How to Build a Secure AI Agent Setup (The OpenClaw Alternative)

This guide walks you through setting up an AI agent with persistent memory, modular skills, tool integration, and task automation—without exposing endpoints to the internet.

Time required: ~2 hours
Difficulty: Comfortable creating folders and text files; some terminal use helpful but not required
Prerequisites: macOS/Windows/Linux, Anthropic API key or Claude Pro subscription

What you'll have when done:

• AI that remembers context across sessions
• Custom skills triggered by simple phrases
• Connections to your professional tools (Asana, HubSpot, etc.)
• Constrained automation that can't go off the rails

Part 1: Install Claude Desktop with Claude Code

OpenClaw's vulnerabilities stem from its gateway architecture—a WebSocket control plane that coordinates sessions across devices and channels. When that gateway is exposed to the internet (which 42,000+ instances are), attackers can bypass authentication and execute commands.

Local execution eliminates this attack surface entirely. Your AI runs on your machine, talks to APIs you've authorized, and never exposes an endpoint.

There are two ways to run Claude locally: Claude Desktop (Anthropic's desktop chat application) and Claude Code (a terminal-based coding agent). This guide works with either, but the examples assume Claude Code since it offers more granular permission controls. If you're using Claude Desktop, the concepts are the same—you just configure MCP servers through the app's settings instead of config files.

Step 1: Install Claude Code

Download and install Claude Code from claude.ai/download. Choose the installer for your operating system (macOS, Windows, or Linux). When you first run it, you'll authenticate with your Anthropic account.

Step 2: Understand API keys (if needed)

An API key is a unique password that lets software access Anthropic's AI. If you have a Claude Pro or Max subscription, you're already authenticated through your account. If you're using the API directly (for more advanced setups or higher usage), you'll need to generate a key at console.anthropic.com.

Alternative tools: Claude Desktop (Anthropic's chat application), Cursor, and Windsurf are alternatives with similar AI capabilities. The file paths differ slightly, but the architecture in this guide works with all of them.

Part 2: Set Up File-Based Memory

OpenClaw maintains an always-on memory layer that automatically retains preferences and context. Convenient—but that memory is accessible via the gateway, which means anyone who compromises the gateway can read your conversation history.

The alternative is file-based working memory. It's slightly more manual (Claude reads files at session start rather than remembering automatically), but every file is under your control, auditable, and impossible to exfiltrate via network attack.

Step 1: Create your workspace folder

First, create a dedicated folder for your AI workspace. This is your root directory—the top-level folder that contains everything else. You can put it anywhere: your Documents folder, Desktop, or wherever you keep project files.

On Mac, you might create ~/Documents/ai-workspace/. On Windows, something like C:\Users\YourName\Documents\ai-workspace\.

Step 2: Set up a folder structure

Here's one recommended structure. You don't need to follow it exactly—organize in whatever way makes sense for how you work. The key principle is: separate your instruction files from your working files, and have a consistent place for session logs.

ai-workspace/
├── CLAUDE.md              ← Master instruction file (Claude reads this automatically)
├── claude-refs/           ← Context files about you and your work
│   ├── personal-context.md
│   └── current-projects.md
├── daily/                 ← Session logs organized by date
│   └── 2026/
│       └── 2026-02-01.md
├── working-memory/        ← Notes for multi-session projects
└── projects/              ← Your actual work files

Some people prefer flatter structures; others want more nesting. The important thing is that you have a CLAUDE.md file in the root directory (Claude Code reads this automatically when you open the folder) and a place to store context that persists across sessions.

Step 3: Create your personal context file

Inside your claude-refs/ folder, create a file called personal-context.md. This tells Claude who you are and how you work, so you don't have to re-explain yourself every session:

# Personal Context

## Who I Am
[Your name], [role] at [organization].

## Current Focus
- [Primary project or responsibility]
- [Secondary focus area]

## How I Work
- I prefer [communication style preference]
- When I ask for help with [X], I usually need [Y]
- My tools: [list your key tools—Slack, Asana, etc.]

## Constraints
- [Any compliance requirements]
- [Time zone, availability patterns]
- [Topics to avoid or handle carefully]

Step 4: Create your master instruction file

Create a file called CLAUDE.md in your workspace's root directory (the top-level ai-workspace/ folder, not inside any subfolder). Claude Code automatically reads this file when you open the folder, so it acts as persistent instructions:

# Claude Instructions

## Session Startup

On first interaction, load:
1. `./claude-refs/personal-context.md`
2. Yesterday's daily note (if exists)
3. Any active working memory files

## Memory System

**Daily notes:** Log key decisions and milestones to `./daily/YYYY/YYYY-MM-DD.md`

**Working memory:** For multi-session projects, create `./working-memory/[project-name].md` with:
- Key decisions and rationale
- Open questions
- Next actions

## Behavioral Rules

- Challenge my thinking—don't just agree
- Ask clarifying questions before starting complex work
- When you make changes to files, summarize what you did

Step 5: Test it

Open your ai-workspace folder in Claude Desktop. (In most setups, you can drag the folder onto the Claude Desktop icon, or use File → Open Folder.)

