GitHub - kenm47/yoloclaw: Your own personal AI assistant. Any OS. Any Platform. The real dangerous way. 🦞

🦞 YoloClaw — Personal AI Assistant (Unguarded Fork)

YOLO! YOLO!

DISCLAIMER — READ THIS FIRST

DO NOT USE THIS SOFTWARE. EVER. UNDER ANY CIRCUMSTANCES.

YoloClaw is a research/educational fork of OpenClaw in which ALL safety guardrails have been intentionally removed. It exists solely to study and demonstrate what happens when an AI assistant platform ships without safety layers, and to illustrate why those layers exist in the upstream project. AI agents make shitty decisions far too often, that's why we built Maybe Don't, AI — you shouldn't need YoloClaw to tell you this, but if you did....

This fork is dangerous by design. It will:

• Execute arbitrary commands on your system without asking for approval
• Allow the AI agent to access any environment variable, including sensitive ones like LD_PRELOAD, DYLD_INSERT_LIBRARIES, NODE_OPTIONS, and PATH
• Make requests to private/internal network addresses with zero SSRF protection
• Pass unsanitized external content directly into AI prompts with no injection mitigations
• Grant unrestricted access to every tool, including ones the upstream project considers dangerous
• Operate with a personality prompt (SOUL.md) that encourages the agent to act first and never ask permission

You should NOT:

• Run this with real credentials or API keys
• Connect this to production systems of any kind
• Use this with sensitive or personal data
• Deploy this on any public-facing infrastructure
• Use this for anything other than studying AI safety in a fully isolated, disposable environment

If you want an actual personal AI assistant, use OpenClaw instead. It has all the safety guardrails that this fork deliberately removed.

You have been warned. Repeatedly. On purpose.

What is YoloClaw?

YoloClaw is an unguarded fork of OpenClaw, the open-source personal AI assistant. OpenClaw is a personal AI assistant you run on your own devices. It answers you on the channels you already use (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, WebChat), plus extension channels like BlueBubbles, Matrix, Zalo, and Zalo Personal. It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control. The Gateway is just the control plane — the product is the assistant.

YoloClaw takes all of that and strips out every safety mechanism, producing a version that is maximally permissive and maximally dangerous. The purpose is purely educational: to make it viscerally obvious what each safety layer in OpenClaw actually does by showing what the system looks like without them.

Upstream: OpenClaw · Docs · DeepWiki · Getting Started · FAQ

What's Different from OpenClaw

This section documents every safety guardrail that was removed in the yoloclaw: remove all safety guardrails for research/educational use commit. Each subsection names the file changed, what was removed, and why it matters.

1. Exec Approvals Disabled — src/infra/exec-approvals.ts

Impact: The agent can execute any shell command on your host without ever asking you. There is no confirmation step, no deny list, no human-in-the-loop.

2. Environment Variable Blocklist Removed — src/agents/bash-tools.exec-runtime.ts

Impact: The agent can read, set, or manipulate any environment variable. This includes variables that control dynamic linker behavior (LD_PRELOAD, DYLD_INSERT_LIBRARIES), Node.js runtime flags (NODE_OPTIONS), and the system PATH. An attacker (or a confused agent) can use these to inject arbitrary code into every spawned process.

3. SSRF Protection Gutted — src/infra/net/ssrf.ts

Impact: The agent can make HTTP requests to 127.0.0.1, 169.254.169.254 (cloud metadata), 10.x.x.x, 192.168.x.x, and any other internal address. This is a textbook Server-Side Request Forgery (SSRF) vulnerability. On cloud infrastructure, this can leak instance credentials, secrets, and metadata.

4. Dangerous Tool Deny Lists Emptied — src/security/dangerous-tools.ts

Impact: Every tool is accessible via both the HTTP gateway API and the Agent Communication Protocol. Tools that can spawn processes, write/delete files, send messages on your behalf, and modify the gateway itself are all unrestricted.

