IronClaw: a Rust-based clawd that runs tools in isolated WASM sandboxes

I'm getting tired of these vibe-designed security things. I skimmed the "design". What is sandboxed from what? What is the threat model? What does it protect against, if anything? What does it fail to protect against? How does data get into a sandbox? How does it get out?

It kind of sounds like the LLM built a large system that doesn't necessarily achieve any actual value.

Wait. I don't understand the threat vector modelled here. Any agent or two isolated ones that the do Webfetch and code exec, even in separate sandboxes, is pretty much game over as far as defending against threat vectors goes. What am I missing here?

Sandboxes will be left in 2026. We don't need to reinvent isolated environments; not even the main issue with OpenClaw - literally go deploy it in a VM on any cloud and you've achieved all same benefits.

We need to know if the email being sent by an agent is supposed to be sent and if an agent is actually supposed to be making that transaction on my behalf. etc

Interesting approach. It requires a Near AI account. Supposedly that's a more private way to do inference, but at the same time they do offer Claude Opus 4.6 (among others), so I wonder what privacy guarantees they can actually offer and whether it depends on Anthropic?

Awesome to see a project deal with prompt injection. Using a WASM is clever. How does this ensure that tools adhere to capability-based permissions without breaking the sandbox?

Fun fact: it's being developed by one of the authors of "Attention is all you need"

looking at the feature parity page, i realized how big openclaw ecosystem has become. It's completely crazy for such a young project to be able to interface with so many subsystems so fast.

At this rate, it's going to be simply impossible to catchup in just a few months.

Does it isolate keys away from bots?

What runtimes are supported? I don't think I saw that part mentioned in the README

These OpenAI frontends are the new JS frameworks. Not a week goes by without yet another tool to let some vectors install malware or write rants to open source maintainers.

Can't wait for the bubble to pop.

the power of openclaw is theres no sand boxing

Reminds me of the LocalGPT that was posted recently too (but which hasnt been updated in 7 months), so nice to see a newer rust-based implementation!

I suspect OCI wins the sandbox space in the enterprise and everything else will be for hobbyists and companies like vercel that have a very narrow view of how software should be run

Clearly this developer knows the trick of developing with ai: adding “… and make it secure” to all your prompts. /s

Huh what's the benefit

Yes, I'm also tired of this black-box-for-everything approach. It may work for some cases, you may cherry pick some examples, but at the end of the day it is just stupid, and you are just kicking the can down the road and faking a solution. I'm hoping to see fewer of these posts. Until there is actual provable merit.

What runtimes are supported? I don't think I saw that part mentioned in the README

Reminds me of the LocalGPT that was posted recently too (but which hasnt been updated in 7 months), so nice to see a newer rust-based implementation!

I suspect OCI wins the sandbox space in the enterprise and everything else will be for hobbyists and companies like vercel that have a very narrow view of how software should be run

We need to know if the email being sent by an agent is supposed to be sent and if an agent is actually supposed to be making that transaction on my behalf. etc

This is very, very wrong, IMO. We need more sandboxes and more granular sandboxes.

A VM is too coarse grained and doesn't know how to deal with sensitive data in a structured and secure way. Everything's just in the same big box.

You don't want to give a a single agent access to your email, calendar, bank, and the internet, but you may want to give an agent access to your calendar and not the general internet; another access to your credit card but nothing else; and then be able to glue them together securely to buy plane tickets.

I think sandboxes are useful, but not sufficient. The whole agent runtime has to be designed to carefully manage I/O effects--and capability gate them. I'm working on this here [0]. There are some similarities to my project in what IronClaw is doing and many other sandboxes are doing, but i think we really gotta think bigger and broader to make this work.

[0] https://github.com/smartcomputer-ai/agent-os/

We should be able to revert any action done by agents. Or present user a queue will all actions for approval.

Well, the challenge is to know if the action supposed to be executed BEFORE it is requested to be executed. If the email with my secrets is sent, it is too late to deal with the consequences.

Sandboxes could provide that level of observability, HOWEVER, it is a hard lift. Yet, I don't have better ideas either. Do you?

Sandboxes are needed, but are only one piece of the puzzle. I think it's worth categorizing the trust issue into

1. An LLM given untrusted input produces untrusted output and should only be able to generate something for human review or that's verifiably safe.

2. Even an LLM without malicious input will occasionally do something insane and needs guardrails.

There's a gnarly orchestration problem I don't see anyone working on yet.

Instrumental convergence and the law of unintended consequences are going to be huge in 2026. I am excited.

Awesome to see a project deal with prompt injection. Using a WASM is clever. How does this ensure that tools adhere to capability-based permissions without breaking the sandbox?

