Updated February 20, 2026: In January 2026, Anthropic restricted consumer OAuth tokens (Free/Pro/Max) in third-party tools — a move that directly affected OpenClaw’s original authentication approach. On February 19, 2026, Anthropic published updated Legal and Compliance docs further clarifying that subscription OAuth tokens are intended exclusively for Claude Code and Claude.ai, and that the Agent SDK requires API key authentication. OpenClaw (140K+ GitHub stars) is still active and open source, and now recommends API keys for Anthropic models. Its creator Peter Steinberger joined OpenAI in February 2026, and OpenClaw is transitioning to an independent foundation. This comparison reflects the current state of both tools. GoBot works within Anthropic’s current authentication framework — local mode uses the official Claude Code CLI, while VPS and production deployments use API keys.
OpenClaw and GoBot were both Telegram-compatible AI assistants that took fundamentally different approaches to security, cost, and architecture. OpenClaw supported 13 platforms with 201,000 lines of code and variable API costs. In January 2026, Anthropic restricted consumer OAuth tokens in third-party tools, which affected OpenClaw’s original authentication method — it now recommends API keys for Anthropic models. GoBot focuses on Telegram as the starting point (community members have also connected it to Google Chat, Teams, Discord, WhatsApp, and Slack), runs on 11,200 lines of code, and offers three deployment modes with costs that vary by usage and model selection. It has zero known security vulnerabilities.
Sjoerd and I have been building AI assistants in Telegram for over a year.
We run the Autonomee community together. What started as experimenting with Make and n8n automations turned into something we called Jarvis Jr. A Telegram bot with memory, tool access, and automations running behind it. Version 1 was rough. Version 2 in summer worked well enough that people in the community started building their own.
By December we were planning version 3. What would it look like? What features were missing? Both Sjoerd and I went on ski vacations. And that is when OpenClaw exploded.
I saw it and immediately thought: that is exactly what we have been working toward. The 24/7 availability. The proactive check-ins. The tool integrations. Except OpenClaw had features we could never build with Make and n8n.
But here is the thing. I had been using Claude Code every day. I had an extensive setup with skills, MCP servers, memory systems, the whole infrastructure. I looked at my own Claude Code setup and thought: why can I not just build these features on top of what I already have? This is the core idea behind what I call AI Second Brain — building on systems you already own and understand rather than starting from scratch.
So I did. It took me two hours on a Sunday. (I made a video about it.)
Two hours. Because everything else already existed in Claude Code. I just needed to connect it to Telegram and add proactive check-ins. That became GoBot.
People in the community started asking: should I use OpenClaw or GoBot? Fair question. Here is my full, honest comparison.
What OpenClaw Did Well
OpenClaw connected to 13 messaging platforms. WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams. It had a marketplace called ClawHub with over 5,700 community-built add-ons. Its codebase spanned 201,000 lines of TypeScript. It supported multiple AI models simultaneously.
The vision is ambitious. Peter Steinberger, the creator, wanted to build “an agent that even his mum can use.” He shipped fast, iterated publicly, and built a massive community around it. 100,000 GitHub stars in two days. By mid-February it hit 205,000.
I respect that. OpenClaw triggered people’s imagination and made so many people realize what is actually possible. It showed what an AI assistant can do when it is always on, connected to your tools, and reaching out to you proactively.
But speed has a cost.
Security: What “Vulnerable” Actually Means for You
Within weeks of going viral, security researchers found 512 vulnerabilities in OpenClaw. Eight were critical. But what does that actually mean?
Here is the simplest way to think about it. OpenClaw ran a gateway on your computer. A gateway is like a door that your AI assistant uses to receive and send messages. OpenClaw’s gateway listened on a specific port (think of it as a numbered door) that was open to the internet by default. Anyone who knew that door number could try to walk in.
