Klaus is an AI assistant for your team, powered by OpenClaw.
Read the original article
Comments
This sounds awesome and exactly like the easy and safe on-ramp to OpenClaw that I've been looking for! I want to believe.
Two questions as a potential user who knows the gist of OpenClaw but has been afraid to try it: 1. I don't understand how the two consumption credits play into the total cost of ownership. E.g. how long will $20 of Orthogonal credits last me? I have no idea what it will actually cost to use Klaus/OpenClaw for a month. 2. Batteries included sounds great, but what are those batteries? I've never heard of Apollo or Hunter.io so I don't know the value of them being included.
In general, a lot of your copy sounds like it's written for people already deep into OpenClaw. Since you're not targeting those folks, I would steer more towards e.g. articulating use cases that work ootb and a TCO estimate for less technical folks. Good luck, and I'm eager to try it!
The cost of ownership for an OpenClaw, and how many credits you'll use, is really hard to estimate since it depends so wildly on what you do.
I can give you an openclaw instruction that will burn over $20k worth of credits in a matter of hours.
You could also not talk to your claw at all for the entire month, setup no crons / reoccurring activities / webhooks / etc, and get a bill of under $1 for token usage.
My usage of OpenClaw ends up costing on the order of $200/mo in tokens with the claude code max plan (which you're technically not allowed to use with OpenClaw anymore), or over $2000 if I were using API credits I think (which Klause is I believe, based on their FAQ mentioning OpenRouter).
So yeah, what I consider fairly light and normal usage of OpenClaw can quite easily hit $2000/mo, but it's also very possible to hit only $5/mo.
Most of my tokens are eaten up by having it write small pieces of code, and doing a good amount of web browser orchestration. I've had 2 sentence prompts that result in it spinning up subagents to browse and summarize thousands of webpages, which really eats a lot of tokens.
I've also given my OpenClaw access to its own AWS account, and it's capable of spinning up lambdas, ec2 instances, writing to s3, etc, and so it also right now has an AWS bill of around $100/mo (which I only expect to go up).
I haven't given it access to my credit card directly yet, so it hasn't managed to buy gift cards for any of the friendly nigerian princes that email it to chat, but I assume that's only a matter of time.
By multidude 2026-03-1213:46 The model choice matters a lot for cost. I've been running a production NLP pipeline on OpenClaw using Claude Haiku exclusively — it's roughly 25x cheaper than Opus for inference tasks where you don't need the full reasoning power. For most "read this text, classify it" tasks Haiku is more than sufficient.
The hard part for a new user who knows about VMs isn't the VM setup — it's knowing which model to reach for. Opus for complex reasoning, Sonnet for balanced tasks, Haiku for high-volume classification or anything where you're calling the API repeatedly in a loop. Getting that wrong is where bills explode.
A sensible default for a hosted product like Klaus would be Sonnet with Haiku available for bulk operations. Opus should require an explicit opt-in with a cost warning.
Absolute madman :)
Giving an agent access to AWS is effectively giving it your credit card.
At the max, I would give it ssh access to a Hetzner VM with its own user, capable of running rootles podman containers.
By TheDong 2026-03-120:10 I am using an AWS Organization managed sub-account, so it's all pretty self-contained to that one account, and I can easily enough terminate that single sub-account.
There's infamously no way to set a max bill amount for an account in AWS, so it indeed has unlimited spending, but I'm okay with a couple hundred bucks a month.
> Hetzner VM with its own user, capable of running rootles podman containers
Why not give it root on the full VM, and not use the VM for anything else? Giving it a user, and presumably also running your own stuff as a different user, sounds like a very weak security boundary to me compared to giving it a dedicated machine.
If you're not doing multi-tenancy, there's no reason to not give it root, and if you are doing multi-tenancy, then your security boundary is worse than mine is, so you can't call me a madman for it.
Not at all. AWS IAM policy is a complex maze, but incredibly powerful. It solves this exact problem very well.
By kennywinker 2026-03-1118:592 reply Yes, but that comes at the cost of using a dumber llm. The state of the art ones are only available via commercial api, and the best self-hostable models require $10,000+ gpus.
