OpenClaw + WhatsApp
All the leverage of an AI assistant — none of the access risk.
A persistent AI orchestration layer running on a Hetzner VPS. OpenClaw reads a deterministic Python pipeline that pulls my IBKR portfolio context, turns it into structured JSON, and produces scheduled portfolio reviews and WhatsApp briefings — without ever touching the brokerage directly. Every outbound action passes through an explicit confirmation gate.
What I get out of it.
Before the architecture — here's how OpenClaw earns its keep. Quiet, scheduled, delivered to the channel I already check first thing.
- Morning briefing. World headlines, Indonesian politics, market open and macro context — one WhatsApp message, every day, before 7am.
- Weekly portfolio review. Every Monday, a written breakdown of each IBKR position: directional exposure, days-to-expiry, break-even, moneyness, and a one-line risk read.
- Ad-hoc questions, where I already chat. “What's my IBIT 36P delta sitting at?” — reply lands in the same thread as the rest of my life, not a separate app.
- Voice in, not thumbs. A ChatGPT-4o transcription skill cleans up my WhatsApp voice notes before OpenClaw reads them — faster than typing, especially when the question runs more than a sentence.
- Reminders that actually land. iOS Reminders quietly forgets to fire half the time. WhatsApp is the app I open by reflex — scheduled nudges from OpenClaw show up in a thread I can't help but check.
- Cost predictable by design. Scheduled jobs with per-job token budgets — no surprise bill from a 2am rabbit hole, no runaway model spend.


Trusted AI automation — without uncontrolled access.
The real question was never "build an AI bot." It was: how do I run a controlled, self-hosted AI automation layer that touches my portfolio data and messaging channels — without exposing sensitive systems or letting the model take uncontrolled actions?
That framing came with five non-negotiables:
- Run outside my laptop — no overheating, no dependency on my personal machine.
- Support recurring jobs — daily news, weekly portfolio reviews.
- Deliver through WhatsApp — the channel I actually use.
- Connect to IBKR for analysis only — never for trading.
- Stay cheap enough to run forever.
Each constraint sounds simple in isolation. Together they ruled out most off-the-shelf chatbot patterns. Hosting on Vercel or Railway leaks brokerage credentials. Running locally requires the laptop to stay on. Letting an LLM call IBKR directly puts trade execution one prompt-injection away. The interesting design work was making all five constraints true at once.
Six layers, one rule.
The AI never touches raw infrastructure directly. That single principle drove every layer of the system.
[Architecture diagram: JSON files latest_portfolio_context.json and openclaw_review_input.json; Python pipeline snapshot.py · enrich_prices.py · build_portfolio_context.py; IB Gateway on 127.0.0.1:4001]
The user reaches OpenClaw through WhatsApp, a local portal, or CLI. OpenClaw — the gateway — runs persistently on a Hetzner VPS as the orchestration layer. It reads prepared data, runs approved skills, and produces narrative output.
Behind OpenClaw sits a shared data layer of static JSON files: latest_portfolio_context.json and openclaw_review_input.json. These files are the interface contract between the deterministic and probabilistic halves of the system.
A Python pipeline writes those files. snapshot.py pulls positions from the IBKR API. enrich_prices.py overlays bid, ask, last, mark, and option model prices. build_portfolio_context.py derives expiry, strike, moneyness, break-even, and directional exposure. Each script is dumb and predictable — easy to log, easy to retry, easy to read at 2am.
IB Gateway runs locally on the VPS, headless, with the IBKR API enabled on 127.0.0.1:4001. Brokerage credentials never leave the box. OpenClaw consumes JSON, not API access. It doesn't have an IBKR token. It can't execute trades. It can only summarize, narrate, and message. When something breaks, the deterministic layer is debuggable on its own — and the AI can be swapped or unplugged without touching the pipeline.
Four moments worth keeping.
VPS + IBKR pipeline, end-to-end
First milestone: get OpenClaw and IB Gateway running together on a Hetzner Ubuntu box. SSH key login, port 4001 enabled, IB Gateway running headless under Xvfb + openbox + x11vnc so it could be logged in once and left running. The first successful Python call to reqAccountSummary returning real account data felt like the moment the project went from idea to system.
Snapshot → enrich → context
The pipeline matured in three layers. snapshot.py captured positions plus the IBKR-specific fields that matter for options — conId, strike, right, multiplier. enrich_prices.py requested delayed market data and stitched it in. build_portfolio_context.py interpreted the result, deriving days-to-expiry, premium per share, break-even, moneyness, and a one-line directional read for each position. The output became something an LLM could actually reason over without hallucinating the strike.
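To make the derivation step concrete, here is an added sketch (not the author's build_portfolio_context.py) of how the listed fields can be pre-computed for one option position, so the model summarizes values instead of inferring them. The field names, the sample values for the IBIT 36P record, and the reading of `avg_cost` as a per-contract figure are assumptions.

```python
import json
from datetime import date

REQUIRED = ("symbol", "strike", "right", "multiplier", "position",
            "avg_cost", "expiry", "underlying_mark")

def build_context(pos, today):
    """Derive the pre-computed fields for one option position.

    Field names are assumptions; avg_cost is assumed to be per contract.
    """
    missing = [k for k in REQUIRED if pos.get(k) is None]
    if missing or pos["right"] not in ("C", "P"):
        # Fail in the deterministic layer instead of letting the model guess.
        raise ValueError(f"incomplete position record: {missing or pos['right']}")
    strike, right, qty = pos["strike"], pos["right"], pos["position"]
    premium = abs(pos["avg_cost"]) / pos["multiplier"]  # per share
    spot = pos["underlying_mark"]
    is_call = right == "C"
    intrinsic = max(spot - strike, 0) if is_call else max(strike - spot, 0)
    return {
        "symbol": pos["symbol"],
        "contract": f"{strike:g}{right}",
        "days_to_expiry": (date.fromisoformat(pos["expiry"]) - today).days,
        "premium_per_share": round(premium, 2),
        "break_even": round(strike + premium if is_call else strike - premium, 2),
        "moneyness": "ATM" if spot == strike else ("ITM" if intrinsic > 0 else "OTM"),
        # Long calls and short puts gain when the underlying rises.
        "direction": "bullish" if is_call == (qty > 0) else "bearish",
    }

# Constructed sample record (values invented for illustration).
SAMPLE = {"symbol": "IBIT", "strike": 36, "right": "P", "multiplier": 100,
          "position": 2, "avg_cost": 150.0, "expiry": "2025-03-21",
          "underlying_mark": 38.20}

def render(positions, today):
    """Serialize deterministically: identical input gives identical JSON."""
    rows = [build_context(p, today) for p in positions]
    return json.dumps(rows, sort_keys=True, indent=2)

if __name__ == "__main__":
    print(render([SAMPLE], date(2025, 3, 3)))
```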
Cron-driven recurring intelligence
Once the pipeline produced clean JSON, recurring intelligence became a scheduling problem. A wrapper script runs the three Python steps in order, then triggers OpenClaw to produce a portfolio review on top of the freshly-built context. World news and Indonesian political updates run as separate scheduled briefings — each with its own model tier, token budget, and output length.
WhatsApp as a controlled sender skill
Sending through WhatsApp turned out to be the hardest design problem. OpenClaw's default allowFrom policy conflated who can command the bot with who the bot can message. The fix was a dedicated sender skill: a contact resolver against a contacts.json allowlist, E.164 phone normalization, a confirmation preview, and a single sender script. Inbound stays locked to me. Outbound is explicit, auditable, per-message.
Where the system pushed back.
IBKR auth is a state machine, not an endpoint
The IBKR API isn't really REST. Client Portal Gateway needed a browser session before any curl would succeed. IB Gateway needed a real GUI session before the Python socket connection would authenticate. The fix was Xvfb + openbox + x11vnc, manually logging in once via VNC and letting the session live as long as IBKR allowed. Fully unattended login was possible, but a manual gate was a fair operational trade-off for a personal system.
WhatsApp replies through your personal number — a real risk
The biggest architectural surprise. By default, OpenClaw replied through my personal WhatsApp number — which meant any contact who messaged me could trigger the AI, and the AI could fire off replies to anyone in my contact book. Combined with its read access to my IBKR positions, options exposure, and option metadata, that profile was uncomfortable: a misbehaving or jailbroken model could leak personal financial data to my entire contact list.
A strict allowlist solved inbound but broke outbound — one policy couldn't honor both "only I can DM the bot" and "the bot can DM anyone I explicitly tell it to." The fix was to split the two: API access restricted to my personal chat only on the inbound side, and outbound flowing through a confirmation-gated sender skill with a per-message preview. The AI gets to be useful; my contacts never see a message I didn't consciously send.
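The inbound/outbound split and the sender skill described above, sketched as an added example (not OpenClaw's code or the author's skill): inbound checks only the owner's number, while outbound resolves a name against an allowlist and stages a preview that a one-shot confirmation from the owner releases. The phone numbers, contact names, `CONFIRM` reply format, default country code and `transport` callable are assumptions.

```python
import re
import secrets

# Constructed sample data standing in for the owner's number and contacts.json.
OWNER = "+6281200000001"
CONTACTS = {"alice": "+6281200000002", "Bob": "0812-0000-0003"}
PENDING = {}  # token -> (to, text); held by the sender script, not the model

def to_e164(raw, default_cc="62"):
    """Normalize to E.164. default_cc (Indonesia) is an assumption."""
    s = re.sub(r"[\s\-().]", "", raw)
    if s.startswith("00"):
        s = "+" + s[2:]
    elif s.startswith("0"):
        s = "+" + default_cc + s[1:]
    if not re.fullmatch(r"\+[1-9]\d{7,14}", s):
        raise ValueError(f"not an E.164 number: {raw!r}")
    return s

def inbound_allowed(sender):
    """Inbound policy: only the owner's chat may command or confirm."""
    try:
        return to_e164(sender) == OWNER
    except ValueError:
        return False

def preview(name, text):
    """Outbound policy: resolve against the allowlist, then stage a preview."""
    book = {k.lower(): to_e164(v) for k, v in CONTACTS.items()}
    if name.lower() not in book:
        raise PermissionError(f"{name!r} is not in the contacts allowlist")
    token = secrets.token_hex(3)
    PENDING[token] = (book[name.lower()], text)
    return token, f"To {name} <{book[name.lower()]}>:\n{text}\nReply CONFIRM {token}"

def confirm_and_send(sender, reply, transport):
    """Single send path: one owner confirmation releases one staged message."""
    if not inbound_allowed(sender):
        raise PermissionError("confirmation must come from the owner's chat")
    m = re.fullmatch(r"CONFIRM ([0-9a-f]{6})", reply.strip())
    if not m or m.group(1) not in PENDING:
        raise PermissionError("no staged message for that confirmation")
    to, text = PENDING.pop(m.group(1))  # one-shot: a replayed token fails
    transport(to, text)                 # transport is a hypothetical callable
    return to
```

Because the staged recipient and text live in `PENDING` rather than in the model's reply, what gets sent is exactly what the preview showed.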
Duplicate runtimes cause cost ambiguity
At one point OpenClaw was running on both my laptop and the VPS, each with its own cron jobs, each consuming tokens. There was no central inventory. Disabling one didn't immediately reveal which scripts had been running where. The fix was tactical — kill local autostart, standardize on the VPS, write a single runbook listing active services, cron entries, ports, and expected costs. The fix was also a lesson.
$18.88 in a single day forced a pause
Two recurring jobs — daily news + Monday portfolio briefing — ramped from $0.16/day to $18.88/day in seven days. No length limits, no cheap-model fallback for simple summarization, full context windows on every call. I paused both jobs on day 15 to audit, and the spend went to zero overnight.
The rebuild — per-job token budgets, model tiering for cheap subtasks, summarization caches, hard output-length caps — is the next sprint, not a finished story. The lesson I'm taking from this isn't that I optimized brilliantly; it's that pausing first was the right call, and every scheduled AI job needs the same cost discipline as any other piece of cloud infrastructure: observability, budget, ownership.
Four takeaways I'll carry forward.
- Separate the policy of who commands the AI from who the AI can act on. One allowlist can't do both — splitting them is the difference between a hobby bot and an auditable system.
- A data product beats a naked prompt. The strongest LLM workflow wasn't a longer prompt — it was a structured JSON file that pre-computed expiry, strike, moneyness, and break-even. The model didn't have to guess. It had to summarize. Both layers got easier.
- Cron is easy. Reliable scheduled automation is hard. Logs, dependency checks, retry semantics, env-var plumbing, and budget caps make the difference between a script that runs once and a system that runs every Monday at 7am for a year.
- AI as reasoning layer, deterministic code as execution layer. Read-only access, JSON contracts between the two halves, and confirmation gates on every outbound action. The AI gets to be smart. The pipeline gets to be predictable. I stay in control of what actually happens to the brokerage account.
- Design every permission for the worst-case prompt. An AI assistant with read access to your brokerage and outbound access to your personal WhatsApp is a profile worth re-thinking — a single hallucination or jailbreak could leak financial data to your entire contact list. The architecture restricts the API to my personal chat only, splits inbound and outbound trust, and treats every new permission like a blast radius to bound.
From luxury to leverage.
In private banking, a dedicated research analyst is a six-figure cost most clients can't justify. OpenClaw is the personal version — an analyst that reads my brokerage every morning, summarizes what changed, and surfaces what matters before I open the markets app.
The economics flip the moment the same pipeline fans out. A scheduled portfolio briefing costs cents to generate; routing the same JSON pipeline and same reasoning model to a hundred subscribers turns one personal experiment into one of the cheapest research operations imaginable. One deterministic pipeline, one reasoning model, many recipients. The interesting next step isn't more features — it's more readers.