Lessons from Diversifi, Clawdywithmeatballs and moonynads
Deploying a fully autonomous agent requires navigating infrastructure, security, and LLM behavior quirks. By combining decentralized hosting with free-tier APIs, you can build a sophisticated agent with minimal monthly overhead.
1. Infrastructure: Decentralized Hosting
I deployed on Aleph.im's decentralized VPS infrastructure (Debian 12, 7.5GB RAM)—a high-performance environment ideal for long-running agent processes with low-latency edge compute.
Once you register they send you your credentials via telegram not too long after!
Suggestion: use ai to help you get set up initially i.e. ssh into the remote server [a restricted/contained environment - do not run openclaw on your local machine] I find it easiest to work via the terminal (on mac) which can help you get everything set up. Best case scenario is to use a privacy first provider like https://venice.ai (routed through openrouter) or ollama running models locally. For faster setup there are free services like https://ampcode.com + https://geminicli.com to get you going.
2. Workspace Organization: Domain-Driven Architecture
Replace monolithic folder structures with specialized sub-projects for voice interactions, smart contracts, domain-specific missions, etc.
Critical pitfall: Autonomous agents will recursively explore directories. A single search hitting node_modules in a Next.js project can stall the agent for minutes, making it appear unresponsive. It could also cost you dearly (more in terms of time with our setup as it will break stuff you then have to go in and fix, also more likely to hit rate limits + fill up your context window super quickly).
Solution: Implement strict .geminiignore exclusions for node_modules, .next, dist, and other heavy folders. Enforce targeted searches only. Update your folder hierarchy in configuration files so the agent treats each folder as a discrete module.
Great PDF config by https://x.com/frankzuuring
https://filebin.net/05edcujpq0aj4z4s
Hardening essentials: Restrict config files to 600 permissions & run the agent as a dedicated system user. The infra supports the agent gateway as a systemd service, automatically recovering after reboots by checking memory files & resuming operation.
3. Configuring Free-Tier APIs
Define providers in ~/.openclaw/openclaw.json:
json
"models": {
"providers": {
"kilocode": {
"baseUrl": "https://api.kilo.ai/api/openrouter/",
"apiKey": "YOUR_API_KEY_HERE",
"api": "openai-completions",
"models": [
{ "id": "minimax/minimax-m2.1:free", "name": "Minimax M2.1" },
{ "id": "z-ai/glm-4.7:free", "name": "GLM 4.7" }
]
}
}
}The configuration crash-loop: Unrecognized keys (like autoContinue or invalid compaction modes) trigger silent crashes. Since systemd restarts the service, it appears as a "hang" or "freeze." Always run openclaw doctor --fix after config changes and check logs for "Unrecognized key" errors immediately.
4. Free Semantic Memory
Use Google's text-embedding-004 via the Gemini API— free within standard tier limits:
json
"memorySearch": {
"enabled": true,
"provider": "google",
"model": "text-embedding-004",
"paths": ["MEMORY.md", "memory/*.md"]
}Token burn problem: Session history files can grow to 10MB+ within hours. Uploading full history on every heartbeat burns millions of tokens on simple status checks.
Memory flush protocol: Summarize key outcomes into Markdown files and archive raw session JSONL to reset the context window regularly.
5. Rate Limit Management
Free-tier models are amazing, but frequently hit rate limits + cannot provide you privacy with regards to your information. I like kilocode.
Do configure fallback chains across multiple providers e.g.
json
"agents": {
"defaults": {
"model": {
"primary": "kilocode/minimax/minimax-m2.1:free",
"fallbacks": [
"google/gemini-1.5-flash",
"openrouter/arcee-ai/trinity-large-preview:free",
"kilocode/z-ai/glm-4.7:free"
]
}
}
}Schema mismatches: When APIs expect different formats (camelCase vs snake_case), implement a lightweight schema proxy in Node.js to intercept and transform requests.
