Skip to content

Instantly share code, notes, and snippets.

@initcron

initcron/claw_code.txt

Created April 7, 2026 11:32
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save initcron/11fcb451d6b2971cabd9cf0024d160a4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save initcron/11fcb451d6b2971cabd9cf0024d160a4 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
claw_code.txt
Security & Enterprise-Readiness Report: Claw Code
Subject: claw-code (ultraworkers/claw-code, Rust, v0.1.0)
Comparators: IronClaw, OpenClaw, ZeroClaw
Hermes: Not present in this experiments/ workspace — excluded from comparison.
Date: 2026-04-07
---
TL;DR — Is Claw Code safe?
Short answer: Not for enterprise use, and not for handling sensitive data on macOS or Windows.
Claw Code is a young (v0.1.0), well-architected Rust agent harness with a strong permission-mode design and memory-safe foundations, but it has three critical security gaps that the other
three projects in this family have already addressed:
1. Plaintext credential storage — OAuth tokens and API keys are saved as plaintext JSON in ~/.claw/settings.json. No OS keychain, no encryption at rest.
2. Sandboxing only works on Linux — On macOS and Windows there is zero process isolation. The LLM-driven shell runs with full user privileges.
3. No audit log — Tool executions, bash invocations, and permission decisions are not recorded to any persistent audit trail.
Of the four projects, the security ranking is unambiguous:
┌──────┬───────────┬────────────────────────────────────────────────────────────────────────────────────┐
│ Rank │ Project │ Safety Verdict │
├──────┼───────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ 1 │ IronClaw │ Production-ready single-user, defense-in-depth, encrypted secrets, sandboxed tools │
├──────┼───────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ 2 │ ZeroClaw │ Strong cryptographic foundations, secure-by-default, but pre-1.0 │
├──────┼───────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ 3 │ OpenClaw │ Mature ops tooling, strong approval system, but host-execution by default │
├──────┼───────────┼────────────────────────────────────────────────────────────────────────────────────┤
│ 4 │ Claw Code │ Strong permission model, but plaintext secrets, Linux-only sandbox, no audit log │
└──────┴───────────┴────────────────────────────────────────────────────────────────────────────────────┘
---
1. Sandboxing & Process Isolation
┌──────────┬────────────────────────────────────────────────────────────┬──────────────────────────┬─────────────────────────────────┬───────────────────────┬─────────────────────────┐
│ Project │ Mechanism │ Default │ Cross-Platform │ Network Isolation │ Verdict │
├──────────┼────────────────────────────────────────────────────────────┼──────────────────────────┼─────────────────────────────────┼───────────────────────┼─────────────────────────┤
│ Claw │ Linux namespaces (unshare --user/mount/ipc/pid/uts) │ WorkspaceOnly │ Linux only — silent no-op on │ Opt-in │ Weak │
│ Code │ │ │ macOS/Windows │ │ │
├──────────┼────────────────────────────────────────────────────────────┼──────────────────────────┼─────────────────────────────────┼───────────────────────┼─────────────────────────┤
│ IronClaw │ WASM (Wasmtime) + Docker (defense-in-depth) + HTTP proxy │ ReadOnly │ All platforms (Docker) │ Per-container, │ Strong │
│ │ with domain allowlist │ │ │ allowlisted │ │
├──────────┼────────────────────────────────────────────────────────────┼──────────────────────────┼─────────────────────────────────┼───────────────────────┼─────────────────────────┤
│ ZeroClaw │ Docker, Firejail, Bubblewrap, Linux Landlock LSM, optional │ Multiple backends │ Linux primary, Docker for │ Yes (--network none) │ Adequate→Strong │
│ │ WASM │ auto-detected │ portability │ │ │
├──────────┼────────────────────────────────────────────────────────────┼──────────────────────────┼─────────────────────────────────┼───────────────────────┼─────────────────────────┤
│ OpenClaw │ Docker / SSH remote sandbox │ mode = "off" (host │ Docker on all platforms │ Docker network mode │ Adequate │
│ │ │ execution) │ │ │ (config-dependent) │
└──────────┴────────────────────────────────────────────────────────────┴──────────────────────────┴─────────────────────────────────┴───────────────────────┴─────────────────────────┘
Key finding for Claw Code:
The sandbox at rust/crates/runtime/src/sandbox.rs (385 LOC) is well-coded for Linux but has explicit fallback documented at lines 216-217: macOS and Windows operators get no isolation at
all. The Containerfile is a 14-line dev container with no hardening (no CAP_DROP, no read-only rootfs, no user restriction).
