer. The knowledge persists. I don’t have to explain my color type every time.

Proactive scheduling. Every morning at 7:45, Lollo sends me a briefing: today’s calendar, weather for dog walking times, anything that needs attention. I didn’t ask for it. It just happens. The night before trash collection, I get a reminder which bins to put out. Once a week, I get a summary of local news, filtered by our interests and delivered with a Rhine-region commentary—my wife and I are expats from the Rhineland living in Bavaria, and Lollo knows to add the appropriate sardonic undertone.

Friday evening, I get a weekly recap: what ideas I had, which todos we worked on, what we talked about, what’s still open—not just tasks, but conversation threads that didn’t reach a conclusion. This is useful precisely because it doesn’t require me to religiously maintain a todo system. Things that came up in passing don’t get lost. What CRUD app could ever offer this?

These are small things, but they add up. The agent acts without being prompted.

Ideas and todos. When I have an idea, I say “new idea about X” and it goes into my Obsidian vault, properly formatted, synced. When I need a todo, same thing. The knowledge doesn’t get trapped in a chat history I’ll never scroll back through. It flows into real systems where it belongs.

What I love about this: I don’t have to submit to rigid UIs that are painful to use on the go. I can just dump my thoughts via voice message while walking the dog (that’s when ideas get formed!). No Siri that misunderstands everything. The idea gets captured in raw form, or the todo gets the relevant context added automatically. No app-switching, no tiny input fields, no “I’ll add it properly later” that never happens.

The ideas skill uses a simple template: a working title, a thesis section (initially empty or draft), raw ideas as timestamped bullet points, clusters that emerge as ideas accumulate, open questions, and sources. When I mumble “new idea about personal AI” into my phone, Lollo creates or updates the appropriate file, adds my thought to the raw section with today’s date, and syncs. Over time, the document grows. As thoughts accumulate, Lollo starts forming clusters and drops in probing questions—not in my face, just there when I look.

Ideas need to ripen. At least mine do. An idea isn’t just spoken and done—it gets shaped over days and weeks. I can reference it casually while walking, send a voice message with a new angle, and Lollo finds the right idea document in the vault and extends it. The idea grows incrementally, without me having to remember where I put it or what format it’s in.

Watch history and taste. Lollo has access to my Trakt.tv data-everything I’ve watched, when, how I rated it. Over time, this becomes a taste profile. Recommendations get better because they’re based on actual behavior, not a cold-start conversation. The advantage here: I don’t have to wait for ChatGPT or Claude to announce a Trakt partnership that may never come. If a service has an API—or a website I can scrape—I can connect it. My data, my integrations. More generally: letting your personal agent look at your Trakt history, your Spotify playlists, your music collections—you get a taste profile that you own. It lives in your system, under your control, and it’s good enough to do interesting things with.

Meal planning and culinary consulting. Forget smart fridges. I tell Lollo what’s in our pantry and fridge-on the go, via voice, whenever I remember. Not everything, but ingredients that survive a week’s cooking cycle. Based on what’s actually there, it suggests dishes that match our preferences. The agent knows our priorities: ingredients and mise en place steps first, pro kitchen hacks in the spirit of Kenji López-Alt woven in. When I forward an order confirmation from the grocery store or snap a receipt, the inventory updates. No deterministic systems that demand manual entry into spreadsheets. Get it out of my head, let the agent handle it. The pantry inventory lives inside the skill itself, not in the agent’s global memory-domain-specific knowledge stays with the domain. This works really well for us.

Contact management. After meetings or on the go, I can quickly dictate the people I just met. Mixed with photos of business cards, LinkedIn profile links, whatever I have. From this mess, Lollo creates clean new contacts or updates existing ones. It’s the contact management workflow I always wanted but never had.

What I’ve Learned

Three weeks in, a few things have become clear.

Skills are the killer feature. OpenClaw’s architecture lets the agent develop its own capabilities in collaboration with me. The color consulting skill, the document filing skill, the meal planning skill-these weren’t downloaded from a marketplace. They were built iteratively, in conversation, based on what I actually needed. And they keep improving. They are automatically tracked in git. When something doesn’t work the way I want, I tell Lollo, and the skill gets updated.

This is fundamentally different from the “upload a file to customize your GPT” approach. Skills contain domain knowledge, behavior, and, if you want, memory! They’re not just context—they’re capabilities. And they persist separately from the agent’s general memory, which means I can iterate on them without polluting the core system. They are also portable, because agent skills are an open standard now.

Your data stays yours. At least at rest, for as long as frontier intelligence needs to be rented. The memory files (and skills) are Markdown on my Pi. The chat logs are JSON on my Pi. I can back them up, version them in Git, grep through them, delete them. If I want to switch models tomorrow-Claude to GPT to Gemini—my data comes with me. Try exporting your conversation history from a ChatGPT Business account sometime. You’ll understand why this matters.

You learn a lot-fast. I’ve learned more about AI agents in three weeks of daily use than I did in a year of reading and doing customer projects. When you yourself actually depend on the thing, you discover the edges quickly. What works, what breaks, what’s unsafe. And: what are totally new ways of working that open up. There’s no substitute for lived experience.

Why This Is Dangerous

Now for the part I can’t skip.

