Who this guide is for
You want a self-hosted AI assistant or agent live this week, on a budget you can defend, without writing your own Docker recipes. As of 2026 three platforms ship real one-click installs that get you there: AWS Lightsail (OpenClaw blueprint), Hostinger (OpenClaw or Hermes Agent), and Cloudflare Workers (MoltWorker). Here is what each one is, what it costs, and how to pick.
Meet the products
OpenClaw is a private, always-on AI chat gateway: "Your own AI agent. Private, always on and live in 60 seconds." Built-in support for Telegram, WhatsApp, email, and a browser dashboard. The same product ships on all three platforms below: it is a one-click blueprint on AWS Lightsail (with Amazon Bedrock pre-wired to Anthropic Claude Sonnet 4.6), a one-click app on Hostinger (managed or VPS flavour), and an edge-native deploy on Cloudflare Workers. The Cloudflare flavour was originally announced under the name MoltWorker; it is the same project, now consolidated under the OpenClaw brand.
Hermes Agent is the alternative: a self-improving assistant from Nous Research, "a self-improving AI agent that creates skills from experience and refines them during use." It supports more than 200 LLM models, multi-platform messaging (Telegram, Discord, Slack, WhatsApp, Signal, email), persistent memory, and task scheduling. Hostinger publishes it as a one-click VPS application.
Side by side
Pick by trade-off, not by trend.
| Dimension | OpenClaw on AWS Lightsail | OpenClaw or Hermes on Hostinger | OpenClaw on Cloudflare |
|---|---|---|---|
| Runtime shape | Linux VPS + blueprint | Linux VPS + one-click app | Workers + Sandbox Containers (no VPS) |
| One-click install | Lightsail console blueprint | hPanel marketplace | Wrangler deploy from the OpenClaw repo |
| Default LLM wiring | Amazon Bedrock, Claude Sonnet 4.6 | Bundled credits + 200+ models (Hermes) | AI Gateway with your provider key |
| Recommended plan | 4 GB Lightsail instance | Managed (₹549/mo) or KVM 2 VPS (₹799/mo) | Workers Paid plan (required) |
| TLS / DNS | Lightsail-managed Let's Encrypt | Hostinger-managed + free domain | Cloudflare edge (built in) |
| Messaging channels | Telegram, WhatsApp | Telegram, Discord, Slack, WhatsApp, Signal, email | Browser, plus channels OpenClaw adds |
| Best for | Teams already in AWS who want Bedrock | Cheapest start, includes a managed option | Teams already on the Cloudflare developer platform |
Path 1: OpenClaw on AWS Lightsail
Best fit if you live in the AWS ecosystem already. Lightsail's OpenClaw blueprint comes pre-configured with Amazon Bedrock as the default model provider, so the assistant works the moment IAM permissions are set up.
- Create the instance. Lightsail console → Create instance → Linux/Unix → Blueprint: OpenClaw. The 4 GB plan is the recommended starting size.
- Wait for Running. The instance comes up in a couple of minutes. Lightsail issues a Let's Encrypt cert for the public IP automatically (no manual TLS setup).
- Pair your browser. Open the instance, hit the Getting started tab, click Connect using SSH. The MOTD prints a Dashboard URL and an Access Token. Open the URL in a new tab, paste the token, click Connect, approve the CLI and the device pairing.
- Enable Bedrock. Back on the Getting started tab, click Copy the script under "Enable Amazon Bedrock as your model provider", then Launch CloudShell. Paste, hit Enter. The script creates
LightsailRoleFor-<instance-id>with Bedrock + Marketplace permissions. Wait for "Done". - First-time Anthropic access. Default model is Claude Sonnet 4.6. If this is your first Anthropic use in your AWS account, complete the FTU form in the Bedrock console (Model catalog → pick Anthropic). One-time per account.
- Optional: attach a static IP. Networking tab → create + attach. Lightsail re-issues the Let's Encrypt cert against the new IP automatically. You will need to re-pair browsers after this.
- Optional: connect a channel. SSH back in, run
openclaw channels add, pick Telegram or WhatsApp, follow the bot-token or QR flow.
What costs you actually pay
Lightsail per-hour up to the monthly cap (4 GB plan), Bedrock token costs per message (model-dependent), Marketplace fees for third-party models like Anthropic, data transfer overages, and snapshot storage. The instance itself is the smallest of these for any real workload.
Path 2: OpenClaw or Hermes Agent on Hostinger
Cheapest start, both products are first-class one-click installs in the Hostinger marketplace. Pick OpenClaw if you want the simpler chat-gateway shape, or Hermes Agent if you want the 200+ LLM range and the multi-channel breadth.
- Pick the plan. Managed OpenClaw is the simplest (currently ₹549/mo intro, ₹999/mo renew). For root access pick the OpenClaw VPS plan (KVM 2 territory, ~₹799/mo intro, ₹1,199/mo renew) or the Hermes Agent VPS tier that matches your workload (KVM 1 to KVM 8).
