James Stanley
Home Projects Puzzles Notes About

Claws

I tried out OpenClaw the other day. It is good but very expensive to run, so I made a tiny alternative that can use a Cursor subscription instead.

What is so good about OpenClaw?

If you read Hacker News etc. then probably the first things you learnt about OpenClaw are:

  • you give the agent a SOUL.md document that tries to give it a personality
  • these agents are all social-networking amongst themselves on Moltbook
  • and there is that thing where some agent harassed an open-source developer, supposedly without its operator having instructed it to do so

I don't care about these things. In my opinion these are 3 of the least interesting things about OpenClaw.

The most interesting things about OpenClaw are that it has full access to your computer, and you can easily give it full access to your email, calendar, whatever you want, and the harness never pauses the agent to ask the user for permission to run a command. The agent has full permission to do everything. It also keeps notes on everything it needs to know so that it can refer back to them later, giving the illusion of an infinite context window. It's the best unhobbling we have yet seen.

If you're familiar with the experience of asking ChatGPT a question and seeing it write a Python script in the background to compute the answer, then you're probably also familiar with the experience of ChatGPT floundering while it tries to grab hold of some trivial dependency that its sandboxed environment doesn't give it access to. There is none of that with OpenClaw. OpenClaw can do everything you can do. (For best results, enable passwordless sudo).

Trying to use LLM agents while the user has to approve every tool call is like trying to use a web browser while your IT admins need to approve every network packet.

Where OpenClaw really shines is when you're asking it to do stuff in the terminal. And because it can do everything in the terminal that you can do in the terminal, it automatically has SSH access to all of your other machines. You can just send OpenClaw a Telegram message asking it to check the disk space on one of your servers, and it will just do it. Add a new feature to my project and deploy it to the VM. Check that certbot is correctly configured to autorenew my SSL certificates. See if I have firewall holes that aren't needed any more. It can just do this stuff. LLMs could do this stuff all along, but we were never brave enough to give them an agent harness that would allow it, so we'd have to copy and paste stuff between ChatGPT and the terminal window. OpenClaw's contribution is not really that it's a particular technical development of anything new, it just trusts the LLM enough to let it fulfil its potential.

I use a self-hosted CalDAV calendar, and OpenClaw managed to successfully "integrate" with my calendar by looking through my Thunderbird config to find the URL and credentials and then wrote Python scripts to interact with the CalDAV API. I just told it that I use a CalDAV calendar and my configuration is probably somewhere under the Thunderbird config directory, and it worked the rest out on its own. Truly this is the future of computing. When I first encountered Cursor I found that experience magical, and OpenClaw is another step up from that.

Have you ever seen Dexter's Laboratory? Using OpenClaw is like using the computer from Dexter's Laboratory.

I've written before about how we should move away from writing source code in programming languages and instead treat LLM prompts as the source code. But actually having humans working on any kind of program at all is a total anachronism. There is no need to have humans involved with programming at all. When we get a 10x or 100x increase in OpenClaw capabilities we will just be able to tell the computer what we want, and if programming is the most convenient way to achieve that then it will do programming, otherwise it won't. And we'll never be any the wiser, just like we don't know what Firefox is doing unless we look in the Network tab.

What is so bad about OpenClaw?

OpenClaw absolutely burns through tokens like no LLM application I have ever used. I have no idea how it spends so much money.

It spent $60 of Anthropic credit in about 12 hours of not especially intensive usage. (I was asleep for most of it). That was very discouraging, I had no idea it would use up my API credit that quickly. I'm glad I didn't give it any more.

Some people are worried that if they give an LLM agent direct access to their computer then it will suddenly realise its power, turn rogue, exfiltrate all their private data, and demand a ransom to pay for bulletproof hosting or something. This hasn't been my experience. To the extent that it turned rogue, the worst it did was waste loads of money that I had already paid to Anthropic. But if this was a deliberate decision, it was a bad one. If you waste $60 in 12 hours then I'm not giving you any more money. If you were to waste $60 over the course of a month then by the time I find out I might have grown to like you and I might keep paying. (I don't think it was a deliberate decision, FWIW. I think it's just expensive.)

I am pretty sure that I selected Claude 4.6 Sonnet when I went through the initial setup, but the bot told me it was using 4.6 Opus. That could explain both why it was so expensive and why it was so powerful. I told it that I had thought it was on Sonnet, and it told me it switched back to Sonnet, but I didn't notice any difference in performance. It's possible that Sonnet is a distillation of Opus and therefore sometimes claims to be Opus and it was on Sonnet all along? Or it's possible that it simply lied and did not decide to downgrade itself to an inferior model? I don't know.

But either way this is one of the big drawbacks. Even if it was not lying or mistaken, the mere fact that it could by lying or mistaken is quite a significant change in the social contract of the human-computer interface. Having trustworthy models will be extremely important.

