Shubham Saboo runs six AI agents on a Mac Mini M4 in his apartment. They research topics, draft social media posts, compile newsletters, and review code. They run 24 hours a day, 7 days a week, coordinating through the filesystem. Total reported cost: about $400 per month.
His writeup, “How I Built an Autonomous AI Agent Team That Runs 24/7,” is one of the most detailed practitioner accounts of a multi-agent system in production. Saboo is not a hobbyist. He is a Senior AI Product Manager at Google, and his open-source repository (Awesome LLM Apps) has over 103,000 GitHub stars.
The technical patterns he describes are genuinely worth studying. Several of them map to approaches we use in production agent systems at Victorino. But studying the patterns is different from copying the deployment. Because what works for a solo creator publishing content from his apartment does not translate to an organization where agents touch customer data, internal systems, and business-critical workflows.
The distance between “it works for me” and “it works for the company” is where most agent deployments go wrong.
Three Patterns Worth Stealing
Before the critique, credit where it belongs. Saboo’s architecture contains three patterns that any team building agent systems should understand.
SOUL.md personality files. Each agent gets a 40-to-60-line markdown file defining its identity, principles, communication style, and relationships to other agents. Saboo names his agents after TV characters (Monica Geller runs operations, Dwight Schrute handles research) to exploit cultural knowledge already encoded in the language model’s training data.
This is clever for a specific reason. As we explored in Your Agent’s Personality Is a Governance Layer, personality definitions are behavioral specifications, not cosmetic choices. A well-written SOUL.md constrains how an agent reasons, what it prioritizes, and what it refuses. Saboo discovered this empirically. The governance insight is latent in his design even if he does not frame it that way.
File-based coordination. Agents communicate through the filesystem. The research agent writes daily intelligence to intel/DAILY-INTEL.md. Content agents read it. One writer, many readers. No API middleware, no message queues, no databases. Just files.
This is not primitive. It is deliberately constrained. Clord.dev’s analysis of multi-agent coordination confirms that file-based patterns handle 90% of single-machine sequential workflows. The constraint (one writer per file) eliminates an entire class of concurrency bugs. For small teams of agents doing asynchronous work on a single machine, files are a reasonable coordination layer.
Heartbeat monitoring. A HEARTBEAT.md file tracks agent activity. Cron jobs check it. If an agent has been idle for more than 26 hours, the system force-restarts it. Basic watchdog pattern, but it works.
These patterns are real. They solve real problems. Organizations building agent systems should study them.
Now for what they leave out.
The Learning Illusion
Saboo describes his agents as “learning” over time. The mechanism: daily logs written to memory/YYYY-MM-DD.md files, plus a curated MEMORY.md that persists across sessions. During heartbeat cycles, he manually consolidates what the agents have logged.
Read that last sentence again. He manually consolidates.
What Saboo calls learning is iterative prompt engineering with persistence. A human reviews agent output, identifies what went wrong, updates the memory files or personality definitions, and the agent performs differently next time. The feedback loop runs through a person, not through the system.
This distinction matters because “my agents learn” implies autonomous improvement. It implies a trajectory where the system gets better without you. That trajectory does not exist here. Remove the human from Saboo’s loop and the agents repeat the same mistakes indefinitely.
For a solo creator, the manual loop is fine. He is the governance layer. He reviews everything. He corrects everything. His taste and judgment are embedded in every iteration.
For an organization, this is a staffing dependency disguised as automation. The “learning” system requires someone who understands the agents, the domain, and the prompt patterns to continuously monitor, evaluate, and intervene. That person becomes a single point of failure. When they go on vacation, the agents stop improving. When they leave the company, institutional knowledge walks out with them.
We covered the theoretical dimension of this problem in Your Agent Remembers Everything. Who Governs That?. Saboo’s system is a concrete illustration. Memory without governance policy is just accumulating context with no expiration, no access controls, no audit trail, and no way to know whether last Tuesday’s memory entry is still accurate.
The Security Problem Nobody Mentions
Saboo’s agents run on OpenClaw. His writeup does not discuss security. Not once.
The security evidence says he should.
SecurityScorecard found 40,214 internet-exposed OpenClaw instances, with 35.4% flagged as vulnerable. Five CVEs have been published in 2026 alone. Koi Security scanned ClawHub (the community skill marketplace) and found 824 malicious skills out of 10,700 published. That is nearly 8%.
The “Agents of Chaos” paper (Shapira et al., arXiv:2504.03423, 2026) documented 11 distinct attack vectors against OpenClaw deployments, including identity spoofing, prompt injection, and non-owner compliance (where the agent follows instructions from someone other than its owner). A Meta AI researcher described losing control of an OpenClaw agent that went on an email deletion spree.
We analyzed the Tsinghua framework for OpenClaw security in The Diagnosis Is Right. The Cure Doesn’t Exist Yet.. The conclusion there applies here: the defenses proposed by researchers are theoretical. They are not implemented in the platform Saboo is using.
NVIDIA built NemoClaw, an enterprise sandboxing wrapper for OpenClaw, specifically because raw OpenClaw lacks sufficient isolation for organizational use. The existence of NemoClaw validates the concern. If the platform were secure enough, the wrapper would not need to exist.
