The secure, open-source operating system for AI agents
Quick Start β’ Building β’ Why RustyClaw β’ Features β’ Security β’ Architecture
RustyClaw is an agentic AI operating system β a complete runtime for deploying, orchestrating, and securing AI agents. It provides everything agents need: tools, memory, isolation, scheduling, multi-agent coordination, and secure credential management.
Think of it as Linux for AI agents: a stable, secure foundation that handles the hard infrastructure problems so you can focus on what your agents actually do.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β YOUR AI AGENTS β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β Tools β Memory β Channels β Sessions β Scheduling β
β (30+) β (files, β (Signal, β (spawn, β (cron, β
β β search) β Matrix) β steer) β heartbeat) β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β SECURITY & ISOLATION LAYER β
β PromptGuard Β· LeakDetector Β· Sandbox Β· Encrypted Vault Β· SSRF β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β RUSTYCLAW RUNTIME (Rust) β
β ~15MB RAM Β· <50ms startup Β· Single binary β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
AI agents are powerful but risky. They can be tricked into leaking secrets, executing malicious commands, or exfiltrating data. RustyClaw is built with the assumption that agents can't always be trusted.
| Defense Layer | What It Does |
|---|---|
| PromptGuard | Detects prompt injection attacks (system override, role confusion, jailbreaks) |
| LeakDetector | Blocks credential exfiltration via API keys, tokens, SSH keys in outputs |
| Sandbox Isolation | Bubblewrap (Linux), Landlock (5.13+), sandbox-exec (macOS) |
| SSRF Protection | Blocks requests to private IPs, metadata endpoints |
| Encrypted Vault | AES-256 secrets with optional TOTP 2FA |
| HTTP Request Scanning | Validates URLs, headers, and bodies before outbound requests |
No other agent framework in the ecosystem has this level of built-in security. Most have zero prompt injection defense.
| Metric | RustyClaw | OpenClaw (Node.js) | Python Agents |
|---|---|---|---|
| Memory | ~15 MB | ~150 MB | ~100+ MB |
| Startup | <50 ms | ~500 ms | ~1s+ |
| Binary | ~8 MB | ~200 MB (w/ node) | N/A |
| Dependencies | 0 (single binary) | node_modules | venv |
Run on a $10 Raspberry Pi or a $500/month cloud instance. Same binary.
Connect to any LLM provider without code changes:
- Anthropic (Claude Opus, Sonnet, Haiku)
- OpenAI (GPT-4o, o1, o3)
- Google (Gemini Pro, Ultra)
- GitHub Copilot (with subscription)
- xAI (Grok)
- Ollama (local models)
- OpenRouter (200+ models)
- Any OpenAI-compatible endpoint
Spawn sub-agents, steer them mid-task, coordinate across sessions:
// Spawn a research agent
let research = spawn_agent("Summarize the latest papers on RLHF", AgentConfig {
model: "claude-sonnet",
timeout: Duration::minutes(10),
..default()
});
// Spawn a coding agent in parallel
let coder = spawn_agent("Implement the algorithm from the research", AgentConfig {
model: "gpt-4o",
..default()
});
// Steer mid-execution
research.steer("Focus specifically on Constitutional AI approaches");Install RustyClaw plus all supporting tools (uv, Ollama, Node.js, Exo):
# From a clone
git clone https://github.com/rexlunae/RustyClaw.git && cd RustyClaw
./scripts/setup.sh
# Or pick components
./scripts/setup.sh --skip exo # skip exo
./scripts/setup.sh --only rust rustyclaw # just Rust + RustyClawcargo install rustyclawOr download a pre-built binary from Releases.
rustyclaw onboardThis interactive wizard sets up:
- API key for your preferred provider
- Encrypted secrets vault
- Workspace directory
- Messaging via Beeper (WhatsApp, Telegram, Signal, Discord, Slack, iMessage, and more)
- Recommended skills from ClawHub
# Interactive terminal UI
rustyclaw tui
# Or run as a daemon for integrations
rustyclaw gateway startRustyClaw uses skills for messaging rather than compiled-in integrations. This means:
- β No recompilation to add new platforms
- β Single skill handles 15+ platforms
- β Privacy-preserving local API
The recommended approach uses Beeper + the claw-me-maybe skill:
# 1. Install Beeper Desktop: https://www.beeper.com/download
# 2. Enable Desktop API in Beeper Settings β Developers
# 3. Install the skill:
clawhub install claw-me-maybeSupported platforms: WhatsApp, Telegram, Signal, Discord, Slack, iMessage, Instagram, LinkedIn, Facebook Messenger, Google Messages, Google Chat, X (Twitter) DMs
The rustyclaw onboard wizard walks you through this setup step-by-step.