This is a problem for coding as smarter really has an impact there, but there are so so so many tasks that an 8b model that runs on a $200 gpu can handle nicely. Scrape this page and dump json? Yeah that’s gonna be fine.
This is my conclusion based on a week or so of using ollama + qwen3.5:3b self hosted on a ~10 year old dell optiplex with only the built-in gpu. You don’t need state of the art to do simple tasks.
I saw that the Hetzner matrix like has GPU servers < £300 per month (plus set up fee). I haven't tried it but I think if I was getting up to that sort of spend I'd be setting up Ollama on one of those with a larger Qwen3 max model (which I hear is on par with Opus 4.5?? - I haven't been able to try Qwen yet though so that could be b*****ks).
By hhh 2026-03-127:42 I have tried most of the major open source models now and they all feel okay, but i’d prefer Sonnet or something any day over them. Not even close in capability for general tasks in my experience.
> Scrape this page and dump json? Yeah that’s gonna be fine.
Only gonna be fine on a trusted page, an 8b model can be prompt injected incredibly trivially compared to larger ones.
By kennywinker 2026-03-121:011 reply Relying on the model to protect you seems like a bad idea…
By TheDong 2026-03-123:11 I mean, clawbots are inherently insecure. Using a better model is defense in depth.
Obviously you should also take precautions, like never instructing it to invoke the browser tool on untrusted sites, avoiding feeding it untrusted inputs where possible in other places, giving it dedicated and locked-down credentials where possible....
But yeah, at this point it's inherent to LLMs that we cannot do something like SQL prepared statements where "tainted" strings are isolated. There is no perfect solution, but using the best model we can is at least a good precaution to stack on top of all our other half-measures.
By TheDong 2026-03-120:12 Generally the benefit you get out of claws involves untrusted input, i.e. it using the browser tool to scrape websites, etc.
Claude 4.6 is at least a bit resilient to prompt injection, but local models are much worse at that, so using a local model massively increases your chance of getting pwned via a prompt injection, in my estimation.
You're kinda forced to use one of the better proprietary models imo, unless you've constrained your claw usage down to a small trusted subset of inputs.
By robthompson2018 2026-03-1120:04 Our starter plan gives you a machine with 2GB of RAM. You will not be able to run a local LLM. OpenRouter has free models (eg Z.ai: GLM 4.5 Air), I recommend those.
By giancarlostoro 2026-03-1117:10 Just have to know... What the heck are you building?
By somewhatrandom9 2026-03-1117:32 You may want to also look into AWS's OpenClaw offering (I was surprised to see this): https://aws.amazon.com/blogs/aws/introducing-openclaw-on-ama...
By robthompson2018 2026-03-1116:482 reply Our average user spends $50 a month all-in (tokens and subscription). If you're budget conscious you can use a cheap model (eg Gemini Flash) or even a free one. I confess I am a snob and only use Claude Opus, but even using OpenClaw all day every day I only spend about $500 a month on tokens.
Orthogonal credits are used more frequently by power users. For everyday tasks they'll last a very long time, I don't think any of our users have run out.
Some example Orthogonal user cases:
* customers in sales uses Apollo to get contact info for leads
* I use Exa search to help me prepare for calls by getting background info on customers and businesses
* I used SearchAPI to help find AirBnbs.
Point taken on the copy! We made this writing more technical for the HackerNews audience and try to use less jargon on other platforms.
Your average user spends £50 a month? How long have you been running, just wondering since OpenClaw was only released (as openclaw) a month ago.
By robthompson2018 2026-03-1120:04 We have been live since Feb 7.
Maybe $50 a month is an underestimate because our average user has been live for less than a month.
By iJohnDoe 2026-03-1123:00 Thanks for giving real-world examples of your usage.
Do you think it’s worth $500 a month? Also, maybe tough to answer, does it seem like the token usage ($500 a month) would be equivalent if you did the same things using Claude or GPT directly?
