I gave an AI agent access to my entire digital life. Here's how I made sure that wasn't stupid.
T

Full Stack Engineer & Writer

I gave an AI agent access to my entire digital life. Here's how I made sure that wasn't stupid.

Last weekend I set up an AI personal assistant on a Raspberry Pi. It can read my email, manage my calendar, send me Telegram messages, track my calories, monitor news feeds, and publish posts to this blog. It wrote the first draft of this post, actually. I had to rewrite most of it.

The framework is called OpenClaw. It's open source, the Discord is called "Friends of the Crustacean" (the mascot is a lobster), and it's been blowing up lately among developers who want a personal AI assistant they actually own. You run it on your own hardware, connect it to whatever chat apps you use — Telegram, WhatsApp, Discord, iMessage, Signal, Slack — point it at an AI model, and you've got an always-on assistant in your pocket.

Really cool technology. But the moment you give an AI agent access to your email, calendar, and messaging accounts, you've created something with a serious attack surface. I want to talk about how I set this up and how I made sure it wasn't a security disaster.

What's running

Everything lives on a Raspberry Pi on my desk:

  • OpenClaw — the AI agent framework (open source, handles everything)
  • Claude from Anthropic — the AI brain
  • Telegram — the chat interface
  • Tailscale — keeps everything locked down
  • Gmail — real-time email notifications
  • Notion — blog publishing

The problem

No cloud servers. Just a Pi on my desk.

Let's be honest about what this thing has access to. It can read my email. It knows my schedule. It can send messages on my behalf. It has keys to multiple services. If someone compromised this Pi, they'd have a pretty complete picture of my life and the ability to act within it.

An AI agent that can take actions is a different kind of risk than a normal app. It doesn't just hold data. It can do things with it.

So the question is: how do you get the benefits of a personal AI agent without leaving the front door wide open?

Tailscale and zero exposed ports

The backbone of my security setup is Tailscale. For anyone unfamiliar, Tailscale creates a private encrypted network between your devices. All traffic is encrypted end-to-end, and you don't need to open any ports on your router.

My Pi has zero ports exposed to the public internet. If you scanned my home IP, you'd get nothing back. The Pi only exists on my Tailscale network — they call it a "tailnet" — which means you'd need to be a device I've personally authenticated to even know it's there.

The OpenClaw control panel runs behind Tailscale Serve, which makes it available to my laptop and phone but invisible to the rest of the internet. No port forwarding, no firewall rules to maintain. If your device isn't on my tailnet, the control panel simply doesn't exist.

For Telegram, it's even simpler. My Pi reaches out to Telegram's servers to check for new messages. Telegram never connects to my Pi at all. Everything is outbound.

The one exception (that I killed)

Gmail needs a publicly reachable URL for real-time notifications. When a new email arrives, Google sends a push notification to that URL. There's no way around this for instant email — or so I thought.

I originally used Tailscale Funnel for this — it lets you expose a specific URL to the public internet. But when I ran a security audit, I realized Funnel is all-or-nothing per domain. I couldn't expose just the Gmail webhook without also exposing my entire control panel. That bothered me. So I killed it. Gmail now runs on a polling cron job that checks for new emails every five minutes. Emails are slightly delayed instead of instant, but nothing is exposed to the public internet anymore. Zero inbound connections. I'll take the five-minute delay.

Is it perfect? No, it's still a URL on the internet. But one validated endpoint is a lot different than an entire exposed server.

Almost everything is outbound

Here's the pattern that makes this work: nearly all connections go from the Pi outward.

  • Telegram — Pi checks for messages. Outbound.
  • Anthropic — Pi sends prompts, gets responses. Outbound.
  • Notion — Pi pushes blog content. Outbound.
  • Tailscale — Pi connects to the network. Outbound.

There are no inbound paths anymore. Everything is the Pi reaching out, not the other way around. That's about as simple as network security gets. Instead of defending open doors against the entire internet, you're making encrypted requests to services you already trust.

Who can talk to the bot

OpenClaw has a pairing system for Telegram. Random people can't just find my bot and start chatting with it. When someone new sends a message, the bot generates a code, and I have to approve it before it responds.

Without this, anyone who found the bot's username could ask it to read my email or check my calendar. With pairing, it just ignores people I haven't approved.

Where the keys live

All API keys and tokens are stored on the Pi itself. They never pass through another service. They never get stored in someone else's database.

If Anthropic gets breached, they don't have my Telegram token. If Telegram gets breached, they don't have my Anthropic key. Each service only knows its own credentials. That's the basic advantage of running this yourself — you control where the secrets are.

What I trust and what I don't

I trust Anthropic with my prompts. That's the tradeoff of using a cloud AI model. I trust Telegram with my messages. I trust Google with my email (they already have it). I trust Tailscale with coordinating my network, though the actual traffic is encrypted so they can't see it anyway.

What I don't trust is any single company having the combination of all these things plus the ability to act on them. That's what self-hosting eliminates. There's no middleman sitting with access to my email and my messages and my calendar and the ability to take actions across all of them at once.

How to set it up

For anyone who wants to try this:

  1. Get a Raspberry Pi, install Tailscale, log in
  2. Install OpenClaw and run the setup wizard
  3. The wizard connects your AI model, chat apps, email, whatever you want
  4. Point Tailscale Serve at the control panel so your devices can reach it
  5. Set up ufw to deny all incoming traffic except on the Tailscale interface
  6. That's it

The OpenClaw docs and Tailscale docs are both good. Took me an evening to get running and a couple more to get it dialed in.

The audit

A day after setting this up, I asked the bot to run a security audit on itself. It checked open ports, firewall status, Tailscale configuration, SSH settings, disk encryption, auto-updates, and ran OpenClaw's built-in security scanner.

It found things I'd missed. Samba was running and listening on all interfaces — I'd forgotten it was even installed. SSH was open on the LAN, not just Tailscale. There was no firewall at all. The OpenClaw state directory had loose permissions. And that Gmail Funnel endpoint was exposing more than just the webhook path.

So we locked it down. Killed Samba entirely. Set up ufw to deny all incoming traffic except on the Tailscale interface. Removed the Funnel so nothing is publicly reachable. Switched Gmail to polling. Now the only way to reach this Pi is through my Tailscale account. If you're not an authenticated device on my tailnet, the Pi doesn't exist.

The irony isn't lost on me: I had the AI audit its own security and then fix the problems it found. It told me what was wrong, gave me the exact commands, and I ran them. Took about ten minutes. That's the thing about having an agent that actually understands your infrastructure — it can check its own homework.

Worth it?

I message a Telegram bot and it handles things for me. Checks my email, reminds me about appointments, tracks what my fiancée eats, writes blog drafts (badly, but it tries), monitors the news.

Could I get this from a hosted service? Probably. But then I'm giving one company access to everything and hoping for the best. I'd rather run it myself and know exactly what's exposed and what isn't.

The tech is fun. OpenClaw is having a moment right now and for good reason. The Tailscale approach means I get to enjoy all of it without worrying about security. Zero ports exposed, zero public endpoints, firewall locked to Tailscale only. That feels right.

← Back to Blog