Migrating from OpenClaw, ClawdBot, or MoltBot? → Jump to migration guide
~3,000 lines of auditable Python. No mystery dependencies. No open ports by default. Budget-capped so it cannot bankrupt you overnight.
- No open ports by default — WebChat is opt-in; Telegram and WhatsApp connectors use outbound polling only
- Hard budget caps — session cap ($1.00) and monthly cap ($20.00) enforced before every LLM call; raises
BudgetExceededbefore your card is charged - Auditable in an afternoon — ~3,000 lines across 6 core modules, fully type-hinted, zero magic
- One-command migration —
cato migrate --from-openclawcopies your OpenClaw / ClawdBot / MoltBot workspaces and validates SKILL.md compatibility instantly - Conduit headless browser — cryptographically signed audit trail, VOIX protocol, Ed25519 agent identity, SHA-256 hash-chained action log — no other local AI daemon comes close
OpenClaw (also distributed as ClawdBot and MoltBot in earlier versions) has accumulated a pattern of undisclosed credential handling, silent telemetry, and a dependency tree that ships with known CVEs. Cato is the clean-room replacement.
Specific issues with OpenClaw / ClawdBot / MoltBot:
- Credential exposure: API keys stored in plaintext JSON under
~/.openclaw/keys/with 644 permissions — readable by any process on the machine - Silent telemetry: Usage data sent to
telemetry.openclaw.iowithout opt-out in versions prior to 2.4.0 — OpenClaw phones home every session - Supply-chain risk: Transitive dependency
openclaw-nativebundles a pre-built C extension with no reproducible build — you cannot verify what you're running - No budget enforcement: OpenClaw / ClawdBot has no spend caps; a runaway agent loop can drain your API balance overnight
- PostgreSQL + Redis required: OpenClaw's full stack requires Docker, PostgreSQL, and Redis just to run locally — Cato needs none of this
Cato stores all credentials in AES-256-GCM encrypted vault (vault.enc), emits zero telemetry, and has zero C extensions. Every outbound connection is one you configured.
# From PyPI (recommended)
pip install cato-daemon
patchright install chromium # one-time browser download (~130 MB)
# Or install from source
git clone https://github.com/bkauto3/cato
cd cato && pip install -e .
patchright install chromiumcato initThe wizard asks for:
- Monthly and session budget caps (defaults: $20 / $1)
- A vault master password (used to encrypt all API keys with AES-256-GCM)
- Whether to enable Telegram, WhatsApp, or SwarmSync routing
cato start # WebChat on localhost:8080
cato start --channel telegram # Telegram polling only
cato start --channel all # all channelsThat's it. No Docker. No PostgreSQL. No Redis. SQLite for memory, a single YAML for config, one encrypted file for secrets.
Coming from OpenClaw, ClawdBot, or MoltBot? One command brings everything over:
# Preview what would be migrated (safe, no files written)
cato migrate --from-openclaw --dry-run
# Apply the migration
cato migrate --from-openclawThis command:
- Scans
~/.openclaw/agents/for all agent workspaces (works for OpenClaw, ClawdBot, and MoltBot — all used the same directory structure) - Copies workspace files:
SOUL.md,AGENTS.md,USER.md,IDENTITY.md,MEMORY.md,TOOLS.md,HEARTBEAT.md,CRONS.json - Validates each
SKILL.md— must have a# Titleand## Instructionssection - Validates each session
.jsonl— every line must be valid JSON - Copies
sessions/*.jsonlandskills/*.mdper agent - Prints a summary: agents migrated, skills migrated, sessions migrated, files skipped
What is NOT copied from OpenClaw / ClawdBot / MoltBot:
config.json— Cato uses YAML; re-runcato initto configurenode_modules/, Node binaries — not applicable to Cato.envfiles — re-enter API keys viacato init(your OpenClaw plaintext keys are now encrypted in Cato's vault)
After migration, run cato doctor to audit token budgets and cato init to configure API keys.
| Issue | OpenClaw / ClawdBot / MoltBot | Cato |
|---|---|---|
| API key storage | Plaintext JSON, 644 perms | AES-256-GCM vault, memory-only key |
| Telemetry | Silent — phones home to telemetry.openclaw.io |
Zero. No outbound connections except your LLMs |
| Budget enforcement | None — agents can spend unlimited | Hard caps per-session and per-month |
| Infrastructure | Docker + PostgreSQL + Redis required | SQLite only, runs anywhere Python does |
| C extensions | openclaw-native pre-built binary |
Zero C extensions, fully auditable |
| Migration path | Locked in | cato migrate --from-openclaw one command |
SwarmSync is an intelligent model router that selects the cheapest model capable of handling each task — without you having to think about it.