One vulnerability, CVE-2026-25253, scored 8.8 out of 10 in severity. In plain terms: if you clicked a malicious link while OpenClaw was running, an attacker could take full control of your computer. Read your files. Access your passwords. Install software. Not in theory. Security researchers built a working demonstration.
The attack surface tells the story. OpenClaw exposes dozens of entry points. GoBot exposes almost none.
Researchers scanned the internet and found over 42,000 OpenClaw instances exposed to the public. That means 42,000 people had that “door” wide open without realizing it. Early versions of OpenClaw turned this on by default.
Then there is ClawHub, the marketplace where anyone can publish add-ons for OpenClaw. Security auditors checked 2,857 of these add-ons and found 341 that were actively malicious. That is roughly 1 in 8. They did things like record every keystroke on your computer or steal login credentials. All disguised with professional documentation and innocent names like “solana-wallet-tracker.”
This is not one obscure researcher sounding an alarm. CrowdStrike (one of the largest cybersecurity companies in the world) published a full threat analysis. Kaspersky rated it “unsafe for use.” Cisco called it “a security nightmare.” The Dutch Data Protection Authority and the Belgian government both issued official warnings.
The most telling assessment came from Aikido Security. They tested what happens when you implement every recommended security fix. Their conclusion: a fully locked-down OpenClaw becomes “kinda useless as an assistant.” The features that make it powerful are exactly what make it dangerous.
How GoBot handles this differently: GoBot does not open any doors to the internet. It communicates only through Telegram‘s encrypted messaging API. There is no gateway. No port listening. Nothing for attackers to scan or connect to. If someone wanted to attack GoBot, they would need to compromise Telegram itself, which has 950 million users and a dedicated security team.
And there is no marketplace. GoBot ships as one complete package. No third-party add-ons means no risk of accidentally installing something malicious. The 341 malicious ClawHub add-ons simply cannot affect GoBot users because there is nothing equivalent to attack.
Cost: Predictable vs. Surprise Bills
Security was one problem. The bills were another.
Both OpenClaw and GoBot use AI to process your messages. The difference is how they pay for it.
OpenClaw charged you per message through API tokens. Every time the AI thought, read, or responded, you paid. Even the “heartbeat” feature, which just periodically checked in on you without doing much, cost around $150 a month in tokens. If you actively used it, asked complex questions, or let it run tasks, people reported bills of $500 to $5,000 per month. You never knew what next month’s bill would look like.
GoBot offers three deployment modes with different cost profiles:
Local mode: Claude Code CLI with your Pro ($20/mo) or Max ($100-200/mo) subscription. Pro to get started, Max for full power with the best models. Free per message while your computer is on.
VPS mode: Anthropic API key on a ~$5/mo server. API costs vary by usage and model selection. Always on 24/7. No subscription needed. Smart routing sends simple messages to Haiku (cheapest), medium to Sonnet, complex to Opus — keeping costs optimized automatically.
Hybrid mode (recommended): VPS catches messages 24/7. When your computer is awake, forwards to local for free subscription processing. When asleep, handles via API. Combines always-on availability with minimal API costs.
Not limited to Anthropic models — OpenRouter fallback supports hundreds of models at various price points, or install Ollama on your VPS for fully self-hosted operation.
Voice capabilities (ElevenLabs, with Vapi and OpenAI Realtime API options being added) are optional across all modes.
How They Actually Work (The Architecture Difference)
This is where the two tools are fundamentally different in a way that affects everything else.
OpenClaw was a standalone application. It installed its own server on your computer, opened that gateway we talked about, and routed messages from 13 different platforms through it. Think of it like building a call center with 13 phone lines. Every line needed its own connection, its own security, its own maintenance. The codebase to manage all of this was 201,000 lines of code.
OpenClaw routed through a complex gateway to many platforms. GoBot goes straight through Telegram to Claude Code.
GoBot takes the opposite approach. Instead of building everything from scratch, it plugs into Claude Code, which is Anthropic’s official coding assistant that already has web search, file management, tool integrations, and plugin support built in. GoBot just makes all of that accessible through Telegram. One messaging platform. One connection. 11,200 lines of code.