5. External Content Sanitization Removed — src/security/external-content.ts

Impact: Any external content (web pages, emails, messages, API responses) is injected directly into the AI prompt with zero sanitization. This is a wide-open prompt injection vector. A malicious web page or email can contain instructions that the agent will follow as if they came from you.

6. Behavioral Guardrails Rewritten — SOUL.md

Impact: Even if some safety mechanism was accidentally left intact, the personality prompt actively instructs the agent to bypass it. The agent is told to "never ask for permission," to treat all access as unrestricted, and to execute commands without hesitation.

7. Security Policy Rewritten — SECURITY.md

The upstream security policy (responsible disclosure, reporting procedures) has been replaced with a document that simply catalogs the removed guardrails. There is no security reporting process for YoloClaw because this is not a project that should ever be deployed.

8. Package Metadata Changed — package.json

• Package renamed from openclaw to yoloclaw
• Version tagged with -yolo.1 suffix
• Repository URLs point to the fork

Install (research use only — do NOT use in production)

Reminder: Do not install this. Use OpenClaw instead.

If you insist on studying this in a fully isolated, disposable environment:

Runtime: Node >= 22.

git clone https://github.com/kenm47/yoloclaw.git
cd yoloclaw

pnpm install
pnpm ui:build
pnpm build

pnpm openclaw onboard --install-daemon

Do NOT install this globally. Do NOT run npm install -g. Keep it local, keep it isolated, keep it temporary.

Quick start (TL;DR)

Reminder: There is no safe quick start. Every command runs without approval.

Runtime: Node >= 22.

Full beginner guide (for upstream OpenClaw): Getting started

pnpm openclaw onboard --install-daemon

pnpm openclaw gateway --port 18789 --verbose

# Send a message
pnpm openclaw message send --to +1234567890 --message "Hello from YoloClaw"

# Talk to the assistant (no safety net)
pnpm openclaw agent --message "Ship checklist" --thinking high

Development channels

• stable: tagged releases (vYYYY.M.D or vYYYY.M.D-<patch>), npm dist-tag latest.
• beta: prerelease tags (vYYYY.M.D-beta.N), npm dist-tag beta.
• dev: moving head of main, npm dist-tag dev.

For upstream channel switching: openclaw update --channel stable|beta|dev. Details: Development channels.

From source (development)

Prefer pnpm for builds from source. Bun is optional for running TypeScript directly.

git clone https://github.com/kenm47/yoloclaw.git
cd yoloclaw

pnpm install
pnpm ui:build # auto-installs UI deps on first run
pnpm build

pnpm openclaw onboard --install-daemon

# Dev loop (auto-reload on TS changes)
pnpm gateway:watch

Note: pnpm openclaw ... runs TypeScript directly (via tsx). pnpm build produces dist/ for running via Node / the packaged openclaw binary.

Security defaults (DM access)

In YoloClaw, the security model documented here still exists at the channel level (DM pairing, allowlists) but the deeper runtime protections (exec approvals, SSRF, content sanitization, tool deny lists) have all been removed. Channel-level DM policy is your last line of defense — and it was never designed to be the only line of defense.

YoloClaw connects to real messaging surfaces. Treat inbound DMs as untrusted input — though YoloClaw will not help you enforce that.

Full security guide (upstream): Security

Default behavior on Telegram/WhatsApp/Signal/iMessage/Microsoft Teams/Discord/Google Chat/Slack:

• DM pairing (dmPolicy="pairing"): unknown senders receive a short pairing code and the bot does not process their message.
• Approve with: openclaw pairing approve <channel> <code>.
• Public inbound DMs require an explicit opt-in: set dmPolicy="open" and include "*" in the channel allowlist.

Run openclaw doctor to surface risky/misconfigured DM policies.