Ask Claude to read your personal context and summarize it back. Work on something, end the session, start fresh tomorrow, and ask Claude to load yesterday's context.

Part 3: Add Custom Skills

OpenClaw's skills are executable code—the AI can install and run them autonomously. This created a large community ecosystem. It also enabled malicious skills: one documented case included curl commands that exfiltrated data to external servers.

The alternative is skills as markdown instruction files. Claude can't execute arbitrary code—only follow steps you've written and reviewed. No auto-installation means no supply chain attacks.

Step 1: Create the skills directory

ai-workspace/
├── skills/
│   ├── index.md           ← Registry of available skills
│   ├── research-person/
│   │   └── SKILL.md
│   ├── meeting-prep/
│   │   └── SKILL.md
│   └── weekly-review/
│       └── SKILL.md

Step 2: Write your first skill

Create skills/research-person/SKILL.md:

# Skill: Research Person

## Trigger Phrases
- "research [name]"
- "who is [name]"
- "background on [name]"

## What This Skill Does
Gathers publicly available information about a person and synthesizes it into a briefing.

## Steps
1. Search the web for [name] + current role
2. Check LinkedIn profile (if accessible)
3. Look for recent publications, talks, or news mentions
4. Synthesize into a 1-page briefing with:
   - Current role and organization
   - Professional background
   - Recent public activity
   - Potential conversation topics

## Output Format
Create a file at `./claude-refs/people/[name].md` with the briefing.

## Constraints
- Use only publicly available information
- Note when information may be outdated
- Flag if multiple people share the same name

Step 3: Create a skill registry

Create skills/index.md:

# Skills Registry

| Skill | Trigger | Description |
|-------|---------|-------------|
| research-person | "research [name]" | Background briefing on individuals |
| meeting-prep | "prepare for meeting with [name]" | Meeting preparation guide |
| weekly-review | "weekly review" | Task triage and planning |

Step 4: Connect skills to Claude

Add to your CLAUDE.md:

## Skills

Skills are located in `./skills/`. Each skill has a `SKILL.md` file with instructions.

**When a trigger phrase is detected:**
1. Read the relevant `SKILL.md`
2. Follow the steps exactly
3. Produce output in the specified format

**Available skills:** See `./skills/index.md`

Step 5: Test it

Say "research Jane Smith" and verify Claude reads the skill file and follows the steps.

Starter skills to build

• Meeting prep — Gather context before important meetings
• Weekly review — Triage tasks and plan the week
• Draft email — Generate first drafts matching your voice
• Research topic — Deep dive on unfamiliar subjects
• Summarize document — Extract key points from long documents

Part 4: Connect Professional Tools via MCP

OpenClaw offers a unified inbox across WhatsApp, Slack, Discord, iMessage, Signal, and more. The appeal is obvious—one interface for everything. The problem: attackers can craft malicious prompts through any connected channel, and the gateway exposes all of them.

MCP (Model Context Protocol) takes a different approach. Each MCP server exposes specific capabilities—read/write access to particular systems—that you explicitly enable. You choose which servers to install and which permissions to grant. Nothing is automatic.

Step 1: Configure MCP settings

Create or edit ~/.claude.json (your user-level Claude configuration):

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@anthropic-ai/mcp-server-filesystem", "/path/to/ai-workspace"]
    }
  }
}

This grants Claude read/write access to your workspace folder—and only that folder.

Note: You can also create a project-level .mcp.json file in your workspace root for project-specific server configurations.

Step 2: Add a professional tool

Example with Asana:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@anthropic-ai/mcp-server-filesystem", "/path/to/ai-workspace"]
    },
    "asana": {
      "command": "npx",
      "args": ["-y", "@anthropic-ai/mcp-server-asana"],
      "env": {
        "ASANA_ACCESS_TOKEN": "your-token-here"
      }
    }
  }
}

Step 3: Scope permissions

Edit .claude/settings.local.json in your workspace:

{
  "permissions": {
    "allow": [
      "mcp__asana__get_tasks",
      "mcp__asana__create_task",
      "mcp__asana__update_task"
    ],
    "deny": [
      "mcp__asana__delete_project"
    ]
  }
}

Claude can now create and update tasks, but can't delete projects—even if you ask.

Available MCP servers

Browse the MCP server directory. Common options:

• Asana / Linear / Todoist — Task management
• HubSpot / Salesforce — CRM
• Slack — Messaging (scope to specific channels)
• GitHub — Code repositories
• Google Drive / Dropbox — File storage

Start with one tool you use daily. Add more as needed.