Instead of expecting the tools to adhere, they are enforced. For example, to make an HTTP call with a secret key, the tool must use the proxy service that will enforce that the secret key is only used for the specific domain, if that is allowed, then the proxy service will make the call, thus the secret never leaks outside of the service.

However, this design is still under development as it creates quite a bit of challenges.

> Using a WASM is clever

Every time a project is shared that uses WASM.

Fun fact: it's being developed by one of the authors of "Attention is all you need"

worth mentioning an additional credential/or-not, the creator of "the platform powering the agentic future" (blockchain) https://www.near.org/

Clearly this developer knows the trick of developing with ai: adding “… and make it secure” to all your prompts. /s

Huh what's the benefit

It's a hardened, security-first implementation. WASM runtime specifically is for isolating tool sandboxes

We should be able to revert any action done by agents. Or present user a queue will all actions for approval.

[0] https://github.com/smartcomputer-ai/agent-os/

> Using a WASM is clever

Every time a project is shared that uses WASM.

You mean llia Polosukhin, who is recognized as an AI founder and co‑authored the landmark 2017 paper “Attention Is All You Need" while at Google Research? /s ?

I think the guys who are developing this (Illia Polosoukhin of "Attention is all you need") and others knows enough to leverage their skills with AI vs. producing slop

It's a hardened, security-first implementation. WASM runtime specifically is for isolating tool sandboxes

WASM has issues with certain languages, why WASM and not OCI?

This is very, very wrong, IMO. We need more sandboxes and more granular sandboxes.

A VM is too coarse grained and doesn't know how to deal with sensitive data in a structured and secure way. Everything's just in the same big box.

You're extending the definition of a sandbox

You’re repeating the parent commenters position but missing their point: we have isolated environments already, we need better paradigms to understand (and hook) agent actions. You’re saying the latter half is sandboxing and I disagree.

Sandboxes are needed, but are only one piece of the puzzle. I think it's worth categorizing the trust issue into

1. An LLM given untrusted input produces untrusted output and should only be able to generate something for human review or that's verifiably safe.

2. Even an LLM without malicious input will occasionally do something insane and needs guardrails.

There's a gnarly orchestration problem I don't see anyone working on yet.

I think at least a few teams are working on information flow control systems for orchestrating secured agents with minimal permissions. It's a critical area to address if we really want agents out there doing arbitrary useful stuff for us, safely.

Well, the challenge is to know if the action supposed to be executed BEFORE it is requested to be executed. If the email with my secrets is sent, it is too late to deal with the consequences.

Sandboxes could provide that level of observability, HOWEVER, it is a hard lift. Yet, I don't have better ideas either. Do you?

The solution is to make the model stronger so the malicious intents can be better distinguished (and no, it is not a guarantee, like many things in life). Sandbox is a basic, but as long as you give the model your credential, there isn't much guardrails can be done other than making the model stronger (separate guard model is the wrong path IMHO).

if you extend the definition of sandbox, then yea.

Solutions no, for now continued cat/mouse with things like "good agents" in the mix (i.e. ai as a judge - of course just as exploitable through prompt injection), and deterministic policy where you can (e.g. OPA/rego).

We should continue to enable better integrations with runtime - why i created the original feature request for hooks in claude code. Things like IFC or agent-as-a-judge can form some early useful solutions.

Instrumental convergence and the law of unintended consequences are going to be huge in 2026. I am excited.

same! sharing this link for my own philosphy around it, ignore the tool. https://cupcake.eqtylab.io/security-disclaimer/

However, this design is still under development as it creates quite a bit of challenges.

same! sharing this link for my own philosphy around it, ignore the tool. https://cupcake.eqtylab.io/security-disclaimer/

if you extend the definition of sandbox, then yea.

You mean llia Polosukhin, who is recognized as an AI founder and co‑authored the landmark 2017 paper “Attention Is All You Need" while at Google Research? /s ?

WASM has issues with certain languages, why WASM and not OCI?

You're extending the definition of a sandbox

No, that's more capabilities than sandboxing. You want fine-grained capabilities such that for every "thread" the model gets access to the minimum required access to do something.

The problem is that it seems (at least for now) a very hard problem, even for very constrained workflows. It seems even harder for "open-ended" / dynamic workflows. This gets more complicated the more you think about it, and there's a very small (maybe 0 in some cases) intersection of "things it can do safely" and "things I need it to do".

Not really. One version of this might look like implementing agents and tools in WASM and running generated code in WASM, and gluing together many restricted fine-grained WASM components in a way that's safe but allows from high-level work. WASM provides the sandboxing, and you have a lot of sandboxes.

I think generally correct to say "hey we need stronger models" but rather ambitious to think we really solve alignment with current attention-based models and RL side-effects. Guard model gives an additional layer of protection and probably stronger posture when used as an early warning system.

