local-ai

OpenClaw + Ollama: Run Your Own Private AI Agent Without Cloud APIs

Ollama's new OpenClaw integration lets you run AI agents locally through WhatsApp, Telegram, or Slack. Here's how it works, what you need, and the security risks nobody mentions.

Ollama announced OpenClaw integration on February 1, making it significantly easier to run private AI agents that process your messages, files, and tasks without sending data to third-party servers. One command - ollama launch openclaw - connects your local models to WhatsApp, Telegram, Slack, Discord, or iMessage.

This matters because agentic AI is exploding, but every major player (ChatGPT’s GPTs, Claude’s computer use, Gemini’s agents) routes through corporate servers. OpenClaw flips that model: your data stays on your hardware.

Here’s how to set it up, what you actually need to run it, and the security risks the tutorials don’t emphasize.

What OpenClaw Actually Does

OpenClaw bridges messaging platforms to AI coding agents running on your machine. You send a message requesting a task through WhatsApp or Telegram, OpenClaw processes it using local Ollama models, then delivers results back through your messaging app.

The practical applications:

  • Email summarization and drafting
  • Document analysis without uploading to cloud services
  • Expense tracking from receipts
  • Research across local document libraries
  • Browser automation for data extraction
  • Workflow automation through natural language

OpenClaw runs entirely on your hardware - Mac, Linux, Windows, or server. No API costs. No internet dependency for inference. No conversations stored on someone else’s servers.

What You Need

OpenClaw requires models with at least 64,000 tokens of context to reliably complete multi-step tasks. That rules out smaller models designed for quick queries.

GPU Requirements

According to ClawTank’s guide, you need enough VRAM to run larger models at acceptable speeds:

Best quality (workstation GPU): Qwen 2.5 72B or Llama 3.3 70B in Q4 quantization. Requires 44-48GB VRAM.

Sweet spot (consumer GPU): Qwen 2.5 32B in Q4 quantization. Requires 20GB VRAM. An RTX 4090 achieves 35-45 tokens/second; an RTX 3090 hits 25-35 tokens/second.

Minimum viable (limited hardware): Llama 3.1 8B or Qwen 2.5 7B. Works with 5-6GB VRAM but agent capabilities suffer.

CPU-only inference is technically possible but impractical - even a Ryzen 9 7950X only manages 12-18 tokens/second, making complex tasks painfully slow.

Ollama’s official blog post suggests several options:

For local operation:

  • qwen3-coder - coding-optimized, good for development tasks
  • glm-4.7 and glm-4.7-flash - general-purpose agents
  • gpt-oss variants (20B and 120B) - open alternatives to proprietary models

If you’re willing to use cloud APIs (which defeats the privacy point):

  • kimi-k2.5 - 1 trillion parameter agentic model
  • minimax-m2.1 - multilingual support

Setup Steps

Installation is straightforward if you already have Ollama running:

# Pull a capable model (Qwen 2.5 32B for most users)
ollama pull qwen2.5:32b

# Launch OpenClaw with Ollama integration
ollama launch openclaw

If you need to configure without launching:

ollama launch openclaw --config

This opens the configuration file at ~/.openclaw/openclaw.json. Key settings:

{
  "provider": {
    "type": "openai-compatible",
    "baseUrl": "http://localhost:11434/v1"
  }
}

OpenClaw auto-reloads configuration when the gateway is already running - no restart needed.

The Security Problem Nobody Emphasizes

Here’s what the enthusiastic tutorials bury in fine print: OpenClaw grants an AI system direct access to your local machine. It can execute shell commands, access files, and automate your browser.

AlphaTechFinance’s security guide calls it “God Mode” - and that’s the problem.

Real Risks

Prompt injection attacks: Malicious inputs through your messaging platforms could manipulate the agent into executing unintended commands. This is the agentic equivalent of SQL injection.

Credential exposure: If you hardcode credentials or store them insecurely, the agent’s file access creates exposure. Banking credentials should never touch this system.

Malicious skills: Third-party plugins from ClawHub may request excessive permissions. A skill requesting shell.execute or fs.read_root for basic functionality is a red flag.

Minimum Security Measures

Don’t run OpenClaw as your main user account. Create a dedicated OS user without access to sensitive directories.

Containerize aggressively: Run the Gateway in Docker with explicit folder mappings. Only mount what the agent actually needs.

Set spending caps: If using cloud fallback, set hard daily limits ($5-10) on API calls to prevent runaway costs from agent loops.

Require approval for destructive commands: Configure OpenClaw to request human authorization before executing delete operations, sudo commands, or external network requests.

Whitelist messaging identifiers: Only allow your personal accounts to interact with the agent. Open access is asking for prompt injection attacks from anyone who can message you.

Log everything: Maintain permanent records of all executed commands. You’ll want an audit trail when something goes wrong.

When OpenClaw Makes Sense

OpenClaw excels at background automation tasks where privacy matters and you’re willing to manage the infrastructure.

Good use cases:

  • Processing sensitive documents (legal, medical, financial) without cloud upload
  • Automated monitoring of local systems with conditional alerts
  • Personal knowledge base queries over documents you don’t want indexed
  • Research workflows where you want citations sourced locally
  • Browser automation for repeated data extraction tasks

Bad use cases:

  • Creative writing (ChatGPT still wins here)
  • Casual chat (overkill for simple queries)
  • Anything requiring cutting-edge model capabilities (local models lag proprietary)
  • Users who can’t or won’t manage local systems

The Tradeoffs

Running your own AI agent means:

You get: Complete data privacy. Zero API costs. No internet dependency. Full control over model selection and behavior.

You give up: Latest model capabilities. Easy setup. Automatic updates. Someone else handling security.

OpenClaw isn’t for everyone. But if you’ve been waiting for AI agents that don’t require trusting cloud providers with your data, Ollama’s February integration made that meaningfully easier.

The catch is taking security seriously. “Local” doesn’t mean “safe” - it means the attack surface is your problem now.

Getting Started

  1. Install Ollama for your platform
  2. Pull a 64k+ context model: ollama pull qwen2.5:32b
  3. Launch OpenClaw: ollama launch openclaw
  4. Configure your messaging platform connection
  5. Test with a simple query before enabling destructive commands

Verify your setup works with openclaw status and openclaw chat before connecting to messaging platforms.

The documentation has improved significantly since the February launch, but expect some rough edges if you’re running unusual hardware or want advanced security configurations.