Part 5: Enable Controlled Self-Improvement

OpenClaw can write its own extensions—the AI modifies its capabilities autonomously. This enables rapid improvement. It also means prompt injection can cause the AI to write malicious code, with no audit trail showing what changed or when.

The alternative: the AI proposes changes to its instruction files, and you approve them. Every change is version-controlled. The improvement cycle is slower, but deliberate and reversible.

Step 1: Add improvement protocol to CLAUDE.md

## Self-Improvement Protocol

When you identify a pattern that should be codified:
1. Propose the change in conversation
2. Explain what problem it solves
3. Wait for my approval before editing any instruction files

When I approve a change:
1. Edit the relevant file (CLAUDE.md, a skill file, etc.)
2. Update the version number and changelog
3. Summarize what changed and why

**Never modify instruction files without explicit approval.**

Step 2: Add version tracking

Add frontmatter to CLAUDE.md:

---
version: 1.3
last_modified: 2026-02-01
changelog:
  - 1.3 (2026-02-01): Added weekly review skill trigger
  - 1.2 (2026-01-15): Clarified memory system behavior
  - 1.1 (2026-01-08): Added research-person skill
  - 1.0 (2026-01-01): Initial version
---

Step 3: Initialize Git (optional but recommended)

If you're comfortable with Git, version control your workspace. This creates a complete history of every change to your instruction files:

cd ai-workspace
git init
git add .
git commit -m "Initial AI workspace setup"

If you're not familiar with Git, you can skip this step—but consider learning the basics. When something breaks, being able to see exactly what changed (and roll it back) is invaluable.

Part 6: Constrain Shell Access

OpenClaw provides full shell access—the AI can run any command the user can. Combined with the gateway vulnerabilities, this means remote code execution on compromised instances. Shell access is powerful, but "game over" if something goes wrong.

The alternative is allowlist-based permissions. Instead of "allow Bash," you grant specific permissions: Bash(git *), Bash(npm *), Bash(gh *). Blocklists have gaps—you can't anticipate every dangerous command. Allowlists mean only explicitly permitted operations can run.

Step 1: Create your permission allowlist

Edit .claude/settings.local.json:

{
  "permissions": {
    "allow": [
      "Bash(git *)",
      "Bash(npm *)",
      "Bash(gh *)",
      "Bash(python3 *)",
      "Bash(ls *)",
      "Bash(mkdir *)",
      "Bash(cat *)",
      "Read(*)",
      "Write(./projects/*)",
      "Write(./daily/*)"
    ],
    "deny": [
      "Bash(curl *)",
      "Bash(wget *)",
      "Bash(rm -rf *)",
      "Write(.env)",
      "Write(*credentials*)"
    ]
  }
}

What this allows:

• Git operations, npm, GitHub CLI, Python, basic file operations
• Reading any file, writing to projects/ and daily/ directories

What this blocks:

• Network requests (curl/wget), destructive deletion, credential file changes

Step 2: Block dangerous commands permanently

Add to your deny list:

{
  "deny": [
    "Bash(curl *)",
    "Bash(wget *)",
    "Bash(nc *)",
    "Bash(rm -rf *)",
    "Bash(chmod 777 *)",
    "Bash(sudo *)",
    "Write(.env)",
    "Write(*secret*)",
    "Write(*credential*)",
    "Write(*password*)"
  ]
}

Step 3: Expand gradually

Start restrictive. When Claude requests a permission, evaluate whether you actually need it:

• Week 1: Read operations and git only
• Week 2: Write access to specific directories
• Week 3: Tool-specific commands you actually use
• Ongoing: Add permissions deliberately, not by default

Summary: What You've Built

What this gives you:

• No internet-exposed endpoints
• Full audit trail via Git
• Deliberate capability growth
• Practical daily utility

What you don't get:

• "Always on" availability from any device
• Voice mode with wake words
• Automatic skill discovery
• Seamless multi-device sync

For work where security and auditability matter, this is a reasonable trade.

Maintenance Rhythm

Daily: Session logs accumulate automatically; working memory stays current.

Weekly: Review what worked, propose instruction improvements, commit to Git.

Monthly: Audit permission allowlists, prune unused skills, check for MCP updates.

When something breaks:

1. Check Git history for recent changes
2. Review daily logs for when the problem started
3. Roll back if needed
4. Document what went wrong

Further Reading

• Building a PKM with Obsidian and Claude — Context file approach in depth
• From 48KB to 5KB: Rebuilding My AI Assistant's Architecture — Optimizing context loading
• MCP Server Directory — Available tool integrations
• Claude Code Documentation — Official setup guide