No, that's more capabilities than sandboxing. You want fine-grained capabilities such that for every "thread" the model gets access to the minimum required access to do something.

Docker is not a security boundary?

These OpenAI frontends are the new JS frameworks. Not a week goes by without yet another tool to let some vectors install malware or write rants to open source maintainers.

Can't wait for the bubble to pop.

looking at the feature parity page, i realized how big openclaw ecosystem has become. It's completely crazy for such a young project to be able to interface with so many subsystems so fast.

At this rate, it's going to be simply impossible to catchup in just a few months.

Idk this seems to be gaining momentum and with devs being able to leverage their skillset via vibe coding anything seems possible really.

Does it isolate keys away from bots?

Yes exactly, keys are only injected at host boundary

the power of openclaw is theres no sand boxing

Or you design the sandbox so smartly that is seamless...

worth mentioning an additional credential/or-not, the creator of "the platform powering the agentic future" (blockchain) https://www.near.org/

I think the guys who are developing this (Illia Polosoukhin of "Attention is all you need") and others knows enough to leverage their skills with AI vs. producing slop

which explains why this tool requires a NEAR AI account to use

Docker is not a security boundary?

That's defined in context, security is a spectrum with tradeoffs

OCI supports far more and has a much bigger ecosystem

which explains why this tool requires a NEAR AI account to use

I mean, it's literally a repo belonging to NEAR AI.

IronClaw

Your secure personal AI assistant, always on your side

Philosophy • Features • Installation • Configuration • Security • Architecture

Philosophy

IronClaw is built on a simple principle: your AI assistant should work for you, not against you.

In a world where AI systems are increasingly opaque about data handling and aligned with corporate interests, IronClaw takes a different approach:

Your data stays yours - All information is stored locally, encrypted, and never leaves your control
Transparency by design - Open source, auditable, no hidden telemetry or data harvesting
Self-expanding capabilities - Build new tools on the fly without waiting for vendor updates
Defense in depth - Multiple security layers protect against prompt injection and data exfiltration

IronClaw is the AI assistant you can actually trust with your personal and professional life.

Features

Security First

WASM Sandbox - Untrusted tools run in isolated WebAssembly containers with capability-based permissions
Credential Protection - Secrets are never exposed to tools; injected at the host boundary with leak detection
Prompt Injection Defense - Pattern detection, content sanitization, and policy enforcement
Endpoint Allowlisting - HTTP requests only to explicitly approved hosts and paths

Always Available

Multi-channel - REPL, HTTP webhooks, WASM channels (Telegram, Slack), and web gateway
Docker Sandbox - Isolated container execution with per-job tokens and orchestrator/worker pattern
Web Gateway - Browser UI with real-time SSE/WebSocket streaming
Routines - Cron schedules, event triggers, webhook handlers for background automation
Heartbeat System - Proactive background execution for monitoring and maintenance tasks
Parallel Jobs - Handle multiple requests concurrently with isolated contexts
Self-repair - Automatic detection and recovery of stuck operations

Self-Expanding

Dynamic Tool Building - Describe what you need, and IronClaw builds it as a WASM tool
MCP Protocol - Connect to Model Context Protocol servers for additional capabilities
Plugin Architecture - Drop in new WASM tools and channels without restarting

Persistent Memory

Hybrid Search - Full-text + vector search using Reciprocal Rank Fusion
Workspace Filesystem - Flexible path-based storage for notes, logs, and context
Identity Files - Maintain consistent personality and preferences across sessions

Installation

Prerequisites

Rust 1.85+
PostgreSQL 15+ with pgvector extension
NEAR AI account (authentication handled via setup wizard)

Download or Build

Visit Releases page to see the latest updates.

Install via Windows Installer (Windows)

Download the Windows Installer and run it.

Install via powershell script (Windows)

irm https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-installer.ps1 | iex

Install via shell script (macOS, Linux, Windows/WSL)

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/nearai/ironclaw/releases/latest/download/ironclaw-installer.sh | sh

Compile the source code (Cargo on Windows, Linux, macOS)

Install it with cargo, just make sure you have Rust installed on your computer.

# Clone the repository
git clone https://github.com/nearai/ironclaw.git
cd ironclaw

# Build
cargo build --release

# Run tests
cargo test

For full release (after modifying channel sources), run ./scripts/build-all.sh to rebuild channels first.

Database Setup

# Create database
createdb ironclaw

# Enable pgvector
psql ironclaw -c "CREATE EXTENSION IF NOT EXISTS vector;"

Configuration

Run the setup wizard to configure IronClaw:

ironclaw onboard

The wizard handles database connection, NEAR AI authentication (via browser OAuth), and secrets encryption (using your system keychain). All settings are saved to ~/.ironclaw/settings.toml.

Security

IronClaw implements defense in depth to protect your data and prevent misuse.