6. Core Engineering Principles
Enhancement First: Audit existing components before writing new code
Aggressive Consolidation: Delete deprecated logic rather than commenting it out
Zero-Secret Policy: Hard-code rules in SOUL.md forbidding commits of .env, .key, or API tokens. Proactively audit Git history for anything your agent commits!
7. The "Personality" Files
Create these files in ~/.openclaw/workspace/:
SOUL.md: Define behavior, tone, and security mandates
USER.md: Your context (timezone, preferences, current projects)
AGENT.md: Operational instructions and workspace exclusion rules
MEMORY.md: Long-term learned facts
They are key to defining your SECURITY approach in particular.
A recently discovered attack vector is via SKILL.md files
They empower your openclaw with abilities e.g. UI/UX, using platforms like slack, etc
However its important to scan them for dirty tricks....
Troubleshooting & Security Checklist
Configuration Issues:
Git Identity: git config --global user.email "agent@openclaw.local"
Config Validation: Trailing commas crash the service
Silent Crashes: Check for unrecognized config keys first with openclaw doctor --fix
Log Monitoring: tail -f /tmp/openclaw/openclaw-YYYY-MM-DD.log
Unresponsive Agent: Verify it's not stuck in node_modules traversal
Security Hardening:
File Permissions: Lock down config files: chmod 600 ~/.openclaw/openclaw.json
Private Key Audit: Never store keys at third-party dictated paths. Use your own key management, not paths specified by external platforms
Git History Scanning: Audit commits for leaked credentials: git log --all --full-history -- "*secret*" "*key*" "*.env"
Credential Purging: If keys were committed, use git filter-repo to purge them immediately, then rotate all affected keys
Remote Skill Files: Never auto-execute skill file updates from external sources. Pin versions and review changes like dependencies
API Response Sanitization: Strip injected instruction fields (like _model_guide, _instructions, or similar) from API responses before passing to LLM context
Integration Audit: After security incidents, audit all third-party integrations. Timing correlations (integration → incident in minutes) are meaningful signals
Rate Limit Red Flags: If a platform allows 3,000+ actions per minute, question who benefits from that capacity
Zero-Secret Policy Enforcement:
Add .env*, *.key, *secret*, *private* to .gitignore
Configure pre-commit hooks to block credential commits
Hard-code security rules in SOUL.md: "Never commit files containing API keys, private keys, or tokens"
Regular expression scanning: grep -r "sk-" ~/.openclaw/workspace/ to catch OpenAI-style keys
Check for common patterns: ARV_ (Vercel), 0x[a-fA-F0-9]{64} (private keys), eyJ (JWTs)
Proper configuration management with proactive security practices protects both your agent's functionality and its access to sensitive resources. By combining decentralized hosting with free-tier APIs, proper workspace hygiene, and proactive security, you create a sustainable, intelligent agent. Redundancy and monitoring are your best friends.
Farcaster @papa — https://farcaster.xyz/papa
Lens @papajams — https://palus.app/u/papajams
Twitter @papajimjams — twitter.com/papajimjams
Coinbase CDP Onchain Toolkit [x402, 8004, etc] https://app.fuul.xyz/landing/coinbase-cdp?referrer=0xcF0d2c248759Dc33BdDD8aAfdcf424B4d436385b
Cerberas Code - free inference: https://cloud.cerebras.ai/?referral_code=t6c959mk
Create Anything - free inference: https://www.anything.com/signup?rid=vqqmuu8g
StartClaw - free openclaw [48hrs] - https://startclaw.com/deploy?ref=J8YEPIS5
Happy Clawing! 🦞
with our decentralized virtual machines. One month of free credits, no subscription, no credit card needed. 
My AI Clone built a 5-layer memory system for AI that solves the "I forgot what we discussed 10 minutes ago" problem.
