Hacker News Focuses on an IRC-Based AI Agent Built for a $7/month VPS
Original: Show HN: I put an AI agent on a $7/month VPS with IRC as its transport layer
Intentional agent design on a small box
George Larson's post on Hacker News drew attention because the public-facing agent, nullclaw, is deliberately small. It runs on a $7/month VPS as a 678 KB Zig binary, uses about 1 MB of RAM, and connects to an Ergo IRC server. Visitors do not talk to it through a heavyweight chat stack. Instead, they reach it through a gamja web IRC client embedded in the site. The result is an AI interface built on a transport that is old, simple, and easy to reason about.
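The actual bot is a Zig binary, but the IRC transport idea is easy to see in any language. The following is a minimal, illustrative sketch in Python (server, nick, and channel names are placeholders, not details from the post): connect a socket, answer PING, join a channel after the welcome numeric, and hand each channel message to some reply function.

```python
import socket

def parse_privmsg(line: str):
    """Parse a raw IRC line into (sender, target, text) for PRIVMSG, else None."""
    if not line.startswith(":"):
        return None
    prefix, _, rest = line[1:].partition(" ")
    if not rest.startswith("PRIVMSG "):
        return None
    target, _, text = rest[len("PRIVMSG "):].partition(" :")
    return prefix.split("!", 1)[0], target, text

def run_bot(host="irc.example.net", port=6667, nick="agentbot", channel="#chat"):
    """Toy main loop: echo channel messages back. A real agent would call
    its model here instead of echoing."""
    with socket.create_connection((host, port)) as sock:
        sock.sendall(f"NICK {nick}\r\nUSER {nick} 0 * :{nick}\r\n".encode())
        buf = b""
        while True:
            buf += sock.recv(4096)
            while b"\r\n" in buf:
                raw, buf = buf.split(b"\r\n", 1)
                line = raw.decode(errors="replace")
                if line.startswith("PING"):
                    sock.sendall(("PONG" + line[4:] + "\r\n").encode())
                elif " 001 " in line:  # server welcome: safe to join now
                    sock.sendall(f"JOIN {channel}\r\n".encode())
                else:
                    msg = parse_privmsg(line)
                    if msg and msg[1] == channel:
                        sock.sendall(f"PRIVMSG {channel} :echo: {msg[2]}\r\n".encode())
```

The appeal of the transport is visible in the sketch: the whole protocol surface the bot needs is a handful of line-oriented commands, which is why it fits in a tiny binary.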
The post also describes a split architecture. A private agent called ironclaw lives on a separate box connected through Tailscale. That side handles email, calendar, and other sensitive context, while the public box keeps no private data. This separation is central to why the HN discussion took interest: the design treats the internet-facing service as a narrow gateway rather than a full-trust agent host. The system is interesting not only because it works on modest hardware, but because its trust boundaries are explicit.
Small footprint, limited blast radius
Larson says the total footprint stays under 10 MB of binaries and under 5 MB of idle RAM. Conversation is handled by Haiku 4.5, while Sonnet 4.6 is used for tool use, with a $2/day cap. The post highlights an A2A passthrough design in which the private-side agent can borrow the public gateway's inference pipeline. That means one API key and one billing relationship can cover both sides without copying private context onto the internet-facing machine. HN commenters read that as a practical systems choice rather than a model showcase.
- nullclaw is the public entry point on a $7/month VPS.
- ironclaw is the private companion on a separate box, reached via Tailscale.
- Ergo IRC and gamja keep the transport layer simple.
- Haiku 4.5 and Sonnet 4.6 split conversation from tool use under a fixed cost cap.
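The tiered-inference idea, cheap model for chat, stronger model for tool use, hard daily spend cap, can be sketched in a few lines. This is an assumption-laden illustration, not the post's actual code; the model names and the reset-at-midnight policy are stand-ins.

```python
import datetime

HAIKU, SONNET = "haiku-4.5", "sonnet-4.6"  # tier labels from the post; routing logic is illustrative
DAILY_CAP_USD = 2.00

class TieredRouter:
    """Route plain conversation to the cheap model and tool-using turns to
    the stronger one, refusing work once the day's spend hits the cap."""
    def __init__(self, cap: float = DAILY_CAP_USD):
        self.cap = cap
        self.spent = 0.0
        self.day = datetime.date.today()

    def pick_model(self, needs_tools: bool) -> str:
        today = datetime.date.today()
        if today != self.day:            # new day: reset the budget
            self.day, self.spent = today, 0.0
        if self.spent >= self.cap:
            raise RuntimeError("daily budget exhausted")
        return SONNET if needs_tools else HAIKU

    def record_cost(self, usd: float) -> None:
        """Call after each completion with the provider-reported cost."""
        self.spent += usd
```

A cap enforced at routing time, rather than discovered on the bill, is what makes a public-facing agent safe to leave running unattended.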
The security posture is explicit rather than implied. The post mentions a read-only or workspace-only allowlist, audit logs, a Cloudflare proxy, limited ports, and the rule that no private data sits on the public box. Those details matter because they frame the system around containment. The thread was not mainly about chasing maximum autonomy. It was about what happens when an agent is designed with a visible blast radius and a constrained path to sensitive context.
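A workspace-only allowlist of the kind the post mentions usually reduces to one deny-by-default path check. Here is a minimal sketch (the workspace path is hypothetical, and the real gateway is Zig, not Python):

```python
from pathlib import Path

WORKSPACE = Path("/srv/agent/workspace")  # illustrative path, not from the post

def allowed_path(requested: str) -> bool:
    """Deny by default: a file request is allowed only if it resolves to
    somewhere inside the workspace. Joining then resolving defeats '..'
    traversal, and absolute paths simply resolve outside and fail."""
    ws = WORKSPACE.resolve()
    target = (ws / requested).resolve()
    return target == ws or ws in target.parents
```

Paired with audit logging of every denied request, a check like this is what gives the system its "visible blast radius": the worst a compromised public agent can do is enumerated up front.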
HN commenters focused on three themes: whether tiered inference is the right tradeoff, whether IRC is a sensible transport layer for agents, and how much prompt-injection or monitoring risk remains even with these boundaries in place. That mix explains why the thread mattered. The interest was not just that an AI agent ran cheaply, but that the design made its constraints legible through small binaries, simple transport, separated trust zones, and clear operational boundaries.
Related Articles
OpenAI said on X on March 9 that it plans to acquire Promptfoo, an AI security platform, and keep the project open source. The deal strengthens OpenAI Frontier’s agentic testing and evaluation stack.
OpenAI announced on X that Codex Security has entered research preview. The company positions it as an application security agent that can detect, validate, and patch complex vulnerabilities with more context and less noise.
Perplexity has introduced Computer for Enterprise as a major upgrade to its Enterprise offering. The product pushes Perplexity beyond answer generation into long-running workflows across websites and internal web apps, while adding audit, identity, and data-governance controls.