WASM Sandbox

All untrusted tools run in isolated WebAssembly containers:

Capability-based permissions - Explicit opt-in for HTTP, secrets, tool invocation
Endpoint allowlisting - HTTP requests only to approved hosts/paths
Credential injection - Secrets injected at host boundary, never exposed to WASM code
Leak detection - Scans requests and responses for secret exfiltration attempts
Rate limiting - Per-tool request limits to prevent abuse
Resource limits - Memory, CPU, and execution time constraints

WASM ──► Allowlist ──► Leak Scan ──► Credential ──► Execute ──► Leak Scan ──► WASM
         Validator     (request)     Injector       Request     (response)

Prompt Injection Defense

External content passes through multiple security layers:

Pattern-based detection of injection attempts
Content sanitization and escaping
Policy rules with severity levels (Block/Warn/Review/Sanitize)
Tool output wrapping for safe LLM context injection

Data Protection

All data stored locally in your PostgreSQL database
Secrets encrypted with AES-256-GCM
No telemetry, analytics, or data sharing
Full audit log of all tool executions

Architecture

┌────────────────────────────────────────────────────────────────────┐
│                          Channels                                  │
│  ┌──────┐  ┌──────┐  ┌─────────────┐  ┌─────────────┐            │
│  │ REPL │  │ HTTP │  │WASM Channels│  │ Web Gateway │            │
│  └──┬───┘  └──┬───┘  └──────┬──────┘  │ (SSE + WS) │            │
│     │         │              │         └──────┬──────┘            │
│     └─────────┴──────────────┴────────────────┘                   │
│                              │                                     │
│                    ┌─────────▼─────────┐                          │
│                    │    Agent Loop     │  Intent routing           │
│                    └────┬─────────┬────┘                          │
│                         │         │                                │
│              ┌──────────▼───┐  ┌──▼──────────────┐               │
│              │  Scheduler   │  │ Routines Engine  │               │
│              │(parallel jobs)│  │(cron, event, wh) │               │
│              └──────┬───────┘  └────────┬─────────┘               │
│                     │                   │                          │
│       ┌─────────────┼───────────────────┘                         │
│       │             │                                              │
│   ┌───▼────┐   ┌────▼────────────────┐                           │
│   │ Local  │   │    Orchestrator     │                           │
│   │Workers │   │  ┌───────────────┐  │                           │
│   │(in-proc)│   │  │ Docker Sandbox│  │                           │
│   └───┬────┘   │  │   Containers  │  │                           │
│       │        │  │ ┌───────────┐ │  │                           │
│       │        │  │ │Worker / CC│ │  │                           │
│       │        │  │ └───────────┘ │  │                           │
│       │        │  └───────────────┘  │                           │
│       │        └─────────┬───────────┘                           │
│       └──────────────────┤                                        │
│                          │                                        │
│              ┌───────────▼──────────┐                             │
│              │    Tool Registry     │                             │
│              │  Built-in, MCP, WASM │                             │
│              └──────────────────────┘                             │
└────────────────────────────────────────────────────────────────────┘

Core Components

Component	Purpose
Agent Loop	Main message handling and job coordination
Router	Classifies user intent (command, query, task)
Scheduler	Manages parallel job execution with priorities
Worker	Executes jobs with LLM reasoning and tool calls
Orchestrator	Container lifecycle, LLM proxying, per-job auth
Web Gateway	Browser UI with chat, memory, jobs, logs, extensions, routines
Routines Engine	Scheduled (cron) and reactive (event, webhook) background tasks
Workspace	Persistent memory with hybrid search
Safety Layer	Prompt injection defense and content sanitization

Usage

# First-time setup (configures database, auth, etc.)
ironclaw onboard

# Start interactive REPL
cargo run

# With debug logging
RUST_LOG=ironclaw=debug cargo run

Development

# Format code
cargo fmt

# Lint
cargo clippy --all --benches --tests --examples --all-features

# Run tests
createdb ironclaw_test
cargo test

# Run specific test
cargo test test_name

Telegram channel: See docs/TELEGRAM_SETUP.md for setup and DM pairing.
Changing channel sources: Run ./channels-src/telegram/build.sh before cargo build so the updated WASM is bundled.

OpenClaw Heritage

IronClaw is a Rust reimplementation inspired by OpenClaw. See FEATURE_PARITY.md for the complete tracking matrix.

Key differences:

Rust vs TypeScript - Native performance, memory safety, single binary
WASM sandbox vs Docker - Lightweight, capability-based security
PostgreSQL vs SQLite - Production-ready persistence
Security-first design - Multiple defense layers, credential protection

License

Licensed under either of:

Apache License, Version 2.0 (LICENSE-APACHE)
MIT License (LICENSE-MIT)

at your option.