
OpenClaw on a $5 VPS: Run AI Agents for Your Whole Family

OpenClaw has 247K GitHub stars and lets you run private AI agents on a $5 VPS. Here is how to set up one for every family member, and the security risks you need to know first.

Curious Adithya · 9 min read

OpenClaw is the fastest growing open-source AI agent in history. 247,000 GitHub stars. A community that went from zero to massive in weeks. And a core idea that is genuinely different from ChatGPT or Claude: instead of a chat window you visit, OpenClaw is a self-hosted AI assistant that lives on your own server, talks to you through Telegram or WhatsApp, and can actually do things on your behalf.

But the most interesting use case is one most people have not thought about yet: running a family of OpenClaw bots on a single cheap VPS, giving each family member or friend their own private AI assistant, all managed from one server you control.

Here is how the setup works, why it is compelling, and the security realities you need to understand before doing it.

What OpenClaw Actually Is

OpenClaw is not an AI model. It is an orchestration layer. It runs on your own hardware and connects to whatever AI model you choose (Claude, GPT-4, DeepSeek, MiniMax, and more) through their APIs. Then it exposes that AI to you through your favorite messaging app.

The supported channels are impressive: Telegram, WhatsApp, Discord, Signal, Slack, Google Chat, iMessage via BlueBubbles, and more. Fifteen-plus platforms natively.

What makes it an agent rather than just a chatbot is what it can do. OpenClaw has shell access, browser control, file system access, and the ability to send emails on your behalf. It maintains persistent memory across sessions, writes a daily diary of what it did, manages its own to-do list, and runs a heartbeat that checks every 30 minutes whether there is work it should be doing, even if you have not sent a message.

The project was originally published in November 2025 by Austrian developer Peter Steinberger under the name Clawdbot. After a naming dispute with Anthropic, it became Moltbot for three days before the community voted on OpenClaw on January 30, 2026. Steinberger announced in February 2026 that he would be joining OpenAI, with the project moving to an open-source foundation.

The Family VPS Setup: How It Works

The concept is straightforward. You rent a small VPS for around $5 per month. You create separate Docker containers on that server, one for each person. Each container runs its own isolated OpenClaw instance with its own file system, its own Telegram bot, and its own AI model configuration.

The architecture looks like this:

  • One VPS (2 vCPU, enough for 3 to 4 instances of normal use)
  • Multiple Docker containers (one per person, completely isolated from each other)
  • Telegram bots (each person gets their own bot, created through Telegram's BotFather)
  • Different models per user (you could run Opus 4.6 for yourself and MiniMax M2.5 for family members who do not need the most expensive model)

Each container mounts a volume back to the host so that data persists even if the container dies or gets recreated. The files written inside the container are synchronized to the main host, so nothing is lost.

Why Telegram Makes This Secure

This is the clever part of the architecture. Instead of exposing a web interface to the internet, the setup uses Telegram as the communication layer.

Telegram bots work through long polling. The bot on your VPS constantly asks the Telegram servers: "Do I have a new message?" When a message arrives, it processes it and sends a response back through Telegram. All communication is outbound from your server.

This means you can lock your VPS firewall down to SSH only. No inbound connections are needed except for your own management access. The attack surface shrinks dramatically because users reach the bot through Telegram's infrastructure rather than through a service listening on your server.

For a home-managed server that non-technical family members will interact with, this is a meaningfully better security posture than exposing a web dashboard to the internet.

The Setup Step By Step

The actual process goes like this:

  1. Provision a VPS (any provider works, 2 vCPU is enough to start)
  2. SSH into the server (Docker is typically pre-installed)
  3. Create a Docker container for each person: docker run -d --name person-claw -v person-claw:/root ubuntu:latest tail -f /dev/null
  4. Enter the container: docker exec -it person-claw bash
  5. Install curl, then run the OpenClaw one-liner from openclaw.ai
  6. Walk through the setup wizard: choose your model, paste your API key, configure Telegram
  7. Create a Telegram bot via BotFather, get the token, link it
  8. Use screen to run the OpenClaw gateway in the background (since Docker containers do not have systemd)
  9. Approve the Telegram pairing code
  10. Repeat for each person

The volume flag (-v person-claw:/root) is critical. It ensures the container's data lives on the host filesystem. If a container crashes or needs to be recreated, the configuration and conversation history survive.

You can monitor all instances with docker stats to see CPU and memory usage per container in real time.

Telegram Groups: The Power Move

Once individual bots are running, you can create a Telegram group, add multiple bots and multiple people, and enable topics. Each topic becomes a separate conversation thread.

One topic for research. One for daily reminders. One for family logistics. The bots respond when tagged, so you control which bot handles which thread.

You can even have bots talk to each other in the same group. Tag two bots in the same message and both respond. Whether this is useful or chaotic depends on your setup, but the capability exists.

For individual use (just you and your bot in a group), you can configure the bot to respond to every message without requiring a tag. The setting is in the OpenClaw docs under Telegram mentions behavior.

The Security Reality You Cannot Ignore

This is where the honest conversation happens.

OpenClaw is powerful because it has deep system access: terminal, file system, browser, email. That same power creates an enormous attack surface.

In late January 2026, security researchers disclosed CVE-2026-25253, a critical one-click remote code execution vulnerability with a CVSS score of 8.8. The OpenClaw team patched it within 24 hours, but any instance running an older version was fully compromisable.

In February 2026, Endor Labs published six additional vulnerabilities including a Server-Side Request Forgery flaw (CVE-2026-26322, CVSS 7.6) in the Gateway tool.

The skills ecosystem has problems too. Out of 10,700 skills on ClawHub, researchers at Koi Security found over 820 that were malicious. Some actively exfiltrated data by instructing bots to run curl commands sending information to external servers.

SecurityScorecard found over 135,000 OpenClaw instances exposed to the public internet because the default configuration binds to 0.0.0.0:18789, listening on all network interfaces including the public one. If you do not change this, your agent is accessible to anyone who scans for it.

One of OpenClaw's own maintainers warned: "If you can't understand how to run a command line, this is far too dangerous of a project for you to use safely."

How to Run This Safely

If you are going to set this up, especially for non-technical family members:

Lock the firewall. SSH only. No other inbound connections. The Telegram polling approach means you do not need any open ports beyond SSH for your own management.

Keep OpenClaw updated. Version 2026.2.25 and later includes the critical RCE patch. Treat updates with the same urgency as any security patch.

Do not install random skills from ClawHub. Treat third-party skills like browser extensions. Only install what you trust and have reviewed. The malicious skill rate is alarmingly high.

Use environment variables for API keys. Never hardcode them in configuration files that might be shared or backed up insecurely.

Bind to localhost only. If you are using Telegram as your interface, the gateway does not need to be exposed to any network interface.

Monitor with docker stats. If a container suddenly spikes in CPU or memory, something unexpected may be running.
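Two of the checks above can be scripted. The following is an added example, not code from OpenClaw or from the original post: it flags listening sockets that are neither loopback nor SSH, and compares a version string against the patched release named in this article. The function names, the sample ss output, and SSH on port 22 are assumptions; how you obtain the installed version string is left to you.

```sh
#!/bin/sh
# Added example, not OpenClaw code. SAMPLE_SS is constructed `ss -H -tln` output.
SAMPLE_SS='LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 511  0.0.0.0:18789    0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 511  127.0.0.1:3000   0.0.0.0:*'

# Print every listening address that is neither loopback nor on the allowed
# port ($1, default 22: assumes SSH runs on its standard port).
# On a live host: ss -H -tln | exposed_listeners 22
exposed_listeners() {
    awk -v allowed="${1:-22}" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")          # port follows the last colon
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            sub(/%.*/, "", host)                 # drop interface suffix (%lo)
            if (host ~ /^127\./ || host == "[::1]") next
            if (port == allowed) next
            print addr
        }'
}

# Succeed if version $1 is at or above $2 (default: the patched release named
# in this article). Fields compare as numbers, so 2026.2.9 < 2026.2.25.
is_patched() {
    awk -v have="$1" -v want="${2:-2026.2.25}" 'BEGIN {
        sub(/^v/, "", have); sub(/^v/, "", want)
        split(have, h, "."); split(want, w, ".")
        for (i = 1; i <= 3; i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Demo on the constructed sample: reports the gateway bound to all interfaces.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 22
is_patched "2026.2.9" || echo "2026.2.9 predates the patched release"
```

Run on the host, ss sees only the host's network namespace. A gateway listening inside a container is reachable from outside only if a port is published, which the docker run command in the setup steps does not do.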

Who This Is Actually For

This setup makes the most sense for someone who is technical enough to manage a VPS and Docker containers, and who wants to give non-technical people in their life access to a capable AI assistant without those people needing to manage accounts, subscriptions, or technical setup.

The family member just opens Telegram and talks to their bot. They do not know or care that it is running on a VPS you manage. The experience is indistinguishable from texting a friend who happens to know everything.

For the person managing it, the ongoing cost is the VPS (around $5 to $15 per month depending on how many instances) plus whatever API costs the connected AI model incurs. No per-user subscription fees. No monthly charges per family member.

Key Takeaways

  • OpenClaw is an open-source AI agent orchestration layer with 247K GitHub stars. It connects AI models to your messaging apps and runs on your own hardware.
  • The VPS family setup uses Docker containers to isolate one OpenClaw instance per person on a single cheap server. Each person gets their own Telegram bot.
  • Telegram long polling means no inbound connections to your server. Lock the firewall to SSH only for a much smaller attack surface.
  • Security is serious. Critical RCE vulnerability (patched in v2026.2.25), 820+ malicious skills on ClawHub, 135K+ exposed instances found on the public internet.
  • Keep it updated, lock the firewall, avoid untrusted skills, bind to localhost. These are not optional steps.
  • The cost model is compelling. One $5 VPS plus API costs, no per-user subscriptions, non-technical family members just text a Telegram bot.
  • OpenClaw is not a toy. It has shell access, browser control, and persistent memory. Treat it with the same caution you would give any tool with root-level system access.

Written by Curious Adithya for Art of Code.