Best self-hosted AI agents in 2026
OpenClaw, Hermes, Dify, OpenHands, and Agent Zero compared: what each agent does best, what it needs, and how to run any of them safely on your own VPS.
The best self-hosted AI agents in 2026, in short
The best self-hosted AI agents in 2026 are OpenClaw for a personal assistant you reach from chat apps, Hermes Agent for the same job on the smallest possible server, Dify for a team building applications on top of language models, OpenHands for autonomous coding, and Agent Zero for a general purpose framework whose agents spawn their own sub-agents. All five are open source, and all five run on a VPS you control. This roundup compares them on what they are for, how they are built, what they need from a server, and how much security work each design asks of you, so you can pick the right one before you install anything.
We run each of these on real servers, and every section below links to the full setup and hardening guide for that tool.
What a self-hosted AI agent is
An AI agent is a loop wrapped around a language model. The model reads the situation, decides on one action, your server carries the action out, and the result feeds the next turn of the loop. The actions are tools: run a shell command, read or write a file, drive a browser, call an API. If you want the mechanics in full, building your own AI agent on a VPS walks through the loop, tools, and memory from scratch.
Self-hosted means the agent runtime, its memory, its tools, and its secrets live on your own server instead of on someone else's platform. The language model itself is usually still a hosted API, because the strongest models do not fit in a small server's memory. You can go fully local by serving a model with Ollama on the same VPS, at the price of needing enough RAM for a capable model.
The reason to self-host the agent is control: your conversation history, your files, your API keys, and every command the agent runs stay on a machine you own. The reason to be careful is the same fact. An agent that runs commands on your server is only as safe as the limits you put around it, which is why the comparison below treats security posture as a first-class axis, not a footnote.
The five agents side by side
The data behind this chart
[
{
"tool": "OpenClaw",
"primary_use": "Personal assistant with full server access",
"interface": "Chat apps (Telegram, WhatsApp, Slack, Discord)",
"isolation_model": "One gateway process, on loopback by default",
"ram_floor": "Small VPS; more if it drives a browser",
"security_posture": "Safe network default; operator must harden the rest",
"maturity": "380,000+ stars mid-2026; March 2026 CVE history"
},
{
"tool": "Hermes Agent",
"primary_use": "Lightweight personal assistant with memory",
"interface": "Chat apps (Telegram, Discord)",
"isolation_model": "Single process, runs fine under systemd",
"ram_floor": "A $5 VPS is enough",
"security_posture": "Connects outward only; no inbound port needed",
"maturity": "New (February 2026), from Nous Research"
},
{
"tool": "Dify",
"primary_use": "LLM app platform for teams",
"interface": "Web UI and API",
"isolation_model": "Docker Compose stack of about six containers",
"ram_floor": "2 GB free; 4 GB is comfortable",
"security_posture": "Ships on plain HTTP port 80; needs TLS and a proxy in front",
"maturity": "Established, fast release pace"
},
{
"tool": "OpenHands",
"primary_use": "Autonomous coding agent",
"interface": "Web UI on port 3000",
"isolation_model": "Per-task sandbox containers via the host Docker socket",
"ram_floor": "4 GB",
"security_posture": "Docker socket is root equivalent; run it on a disposable VPS",
"maturity": "Established (formerly OpenDevin)"
},
{
"tool": "Agent Zero",
"primary_use": "General purpose multi-agent framework",
"interface": "Web UI on port 50001",
"isolation_model": "Subordinate agents in separate containers",
"ram_floor": "2 GB to start",
"security_posture": "Default run exposes the UI on every interface; bind it to loopback",
"maturity": "Active, Docker-first"
}
]Two patterns in this table decide most of the security work. The personal agents, OpenClaw and Hermes, reach you through chat apps, so they connect outward and need no inbound port at all. The web-first tools, Dify, OpenHands, and Agent Zero, each serve an interface over HTTP, and in every one of those cases the default network posture is the first thing you fix after install.
