DEV.co
MCP Servers · ghostwright

phantom

Phantom is a self-evolving AI agent that runs on its own dedicated VM, maintains persistent memory, and autonomously builds infrastructure (databases, dashboards, APIs) without manual intervention. It integrates with Slack, email, and other channels, supports multiple LLM providers, and is built on TypeScript with Apache 2.0 licensing.

Source: GitHub — github.com/ghostwright/phantom
1.4k
GitHub stars
190
Forks
TypeScript
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryghostwright/phantom
Ownerghostwright
Primary languageTypeScript
LicenseApache-2.0 — OSI-approved
Stars1.4k
Forks190
Open issues64
Latest releaseUnknown
Last updated2026-06-16
Sourcehttps://github.com/ghostwright/phantom

What phantom is

TypeScript-based autonomous agent framework leveraging Claude Agent SDK with MCP server support, persistent vector-based memory (Qdrant), Docker-based sandboxed execution, multi-provider LLM abstraction (Anthropic, OpenRouter, Ollama, vLLM, LiteLLM), and self-evolution capabilities via feedback loops. Designed for long-running workloads on dedicated infrastructure.

Quickstart

Get the phantom source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/ghostwright/phantom.gitcd phantom# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Enterprise Autonomous Workflow Automation

Deploy Phantom on a dedicated VM to autonomously handle recurring tasks (data analysis, report generation, infrastructure monitoring, CI/CD oversight) with persistent state, learning, and self-improvement across sessions.

Internal Tool Scaffolding & Rapid Deployment

Use Phantom to rapidly prototype and deploy internal dashboards, analytics platforms, REST APIs, and integrations without manual DevOps; the agent builds, deploys, and registers tools as MCP endpoints for reuse.

Multi-Channel AI Co-Worker for Technical Teams

Integrate Phantom into Slack/email/webhook ecosystems to provide a persistent, learning AI assistant that spans multiple communication channels, remembers context across weeks, and autonomously extends its own capabilities.

Implementation considerations

  • Docker socket mount (`/var/run/docker.sock`) grants the Phantom container root-equivalent access to the host Docker daemon; run on a dedicated VM/machine, not a shared or personal workstation, and isolate from untrusted workloads.
  • Requires a stable LLM provider (Anthropic API key by default; supports fallback to OpenRouter, Ollama, vLLM, or LiteLLM). Plan for API rate limits, costs, and latency; Claude Opus or cheaper alternatives (e.g., Z.AI GLM) must be budgeted.
  • Persistent memory relies on Qdrant (vector database) for semantic recall. Deploy Qdrant as a managed service or sidecar; ensure disk persistence and backup strategy for critical agent memory.
  • Multi-channel integration (Slack, Telegram, email, webhooks) requires credential setup and ongoing token rotation. Phantom has credential collection facilities; audit token handling against organizational security policy.
  • No official release versioning (latestRelease: none); deployments use Docker image tags or git commit SHA. Version pinning and testing strategy must account for main-branch-driven updates.

When to avoid it — and what to weigh

  • Highly Regulated Data Environments — Phantom autonomously installs software, creates databases, and builds infrastructure. In HIPAA, PCI, SOC2, or similar environments, this unbounded autonomy and the lack of explicit audit/compliance trail may violate governance requirements. Requires deep security review and custom hardening.
  • Single-Use or Stateless Query Workloads — Phantom is built for persistent, learning agents that improve over time. If you need a one-off API call or stateless inference, use a lighter LLM framework (LangChain, Llamaindex, or raw API clients). Phantom overhead is unjustified.
  • Environments Without Dedicated Hardware or VM Capacity — Phantom requires its own machine (or VM) with Docker and reasonable compute/memory. Shared multi-tenant or resource-constrained environments (CI runners, serverless functions, embedded systems) are not suitable.
  • Closed-Source Proprietary Code & IP Concerns — Phantom is Apache 2.0 licensed (permissive), but the agent autonomously builds, installs, and generates code/infrastructure on its VM. Organizations with strict IP controls may need custom data segmentation and audit trails before deploying.