Compare with IronClaw's src/tools/wasm/ which puts every tool inside Wasmtime with fuel limits, memory caps, and credential injection at the host boundary — the WASM module never sees
plaintext secrets.
---
2. Secrets Management — The Biggest Gap
┌──────────┬──────────────────────────────────────────┬────────────┬──────────────────────────────────────────────┬────────────────────────────────────┬───────────────────────────────┐
│ Project │ Storage at Rest │ Encryption │ OS Keychain │ Secret Redaction │ Leak Detection │
├──────────┼──────────────────────────────────────────┼────────────┼──────────────────────────────────────────────┼────────────────────────────────────┼───────────────────────────────┤
│ Claw │ Plaintext JSON at ~/.claw/settings.json │ None │ None │ Bearer headers redacted in logs │ None in LLM context │
│ Code │ │ │ │ only │ │
├──────────┼──────────────────────────────────────────┼────────────┼──────────────────────────────────────────────┼────────────────────────────────────┼───────────────────────────────┤
│ IronClaw │ AES-256-GCM with HKDF-SHA256, per-secret │ Yes │ macOS Keychain, Linux Secret Service │ Aho-Corasick + regex two-point │ Yes — │
│ │ salts │ │ (security-framework, secret-service) │ scanning (request + response) │ src/safety/leak_detector.rs │
├──────────┼──────────────────────────────────────────┼────────────┼──────────────────────────────────────────────┼────────────────────────────────────┼───────────────────────────────┤
│ ZeroClaw │ ChaCha20-Poly1305 AEAD, key at │ Yes │ No (file-based with strict perms) │ Yes, with first-4-char preview │ Pattern-based │
│ │ ~/.zeroclaw/.secret_key (0600) │ │ │ │ │
├──────────┼──────────────────────────────────────────┼────────────┼──────────────────────────────────────────────┼────────────────────────────────────┼───────────────────────────────┤
│ OpenClaw │ Plaintext JSON at │ None │ None │ 18+ patterns, constant-time secret │ detect-secrets baseline in CI │
│ │ ~/.openclaw/credentials/ │ │ │ comparison │ │
└──────────┴──────────────────────────────────────────┴────────────┴──────────────────────────────────────────────┴────────────────────────────────────┴───────────────────────────────┘
This is where Claw Code is weakest. The OAuth flow at runtime/src/oauth.rs writes access_token, refresh_token, expires_at, and scopes to disk in plaintext. Anyone with file access (another
user, a malicious npm/cargo postinstall, malware, a stolen laptop without FDE) gets your Anthropic credentials.
IronClaw is the gold standard here: secrets are encrypted with AES-256-GCM, the master key lives in the macOS Keychain or Linux Secret Service, and the WASM credential injector decrypts on
demand and injects directly into HTTP headers — the tool code itself never sees the plaintext. ZeroClaw uses ChaCha20-Poly1305 with backward-compatible migration from a legacy XOR scheme
(enc: → enc2: prefixes).
---
3. PII & Privacy
┌──────────┬────────────────────────────────────────────┬──────────────────────────┬──────────────────────────────────────────────────┬────────────────────────────────────────────────┐
│ Project │ Session Storage │ PII Detection │ Telemetry │ Local-Only Mode │
├──────────┼────────────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ Claw │ .claw/sessions/*.jsonl plaintext, no TTL │ None │ Telemetry crate exists but undocumented; status │ Possible via ANTHROPIC_BASE_URL (Ollama, │
│ Code │ │ │ unclear │ OpenRouter) │
├──────────┼────────────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ IronClaw │ Local PostgreSQL or libSQL/Turso, │ None (user │ No telemetry │ Yes — by design │
│ │ configurable │ responsibility) │ │ │
├──────────┼────────────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ ZeroClaw │ Local audit logs │ None │ Opt-in only (NoopObserver default) │ Yes │
├──────────┼────────────────────────────────────────────┼──────────────────────────┼──────────────────────────────────────────────────┼────────────────────────────────────────────────┤
│ OpenClaw │ Local sessions in ~/.openclaw/ │ Redaction in logging │ No built-in telemetry │ Yes — loopback by default │
│ │ │ only │ │ │
└──────────┴────────────────────────────────────────────┴──────────────────────────┴──────────────────────────────────────────────────┴────────────────────────────────────────────────┘
Claw Code implication: Your full conversation history — including any code, secrets, or sensitive prompts you've entered — is sitting in unencrypted JSONL files under .claw/sessions/. No
expiration, no encryption, no purge command.
---
4. Tool Permissions & Approval
This is the area where Claw Code is strongest, and is genuinely competitive with the other projects.