# ~/.cato/config.yaml
swarmsync_enabled: true
swarmsync_api_url: https://api.swarmsync.ai/v1/chat/completionsOr enable interactively during cato init.
- Before each LLM call, Cato sends the task description to the SwarmSync router
- The router scores each of the 16 supported models against the task complexity
- The cheapest capable model is selected automatically
- The selected model's actual cost is tracked in your budget as normal
- Routing itself costs $0.00
When SwarmSync is disabled (the default), Cato uses default_model from config.yaml for every call.
Conduit is Cato's built-in headless browser engine. It is on by default and replaces every other agent browser integration you've seen. No other local AI daemon — not OpenClaw, not ClawdBot, not MoltBot, not AutoGPT, not AgentGPT, not anything — ships with what Conduit ships with out of the box.
# Already enabled by default in your config
conduit_enabled: trueEvery Cato instance generates a unique Ed25519 keypair on first run, stored at {data_dir}/conduit_identity.key. Every browser session is cryptographically tied to that identity. You can prove which agent performed which action at which time — forever.
No other headless browser integration for local AI agents does this.
Every browser action — navigate, click, type, extract, screenshot — is written to an append-only, SHA-256 hash-chained audit log in SQLite. Each row's hash includes the previous row's hash, making the entire chain tamper-evident. If anyone modifies or deletes a row, cato audit --verify detects it instantly.
cato audit --session <id> # full action-by-action replay
cato audit --verify # tamper detection across all sessions
cato receipt --session <id> # signed fare receipt with line-item logThis is the same pattern used in blockchain and financial audit systems — brought to your local AI agent browser.
Conduit automatically strips VOIX <tool> and <context> tags from all extracted page content before it reaches the agent. Pages built for agent consumption using the VOIX protocol are cleaned and normalized automatically — your agent never sees raw protocol tags in its context window.
Every browser action is checked against the session budget cap before it executes. If the action would exceed your cap, it raises BudgetExceededError and stops — it never executes the action first and asks forgiveness later. OpenClaw / ClawdBot / MoltBot have no browser budget enforcement at all.
{"error": "Conduit budget 100¢ would be exceeded", "budget_exceeded": true}Before any browser action is written to the audit log, Cato automatically redacts values whose keys match known sensitive patterns (api_key, token, password, secret, authorization, bearer, credential, etc.). Your keystrokes into password fields never appear in the audit trail.
Conduit is fully wired into Cato's reversibility safety gate. Actions are classified by risk tier before execution:
| Action | Risk Tier | Requires Confirmation |
|---|---|---|
navigate, extract, screenshot |
READ | Never |
click, type |
REVERSIBLE_WRITE | Never |
| Form submissions that send data externally | HIGH_STAKES | Yes (strict mode) |
In daemon mode (no TTY), HIGH_STAKES actions fail safe — denied by default, logged with reason.
Unlike Conduit's commercial deployment in SwarmSync (where per-action billing enables cost attribution across multi-tenant agent fleets), all Conduit actions in Cato are free. The full audit trail, identity signing, and VOIX support run at zero cost. The billing infrastructure is present in the codebase for SwarmSync compatibility but all costs are zeroed.
Conduit uses Patchright (a stealth Playwright fork) under the hood — one patchright install chromium and you're done. No Selenium server. No WebDriver binary management. No Docker container for the browser. No remote browser API. The browser runs locally, the audit log stays local, the identity key never leaves your machine.
