McClawd
Defense-in-depth Rust agent platform. A security-first reimagining of the Claude Code / OpenClaw agent framework with sandboxing, isolated secrets, and full audit trails.
Key metrics
Architecture
Defense-in-depth design isolates agent, tools, and secrets across multiple trust boundaries. Every task runs in an ephemeral sandbox with egress allowlists, encrypted secret vaults, and provenance tracking captured to a tamper-evident audit log.
Case study
McClawd
OpenClaw secure clone — defense-in-depth agent platform for hardened LLM tool execution.
What if Claude Code's agent framework didn't trust tools with secrets or unrestricted filesystem access? McClawd is the answer to that question, written in Rust and built for environments where the threat model includes prompt injection, secret exfiltration, and tools running code you didn't write.
Vanilla agent frameworks run tools in-process with soft guardrails. McClawd starts with zero-trust: every task gets its own ephemeral sandbox, MCP tool servers run inside that sandbox (never on the host), and secrets are mounted as encrypted files that only the sandbox can read. Defense-in-depth across identity, container isolation, egress gating, DLP hooks, audit, and provenance — composable as a chainable middleware so you can add your own scanners without forking.
Highlights
- Rust-native, single-binary deployment with Docker Compose
- Ephemeral per-task containers with egress allowlists
- Pluggable security hooks (
SecurityHooktrait) for DLP, audit, and taint tracking - Encrypted secret vaults with AES-256-GCM-SIV; secrets never reach LLM context
- Per-session channel isolation prevents context leakage between users (Telegram, Discord, Slack, Email connectors all included)
- Tamper-evident audit log with full call lineage from agent → task → tool → result
Architecture (high level)
McClawd is structured as a Rust workspace of focused crates: a core agent loop, a swarm orchestrator for multi-agent workflows, a tool registry that fronts MCP servers, a channel layer for chat-based interfaces, a task manager for sandbox lifecycle, and an HTTP API for the control plane. Each connector (Telegram, Discord, Slack, Email) is its own crate so you only ship what you need.
Status
v0.12.0. 13 Rust workspace crates. ~110,000 lines of Rust. 618 test functions. 16-page React UI for control + observability. Phase 0 complete with security review and code-quality audit; production-ready core, with Phase 1 (full DLP scanning, SPIRE identity) in progress.