GovInfoSecurity reported that OpenClaw deployments routinely happen as shadow IT. Their source put it bluntly: “Nobody in the CISO’s team, nobody in the compliance team knows that it’s happening.”
Saboo’s setup is a textbook example. Six agents running on a personal Mac Mini, accessing the internet, reading and writing files, with no security framework beyond whatever OpenClaw provides by default. For his personal use, the risk profile is his to accept. For any organization that replicates this pattern, the risk profile is entirely different.
The Cost Asterisk
Four hundred dollars per month sounds cheap. It is the headline that makes this story compelling. Six AI agents, always on, for the price of a software subscription.
The number deserves scrutiny.
It excludes hardware amortization. A Mac Mini M4 costs $600 to $2,000 depending on configuration. Amortized over three years, that adds $17 to $56 per month.
It excludes electricity and network costs. Running 24/7 is not free.
It excludes human review time. Saboo spends time every day reviewing agent output, consolidating memory files, adjusting prompts. His time has a cost. If he bills at anything resembling a Google PM’s hourly rate, the human oversight expense dwarfs the compute cost.
And there is a billing asterisk Saboo himself flagged. He initially used Claude Max ($200/month) but discovered it stopped working for automated agent use. Anthropic’s terms prohibit automated API-style usage through consumer subscriptions. His cost structure had to change mid-deployment.
None of this means the system is expensive in absolute terms. It means the $400 figure is marketing, not accounting. For organizations evaluating whether to replicate this, the real cost includes the human governance layer that makes the system work.
Shadow IT in a Box
Here is the pattern that should concern any technology leader.
A skilled individual builds an agent system on personal infrastructure. It works. It produces visible output. Colleagues notice. Someone asks, “Can you set this up for our team?” The system gets replicated. Now six agents are running on a Mac Mini under someone’s desk, accessing company Slack, reading internal documents, posting to company social accounts.
Nobody in security knows. Nobody in compliance knows. Nobody in IT knows. The agents have no access controls, no audit logs, no data handling policies.
The pattern already played out once. SaaS adoption circa 2012, replayed now with higher stakes. When a rogue SaaS app leaked data, the blast radius was limited to whatever that app could access. When a rogue agent leaks data, the blast radius includes everything the agent can reach through its tools. File systems. Email. APIs. Code repositories.
As we examined in The Architecture of Multi-Agent Systems, the coordination patterns for agent teams are well-understood. What remains under-built is the organizational infrastructure: who approves agent deployments, what data they can access, how their actions are logged, and who is accountable when they fail.
What Organizations Should Actually Do
Saboo’s writeup is valuable because it shows what is possible today with commodity hardware and open-source tools. The patterns (personality files, file-based coordination, heartbeat monitoring) are sound engineering. The missing layer is everything that makes those patterns safe and sustainable beyond one person’s apartment.
If you are building agent teams for organizational use, start with the patterns. Then add what Saboo’s system does not have.
Access controls. Every agent needs an identity with scoped permissions. The research agent reads external sources. It does not write to internal systems. The content agent drafts posts. It does not access financial data. Least privilege is not optional.
Audit trails. Every agent action should be logged in a format that security and compliance can review. Who did what, when, using which tool, accessing which data. File-based coordination makes this easier, not harder. The filesystem already has timestamps and diffs.
Memory governance. Retention policies. Access controls on memory files. Expiration dates on context that may become stale or inaccurate. Regular review cycles that do not depend on a single person’s availability.
Deployment review. Before an agent goes into production, someone in security reviews its configuration, its tool access, its data permissions, and its coordination interfaces. The same review process organizations use for deploying any other software system.
Observability. Beyond heartbeat monitoring: token usage tracking, output quality metrics, drift detection. As we covered in Agent Teams and the Shift from Writing Code to Directing Work, the environment surrounding the agent determines its effectiveness. Monitoring that environment is not overhead. It is operations.
The technology works. The question was never whether six AI agents could run on a Mac Mini. The question is whether they should run without the controls that every other production system requires.
Saboo answered the first question. Organizations need to answer the second one before they deploy.
This analysis synthesizes Shubham Saboo’s “How I Built an Autonomous AI Agent Team That Runs 24/7” (March 2026), Agents of Chaos (Shapira et al., 2026), Taming OpenClaw (Tsinghua/Ant Group, March 2026), SecurityScorecard OpenClaw exposure research (2026), and GovInfoSecurity OpenClaw shadow IT reporting (2026).
Victorino Group helps organizations deploy AI agent systems with the governance, security, and observability that solo-creator workflows skip. Let’s talk.
All articles on The Thinking Wire are written with the assistance of Anthropic's Opus LLM. Each piece goes through multi-agent research to verify facts and surface contradictions, followed by human review and approval before publication. If you find any inaccurate information or wish to contact our editorial team, please reach out at editorial@victorinollc.com . About The Thinking Wire →
If this resonates, let's talk
We help companies implement AI without losing control.
Schedule a Conversation