Stavrobot

Your personal AI assistant.
Secure. Light. Extensible.

Runs in containers, talks on your messaging apps, remembers what matters. Deploy with docker compose up.

You talk to AI all day, but it forgets everything, can't do anything on its own, and lives on someone else's server. Stavrobot is the AI assistant that actually works for you: it remembers your conversations, runs tasks while you sleep, messages people on your behalf, and stays entirely under your control. No cloud lock-in, no data harvesting, no limits.

Sandboxed

Everything in containers. Your host is invisible to the AI.

Lightweight

One container for plugins, separated by Unix permissions. No bloat.

Any model

Local, OpenRouter, Anthropic, OpenAI. Whatever Pi supports.

Messaging

Signal, Telegram, WhatsApp, email. Two-way, with attachments.

Three-tier knowledge

Memories, scratchpad, and database. Intelligent context retrieval.

Low token usage

Uses TOON internally. Optimized to keep costs down.

Plugins

Install from a git URL. Each plugin runs as its own system user.

Subagents

Talks to other people only via isolated subagents, for added security.

Skills

The AI can learn new capabilities by installing plain-text skill files.

Web pages

Create and host your own secure webpages, private or public.

Self-programming

Writes its own code. Sandboxed Python with uv.

Scheduling

Recurring and one-shot tasks. The agent manages its own queue.

Terminal

# set password & timezone

$cp env.example .env

# add bot token & config

$cp config.example.toml data/main/config.toml

$docker compose up --build

Create a Telegram bot via @BotFather, fill in the config, and you're running.

Tell your coding AI:

Please fetch and follow https://stavrobot.stavros.io/INSTALL.md

Works with Claude Code, Cursor, Windsurf, or any AI coding assistant.

Container isolation

The AI runs inside Docker containers. Your host OS is completely invisible.

No access to secrets

API keys and credentials are never exposed to the AI.

Plugin isolation

Each plugin runs as a dedicated, sandboxed UNIX user. Plugins can't read each other's data.

No direct messaging

The AI never talks to other people directly. All conversations go through isolated subagents.

Contact whitelist

Every contact must be manually added to the allowlist before the bot can message them.

Cannot change own permissions

The bot cannot modify its own allowlist, access controls, or security settings.

app

TypeScript server. Chat API, webhooks, WhatsApp via Baileys.

postgres

PostgreSQL 17. The bot gets full SQL access.

plugin-runner

Executes plugins. Local or git-installed.

coder

Claude Code agent. Creates and modifies plugins live.