My local AI agent, Tars, could talk. It could answer questions via iMessage and Slack. But it couldn’t actually do anything—couldn't create files, couldn’t read my calendar, couldn’t manage tasks. It was a chatbot trapped behind glass.

Phase 2 of the Notion replacement project was about giving Tars hands. Phases 3 and 4 were about teaching it what to do with them. Phase “oh no” was when it started doing things I didn’t ask for.

From Chatbot to Agent

OpenClaw ships with something called “tool profiles”—presets that control what an agent can and can’t do. Out of the box, Tars was running the messaging profile. Sounds reasonable. Here’s what that actually means:

Messaging profile: sessions_list, sessions_history, sessions_send, message

Four tools. All it could do was read and write messages. It couldn’t touch the filesystem, run commands, or use any of the skills I was about to install. I needed the full profile.

I found this by reading OpenClaw’s bundled JavaScript source code. The tool profiles aren’t documented anywhere obvious—they're defined in a minified file called tool-catalog-CDe8aNjS.js. The full profile is literally an empty object: {}. No restrictions.

{
 “tools”: {
 “profile”: “full”
 }
}

One config change, gateway restart, and Tars went from a chatbot to an autonomous agent with read, write, edit, and execute permissions on my machine.

This is the moment where self-hosting gets real. You’re not toggling a feature in a SaaS dashboard with guardrails someone else built. You’re handing your local AI unrestricted shell access. The power is exhilarating. The implications are sobering. We’ll come back to that.

ClawPad: The Editor That Sees What The Agent Writes

ClawPad is a Notion-style document editor that connects to the same workspace Tars uses. When Tars creates a file at ~/.openclaw/workspace/pages/daily-notes/2026-03-07.md, it shows up in ClawPad instantly. When I edit a page in ClawPad, Tars can read the changes.