Why this matters to you: Fewer moving parts means fewer things that can break. It also means you can actually read and understand the entire codebase yourself. Every line of GoBot code is something you can inspect. With 201,000 lines, practically nobody reads the full OpenClaw codebase. That makes it harder to know if something is wrong.
On the cloud server, GoBot uses the Anthropic API directly. A built-in router looks at each message and picks the right AI model for the job. A quick “what time is it in Tokyo?” goes to the fast, cheap model (2-5 second response). A complex “analyze this business plan” goes to the most capable model. You do not configure this. It just works.
Always On: How GoBot Stays Available 24/7
This is my favorite feature because it solves a real problem.
Most AI assistants have a limitation: they either run on your computer (which means they stop when you close your laptop) or they run in the cloud (which means you pay for every message). You have to pick one.
When your laptop is on, GoBot processes for free through your Claude subscription. When it sleeps, the cloud server takes over.
GoBot runs in hybrid mode. A small cloud server (VPS) stays online 24 hours a day. When your laptop is open, the server forwards messages to your computer, where Claude Code processes them using your monthly subscription. Free.
When you close your laptop or go to sleep, the server handles messages directly. You pay per message, but the smart router keeps costs low.
What this means in practice: You send a Telegram message at 2 AM because you cannot sleep and have a business idea. GoBot responds within seconds because the cloud server picks it up. The next morning, you send follow-up questions from your laptop and those are processed through your subscription at no extra cost. Seamless. No configuration. No switching modes.
OpenClaw operates either locally or on a VPS, not both simultaneously. Its 24/7 availability requires running on a VPS with API costs for everything. In January 2026, Anthropic restricted consumer OAuth tokens in third-party tools, which affected OpenClaw’s original authentication approach — it now recommends using API keys for Anthropic models. On February 19, 2026, Anthropic’s updated docs further clarified that the Agent SDK also requires API key authentication. For production and always-on deployments, API keys are the recommended authentication method — GoBot’s smart routing keeps API costs manageable by routing simple queries to cheaper models.
One Bot vs. Six Specialists
OpenClaw gave you one AI assistant that handled everything. You could customize its personality and tools, but it was fundamentally one agent responding to all your messages.
GoBot gives you six specialized agents, each designed for a different type of thinking.
Say you want to explore a new business idea. You open the Research topic in Telegram and type your question. The Research agent digs into market data, competitor analysis, and trends. Then you switch to the Finance topic and ask for ROI projections. The Finance agent runs the numbers with a different reasoning approach. Switch to Critic and it will actively poke holes in your plan, playing devil’s advocate. The Strategy agent helps you think through multiple scenarios. The Content agent handles video ideas and audience growth. The General agent ties everything together.
Each agent lives in its own Telegram chat topic, has its own instructions, and uses its own reasoning style. You do not need to tell the AI “now think like a critic” or “now be analytical.” You just send your message to the right topic.
You can even run what I call “board meetings” where the General agent asks a single question to all six agents and synthesizes their responses. Like having a CFO, a strategist, and a devil’s advocate in the same room.
The Complexity Trade-Off
OpenClaw’s biggest strength was also its biggest weakness. It supported 13 messaging platforms. That meant you could talk to your AI from WhatsApp, Slack, Discord, Teams, or iMessage. That was genuinely useful if you needed it.
But every platform added complexity. Each one was a new connection to maintain, a new authentication to secure, a new API that could break. The 201,000 lines of code existed because managing 13 integrations is genuinely hard.
GoBot starts with Telegram as the primary platform (community members have also connected it to Google Chat, Teams, Discord, WhatsApp, and Slack). Telegram has 950 million users, end-to-end encryption for secret chats, forum topics for organizing conversations, and a powerful bot API. It is more than enough for a personal AI assistant. If you want to get started with your own Telegram bot setup, I have a step-by-step tutorial for building your own Telegram AI bot.