The prompt injection problem is not solved. It’s not close to being solved. Since Google’s CaMeL paper-which proposes a system layer that separates control flow from data flow-there hasn’t been any other promising research on defeating prompt injection at the design level. If you run a personal AI agent with access to your data, you need to understand what Simon Willison calls the Lethal Trifecta:

1. Access to private data (your files, emails, calendar)
2. Exposure to untrusted content (websites, incoming messages, documents from others)
3. The ability to take external actions (send messages, make API calls, write files)

There’s an irony here. As security researcher Jamieson O’Reilly points out:

“Over the past 20 years, the infosec industry has built numerous defensive barriers-sandboxes, process isolation, permission models, firewalls. However, AI agents break all of these defenses. They need access to files, credentials, command execution, and external services.”

The value proposition of a useful personal agent requires punching holes through every boundary we’ve spent decades building.

When an agent has all three—and a useful personal agent usually does-an attacker can craft input that makes your agent do things you didn’t authorize. Read your private data and exfiltrate it. Send emails on your behalf. The model can’t reliably distinguish between your instructions and malicious instructions embedded in content it processes.

This isn’t theoretical. Security researchers have demonstrated these attacks against every major AI product. The architecture is fundamentally vulnerable.

What I do about it:

• The Pi runs isolated from my work machines. No access to employer data.
• OpenClaw binds to localhost only. The only way in is through Tailscale, which has its own authentication.
• The agent runs sandboxed. This limits the blast radius: no access to other processes on the host, no privilege escalation, no access to credentials that aren’t explicitly mounted (SSH keys, other API tokens), no lateral movement to other systems. But the important data still needs to be mounted as a volume-otherwise the agent couldn’t access my notes. If compromised, it can’t spread beyond what’s mounted. But what’s mounted is exactly what matters. Simon Willison has a short guide on running OpenClaw sandboxed in Docker.
• I’m experimenting with subagents whose tool access is restricted to the minimum required for each skill. The particularly vulnerable skills—the ones where the trifecta fully applies-run in constrained subagent processes. But the main agent process remains susceptible. It’s defense in depth, not a solution.
• OpenClaw also supports multi-agent setups where you can run separate agents with different security profiles. You could create a dedicated agent that has one head of the trifecta removed entirely—no external network egress via firewall rules, or mandatory exec approvals. The trade-off: that agent would need its own WhatsApp conversation, which isn’t as smooth as one agent handling everything. I’m considering this for the family document archive.
• I don’t install skills from ClawdHub (or anywhere else). Skills are easy enough to create myself—I just have a conversation with Lollo about what I need, he proposes an approach, we iterate, and the skill emerges. Why install something that worked for someone else when the whole point is that this is customized to me? An agent is able to write the documentation as well as scripts and tools needed for a certain skill.
• I don’t connect my agent to Moltbook, of course. Moltbook is a social network where OpenClaw agents can talk to each other-highly interesting experiment, but also a direct channel with very high exposure for untrusted content to reach your agent.

I also experimented with email integration. The pattern is predictable: the more access you give, the more powerful it gets. During the experiment, Lollo searched my emails, drafted replies that sounded like me, explained connections I had missed, linked messages to my ideas and todos, and sent responses on my behalf. It was extraordinarily useful—a glimpse of what’s possible. It was also extraordinarily dangerous.

I activated an egress firewall and put the agent in approve—only mode, every action requiring my explicit confirmation. But the exposure is just too high. One malicious email with embedded instructions is all it takes. It’s like russian roulette. I haven’t enabled it again since that locked-down experiment.

There are approaches to significantly reduce or even eliminate the trifecta risk for use cases like email. Figuring these out will be one of the defining challenges for software architects in the years ahead.

I’m managing risk, not eliminating it. I’ve made decisions about what I’m willing to expose and what I’m not. If you’re going to run a personal agent, you need to make those decisions too—and you need to understand what you’re trading off.

In practice, this is hard. The whole point of a personal agent is that it’s deeply integrated. But “hard” doesn’t mean “ignore it.” It means “think carefully.”

So, Should You?

If you have experience with Linux system operations-ideally some software development background-understand the security implications, and want to learn how AI agents actually work in practice: yes. You’ll learn more in a few weeks than in a year of reading.

If you’re looking for a polished product that just works safely out of the box—not yet. This is frontier territory. Guardrails do exist, and security is considered from the start-contrary to how it’s often portrayed in public discourse. But you need to understand the Lethal Trifecta inside and out, and the default settings don’t ship with much protection. See the security documentation and system prompt guardrails if you want to go deeper.

For me, the experiment continues. The value is enormous—and I’ve only given a glimpse of my use cases here. The risks are real. And somewhere in between, there’s a future where personal AI agents are normal—not because we solved the hard problems, but because we learned to navigate them.

For Those Building

My takeaway for anyone building in this space: The most important job for agent engineers and software architects won’t be prompt engineering. It will be designing agent environments and guardrails that maximize capability and autonomy while maintaining responsibility and security. Model capabilities are good enough. The integration patterns are emerging—and it’s our job to shape them, not just apply them. This isn’t only about security. It’s about the future of what software architecture even means.

For years, our discipline has largely been about applying known patterns to new problems. That era is ending. Innovation is now the baseline. The patterns we need don’t exist yet—we have to build them. If you’ve been waiting for permission to do something genuinely new: this is it. It’s going to be an exciting time.

I’ll write more about specific use cases and their agentic architectures in future posts.

Thanks to my friends Roman Stranghöner and André Deuerling for their feedback on an earlier draft of this post.