License & commercial use

Apache License 2.0 (Apache-2.0). Permissive open-source license permitting commercial use, modification, distribution, and sublicensing under the condition that original copyright notices and a copy of the license are retained. No patent grant explicitly provided by the license text alone; standard ALv2 patent indemnity clauses apply.

Apache 2.0 is a permissive OSI-approved license that explicitly allows commercial use and derivative works. No proprietary restrictions or usage-based fees are imposed by the license itself. However, Phantom autonomously builds infrastructure and generates code; ensure internal compliance review covers data handling, IP assignment, and audit logging for commercial deployments. Third-party dependencies (Claude API, Docker, Qdrant, etc.) have their own licensing; verify compliance with each.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

Critical: Docker socket mount grants the Phantom container root-equivalent access to the host Docker daemon; a compromised process could create, modify, or destroy containers. Mitigation: run Phantom on a dedicated, isolated VM (not personal workstation), disable untrusted workloads on the same host, and enforce network segmentation. Additionally: (1) Phantom autonomously installs software and creates infrastructure—no hard sandbox limits prevent privilege escalation or lateral movement; (2) credential collection facilities exist (email identity, secure token submission for Discord) but require audit of secret handling and rotation; (3) no formal security audit, CVE disclosure, or threat model publication is evident from data. (4) multi-provider LLM support means credentials for OpenAI, Ollama, vLLM, etc., must be stored and rotated. (5) persistent memory and code generation can leak training data if ingestion is not carefully scoped. Requires formal security review before production deployment in sensitive environments.

Alternatives to consider

LangGraph / LangChain Agent Framework

Lighter-weight, widely-adopted orchestration for agentic workflows; no dedicated VM required. Best if you need task automation without persistent autonomous infrastructure; less self-evolution capability.

AutoGPT / AgentGPT (Legacy) or Newer Forked Variants

Similar autonomous agent design but less mature ecosystem and community support. Phantom is more polished and has real production examples; AGI-inspired projects have slower iteration and smaller user base.

OpenAI Assistants API + Custom Orchestration

Managed, stateful agent backend from OpenAI with file/knowledge indexing and built-in tool use. No infrastructure management, but less autonomy over tool creation and self-evolution; vendor lock-in to OpenAI models.

Software development agency

Build on phantom with DEV.co software developers

Start with Docker Compose on a dedicated VM, or claim a free managed Phantom at ghostwright.dev/phantom. Review security.md for threat model and isolation requirements before production deployment.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Related on DEV.co

Explore the category and the services that help you build with it.

phantom FAQ

Can I run Phantom on my laptop instead of a dedicated VM?
Yes, technically—but it is not recommended. The Docker socket mount grants root-equivalent access; a compromised Phantom process could access all containers on your machine. Use a dedicated VM, server, or isolated Docker host only.
Does Phantom support models other than Claude?
Yes. Out-of-the-box support includes Anthropic (Claude), Z.AI (GLM), OpenRouter (100+ models), Ollama (self-hosted GGUF), vLLM, LiteLLM, and custom Anthropic-compatible endpoints. Switch providers with two lines of YAML.
What happens to Phantom's memory if I restart the container?
Qdrant (vector database) persists memory to disk by default (in docker-compose setup). Restart the container and memory persists. Loss occurs only if you explicitly delete the Qdrant volume or fail to enable persistence.
Is Phantom suitable for HIPAA or PCI-compliant environments?
Not without significant custom hardening and audit infrastructure. Phantom autonomously installs software, creates databases, and generates code—unbounded autonomy conflicts with regulated data-handling requirements. Requires dedicated security review.

Software developers & web developers for hire

Adopting phantom is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate mcp servers software in production.

Ready to deploy a persistent, learning AI co-worker?

Start with Docker Compose on a dedicated VM, or claim a free managed Phantom at ghostwright.dev/phantom. Review security.md for threat model and isolation requirements before production deployment.