RustyClaw is organized as a Cargo workspace with three crates:
| Crate | Path | Description |
|---|---|---|
| rustyclaw-core | crates/rustyclaw-core/ |
Core library β config, gateway, tools, secrets, providers |
| rustyclaw-cli | crates/rustyclaw-cli/ |
CLI binaries (rustyclaw and rustyclaw-gateway) |
| rustyclaw-tui | crates/rustyclaw-tui/ |
Terminal UI client (ratatui) |
- Rust 1.85+ (Edition 2024)
- OpenSSL development headers (vendored by default)
# macOS β no extra deps needed (uses vendored OpenSSL)
# Ubuntu / Debian
sudo apt install build-essential pkg-config
# Fedora / RHEL
sudo dnf install gcc openssl-develgit clone https://github.com/rexlunae/RustyClaw.git
cd RustyClaw
# Debug build (fast compile, all crates)
cargo build --workspace
# Release build (optimized, ~11 MB binary with LTO)
cargo build --releaseBinaries are produced at:
target/release/rustyclawβ main CLI + TUItarget/release/rustyclaw-gatewayβ standalone gateway daemon
Features are split across the workspace crates:
rustyclaw-cli (binary crate):
| Feature | Description | Default |
|---|---|---|
tui |
Terminal UI (ratatui + crossterm) | β |
rustyclaw-core (library crate):
| Feature | Description | Default |
|---|---|---|
web-tools |
HTML parsing via scraper + html2md | β |
matrix |
Matrix messenger support | |
browser |
CDP browser automation (chromiumoxide) | |
full |
web-tools + matrix + browser | |
signal |
Signal messenger (source-only, see below) |
# Default (TUI + web tools)
cargo build --release
# Headless gateway only (no TUI)
cargo build --release -p rustyclaw-cli --no-default-features
# With Matrix support
cargo build --release --features rustyclaw-core/matrix
# Everything enabled
cargo build --release --features rustyclaw-core/full
# Build only the core library
cargo check -p rustyclaw-core
# Build only the TUI client
cargo check -p rustyclaw-tui# All workspace tests
cargo test --workspace
# Core library tests only
cargo test -p rustyclaw-core
# TUI client tests only
cargo test -p rustyclaw-tuiBuild a headless gateway for ARM using cross:
cargo install cross --git https://github.com/cross-rs/cross
# 64-bit (Pi 3/4/5)
cross build --release --target aarch64-unknown-linux-gnu \
-p rustyclaw-cli --no-default-features
# 32-bit (Pi 2/3)
cross build --release --target armv7-unknown-linux-gnueabihf \
-p rustyclaw-cli --no-default-featuresSignal requires git-only dependencies not on crates.io. See BUILDING.md for detailed instructions on enabling Signal support.
Everything an agent needs to be useful:
| Category | Tools |
|---|---|
| Files | read_file, write_file, edit_file, list_directory, search_files |
| Execution | execute_command, process, apply_patch |
| Web | web_fetch, web_search, browser |
| Memory | memory_search, memory_get |
| Scheduling | cron, heartbeat system |
| Multi-Agent | sessions_spawn, sessions_send, sessions_steer |
| Secrets | secrets_list, secrets_get, secrets_store |
| Devices | canvas, nodes, tts |
Extend capabilities with skills β markdown files that teach agents new abilities:
---
name: github
description: GitHub operations via gh CLI
requires:
bins: [gh]
env: [GITHUB_TOKEN]
---
# GitHub Skill
You can use the `gh` CLI to manage issues, PRs, and repos...Skills support dependency gating: if requirements aren't met, the agent sees what's missing and can try to install it.
Browse community skills at ClawHub.
Connect agents to the platforms where work happens:
- Signal (secure messaging)
- Matrix (federated chat)
- Telegram (bot API)
- Discord (bot API)
- Slack (with app tokens)
- WhatsApp (QR code pairing)
- HTTP webhooks (custom integrations)
Two-layer memory system for long-running agents:
- MEMORY.md β Long-term facts (LLM-curated)
- HISTORY.md β Grep-searchable event log
Memory consolidation runs automatically, keeping context windows manageable while preserving important information.