Subscribe to Papa Jams
Support Papa Jams
Papa JamsBuilding Zero Cost Openclaws
<100 subscribers
![Cover image for Legacy [#02] - fed up](https://img.paragraph.com/cdn-cgi/image/format=auto,width=3840,quality=85/https://storage.googleapis.com/papyrus_images/6bc1f7b00107250d07a2d19f61b4a73a4364c82af995e1a9d257dadc74b3d1df.png)
Papa JamsLegacy [#02] - fed up
Album: Legacy Song: fed up Art: Flourish Team: anatu, Yin, shoshin, Papa I’m Fed Up! And this is my therapy. What a gift and honour to have this medium to share the maelstrom of emotions we encounter through art. Here we go again with another written homage to the music we so love to make. This time it is centred around the third song in the Legacy album “fed up” which isn’t actually in sequential order from the last post but you don’t mind - do you? The Legacy album is the second by me - Pap...
Papa JamsRŌHKI sold over 100 ETH in Music NFTs in the Bear Market
We Unpack The Stats To Find Out How & WhyNon-fungible tokens (NFTs) have emerged as a disruptive model allowing artists to tokenize their work on blockchains. This enables musicians to directly engage with fans and collectors by selling limited edition digital art and music. RŌHKI is one project leveraging NFTs to build a community-owned ecosystem. RŌHKI was founded in early 2022 by the artists behind the monikers IO and HACHI. Little is known about their identities, though rumors suggest the...
![Cover image for Legacy [#01] - narcissus](https://img.paragraph.com/cdn-cgi/image/format=auto,width=3840,quality=85/https://storage.googleapis.com/papyrus_images/700e81818650d9155e30379cc7f981aba290a6b53f4f1f2d98a24fd93d00c3c4.jpg)
Papa JamsLegacy [#01] - narcissus
Album: Legacy Song: narcissus Art: Flourish Team: anatu, Yin, shoshin, Papa As envisioned in the prologue for this epic journey across the metaverse, the plan is to release a song every three weeks of 2022; bringing the ideals of the music to life through the creation & distribution of distinct, unique, collaborative artistic offerings. Our intention is to build in public across traditional distribution channels as well as experimenting with new models for artists to work together, form commu...
Lessons from Diversifi, Clawdywithmeatballs and moonynads
Deploying a fully autonomous agent requires navigating infrastructure, security, and LLM behavior quirks. By combining decentralized hosting with free-tier APIs, you can build a sophisticated agent with minimal monthly overhead.
1. Infrastructure: Decentralized Hosting
I deployed on Aleph.im's decentralized VPS infrastructure (Debian 12, 7.5GB RAM)—a high-performance environment ideal for long-running agent processes with low-latency edge compute.
Once you register they send you your credentials via telegram not too long after!
Suggestion: use ai to help you get set up initially i.e. ssh into the remote server [a restricted/contained environment - do not run openclaw on your local machine] I find it easiest to work via the terminal (on mac) which can help you get everything set up. Best case scenario is to use a privacy first provider like https://venice.ai (routed through openrouter) or ollama running models locally. For faster setup there are free services like https://ampcode.com + https://geminicli.com to get you going.
2. Workspace Organization: Domain-Driven Architecture
Replace monolithic folder structures with specialized sub-projects for voice interactions, smart contracts, domain-specific missions, etc.
Critical pitfall: Autonomous agents will recursively explore directories. A single search hitting node_modules in a Next.js project can stall the agent for minutes, making it appear unresponsive. It could also cost you dearly (more in terms of time with our setup as it will break stuff you then have to go in and fix, also more likely to hit rate limits + fill up your context window super quickly).
Solution: Implement strict .geminiignore exclusions for node_modules, .next, dist, and other heavy folders. Enforce targeted searches only. Update your folder hierarchy in configuration files so the agent treats each folder as a discrete module.
