Dakota Kim
Back to Essays
#ai#openclaw#picoclaw#raspberry-pi#edge-computing

Sometimes, Production Is You

Running an always-on AI agent on $15 hardware. PicoClaw on a Raspberry Pi Zero 2W: what it is, what it teaches, and why personal infrastructure matters.

PicoClaw running on a Raspberry Pi Zero 2W

Headless means I just plug it in and the PicoClaw gateway starts on boot. Everything happens over SSH, so physically messing with the device is a non-issue.

TL;DR

  • PicoClaw is an ultra-lightweight AI agent runtime written in Go that idles under 10MB of RAM.
  • It runs on a Raspberry Pi Zero 2W: $15, 512MB RAM, ~2 watts of power draw.
  • The setup process is a hands-on tour of SSH hardening, firewalling, systemd, and edge deployment.
  • Not everything needs five-nines reliability. Sometimes production is just you.

Running a Claw on $15 Hardware

Last week I set up OpenClaw on a Pi 5 (8GB) and have been enjoying the experiment, imagining the possibilities for individual leverage that always-on AI agents unlock. Like a lot of Pi fans, I have a drawer full of Pi Zeros from former projects, and I wanted them to join the party. Each Claw you spin up is called a Molt, and I had some hardware just waiting to become one.

The target: a Raspberry Pi Zero 2W. $15, 512MB RAM, quad-core ARM Cortex-A53, running 24/7 on roughly 2 watts of power. The project: PicoClaw, an ultra-lightweight AI agent runtime written in Go that idles under 10MB of RAM and boots in under a second.

What PicoClaw Actually Is

PicoClaw is an orchestrator. A persistent agent loop that connects to LLMs (Claude, OpenAI, DeepSeek, local Ollama, etc.) and exposes them through messaging channels like Telegram, Discord, or CLI. The always-on runtime that gives your AI a home.

It was built by the team at Sipeed as a Go rewrite of OpenClaw, cutting memory usage by 99%. That's what gets you from "needs a Mac Mini" to "runs on a Pi Zero in your drawer."

Is It Production Ready?

No. The project says so clearly: don't deploy to production before v1.0. There are unresolved security issues, the config schema is still evolving, and some guardrails are half-baked.

Sometimes production is you, though. A personal Telegram bot that summarizes your GitHub PRs, fires morning briefings, or runs cron automations against your own repos doesn't need five-nines reliability. It needs to work well enough to be useful and interesting.

That said, the nature of an orchestration tool like this is that you'll be giving it access to external systems to take action on your behalf. SSH hardening and firewalls are table stakes, but no amount of networking security and sandboxing will help if your access tokens aren't scoped properly. The real attack surface is the permissions you hand it. (With great power comes great responsibility.)

The Setup, In Brief

The full process teaches you more about secure Linux environments than most tutorials.

1. Flash the OS headlessly Use Raspberry Pi Imager with Raspberry Pi OS Lite (64-bit). Pre-configure your hostname, SSH, WiFi credentials, and username before writing. No monitor or keyboard ever required.

2. Harden SSH Generate an ed25519 key on your Mac (ssh-keygen -t ed25519), copy it to the Pi (ssh-copy-id), then disable password authentication entirely in /etc/ssh/sshd_config. From this point forward, only your key gets in.

3. Lock down the firewall Three UFW commands: default deny incoming, allow outgoing, allow SSH. One port open on the whole machine.

4. Install fail2ban Auto-bans IPs that fail SSH auth repeatedly. Set it, forget it.

5. Install PicoClaw Download the ARM64 binary directly from the releases page and copy it to the Pi.

6. Configure and run picoclaw onboard The wizard walks you through your LLM provider and messaging channel setup. Telegram is the easiest starting point.

7. Set up a systemd service The gateway starts on boot and restarts on crash, automatically, without you touching it.

What You Actually Learn

The process is a hands-on tour of real fundamentals: SSH key authentication, stateful firewalls and the "default deny" security posture, systemd service management, and edge deployment patterns. Building for the constraints of the hardware you have, not the hardware you wish you had.

Where It Gets Interesting

Once it's running, PicoClaw becomes the always-on brain of whatever you're building. Wire it to gh CLI and you have an agent that can check your PRs, clone repos, and push changes from a Telegram message. Wire it to cron and it runs on a schedule. Lots of possibilities here!

PicoClaw is moving fast, but it's early. The architecture it demonstrates is worth understanding now. Minimal agent runtime on minimal hardware, offline-first, single binary, no cloud dependency. That's where edge AI is heading.

PicoClaw: github.com/sipeed/picoclaw Raspberry Pi Zero 2W: raspberrypi.com

Read more essays