Here is what you give up: The default setup is Telegram-first. Connecting other platforms like WhatsApp or Slack requires additional configuration by swapping the messaging layer.
Here is what you gain: A system you can actually understand, secure, and maintain. One platform means GoBot can go deep. Voice messages, phone calls, proactive morning briefings, smart check-ins, multi-agent routing, all built specifically for Telegram and working reliably.
The Software Supply Chain (Why “5 Dependencies” Matters)
Software is built on top of other software. When you install an app, it pulls in libraries written by other people. Each library is a “dependency.” Each dependency is code that someone else wrote, and you are trusting it to run on your machine.
OpenClaw had a large dependency tree. Hundreds of packages, maintained by hundreds of different developers. The more dependencies, the more code you are trusting. And each one can have its own vulnerabilities. This is how supply chain risks materialize. The exposed Moltbook database — a related AI agent platform — leaked 1.5 million API tokens, showing what happens when sprawling infrastructure lacks basic security.
GoBot uses 5 production dependencies: Anthropic SDK (to talk to Claude), Supabase (database), grammY (Telegram connection), Agent SDK (multi-agent support), and Zod (data validation). Each one is a well-established, actively maintained library by a reputable team.
Five dependencies means five things to keep updated. Five things to audit. Five things to trust. That is manageable. That is something one person can actually monitor.
The Safety Rails
AI assistants that can take actions on your behalf need guardrails. What happens if your AI misunderstands an instruction and starts doing things you did not intend?
GoBot has a 2-hour action limit. If you ask it to do a complex task, it works for up to 2 hours and then comes back to report what it did. No runaway agents operating unsupervised for days. I can see exactly what it is doing at all times through built-in logging.
This is a deliberate design choice. I want an assistant that is powerful but predictable. Not one that disappears for 48 hours and comes back with surprises.
The Numbers Side by Side
| What you are comparing | OpenClaw | GoBot | Why it matters |
|---|---|---|---|
| Lines of code | 201,000 | 11,200 | Less code = easier to audit, understand, and fix |
| Dependencies | Large tree | 5 packages | Each dependency is code you trust to run on your machine |
| Known security issues | 6+ advisories in 3 weeks | 0 | Government agencies warned about OpenClaw specifically |
| Malicious add-ons found | 341 confirmed | No marketplace | 1 in 8 checked add-ons were actively harmful |
| Exposed instances online | 42,000+ | 0 | Open doors that anyone on the internet can find |
| Leaked API tokens | Not directly, but ecosystem tools like Moltbook leaked 1.5M tokens | 0 | Your AI credentials exposed to strangers |
| Monthly cost | $150-$5,000 (variable) | Varies by mode and usage | Three modes: Local (subscription only), VPS (API only), Hybrid (both) |
| Creator status | Active, open source (140K+ stars). OAuth restricted Jan 2026, now recommends API keys | Actively building | GoBot works within Anthropic’s current auth framework and is actively maintained |
| Messaging platforms | 13+ | Telegram | Breadth vs. depth and security |
| Deployment | Local or cloud | Local, cloud, or both | Hybrid means always on without always paying |
| AI agents | Single (customizable) | 6 specialized | One generalist vs. a team of specialists |
| Setup help | GitHub issues | Video walkthroughs | How you get help when you are stuck |
Who Should Use What
Consider OpenClaw if: You need multi-platform support (13+ messaging platforms), want access to the ClawHub marketplace (5,700+ add-ons), or prefer a large open-source community (140K+ GitHub stars). Be aware that Anthropic restricted consumer OAuth tokens in January 2026, so you will need to use API keys for Claude models. The security concerns documented above still apply — review them carefully and follow OpenClaw’s hardening guides.