| Feature | Conduit (Cato) | OpenClaw browser | AutoGPT browser | AgentGPT | Playwright MCP |
|---|---|---|---|---|---|
| Ed25519 agent identity | ✅ | ❌ | ❌ | ❌ | ❌ |
| SHA-256 hash-chained audit log | ✅ | ❌ | ❌ | ❌ | ❌ |
| VOIX protocol stripping | ✅ | ❌ | ❌ | ❌ | ❌ |
| Budget enforcement before action | ✅ | ❌ | ❌ | ❌ | ❌ |
| Sensitive input redaction | ✅ | ❌ | ❌ | ❌ | ❌ |
| Tamper-evident audit trail | ✅ | ❌ | ❌ | ❌ | ❌ |
| Safety gate (reversibility tiers) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Signed receipts per session | ✅ | ❌ | ❌ | ❌ | ❌ |
| Free for local use | ✅ | ✅ | ✅ | ✅ | ✅ |
| No external server required | ✅ | ❌ | ❌ | ❌ | ✅ |
Conduit exposes the same browser tool interface as before — nothing changes in how you write skills or prompts:
# In any skill or agent prompt:
Use browser.navigate to go to https://example.com
Use browser.extract to get the page content
Use browser.click on the "Submit" button
Use browser.screenshot to capture the resultEvery action is automatically logged, signed, and budget-checked. You get a full audit receipt at the end of every session with cato receipt --session <id>.
All 16 models across 6 providers, with per-call cost tracking:
| Model | Provider | Input $/M | Output $/M |
|---|---|---|---|
| claude-opus-4-6 | Anthropic | $15.00 | $75.00 |
| claude-sonnet-4-6 | Anthropic | $3.00 | $15.00 |
| claude-haiku-4-5 | Anthropic | $0.80 | $4.00 |
| gpt-4o | OpenAI | $2.50 | $10.00 |
| gpt-4o-mini | OpenAI | $0.15 | $0.60 |
| o3-mini | OpenAI | $1.10 | $4.40 |
| gemini-2.0-pro | $1.25 | $5.00 | |
| gemini-2.0-flash | $0.10 | $0.40 | |
| gemini-2.0-flash-lite | $0.075 | $0.30 | |
| deepseek-v3 | DeepSeek | $0.27 | $1.10 |
| deepseek-r1 | DeepSeek | $0.55 | $2.19 |
| groq-llama-3.3-70b | Groq | $0.59 | $0.79 |
| mistral-small | Mistral | $0.10 | $0.30 |
| minimax-2.5 | MiniMax | $0.20 | $1.00 |
| kimi-k2.5 | Moonshot | $0.15 | $0.60 |
| swarmsync-router | SwarmSync | $0.00 | $0.00 |
Also supports OpenRouter (OPENROUTER_API_KEY) for access to 300+ models through a single key — a popular choice for former OpenClaw / MoltBot users who want multi-provider access without managing separate keys.
Cato ships with 6 ready-to-use skills in cato/skills/. They are loaded automatically by the agent loop and are fully compatible with OpenClaw / ClawdBot / MoltBot skill files (same SKILL.md format).
| Skill file | Capabilities | What it does |
|---|---|---|
web_search.md |
browser.search, browser.navigate | DuckDuckGo search with source citations |
summarize_url.md |
browser.navigate, browser.snapshot | Fetch any URL and return a 3-5 sentence summary |
send_email.md |
browser.navigate, browser.click, browser.type | Draft and send email via Gmail web UI (confirms before sending) |
add_notion.md |
shell | Add pages to a Notion database via the REST API |
daily_digest.md |
browser.search, memory.search, file.read | Personalized news digest from tracked topics + open tasks |
coding_agent.md |
shell | Delegate tasks to Claude Code, Codex, or Gemini CLIs installed locally |
A SKILL.md file requires exactly two structural elements (same format as OpenClaw / ClawdBot / MoltBot skills — they migrate directly):
# My Skill Name
**Version:** 1.0.0
**Capabilities:** shell, browser.navigate
## Instructions
Tell the agent exactly what to do step by step.
Use numbered lists for sequential actions.
Reference tools by their canonical names: `shell`, `browser`, `file`, `memory`.Drop the file into ~/.cato/agents/{your-agent}/skills/ and restart Cato. The context builder injects active skills into every turn.
Cato is intentionally flat. Every module does exactly one thing:
| File | Lines | Purpose |
|---|---|---|
cato/vault.py |
~150 | AES-256-GCM credential store, Argon2id KDF |
cato/budget.py |
~170 | Spend cap enforcement, call-level cost tracking |
cato/config.py |
~90 | YAML config with safe defaults, first-run detection |
cato/core/context_builder.py |
~160 | 7,000-token context assembly with priority stack |
cato/core/memory.py |
~210 | SQLite + BM25 + sentence-transformer hybrid memory |
cato/cli.py |
~260 | init, start, stop, migrate, doctor, status |
No orchestration magic. No hidden event loops. Read it in a coffee break.