OpenClaw: the most capable personal agent
OpenClaw is a personal AI agent you run on your own server and talk to from Telegram, WhatsApp, Slack, or Discord. It can run shell commands, control a browser, and read and write your files, which makes it the most capable tool on this list and also the one with the most reach into your machine. It is MIT licensed and has over 380,000 GitHub stars as of mid-2026, which makes it one of the most-starred projects on the platform, so the ecosystem and community around it are far larger than for any other agent here.
Two facts should shape your decision. First, the network side starts safe: the gateway, the single process that controls everything, listens on the loopback address by default, so it is not reachable from the internet unless you expose it yourself. Second, the project has real security history. In March 2026, nine security issues were disclosed within four days, including a critical privilege escalation flaw, CVE-2026-32922, rated 9.9 out of 10. OpenClaw's security model puts the hardening work on you, the operator, and neither fact is a reason to avoid it. They are a reason to install it the careful way, which is exactly what running OpenClaw safely on a VPS covers step by step.
Hermes Agent: the lightest personal agent
Hermes Agent comes from Nous Research and was released in February 2026, which makes it the newest tool here. It is a personal agent that keeps a persistent memory of your projects, writes its own reusable skills as it works, and reaches you through chat apps like Telegram and Discord. It is model agnostic, so you point it at whatever language model you prefer.
Its selling point is how little it demands. Hermes installs with a single command and runs comfortably on a $5 VPS, because the agent is the runtime, not the model, and the heavy computation happens at whatever API you connect it to. It works by reaching out to your model and your chat apps, so it needs no inbound port, which keeps its network surface close to zero. The honest trade against OpenClaw is maturity: Hermes is months old, and OpenClaw's integrations and community are much larger. The full setup, including why you should download and read a curl install script before running it, is in self-hosting Hermes Agent on a VPS.
Dify: the platform for teams
Dify is a different kind of tool. Instead of one agent acting for one person, it is a self-hostable platform for building applications on top of language models: a web interface for designing chat apps, agents, and retrieval pipelines, an API to call them from your own code, and one place to manage prompts, datasets, and model keys. A small team stands it up so everyone builds on one shared private base instead of scattering API keys across scripts.
That scope means more moving parts. Dify ships as a Docker Compose stack of about half a dozen containers, including a Postgres database, a Redis cache, and a vector database, so plan for at least 2 GB of free RAM and ideally 4 GB. The security work is also different: Dify's bundled web server listens on plain HTTP port 80 on every interface, and the first visitor to its install page claims the admin account. Bind it to loopback, put a TLS reverse proxy in front, and create the admin account immediately. Self-hosting Dify on a VPS walks through the install and every one of those fixes.
OpenHands: the autonomous coding agent
OpenHands, formerly OpenDevin, is an autonomous software engineering agent. You give it a task in plain language, and it plans the work, writes code, runs commands, reads the output, and iterates until the task is done. It runs with Docker, serves a web UI on port 3000, supports dozens of model backends, and wants at least 4 GB of RAM.
One design decision should drive your whole setup. To run each task in a fresh sandbox container, its controller mounts the host Docker socket, and anything that can talk to that socket can start a container that mounts your entire host filesystem. That means socket access is effectively root on the machine, so you cannot fully sandbox OpenHands away from its host. The honest mitigation is placement: give it a dedicated, disposable VPS that holds nothing else you care about, snapshot the box before you start, and rebuild from the snapshot rather than trusting a server that has run agent-authored code for weeks. The setup, the SSH tunnel to its UI, and the reasoning are in self-hosting OpenHands on a VPS.
Agent Zero: the general purpose framework
Agent Zero is a Docker-first agent framework. A primary agent can spawn subordinate agents, each running in its own isolated container, and each can execute code, drive a browser, and run shell commands. You control it all from a web UI, and it runs on hardware as small as a six-dollar VPS, which makes it the easiest way to experiment with multi-agent setups on a budget.