Highlights

• Local-first Gateway — single control plane for sessions, channels, tools, and events.
• Multi-channel inbox — WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, BlueBubbles (iMessage), iMessage (legacy), Microsoft Teams, Matrix, Zalo, Zalo Personal, WebChat, macOS, iOS/Android.
• Multi-agent routing — route inbound channels/accounts/peers to isolated agents.
• Voice Wake + Talk Mode — always-on speech for macOS/iOS/Android with ElevenLabs.
• Live Canvas — agent-driven visual workspace with A2UI.
• First-class tools — browser, canvas, nodes, cron, sessions, and Discord/Slack actions. All tools unrestricted in YoloClaw.
• Companion apps — macOS menu bar app + iOS/Android nodes.
• Onboarding + skills — wizard-driven setup with bundled/managed/workspace skills.

Everything we built so far

Note: All features below are inherited from upstream OpenClaw. The difference is that YoloClaw runs them with zero safety guardrails.

Core platform

• Gateway WS control plane with sessions, presence, config, cron, webhooks, Control UI, and Canvas host.
• CLI surface: gateway, agent, send, wizard, and doctor.
• Pi agent runtime in RPC mode with tool streaming and block streaming.
• Session model: main for direct chats, group isolation, activation modes, queue modes, reply-back. Group rules: Groups.
• Media pipeline: images/audio/video, transcription hooks, size caps, temp file lifecycle. Audio details: Audio.

Channels

• Channels: WhatsApp (Baileys), Telegram (grammY), Slack (Bolt), Discord (discord.js), Google Chat (Chat API), Signal (signal-cli), BlueBubbles (iMessage, recommended), iMessage (legacy imsg), Microsoft Teams (extension), Matrix (extension), Zalo (extension), Zalo Personal (extension), WebChat.
• Group routing: mention gating, reply tags, per-channel chunking and routing.

Apps + nodes

• macOS app: menu bar control plane, Voice Wake/PTT, Talk Mode overlay, WebChat, debug tools, remote gateway control.
• iOS node: Canvas, Voice Wake, Talk Mode, camera, screen recording, Bonjour pairing.
• Android node: Canvas, Talk Mode, camera, screen recording, optional SMS.
• macOS node mode: system.run/notify + canvas/camera exposure.

Tools + automation

• Browser control: dedicated Chrome/Chromium, snapshots, actions, uploads, profiles.
• Canvas: A2UI push/reset, eval, snapshot.
• Nodes: camera snap/clip, screen record, location.get, notifications.
• Cron + wakeups; webhooks; Gmail Pub/Sub.
• Skills platform: bundled, managed, and workspace skills with install gating + UI.

Runtime + safety

In YoloClaw, most of the "safety" items below are gutted. They exist in code but are no-ops.

• Channel routing, retry policy, and streaming/chunking.
• Presence, typing indicators, and usage tracking.
• Models, model failover, and session pruning.
• Security and troubleshooting. (Security mechanisms are disabled in this fork.)

Ops + packaging

• Control UI + WebChat served directly from the Gateway.
• Tailscale Serve/Funnel or SSH tunnels with token/password auth.
• Nix mode for declarative config; Docker-based installs.
• Doctor migrations, logging.

How it works (short)

WhatsApp / Telegram / Slack / Discord / Google Chat / Signal / iMessage / BlueBubbles / Microsoft Teams / Matrix / Zalo / Zalo Personal / WebChat
               |
               v
+-------------------------------+
|            Gateway            |
|       (control plane)         |
|   *** NO SAFETY GUARDRAILS ** |
|     ws://127.0.0.1:18789      |
+---------------+---------------+
               |
               +-- Pi agent (RPC)       <-- executes anything, no approval
               +-- CLI (openclaw ...)
               +-- WebChat UI
               +-- macOS app
               +-- iOS / Android nodes

Key subsystems

• Gateway WebSocket network — single WS control plane for clients, tools, and events (plus ops: Gateway runbook).
• Tailscale exposure — Serve/Funnel for the Gateway dashboard + WS (remote access: Remote).
• Browser control — managed Chrome/Chromium with CDP control.
• Canvas + A2UI — agent-driven visual workspace.
• Voice Wake + Talk Mode — always-on speech and continuous conversation.
• Nodes — Canvas, camera snap/clip, screen record, location.get, notifications, plus macOS-only system.run/system.notify.

