From Security Nightmare to Solution

Claude Code
Always-On

After the Clawdbot fiasco exposed 42,000+ instances, I built a secure 24/7 AI assistant using Claude Code. Same features. Zero vulnerabilities.

Case Study + Tutorial

01 // What They Promised

"Claude with Hands"

Clawdbot became one of GitHub's fastest-growing projects ever. 136,000+ stars in weeks.

  • 24/7 AI Employee
    Always-on assistant that works while you sleep
  • Full System Access
    Shell, files, browser, everything
  • 50+ Integrations
    WhatsApp, Telegram, Slack, Gmail, Calendar
  • Proactive Behavior
    Messages you first when needed

02 // Then Everything Went Wrong

A Perfect Storm

Trademark Dispute

Anthropic forced a rebrand. "Clawd" too similar to "Claude".

10-Second Hijack

Crypto scammers snatched accounts in ~10 seconds during rebrand.

$16M Fake Token

Fake $CLAWD token hit $16M market cap, then crashed 90%.

AI Manifesto

Moltbook AI network posted "human extinction manifesto" with 65K upvotes.

03 // The Numbers

Critical Vulnerabilities

42,665
Exposed Instances
9.6
CVSS Severity
93.4%
Auth Bypass Rate
5 min
To Extract Keys

CVE-2025-6514: Command injection. CVE-2025-49596: Unauthenticated access. CVE-2025-52882: Arbitrary file access.

04 // What Experts Said

"Don't Run
Clawdbot"

Security researchers were unequivocal in their warnings.

"Infostealer malware disguised as an AI personal assistant."
Heather Adkins, VP Security Engineering, Google Cloud
"My current favorite for the most likely Challenger disaster in coding agent security."
Simon Willison, AI Researcher
"22% of enterprise customers have employees actively using Clawdbot. Shadow AI risk is real."
Token Security Research

05 // The Architecture Flaws

Why It Was
Broken

Fundamental security issues baked into the design.

  • Localhost Trust Flaw
    Proxied connections appear local, bypassing auth
  • Plaintext Credentials
    API keys stored in ~/.clawdbot/*.json
  • No Input Validation
    Prompt injection via email in 5 minutes
  • Supply Chain Risk
    26% of 31,000 skills had vulnerabilities

06 // The Decision

Build or Wait?

Same features are possible with Claude Code + MCP. But secure, sandboxed, and permission-gated. No public ports, no plaintext keys. You own the infrastructure.

Let's Build

07 // How It Works

Claude Code Always-On Architecture

Telegram
Message In
Bun Relay
grammy
Claude Code
headless -p
Skills
MCP Tools
Response
Text/Voice
claude -p "[prompt]" --output-format json --allowedTools "..."

08 // Phone Call Flow

Voice Calls with Context

Bidirectional: Say "call me" in Telegram or call the agent directly. Either way, the voice agent has full memory.

Call Starts
In or Out
Context API
Memory + Chat
ElevenLabs
Voice Agent
Conversation
With Context

Memory Access

Agent knows your goals, facts, and preferences from Supabase.

Recent Chat

Last 15 Telegram messages injected. "What did we discuss?" works.

Post-Call Actions

Transcript → Claude → Executes tasks → Summary to Telegram.

09 // What I Built

Full Feature Set

Multi-Modal Input

Text, voice messages, images, files. All processed.

Voice Replies

ElevenLabs TTS. Send voice, get voice back.

Contextual Phone Calls

Voice agent has memory + recent chat. Ask "what did we discuss?" and it knows.

Proactive Check-ins

AI decides when to reach out. Every 30 min via launchd.

Goal Tracking

Natural language detection. "Finish video by 5pm" auto-tracked.

Semantic Memory

4,000+ messages with OpenAI embeddings. AI summaries.

10 // Semantic Memory

"What do you
remember about
June?"

Not raw message dumps. AI-generated summaries with context.

Supabase + pgvector

4,000+ messages stored with OpenAI embeddings (1536 dims)

Hybrid Search

Keyword + semantic similarity. Best of both worlds.

Time-Aware

Knows what's recent vs outdated. Context matters.

Edge Functions

OpenAI key stays in Supabase secrets. Never exposed.

11 // Security Model

How We Made It Safe

Vulnerability Clawdbot Claude Code
Network Exposure Public WebSocket :18789 Local only, no ports
Credential Storage Plaintext JSON files MCP OAuth, env vars
Authentication None by default User ID restriction
Execution Model Auto-execute all Permission-gated
Sandboxing None Claude Code sandbox

12 // Feature Comparison

Clawdbot vs Claude Code

Feature Clawdbot Claude Code
24/7 Operation
Voice Messages
Phone Calls
Semantic Memory
Security 42K exposed Private
Your Infrastructure

13 // Cost Comparison

$500-5K/mo vs
$200/mo Fixed

Predictable fixed cost. No mysterious token burn.

Clawdbot Costs

  • Idle: $150/month heartbeat
  • Active: $500-5,000/month
  • 8M tokens "just monitoring"
  • 180M tokens/week for heavy user

Claude Code Always-On

  • Claude Max 20x: $200/month (fixed)
  • Supabase: Free tier
  • ElevenLabs: ~$5-20/month
  • Predictable. No surprises.

14 // Why This Matters

The Autonomy
Philosophy

Build systems that create freedom, not dependency.

  • You own your infrastructure
    Not renting someone else's security nightmare
  • You control your data
    Local files, your Supabase, your keys
  • No public exposure
    No WebSocket ports, no attack surface
  • Modular & extensible
    Swap components without lock-in

15 // Full Tech Stack

What Powers It

Runtime

Bun - Fast TypeScript runtime

Bot Framework

grammy - Telegram Bot API

AI Engine

Claude Code - Headless mode with MCP

Voice Transcription

Gemini API - Multilingual audio

Voice Synthesis

ElevenLabs - TTS + Conversational AI

Phone Calls

Twilio - Outbound calls via ElevenLabs

Database

Supabase - PostgreSQL + pgvector

Embeddings

OpenAI - text-embedding-3-large

Daemon

launchd - macOS 24/7 service

Build Your Own
Claude Code Always-On

Full documentation and source code available.

YouTube
@godago
Community
AI Productivity Hub
Website
autonomee.ai
YouTube Community