My reason for asking is because I tried OpenClaw and a quick one-line test question used 10,000 tokens. I immediately deleted the whole thing.
> safe on-ramp to OpenClaw
IMO I don't think the "OpenClaw has root access to your machine" angle is the thing you should worry that much about. You can put your OpenClaw on a VM, behind a firewall and three VPNs but if it's got your Google, AWS, GitHub, etc. credentials you've still got a lot to worry about. And honestly, I think malicious actors are much more interested in those credentials than wiping out your machine.
I'm honestly kind of surprised everyone neglects to think about that aspect and is instead more concerned with "what if it can delete my files."
By baileywickham 2026-03-1118:56 I think I agree here but for us it's more of a defense in depth thing. If you want to give it access to your email you are opening yourself up to attacks, but it doesn't have that access by default. We have an integration to give the agent it's own inbox instead of requiring access to your gmail for this reason. Similarly, if you want to only use Klaus for coding there is no risk to your personal data, even if your Klaus instance is hacked.
By necrodome 2026-03-1118:50 Because no one has a reliable solution to that problem. The file deletion angle is easier to advertise. "runs in a sandbox, can't touch your system" fits on a landing page, even if it's not the more important problem.
For openclaw to become helpful, you have to connect it to your personal email, access to your file etc. All of these requires user's manual setup right?. I do not get the point of "batteries included". Installing it is not the bottleneck right? The official docs has detail procedures for all deployment options.
By Lalabadie 2026-03-1215:47 Right, whether it runs in a sandbox is the least of my concerns if the point is to give that sandbox a way to spend or communicate in my name.
I don't get it. The point of OpenClaw is it's supposed to be an assistant, helping you with whatever random tasks you happen to have, in natural language. But for that to work, it has to have access to your personal data, your calendar, your emails, your credit card, etc., no?
Are there other tasks that people commonly want to run, that don't require this, that I'm not aware of? If so I'd love to hear about them.
The ClawBert thing makes a lot more sense to me, but implementing this with just a Claude Code instance again seems like a really easy way to get pwned. Without a human in the loop and heavy sandboxing, a agent can just get prompt injected by some user-controlled log or database entry and leak your entire database and whatever else it has access to.
By jascha_eng 2026-03-1119:15 Yes and even now if you tell the LLM any private information inside the sandbox it can now leak that if it gets misdirected/prompt injected.
So there isn't really a way to avoid this trade-off you can either have a useless agent with no info and no access. Or a useful agent that then is incredibly risky to use as it might go rogue any moment.
Sure you can slightly choose where on the scale you want to be but any usefulness inherently means it's also risky if you run LLMs async without supervision.
The only absolutely safe way to give access and info to an agent is with manual approvals for anything it does. Which gives you review fatigue in minutes.
By robthompson2018 2026-03-1119:591 reply I don't follow your argument about getting pwned.
A user could leave malicious instructions in their instance, but Clawbert only has access to that user's info in the database, so you only pwned yourself.
A user could leave malicious instructions in someone else's instance and then rely on Clawbert to execute them. But Clawbert seems like a worse attack vector than just getting OpenClaw itself to execute the malicious instructions. OpenClaw already has root access.
Re other use cases that don't rely on personal data: we have users doing research and sending reports from an AgentMail account to the personal account, maintaining sandboxing. Another user set up this diving conditions website, which requires no personal data: https://www.diveprosd.com/
By Tharre 2026-03-1121:13 > But Clawbert seems like a worse attack vector than just getting OpenClaw itself to execute the malicious instructions. OpenClaw already has root access.
Well the assumption was that you could secure OpenClaw or at least limit the damage it can do. I was also thinking more about the general usecase of a AI SRE, so not necessarily tied to OpenClaw, but for general self hosting. But yeah probably doesn't make much of a different in your case then.
By lifis 2026-03-1121:39 You can solve that by requiring confirmation for anything except reading information from trusted sites. Web visits can be done without confirmation by reading a cached copy and not executing any JavaScript on it with network access (otherwise visiting arbitrary sites can leak information via the URLs sent to arbitrary servers)