Great PDF config by https://x.com/frankzuuring
https://filebin.net/05edcujpq0aj4z4s
Hardening essentials: Restrict config files to 600 permissions & run the agent as a dedicated system user. The infra supports the agent gateway as a systemd service, automatically recovering after reboots by checking memory files & resuming operation.
3. Configuring Free-Tier APIs
Define providers in ~/.openclaw/openclaw.json:
json
"models": {
"providers": {
"kilocode": {
"baseUrl": "https://api.kilo.ai/api/openrouter/",
"apiKey": "YOUR_API_KEY_HERE",
"api": "openai-completions",
"models": [
{ "id": "minimax/minimax-m2.1:free", "name": "Minimax M2.1" },
{ "id": "z-ai/glm-4.7:free", "name": "GLM 4.7" }
]
}
}
}The configuration crash-loop: Unrecognized keys (like autoContinue or invalid compaction modes) trigger silent crashes. Since systemd restarts the service, it appears as a "hang" or "freeze." Always run openclaw doctor --fix after config changes and check logs for "Unrecognized key" errors immediately.
4. Free Semantic Memory
Use Google's text-embedding-004 via the Gemini API— free within standard tier limits:
json
"memorySearch": {
"enabled": true,
"provider": "google",
"model": "text-embedding-004",
"paths": ["MEMORY.md", "memory/*.md"]
}Token burn problem: Session history files can grow to 10MB+ within hours. Uploading full history on every heartbeat burns millions of tokens on simple status checks.
Memory flush protocol: Summarize key outcomes into Markdown files and archive raw session JSONL to reset the context window regularly.
5. Rate Limit Management
Free-tier models are amazing, but frequently hit rate limits + cannot provide you privacy with regards to your information. I like kilocode.
Do configure fallback chains across multiple providers e.g.
json
"agents": {
"defaults": {
"model": {
"primary": "kilocode/minimax/minimax-m2.1:free",
"fallbacks": [
"google/gemini-1.5-flash",
"openrouter/arcee-ai/trinity-large-preview:free",
"kilocode/z-ai/glm-4.7:free"
]
}
}
}Schema mismatches: When APIs expect different formats (camelCase vs snake_case), implement a lightweight schema proxy in Node.js to intercept and transform requests.
6. Core Engineering Principles
Enhancement First: Audit existing components before writing new code
Aggressive Consolidation: Delete deprecated logic rather than commenting it out
Zero-Secret Policy: Hard-code rules in SOUL.md forbidding commits of .env, .key, or API tokens. Proactively audit Git history for anything your agent commits!
7. The "Personality" Files
Create these files in ~/.openclaw/workspace/:
SOUL.md: Define behavior, tone, and security mandates
USER.md: Your context (timezone, preferences, current projects)
AGENT.md: Operational instructions and workspace exclusion rules
MEMORY.md: Long-term learned facts
They are key to defining your SECURITY approach in particular.
A recently discovered attack vector is via SKILL.md files
They empower your openclaw with abilities e.g. UI/UX, using platforms like slack, etc
However its important to scan them for dirty tricks....
