Capabilities

How it works

A single Go binary connects to your data sources, syncs everything to local SQLite, and lets you interact through Telegram or the terminal. Every write action goes through approval gates before it executes.

OpenBotKit architecture diagram showing the flow from user through channels, agent loop, safety layer, tool executor, and data sources - all stored in local SQLite

In action

Chat with your assistant on Telegram. It checks your calendar, sends WhatsApp messages, converts currencies, sets reminders - and asks before every action.

Telegram conversation showing OpenBotKit checking calendar availability, sending a WhatsApp message, converting currency, and setting a reminder - each with user approval

Integrations

Sources

Your assistant reads, searches, and acts across your personal data - all synced locally.

Gmail
- read, search, and send email with OAuth2.
WhatsApp
- sync messages locally via QR code pairing. Send with approval.
Apple Notes
- search and read notes on macOS via AppleScript.
iMessage
- read conversations on macOS.
Slack
- read channels and send messages.
Google Workspace
- Calendar, Docs, Sheets, Drive, and 40+ more APIs via progressive consent.
Contacts
- search your address book by name.
Web Search
- search the web. No API keys needed.
Scheduler
- create reminders and recurring tasks.

Channels

Interact with your assistant and approve actions through:

Telegram
- chat, ask questions, and approve or deny actions with inline buttons.
Terminal
- full CLI for power users via obk chat.

LLM Providers

Bring your own AI. Not locked into one provider.

Anthropic Claude (default), Google Gemini, OpenAI, OpenRouter, and Groq. Switch providers with a single config change. Cost profiles included so you know what each model costs before you use it.

The agent harness

A single Go binary. No bloated frameworks. No containers required.

Agent loop with safety gates
Multi-turn conversation with tool use. Every tool call goes through risk assessment and approval gates before execution.
100+ plain-text skills
Skills are plain language descriptions - not code. Services, helpers, personas, and recipes you can read, edit, or replace in seconds.
Background sync daemon
Runs as a launchd service on macOS or systemd on Linux. Keeps your Gmail, WhatsApp, and other sources synced in the background.
Local SQLite storage
All data lives in SQLite databases under ~/.obk/. Pure Go driver - no CGO, no external dependencies.

Safety architecture

8 independent defense layers. Not prompts - code. Inspired by how Anthropic builds Claude Code and informed by research from Lasso Security and Trail of Bits.

  1. Approval gates. Every write action - sending a message, creating an event, modifying a file - requires your explicit OK. Enforced in code via GuardedAction. The AI cannot bypass it.
  2. Local-first data. Your data syncs to SQLite on your machine. No cloud relay. Nothing leaves your device unless you send it.
  3. Prompt injection defense. Content boundaries with XML markers, injection scanning across plain text, base64, and homoglyph encodings, and system prompt hardening.
  4. Tiered risk levels. Low-risk actions notify you. Medium-risk actions require approval. High-risk actions require approval with a full preview of what will happen.
  5. Bash command filtering. Dangerous commands are blocked. Scheduled tasks only allow obk and sqlite3.
  6. Rubber-stamp detection. If you approve 5+ actions in 30 seconds, the system warns you to slow down. Approval fatigue is a real attack vector.
  7. Restricted unattended mode. Scheduled tasks get fewer tools, no file write access, and a restricted tool registry.
  8. Audit logging. Every tool execution is logged to a local SQLite database. You can review what your assistant did at any time.

Ready to try it?

$ curl -fsSL https://raw.githubusercontent.com/priyanshujain/openbotkit/master/install.sh | sh
$ obk setup