- Click Install. hPanel handles the OS, Docker, firewall, TLS, and a free first-year domain. Hostinger advertises a 60-second time-to-first-message, which is roughly the truth on a quiet day.
- Open the admin UI. Hostinger emails a URL and credentials. OpenClaw and Hermes Agent both ship browser-based control panels.
- Add messaging channels. Both products do this from the admin UI: Telegram + WhatsApp for OpenClaw; Telegram, Discord, Slack, WhatsApp, Signal, and email for Hermes Agent. Bot tokens or QR pairing depending on the channel.
- Wire your LLM. Bundled credits cover the first few interactions; for production traffic plug in your own OpenAI, Anthropic, Google, or open-model provider key (Hermes supports 200+ models).
- Verify backups. Weekly automatic backups are on by default. Trigger a test restore before you trust them.
Path 3: OpenClaw on Cloudflare (formerly MoltWorker)
This is the odd one out: there is no VPS. The agent runs in Cloudflare Workers and Sandbox Containers at the edge, with R2 for files, AI Gateway for model providers, and Cloudflare Access as the auth layer. The project was originally introduced as MoltWorker; it has since consolidated under the OpenClaw name. If you already use the Cloudflare developer platform, this is the cleanest fit.
- Get a Workers Paid plan. Sandbox Containers require it. ($5/mo as of this writing.)
- Clone the OpenClaw repo. The Cloudflare project initially shipped as
cloudflare/moltworker; check the current OpenClaw docs for the canonical repo, since Cloudflare may have renamed or re-homed it. A safe starting point:# original moltworker repo (still installable): git clone https://github.com/cloudflare/moltworker openclaw cd openclaw - Configure AI Gateway. Cloudflare dashboard → AI → AI Gateway → create gateway. Either point it at your own provider key, or enable Unified Billing so all model usage shows up on the Cloudflare invoice.
- Set Wrangler vars. Wrangler is the Cloudflare CLI. Fill in the variables the README lists (gateway URL, R2 bucket name, provider key reference, Access policy).
- Deploy.
npm install npx wrangler deploy - Front with Access. Add a Zero Trust Access policy (email OTP, Google, GitHub, SSO) so only your authenticated users can reach the Worker. The agent never sits on the public internet without auth.
- Watch logs and costs. Workers Logs and the AI Gateway analytics dashboard show every request, every model call, and every dollar. This is the unsung win of the Cloudflare path.
When OpenClaw on Cloudflare wins: teams already on Cloudflare for DNS, CDN, or Pages. The "no VPS" property means no patching, no SSH, no security group audits. The trade-off is unfamiliar ergonomics if your team has not worked with Workers before.
Common gotchas across all three
- Token rotation surprises pairings. OpenClaw rotates gateway tokens daily by default (MOTD 2.0.0). Every paired browser and channel must re-pair after a rotation. Disable rotation only after you understand the security cost.
- Static IP changes break TLS without managed certs. Lightsail handles this via its certificate daemon. On Hostinger and self-managed setups you have to remember to re-issue.
- Bundled credits run out. Hostinger's "AI included" is a starter credit, not unlimited. Wire your own model provider key before the first real customer demo.
- Sandbox restrictions surprise plugin authors. OpenClaw isolates tool execution in Docker by default. Some plugins need looser permissions; loosen knowingly with
openclaw config set tools.exec.security .... - OpenClaw on Cloudflare requires the Workers Paid plan. Sandbox Containers do not run on the free Workers plan. Check this before deciding the budget.
- No backup plan. Lightsail automatic snapshots, Hostinger weekly backups, Cloudflare R2 versioning. Pick the one for your platform, then trigger a test restore. Untested backups are not backups.
Which one should you actually pick?
- Already in AWS? OpenClaw on Lightsail. Bedrock comes wired, IAM is one CloudShell script, TLS is automatic.
- Cheapest start, want a managed option? OpenClaw managed on Hostinger.
- Need 200+ LLMs and multi-channel breadth (Discord, Slack, Signal)? Hermes Agent on Hostinger.
- Already on the Cloudflare developer platform? OpenClaw on Workers (the project formerly known as MoltWorker). No VPS to patch, Access for auth, AI Gateway for cost visibility.
When to outgrow these
Stay on a one-click install until you hit one of these:
- You need more than one instance for availability or load.
- You need a managed database with point-in-time recovery.
- You need to spread across regions for latency or residency.
- SOC 2 or HIPAA scope arrives.
- You need to plug a custom model, custom planner, or non-trivial tool catalogue into the agent.
At that point migrate to ECS / EKS on AWS, a dedicated Kubernetes cluster on any provider, or a managed agent runtime your engineering team controls end to end. Until then, a one-click install is the right answer.
Want help with the next step?
Kiebot ships agents into production for clients every week. If you want a pair of hands on the architecture, the deploy, or the eval harness, see our Add AI to your product solution. For the production-readiness story, see Designing AI Applications That Survive Production.