Two cautions keep it safe. The standard docker run from most guides publishes the web UI on port 50001 on every network interface, so on a public VPS the control panel for a system that runs commands is reachable from the whole internet the moment the container starts; publish it on loopback instead and reach it over an SSH tunnel. And read its container isolation for what it is: subordinate agents are walled off from each other, which protects the agents, not your server. The host-side work is still yours, and self-hosting Agent Zero on a VPS covers it, including the loopback bind most tutorials skip.
Which self-hosted AI agent is right for you
- You want a capable personal assistant in your chat apps and you accept real hardening work: OpenClaw.
- You want a personal agent on the smallest, cheapest server with almost no attack surface: Hermes Agent.
- Your team wants one shared, private base for LLM apps, with a UI non-developers can use: Dify.
- You want code written while you are away, and you can give it a disposable server: OpenHands.
- You want to experiment with agents that delegate to other agents: Agent Zero.
One case sits outside this list. If what you want is an interactive coding agent you drive from the terminal, session by session, rather than an autonomous one, that category has its own tools and its own guide: see running OpenCode on a VPS for the most-starred open option, and running a coding AI agent on a VPS for the wider field.
The security work is the same for all five
Whichever agent you pick, the hardening pattern does not change, because the risk does not change: every one of these tools runs commands or code on your server, so the box must limit what a mistake can reach.
Four habits carry most of the weight. Run the agent as a dedicated unprivileged user, never as root, so the account it runs as is the ceiling on the damage, as explained in running services as an unprivileged user. Keep every control surface private: loopback binding for web UIs and gateways, with an SSH tunnel or a VPN when you need to reach them, because nobody can attack a port they cannot reach. Put a default-deny firewall in front of the server, and check IPv6 as well as IPv4, since a rule set that only covers IPv4 can leave the same service wide open on IPv6, the exact IPv6 firewall gap that catches so many self-hosters. And keep secrets in files only the agent's user can read (mode 600), loaded through the service rather than pasted on command lines.
The worked example of this whole pattern, including a hardened systemd unit with NoNewPrivileges, ProtectSystem=strict, PrivateTmp, and ProtectHome, is the OpenClaw hardening guide, and the same recipe transfers to any agent on this page. One more habit matters for all five: update on purpose. The March 2026 OpenClaw disclosures showed how fast a critical flaw in an agent becomes urgent, because an agent already runs commands, so a privilege escalation bug in one is far more serious than in an ordinary web app.
FAQ
What is the best self-hosted AI agent in 2026?
It depends on the job. OpenClaw is the most capable and most popular personal agent, with over 380,000 GitHub stars by mid-2026, and Hermes Agent is the lightest alternative for the same role. Dify is the best platform for a team building LLM applications, OpenHands is the strongest autonomous coding agent, and Agent Zero is the most flexible multi-agent framework. Pick by use case first, then by how much hardening work you are willing to do.
Can I run a self-hosted AI agent on a cheap VPS?
Yes, for most of them. Hermes Agent runs on a $5 VPS and Agent Zero starts at around 2 GB of RAM, while Dify wants 2 to 4 GB free and OpenHands wants at least 4 GB. The agents themselves are light because the language model usually runs at a hosted API. If you also self-host the model, size the server for the model, which is a much larger requirement than the agent.
Do I need a GPU to self-host an AI agent?
No. The agent is a runtime: a loop, tools, and memory, all ordinary code that runs on a CPU-only VPS. A GPU only matters if you also want to run the language model itself on your own hardware instead of calling a hosted API. In that case the model has to fit in memory, and you should size the machine for the model before you download it.
Are self-hosted AI agents safe to run?
They are as safe as the limits you put around them. Every agent here runs commands or code, so the risks are an exposed control surface, a root install, and leaked API keys. The fixes are the same for all five: an unprivileged user, loopback-only interfaces reached over SSH or a VPN, a default-deny firewall covering IPv4 and IPv6, file permissions on secrets, and prompt updates. An agent installed that way is a reasonable thing to run; an agent exposed raw on a public port is not.