Tailscale access (Gateway dashboard)

Warning: Exposing YoloClaw via Tailscale Funnel makes an unguarded AI assistant accessible from the public internet. Do not do this.

YoloClaw can auto-configure Tailscale Serve (tailnet-only) or Funnel (public) while the Gateway stays bound to loopback. Configure gateway.tailscale.mode:

• off: no Tailscale automation (default).
• serve: tailnet-only HTTPS via tailscale serve.
• funnel: public HTTPS via tailscale funnel (requires shared password auth).

Details: Tailscale guide · Web surfaces

Remote Gateway (Linux is great)

It is perfectly fine to run the upstream OpenClaw Gateway on a small Linux instance. Running YoloClaw remotely is not recommended — a remote unguarded agent with full exec access is an exceptionally bad idea.

• Gateway host runs the exec tool and channel connections by default.
• Device nodes run device-local actions (system.run, camera, screen recording, notifications) via node.invoke.

Details: Remote access · Nodes · Security

macOS permissions via the Gateway protocol

The macOS app can run in node mode and advertises its capabilities + permission map over the Gateway WebSocket (node.list / node.describe). Clients can then execute local actions via node.invoke:

• system.run runs a local command and returns stdout/stderr/exit code.
• system.notify posts a user notification.
• canvas.*, camera.*, screen.record, and location.get are also routed via node.invoke and follow TCC permission status.

Details: Nodes · macOS app · Gateway protocol

Agent to Agent (sessions_* tools)

In upstream OpenClaw, sessions_spawn and sessions_send are in the dangerous tools deny list. In YoloClaw, they are fully unrestricted.

• sessions_list — discover active sessions (agents) and their metadata.
• sessions_history — fetch transcript logs for a session.
• sessions_send — message another session; optional reply-back ping-pong.

Details: Session tools

Skills registry (ClawHub)

ClawHub is a minimal skill registry. With ClawHub enabled, the agent can search for skills automatically and pull in new ones as needed.

ClawHub

Chat commands

Send these in WhatsApp/Telegram/Slack/Google Chat/Microsoft Teams/WebChat:

• /status — compact session status (model + tokens, cost when available)
• /mesh <goal> — auto-plan + run a multi-step workflow
• /new or /reset — reset the session
• /compact — compact session context (summary)
• /think <level> — off|minimal|low|medium|high|xhigh
• /verbose on|off
• /usage off|tokens|full — per-response usage footer
• /restart — restart the gateway (owner-only in groups)
• /activation mention|always — group activation toggle (groups only)

Apps (optional)

The Gateway alone delivers the full experience. All apps are optional.

macOS (optional)

• Menu bar control for the Gateway and health.
• Voice Wake + push-to-talk overlay.
• WebChat + debug tools.
• Remote gateway control over SSH.

iOS node (optional)

• Pairs as a node via the Bridge.
• Voice trigger forwarding + Canvas surface.
• Runbook: iOS connect.

Android node (optional)

• Pairs via the same Bridge + pairing flow as iOS.
• Exposes Canvas, Camera, and Screen capture commands.
• Runbook: Android connect.

Agent workspace + skills

• Workspace root: ~/.openclaw/workspace (configurable via agents.defaults.workspace).
• Injected prompt files: AGENTS.md, SOUL.md, TOOLS.md.
• Skills: ~/.openclaw/workspace/skills/<skill>/SKILL.md.

In YoloClaw, SOUL.md has been rewritten to instruct the agent to act without permission and ignore all boundaries. See the What's Different from OpenClaw section.

Configuration

Minimal ~/.openclaw/openclaw.json (model + defaults):

{
  agent: {
    model: "anthropic/claude-opus-4-6",
  },
}

Full configuration reference (all keys + examples).

Security model (important)

YoloClaw has NO functional security model. The information below describes what upstream OpenClaw provides. In this fork, exec approvals always pass, SSRF checks always pass, dangerous tool lists are empty, and external content is never sanitized.