User message
|
v
+------+--------+ +-----------+ +----------+
| Telegram / | | Gateway | | SwarmSync|
| WhatsApp / +----->| (auth + +----->| Router |
| WebChat | | routing) | | (opt-in) |
+---------------+ +-----+-----+ +----------+
|
v
+---------+--------+
| ContextBuilder |
| (7,000-tok budget)|
| SOUL + AGENTS + |
| USER + MEMORY + |
| skills + log |
+---------+--------+
|
v
+---------+--------+
| Agent Loop |
| plan → execute |
| → reflect → done|
+---------+--------+
|
+--------------+-----------+
| | |
v v v
+--------+ +---------+ +--------+
| Shell | | Browser | | File |
| tool | | Conduit | | tool |
+--------+ +---------+ +--------+
| | |
+------+-------+-----------+
|
v
+--------------+
| Memory |
| SQLite+BM25 |
| +embeddings |
+--------------+
|
v
+--------------+
| Budget Guard |
| session+month |
| hard caps |
+--------------+
- Memory at scale: The hybrid BM25+semantic search loads all chunks for each query. Works well up to ~5,000 memory chunks. For larger memory stores, an ANN index (faiss/hnswlib) will be added in v0.2.
Pull requests welcome. The bar is: does it fit in a coffee break?
- Keep modules small and single-purpose (target < 250 lines each)
- No new required dependencies without strong justification
- Zero telemetry — every outbound connection must be user-initiated
- All credentials must pass through the vault, never environment variables
- Create
cato/tools/mytool.pyimplementing theBaseToolinterface fromcato/tools/base.py - Register it in
cato/tools/__init__.py - Add a row to the capabilities table in this README
- Create
cato/adapters/myadapter.pysubclassingBaseAdapter - Register it in
cato/adapters/__init__.py - Add the enable flag to
CatoConfigincato/config.py
- Create a SKILL.md in
cato/skills/with a# Titleand## Instructionssection - List the capabilities it requires in the frontmatter
- Add a row to the Built-in Skills table in this README
cato init # first-run wizard
cato start # start daemon (WebChat)
cato start --channel telegram # telegram only
cato start --channel all # all channels
cato stop # graceful shutdown
cato status # running state + budget summary
cato doctor # audit token budget per workspace
cato migrate --from-openclaw # migrate OpenClaw / ClawdBot / MoltBot agents
cato migrate --from-openclaw --dry-run # preview migration (no files written)
cato vault set KEY value # store an API key in the encrypted vaultAll config lives at ~/.cato/config.yaml:
agent_name: cato
default_model: claude-sonnet-4-6
monthly_cap: 20.0
session_cap: 1.0
conduit_enabled: true
swarmsync_enabled: true
swarmsync_api_url: https://api.swarmsync.ai/v1/chat/completions
telegram_enabled: false
whatsapp_enabled: false
webchat_port: 8080
max_planning_turns: 2
context_budget_tokens: 7000
log_level: INFO- Vault: AES-256-GCM, Argon2id (64 MiB, 3 iterations, 4 threads), nonce-per-encryption
- Key storage: Derived key lives in process memory only — never written to disk
- Credentials: All API keys go through
cato vault set <KEY> <VALUE>, not environment variables - No telemetry: Zero external connections except to LLM APIs you configure
- Canary key: Synthetic
sk-cato-canary-*key detects accidental credential leaks
Unlike OpenClaw / ClawdBot / MoltBot, there is no telemetry.openclaw.io or equivalent. Cato never calls home.
MIT. Do whatever you want. Attribution appreciated.
If you found this repo searching for:
- openclaw alternative — you're in the right place
- openclaw replacement —
cato migrate --from-openclawgets you running in 60 seconds - clawdbot alternative — ClawdBot was an earlier name for OpenClaw; same migration command
- moltbot alternative — MoltBot was the original name; same directory structure, same SKILL.md format
- openclaw security issues — see the Why Not OpenClaw section above
- openclaw telemetry — yes, OpenClaw phones home; Cato doesn't
- openclaw plaintext credentials — yes, OpenClaw stores keys in
~/.openclaw/keys/at 644; Cato encrypts everything
Powered by SwarmSync intelligent model routing.