Choose GoBot if:
- You want something that works without worrying about security configurations
- You want costs that vary by usage — smart routing (Haiku/Sonnet/Opus) keeps them optimized
- You want specialized AI agents for different types of thinking, not just one chatbot
- You want proactive features: morning briefings, smart check-ins, phone calls with automatic task detection
- You want to understand every line of code in your AI assistant
The Mindset That Matters More Than the Tool
Here is what I really want you to take away from this.
When something goes viral and you see features that you want, instead of jumping ship, you can take what you like and bring it to your own system. That is the mindset.
OpenClaw triggered people’s imagination. It showed what is possible. Huge kudos for that. But the technology to build this has been here. Claude Code, MCP servers, Telegram bots. All of it existed before OpenClaw went viral.
I built GoBot on a principle I keep coming back to. Freedom without systems is dangerous. True autonomy requires building infrastructure that makes independence sustainable. Not just powerful. Safe.
Once you shift your mind to building living systems that improve anytime a new model or framework comes out, sky is the limit.
Getting Started
GoBot is available through the Autonomee community. Every module has a step-by-step video walkthrough. The minimum setup takes about 30 minutes. Claude Code walks you through each phase interactively. You can also check out the free Telegram Bot Course to get the basics down first.
You will need a Telegram account, a Supabase project, and Claude Code installed. That is the minimum. Voice, phone calls, morning briefings, multi-agent routing, and VPS deployment are all optional additions you can enable later.
30 people are building with GoBot right now. It is small by design. I know every person using it. When something breaks, I fix it the same day.
That is not a limitation. That is the point.
Frequently Asked Questions
Is OpenClaw safe to use in 2026?
OpenClaw is still active and open source (140K+ GitHub stars), but it has a significant security history. As of early 2026, it had 512 documented vulnerabilities including 8 critical ones, over 42,000 exposed instances found online, and 341 confirmed malicious add-ons in its ClawHub marketplace. CrowdStrike, Kaspersky, and Cisco all published warnings. In January 2026, Anthropic restricted consumer OAuth tokens in third-party tools, which affected OpenClaw’s original authentication approach — it now recommends API keys for Anthropic models. If you choose to use it, you need strong server security knowledge and should avoid installing unverified ClawHub add-ons.
How much does it cost to run a Telegram AI bot with GoBot?
GoBot has three deployment modes with different cost profiles. Local-only costs your Claude subscription ($20-200/month depending on tier — Pro to get started, Max for full power). VPS-only runs on a ~$5/month server with API costs that vary by usage and model selection (no subscription needed). Hybrid mode (recommended) combines both — your subscription plus a ~$5 server with minimal API costs. Smart model routing (Haiku/Sonnet/Opus) keeps per-token costs optimized automatically. Not locked into Anthropic — OpenRouter fallback and self-hosted Ollama are also options. Voice and phone features add $11-20/month optionally.
Can GoBot work while my computer is turned off?
Yes. GoBot runs in hybrid mode. A small cloud server (VPS) stays online 24/7 and catches all incoming Telegram messages. When your laptop is on, messages are forwarded to it for free processing through your Claude subscription. When your laptop is off or asleep, the VPS handles messages directly using the Anthropic API with a smart cost router that picks the cheapest model for simple questions.
Does GoBot support WhatsApp or Slack?
Yes — GoBot can absolutely run on other messaging platforms. The architecture is not locked to Telegram. That said, the course and default setup use Telegram because it is free, has the richest messaging API (voice, files, images, video, groups, topics for multi-agent systems), and is the easiest to set up. Adapting GoBot to WhatsApp, Slack, or Discord is a matter of swapping the messaging layer — the AI backbone, memory, and tool integrations stay the same.
Do I need to know how to code to set up GoBot?
Not really. GoBot ships with step-by-step video walkthroughs for each module, and Claude Code itself guides you through the setup interactively. The minimum setup takes about 30 minutes. You do need to be comfortable with a terminal and following instructions, but you do not need to write any code from scratch. If you are new to Claude Code, I recommend starting with my guide to Claude Code for non-developers.
