DEV Community

Paulo Victor Leite Lima Gomes
Paulo Victor Leite Lima Gomes

Posted on

Openclaw on the cloud, dos and don'ts

#openclaw #hermes #cloud

Running OpenClaw or Hermes in the Cloud (No Mac Mini Required)

If this is your first time setting up an always-on AI agent like OpenClaw or Hermes, you have probably seen people running them on a Mac Mini sitting on their desk. You do not need that. A cheap Linux VPS does the job just as well, costs a few euros a month, and you can rebuild it in minutes if something breaks.

This is a no-fluff, step-by-step guide to get one of them running in the cloud.

First, the myth: "I need to buy a Mac Mini"

You don't. Here is the key thing to understand:

  • The agent (OpenClaw or Hermes) is a lightweight gateway. It reads your messages, decides what to do, and calls tools. This part is cheap to run.
  • The heavy compute is the LLM inference. If you use a cloud model (Claude, GPT, Gemini, DeepSeek via API), that work happens on the provider's servers, not yours.

So a small VPS with 1-2 vCPU and 2-4 GB RAM is plenty when you point the agent at a cloud model. You only need real hardware (a Mac Mini, a GPU box, or DGX-class machines) if you insist on running the model locally for privacy. For most people starting out, cloud model + small VPS is the right call.

Step 1: Pick a cheap cloud provider

You want a basic Linux VPS. Any of these work. Prices are rough and change often, so check before you buy.

Provider Why Rough price
Hetzner Cloud Cheapest decent option, EU-based (good if you are in Poland or the EU) ~€4/mo for 2 vCPU / 4 GB
Contabo Very cheap, generous RAM, German ~€5/mo
Oracle Cloud Free Tier Genuinely free ARM instance (4 cores / 24 GB), but signup is fiddly Free
DigitalOcean / Vultr / Linode Simple, reliable, good docs ~$4-6/mo
AWS Lightsail Has a ready-made OpenClaw blueprint if you want one-click ~$5-7/mo

If you just want the cheapest reliable thing and you are in Europe, start with Hetzner. Pick Ubuntu 24.04 LTS as the OS.

Step 2: Create the server and connect

  1. Create the VPS (Ubuntu 24.04, smallest tier with at least 2 GB RAM).
  2. Add your SSH key during creation. Do not use password login.
  3. SSH in: 
ssh root@YOUR_SERVER_IP
Enter fullscreen mode Exit fullscreen mode
  1. Do the basic hardening before anything else: 
# update
apt update && apt upgrade -y

# create a non-root user
adduser agent
usermod -aG sudo agent

# basic firewall: allow SSH only, deny the rest
ufw allow OpenSSH
ufw enable
Enter fullscreen mode Exit fullscreen mode

Now log back in as agent instead of root. This matters, because these agents can run shell commands. You do not want them running as root.

Step 3a: Install OpenClaw

OpenClaw is open source (MIT, github.com/openclaw/openclaw). It runs as a background daemon and connects to your messaging apps.

  1. Install Node.js (it is a TypeScript/Node project) and then OpenClaw following the install instructions in the repo README. The project ships an install script and runs as a systemd service on Linux.
  2. During setup you will set a gateway auth token. Treat this like a password. Store it in an environment file, not hardcoded in your config.
  3. Add your LLM provider key (for example, an Anthropic or OpenAI key).
  4. Connect a messaging channel. Telegram is the easiest: create a bot with BotFather, copy the token, and paste it into the channel config.
  5. Start the daemon and message your bot. It runs on a heartbeat (every 30 minutes by default), checking its task list and acting when needed.

Step 3b: Install Hermes (the alternative)

Hermes Agent, by Nous Research, is the other popular option. Same idea: a self-hosted agent that lives on your server, remembers things across sessions, and runs scheduled tasks. It is open source (MIT, github.com/NousResearch/hermes-agent) and supports Linux, macOS, and WSL2.

The install is famously simple, a single command that pulls in everything:

curl -fsSL https://hermes-agent.org/install.sh | sh
Enter fullscreen mode Exit fullscreen mode

(Always read an install script before piping it to a shell. This is just the documented one-liner.)

Then:

  1. Configure a model provider with hermes model. It is model-agnostic: Nous Portal, OpenRouter, Anthropic, OpenAI, Gemini, DeepSeek, or a local Ollama endpoint. You need a model with at least 64k context, which most modern hosted models have.
  2. Connect a messaging platform (Telegram, Discord, Slack, Signal, email, or just the CLI).
  3. Start it and talk to it.

OpenClaw vs Hermes, short version: they share the same DNA, self-hosted, messaging-driven, local data, custom skills. Hermes leans more "research lab" (built-in learning loop, skills it writes for itself, training-data tooling). OpenClaw has the larger ecosystem and more ready-made cloud blueprints. For a first setup, either is fine. Pick one and move on.

Step 4: Lock it down (do not skip this)

These agents can read your messages, run code, and call APIs with your keys. That makes them a target. There have been real, documented problems: a high-severity remote exploit, and security researchers finding tens of thousands of agent instances exposed directly to the internet with no login.

Minimum precautions:

  • Never expose the gateway port to the public internet. Keep it behind the firewall and reach it through SSH or a private network.
  • Rotate your auth token and keep it in an env file, never in a committed config.
  • Run as a non-root user, and sandbox tool execution so an unknown sender cannot get a free shell.
  • Do not install random community "skills" without reading them. Malicious skills have been used to ship info-stealers.

A note on shipclaw.io

You will probably run into shipclaw.io, a managed hosting service that promises to deploy OpenClaw or Hermes bots for you in about a minute, no server setup, no API key juggling. On the surface it sounds genuinely useful, and the "I don't want to manage a daemon" pitch is real.

Here is the catch, and why I would not put my tokens there yet. There are several similarly named domains (shipclaw.io, shipclaw.app, shipclaw.org), and the origins trace back to individual social posts rather than a clearly identifiable company. We could not find a verifiable company behind it, on LinkedIn or anywhere else, no clear team, no track record.

That matters more than usual here. The whole point of these agents is that they hold your LLM API tokens and often have shell and tool access. Handing those to a managed service means trusting the operator with the keys to your spending and your data. For an unverified provider, that trust is not earned yet.

So: interesting idea, worth watching, but until there is a real, identifiable company behind it, self-host on your own cheap VPS where you control the keys.

What it actually costs

  • VPS: €4-7/month (or free on Oracle's tier).
  • LLM usage: pay-as-you-go to whichever model provider you choose. A light personal agent is usually a few dollars a month; heavy use is more.
  • Hardware: €0. No Mac Mini, no GPU, nothing to buy.

That is the whole thing. Spin up a small Linux box, install OpenClaw or Hermes, point it at a cloud model, connect Telegram, lock the door, and you have an always-on agent for the price of a coffee per month.

Top comments (0)