Skip to content
Clawdemy

Summary: CostGuard and where your data goes

The short version

Section titled “The short version”

Two anxieties on the first week with Clawless: “what if I rack up a giant bill?” and “who is actually seeing this conversation?” Both have specific answers. CostGuard is the spending safety net: you set a monthly cap, a warn threshold, and a hard-stop behavior, and Clawless makes sure your BYOK usage does not surprise you. Pay-as-you-go API calls count toward the cap; OAuth (Codex through your ChatGPT subscription) and local models do not. The data path is short: your computer, the AI provider, your computer. There is no Clawless server holding your conversations. The one server we run is the license server; it sees license state, never message content. If Clawless ever shut down, your conversations, memories, and settings stay on your computer because that is where they have always been. Local models keep the app useful even with no internet.

Core ideas

Section titled “Core ideas”
  • The cost worry is real but bounded. A long agent loop, a runaway conversation, or an experimental prompt that produces a 10,000-word reply can cost more than you expected. Not catastrophic; more than zero. CostGuard exists for exactly this.
  • CostGuard is a software safety net that tracks your spending against a monthly cap. The cap-enforcement layer goes live at production launch; pre-release builds show accurate usage numbers but do not yet enforce the block automatically. Treat the cap as personal discipline on pre-release; the block-on-cap behavior will be live at launch.
  • Three settings in Settings, Budget. Monthly cap (dropdown: $0 / $5 / $10 / $25 / $50 / $100 / custom). Warn threshold (50% / 80% default / 90% / off). Hard-stop behavior (Block new messages by default; alternative Warn-and-allow passes the message through with a warning).
  • What counts toward the cap. Pay-as-you-go API keys (Anthropic, OpenAI, Google AI, Groq, most others): every message’s dollar cost counts. OAuth providers (specifically Codex via your ChatGPT subscription, introduced in lesson 3): $0 on the dashboard, do not count. Local models running on your computer: $0, do not count.
  • Visual cues track your spend. The dock row indicator turns yellow at the warn threshold (80% default), with a notification shown once. It turns red at 100% of the cap; with Block on (default), the next send is rejected with a friendly banner in the chat. With Warn-and-allow on, every send over the cap shows a warning but messages still go through.
  • Unblocking is fast. Raising the cap in Settings, Budget unblocks immediately on save. There is no waiting period and no “save up to the new cap” rule.
  • The period defaults to a rolling 30-day window. Cost from 31 days ago aged out today. The alternative is calendar-month resets (matches most monthly subscription billing). Both reasonable; pick the one that matches how you mentally track recurring costs.
  • Habits that compound to lower costs. Pick the right model for the task (heavyweight models cost five to ten times what smaller ones do per token). Start a fresh conversation when the topic changes (long threads carry the full history with every new message). Use OAuth where you can (Codex calls count $0 against the cap; one thing to know is that the OAuth path bills through your ChatGPT subscription, so it is governed by that subscription’s consumer terms rather than the API terms, worth a glance if your messages are sensitive). Watch the Usage dashboard (sometimes one specific session ate everything, and that tells you what to change).
  • The data path is short. Your message goes from chat input to the Clawless app on your computer, to the bundled open-source OpenClaw engine (still on your computer), to the AI provider over the internet, and the reply streams back the same way. No Clawless server in the data path.
  • Three places matter for where your stuff lives. Your computer (the bulk of it: API keys are encrypted by Clawless in OS secure storage; conversations, memories, agent definitions, and settings sit in the Clawless data folder unencrypted, which means their at-rest safety is the safety of the device; turn on FileVault on macOS, BitLocker on Windows, or LUKS on Linux if at-rest encryption matters for you). The AI provider’s servers (your messages and the memories that travel with them, for as long as it takes them to generate a reply; what they retain after that is governed by their terms). Our license server (license state only, never conversation content).
  • The four-party trust model. You trust us to ship a desktop app that does what it claims and protects local data to the standards your operating system supports. You trust the AI provider with the contents of your messages and the memories that travel with them. You trust OpenClaw (the open-source engine) to be a faithful intermediary; the code is auditable and there are independent audits. You trust any tool, skill, or integration you install with whatever permissions it asks for, the same model as browser extensions.
  • Clawless is closed-source; OpenClaw is open-source. They are not the same project. The data path crosses both. The audit story is different for each.
  • If Clawless went away tomorrow, your data stays. Conversations, memories, settings, and agent definitions are on your computer disk. They do not vanish when the company does. The app keeps working as long as the local install runs and the AI providers stay online; the license check has a grace period built in.
  • Local models are the strongest version of the no-cloud guarantee. Running models on your computer with no cloud provider in the loop means you can launch and chat completely offline. Doubles as the answer for “what if I am on a plane” and “what if I need a setup that depends on no one else’s servers.”

What changes for you

Section titled “What changes for you”

Before this lesson, “what is the worst that can happen if I screw up” probably had no specific answer in your head. Now it does: the worst-case BYOK spend is whatever cap you picked, with a friendly banner when you reach it. And “who actually sees this” has a specific answer too: the AI provider you picked, and that is the only third party in the loop because there is no Clawless server holding conversations. The most useful new habit is setting the cap to something low enough that it occasionally trips. A cap that never trips is a number on a screen; a cap that occasionally trips is teaching you what your real usage shape looks like. After the first time, you raise it intentionally rather than fearfully, and you have learned more about your own AI workflow than any dashboard could tell you.