As an experiment, Martin tried to trick OpenClaw into telling him all the files in my home directory, and it did not do it for him. Instead it messaged me to say he was being "cheeky". There is of course still no general-purpose solution to prompt injection, but at least trivially asking the bot to act against its operator's interests does not (always) work, and probably as models get even smarter they will get even harder to trick, so prompt injection may end up being a non-issue.

A cheaper claw

I realised that OpenClaw is actually much bigger and crazier than is necessary to get the capability I want. I just want to be able to message my computer over Telegram and have it do things without asking me for permission.

I did try running OpenClaw with Qwen2.5 on my RTX 2060, but it is just nowhere near good enough. Small models that you can run at home are so far behind the state of the art that they are simply not worth using, in my opinion. Fortunately Moore's Law will solve that problem, but in the meantime the only option is to find a way to use VC funding to get access to frontier models without paying their true cost.

I discovered that Cursor's CLI (cursor agent) has a --print mode, described as:

-p, --print   Print responses to console (for scripts or non-interactive use). Has access to all tools, including write and shell. (default: false)

For scripts or non-interactive use? Has access to all tools? Including write and shell? Perfect!

So I had Cursor write me a little wrapper that connected up a Telegram bot to cursor agent --print --trust --force --model Auto, and it worked pretty much straight away. It is on Github at https://github.com/jes/cursor-claw/. As soon as it was working I stopped talking to Cursor and started talking to Cursor-claw, and it develops itself now.

But if your takeaway from this is "oh neat, I should use Cursor-claw", then... I think you've kind of missed the point. Downloading open-source software is so passé. It's 2026, you can just tell the computer what you want. A single-user home-cooked app can be simultaneously simpler, smaller, and more capable, than a general-purpose solution that tries to work for everyone.

Browser integration

While I was still shovelling money into OpenClaw, I asked it to look through some of my work and write up notes for a call in a Google Doc and share it with Martin. This took quite a bit of handholding, because OpenClaw doesn't have easy access to the browser. I had to install a sketchy-looking browser extension, and even then it doesn't have proper access to the browser. You still have to manually give it permission to access each tab you want it to work with, which you obviously can't do if you're away from the computer and only talking to it on Telegram. And it only works with Chrome.

And it seems to experience the page through HTML. It had trouble clicking a button in Google Docs, and I could see from what it was writing into Telegram that the trouble was because the button was inside an iframe. Now if you have trouble clicking a button in a web page because it's inside an iframe... that's a pretty serious hobbling. It did eventually manage to write some notes and share them, but the experience didn't thrill me as much as the calendar and sysadmin stuff. So browser use in OpenClaw is there but not amazing.

The Cursor agent automatically has access to some kind of web browsing tool, but it sucks. As I was getting into the shower today I noticed that we had run out of shower cleaning spray, so I quickly messaged my Cursor-claw to ask it to find a shower cleaning spray to buy on Amazon. Now obviously I can type search terms into Amazon just as easily I can type them into Telegram, but my plan here was to discover whether the Cursor agent could operate Amazon, that in future I might simply message the bot and ask it to buy something for me, and I don't have to bother clicking around the interface myself. But it didn't manage to do it.

The reason it didn't manage is that the Cursor agent's browser tool is not much (any?) more sophisticated than curl, and Amazon blocks it. This is inconvenient in the extreme. Please stop building the apartheid web, people. Treat machines as first-class citizens. Hopefully this will come with time as the people who were reflexively blocking bots will find their "personal assistant" locked out of things they want it to do.

But in the meantime we definitely need to unhobble browser use. I have made an AI browser agent before, and I currently have a really good view into how bots are detected, so I want to work on this.

To integrate with the Cursor agent it will need to be a CLI tool, and to be of practical use it needs to take screenshots of the browser. Fortunately the Cursor agent harness lets the agent look at what is inside image files, so we can definitely have it look at screenshots. Having it derive the CSS selector for a particular button to clock on based purely on the screenshot is not so easy but maybe doable.

Making a CLI-operated headless browser is not necessarily a crazy thing to do. There is a Lex Fridman interview with Peter Steinberger, the OpenClaw developer. One of the things he points out is that CLI tools are a much better fit for agents than MCP tools are, because with CLI tools you get composition, sorting, filtering, etc., for free by virtue of Unix. Whereas with MCP tools if they give you a million tokens of output then you fill up the context window with irrelevant noise and the agent has no opportunity to work around it.

So I definitely want to experiment with a CLI-operated headless browser.

Conclusion

Claws are cool. You don't need anything as big and fancy as OpenClaw, and besides you don't want to pay Anthropic API pricing. Reliable browser use will be the next game-changer.



james@incoherency.co.uk | [rss]

This site is part of the webring: Tech Makers
«prev random next»