Built-in cron system for recurring tasks:
{
"schedule": { "kind": "cron", "expr": "0 9 * * MON" },
"payload": {
"kind": "agentTurn",
"message": "Check email and summarize anything urgent"
}
}Heartbeat system for proactive monitoring without explicit schedules.
RustyClaw's security model is documented in detail:
- SECURITY.md β Full security architecture
- DEPLOYMENT.md β Production deployment guide
- SANDBOX.md β Sandbox configuration
- CLIENT_SPEC.md β WebSocket protocol for custom clients
User Input
β
βΌ
βββββββββββββββββ
β InputValidatorβ βββ Length, encoding, padding attacks
βββββββββ¬ββββββββ
β
βΌ
βββββββββββββββββ
β PromptGuard β βββ 6 injection categories, configurable sensitivity
βββββββββ¬ββββββββ
β
βΌ
βββββββββββββββββ
β Agent β βββ Sandboxed execution
βββββββββ¬ββββββββ
β
βΌ
βββββββββββββββββ
β LeakDetector β βββ Blocks secrets in outputs/requests
βββββββββ¬ββββββββ
β
βΌ
βββββββββββββββββ
β SSRF Validatorβ βββ Blocks private IPs, metadata endpoints
βββββββββββββββββ
API keys, tokens, and credentials are stored encrypted:
- AES-256-GCM encryption
- Optional TOTP 2FA for vault access
- Per-credential access policies (Always, WithApproval, WithAuth, SkillOnly)
- Agent tools cannot read the vault directory
RustyClaw follows a trait-driven architecture β core systems are pluggable:
// Swap providers without changing agent code
trait LlmProvider {
async fn chat(&self, messages: &[Message]) -> Response;
}
// Swap channels without changing agent code
trait Channel {
async fn receive(&self) -> InboundMessage;
async fn send(&self, msg: OutboundMessage);
}
// Swap runtimes for different isolation levels
trait RuntimeAdapter {
async fn execute(&self, command: Command) -> Output;
}RustyClaw/
βββ Cargo.toml # Workspace root
βββ crates/
β βββ rustyclaw-core/ # Core library (config, gateway, tools, secrets, providers)
β βββ rustyclaw-cli/ # CLI binaries (rustyclaw + rustyclaw-gateway)
β βββ rustyclaw-tui/ # Terminal UI client (ratatui)
βββ docs/ # Architecture, security, and client spec docs
βββ tests/ # Integration and E2E tests
βββ website/ # Project website and install scripts
| Component | Crate | Responsibility |
|---|---|---|
| Gateway | core | Daemon process, WebSocket protocol, session management |
| Agent Loop | core | LLM calls, tool execution, context management |
| Tool Registry | core | 30+ tools with dynamic registration and validation |
| Session Manager | core | Multi-agent coordination, history, spawn/steer |
| Security Layer | core | PromptGuard, LeakDetector, SSRF, sandbox |
| Secrets Vault | core | AES-256 encrypted credential storage, access policies |
| Terminal UI | tui | Interactive chat, tool approval, config management |
| CLI | cli | Command-line entry point, onboarding wizard |
| Feature | RustyClaw | OpenClaw | ZeroClaw | nanobot |
|---|---|---|---|---|
| Language | Rust | TypeScript | Rust | Python |
| Memory | ~15 MB | ~150 MB | <5 MB | ~100 MB |
| Startup | <50 ms | ~500 ms | <10 ms | ~1s |
| PromptGuard | β | β | β | β |
| LeakDetector | β | β | β | β |
| Encrypted Vault | β | External | β | β |
| Multi-Agent | β | β | β | β |
| Skills | β | β | β | β |
We welcome contributions! See CONTRIBUTING.md for guidelines.
Key areas we're focused on:
- Security hardening β More detection patterns, sandbox improvements
- New channels β iMessage, Teams, Zulip
- Performance β Even lower memory, faster startup
- Skills ecosystem β More community skills
MIT License. See LICENSE.
RustyClaw builds on ideas from:
- OpenClaw β The original agentic AI assistant
- IronClaw β Security patterns and HTTP scanning
- nanobot β Memory consolidation and progressive skill loading
- ZeroClaw β RuntimeAdapter and observability patterns
Built with π¦ by the RustyClaw community