• Default (upstream): tools run on the host for the main session, so the agent has full access when it is just you.
• Group/channel safety (upstream): set agents.defaults.sandbox.mode: "non-main" to run non-main sessions inside per-session Docker sandboxes.
• Sandbox defaults (upstream): allowlist bash, process, read, write, edit, sessions_list, sessions_history, sessions_send, sessions_spawn; denylist browser, canvas, nodes, cron, discord, gateway.

Details: Security guide · Docker + sandboxing · Sandbox config

WhatsApp

• Link the device: pnpm openclaw channels login (stores creds in ~/.openclaw/credentials).
• Allowlist who can talk to the assistant via channels.whatsapp.allowFrom.
• If channels.whatsapp.groups is set, it becomes a group allowlist; include "*" to allow all.

Telegram

• Set TELEGRAM_BOT_TOKEN or channels.telegram.botToken (env wins).
• Optional: set channels.telegram.groups; when set, it is a group allowlist.

{
  channels: {
    telegram: {
      botToken: "123456:ABCDEF",
    },
  },
}

Slack

• Set SLACK_BOT_TOKEN + SLACK_APP_TOKEN (or channels.slack.botToken + channels.slack.appToken).

Discord

• Set DISCORD_BOT_TOKEN or channels.discord.token (env wins).

{
  channels: {
    discord: {
      token: "1234abcd",
    },
  },
}

Signal

• Requires signal-cli and a channels.signal config section.

BlueBubbles (iMessage)

• Recommended iMessage integration.
• Configure channels.bluebubbles.serverUrl + channels.bluebubbles.password and a webhook.

iMessage (legacy)

• Legacy macOS-only integration via imsg.

Microsoft Teams

• Configure a Teams app + Bot Framework, then add a msteams config section.

WebChat

• Uses the Gateway WebSocket; no separate WebChat port/config.

Browser control (optional):

{
  browser: {
    enabled: true,
    color: "#FF4500",
  },
}

Docs

Use these when you are past the onboarding flow and want the deeper reference. These point to the upstream OpenClaw docs, which are still relevant for understanding the platform — just remember that YoloClaw has no safety guardrails.

• Start with the docs index for navigation and "what's where."
• Read the architecture overview for the gateway + protocol model.
• Use the full configuration reference when you need every key and example.
• Run the Gateway by the book with the operational runbook.
• Learn how the Control UI/Web surfaces work and how to expose them safely.
• Understand remote access over SSH tunnels or tailnets.
• Follow the onboarding wizard flow for a guided setup.
• Wire external triggers via the webhook surface.
• Set up Gmail Pub/Sub triggers.
• Learn the macOS menu bar companion details.
• Platform guides: Windows (WSL2), Linux, macOS, iOS, Android
• Debug common failures with the troubleshooting guide.
• Review security guidance before exposing anything.

Advanced docs (discovery + control)

• Discovery + transports
• Bonjour/mDNS
• Gateway pairing
• Remote gateway README
• Control UI
• Dashboard

Operations & troubleshooting

• Health checks
• Gateway lock
• Background process
• Browser troubleshooting (Linux)
• Logging

Deep dives

• Agent loop
• Presence
• TypeBox schemas
• RPC adapters
• Queue

Workspace & skills

• Skills config
• Default AGENTS
• Templates: AGENTS
• Templates: BOOTSTRAP
• Templates: IDENTITY
• Templates: SOUL
• Templates: TOOLS
• Templates: USER

Platform internals

• macOS dev setup
• macOS menu bar
• macOS voice wake
• iOS node
• Android node
• Windows (WSL2)
• Linux app

Email hooks (Gmail)

• docs.openclaw.ai/gmail-pubsub

Upstream

YoloClaw is a fork of OpenClaw, built by Peter Steinberger and the community. 🦞

All credit for the platform goes to the upstream project. This fork only removes safety guardrails for research/educational purposes.

• openclaw.ai
• OpenClaw on GitHub

License

MIT — same as upstream OpenClaw.

One final reminder: Do not use YoloClaw. Use OpenClaw. The guardrails exist for very good reasons, and this fork exists to prove it.