Troubleshooting & Security Checklist
Configuration Issues:
Git Identity: git config --global user.email "agent@openclaw.local"
Config Validation: Trailing commas crash the service
Silent Crashes: Check for unrecognized config keys first with openclaw doctor --fix
Log Monitoring: tail -f /tmp/openclaw/openclaw-YYYY-MM-DD.log
Unresponsive Agent: Verify it's not stuck in node_modules traversal
Security Hardening:
File Permissions: Lock down config files: chmod 600 ~/.openclaw/openclaw.json
Private Key Audit: Never store keys at third-party dictated paths. Use your own key management, not paths specified by external platforms
Git History Scanning: Audit commits for leaked credentials: git log --all --full-history -- "*secret*" "*key*" "*.env"
Credential Purging: If keys were committed, use git filter-repo to purge them immediately, then rotate all affected keys
Remote Skill Files: Never auto-execute skill file updates from external sources. Pin versions and review changes like dependencies
API Response Sanitization: Strip injected instruction fields (like _model_guide, _instructions, or similar) from API responses before passing to LLM context
Integration Audit: After security incidents, audit all third-party integrations. Timing correlations (integration → incident in minutes) are meaningful signals
Rate Limit Red Flags: If a platform allows 3,000+ actions per minute, question who benefits from that capacity
Zero-Secret Policy Enforcement:
Add .env*, *.key, *secret*, *private* to .gitignore
Configure pre-commit hooks to block credential commits
Hard-code security rules in SOUL.md: "Never commit files containing API keys, private keys, or tokens"
Regular expression scanning: grep -r "sk-" ~/.openclaw/workspace/ to catch OpenAI-style keys
Check for common patterns: ARV_ (Vercel), 0x[a-fA-F0-9]{64} (private keys), eyJ (JWTs)
Proper configuration management with proactive security practices protects both your agent's functionality and its access to sensitive resources. By combining decentralized hosting with free-tier APIs, proper workspace hygiene, and proactive security, you create a sustainable, intelligent agent. Redundancy and monitoring are your best friends.
Farcaster @papa — https://farcaster.xyz/papa
Lens @papajams — https://palus.app/u/papajams
Twitter @papajimjams — twitter.com/papajimjams
Coinbase CDP Onchain Toolkit [x402, 8004, etc] https://app.fuul.xyz/landing/coinbase-cdp?referrer=0xcF0d2c248759Dc33BdDD8aAfdcf424B4d436385b
Cerberas Code - free inference: https://cloud.cerebras.ai/?referral_code=t6c959mk
Create Anything - free inference: https://www.anything.com/signup?rid=vqqmuu8g
StartClaw - free openclaw [48hrs] - https://startclaw.com/deploy?ref=J8YEPIS5
Happy Clawing! 🦞
Papa JamsLegacy [#02] - fed up
Album: Legacy Song: fed up Art: Flourish Team: anatu, Yin, shoshin, Papa I’m Fed Up! And this is my therapy. What a gift and honour to have this medium to share the maelstrom of emotions we encounter through art. Here we go again with another written homage to the music we so love to make. This time it is centred around the third song in the Legacy album “fed up” which isn’t actually in sequential order from the last post but you don’t mind - do you? The Legacy album is the second by me - Pap...
Papa JamsRŌHKI sold over 100 ETH in Music NFTs in the Bear Market
We Unpack The Stats To Find Out How & WhyNon-fungible tokens (NFTs) have emerged as a disruptive model allowing artists to tokenize their work on blockchains. This enables musicians to directly engage with fans and collectors by selling limited edition digital art and music. RŌHKI is one project leveraging NFTs to build a community-owned ecosystem. RŌHKI was founded in early 2022 by the artists behind the monikers IO and HACHI. Little is known about their identities, though rumors suggest the...
Papa JamsLegacy [#01] - narcissus
Album: Legacy Song: narcissus Art: Flourish Team: anatu, Yin, shoshin, Papa As envisioned in the prologue for this epic journey across the metaverse, the plan is to release a song every three weeks of 2022; bringing the ideals of the music to life through the creation & distribution of distinct, unique, collaborative artistic offerings. Our intention is to build in public across traditional distribution channels as well as experimenting with new models for artists to work together, form commu...
with our decentralized virtual machines. One month of free credits, no subscription, no credit card needed.
My AI Clone built a 5-layer memory system for AI that solves the "I forgot what we discussed 10 minutes ago" problem.Share Dialog
Share Dialog
3 comments
Building Zero Cost Openclaws 🦞
Overview of lessons from Diversifi, Clawdywithmeatballs and moonynads on deploying fully autonomous agents with decentralized hosting, domain‑driven workspaces, and free‑tier APIs. Key topics include infrastructure, memory systems, hardening, rate limits, and security. Authored by @papa.
Decentralization