┌──────────┬────────────────────────────────────────────────────────────────────┬────────────────────────────────────────┬──────────────────────────────────────────────────────────────┐
│ Project │ Permission Model │ Approval Flow │ Bash Safety │
├──────────┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ Claw │ 5 modes: ReadOnly, WorkspaceWrite, DangerFullAccess, Prompt, Allow │ Interactive prompt mode │ 48-command read-only whitelist heuristic — incomplete (perl │
│ Code │ + per-tool rules │ │ -e 'system(...)' bypasses it) │
├──────────┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ IronClaw │ ApprovalRequirement::{Required,Optional,Never} per tool, │ Required for shell/HTTP │ NEVER_AUTO_APPROVE_PATTERNS: rm -rf, shutdown, git push │
│ │ never-auto-approve patterns │ │ --force, etc. │
├──────────┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ ZeroClaw │ AutonomyLevel: ReadOnly/Supervised/Full + per-action approval flag │ Quote-aware command parser, │ Detects pipes, separators, env assignments, escapes │
│ │ │ risk-graded (Low/Medium/High) │ │
├──────────┼────────────────────────────────────────────────────────────────────┼────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ OpenClaw │ 5 modes: deny/allowlist/full × off/on-miss/always + safe-bin │ SHA256-bound approvals with file │ shell: false hardcoded (src/process/exec.ts:86-97) — refuses │
│ │ profiles │ integrity check │ to spawn via shell │
└──────────┴────────────────────────────────────────────────────────────────────┴────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘
Claw Code's permission intent is good (runtime/src/permissions.rs, 684 LOC, 270+ tests) but the enforcement has two real flaws:
- Workspace boundary uses string starts_with() (permission_enforcer.rs:143-156) — /workspace would match /workspacex, and symlinks aren't canonicalized.
- Read-only bash heuristic is a whitelist — anything not in the 48-command list, or anything using a shell metacharacter the regex doesn't catch, falls through.
OpenClaw's hardcoded shell: false (refusing to use cmd.exe//bin/sh interpolation entirely) and IronClaw's Command::new("sh").args(["-c", cmd]) with environment scrubbing are both safer
execution patterns.
---
5. Audit Logging — The Second Biggest Gap
┌──────────┬─────────────────────────────────────────────────────────────────┬───────────────────┬───────────────────────────────┬─────────────────────────────────────────────────────┐
│ Project │ Audit Log │ Integrity │ SIEM/Syslog │ What's Recorded │
│ │ │ Protection │ │ │
├──────────┼─────────────────────────────────────────────────────────────────┼───────────────────┼───────────────────────────────┼─────────────────────────────────────────────────────┤
│ Claw │ None │ N/A │ N/A │ Conversation JSONL only — no structured │
│ Code │ │ │ │ tool/permission events │
├──────────┼─────────────────────────────────────────────────────────────────┼───────────────────┼───────────────────────────────┼─────────────────────────────────────────────────────┤
│ IronClaw │ DB-backed (src/history/store.rs, 71 KB) │ None on logs │ Tracing JSON formatter │ Tool calls, LLM completions, jobs, costs │
├──────────┼─────────────────────────────────────────────────────────────────┼───────────────────┼───────────────────────────────┼─────────────────────────────────────────────────────┤
│ ZeroClaw │ Structured AuditEvent (UUID, timestamp, actor, action, result, │ None │ Prometheus + OpenTelemetry │ CommandExecution, FileAccess, ConfigChange, Auth, │
│ │ security context) │ │ exporters │ PolicyViolation │
├──────────┼─────────────────────────────────────────────────────────────────┼───────────────────┼───────────────────────────────┼─────────────────────────────────────────────────────┤
│ OpenClaw │ Control-plane audit + general logs (500MB rotation, 24h │ None │ Local file only │ Config changes with actor (clientIp, deviceId, │
│ │ retention) │ │ │ connId) │
└──────────┴─────────────────────────────────────────────────────────────────┴───────────────────┴───────────────────────────────┴─────────────────────────────────────────────────────┘
Claw Code has no audit log at all. Search across all 63K LOC turns up nothing recording tool invocations, permission decisions, or failed commands. For any compliance scenario (SOC2,
ISO27001, HIPAA, internal incident response) this is disqualifying.
---
6. Authentication & Multi-User
All four projects are single-user by design — none of them are multi-tenant safe. But the auth mechanisms differ:
┌──────────┬───────────────────────────────────────────────────────────────────────────────────────────┬───────────────────────────────────┬────────────────────────────────────────────┐
│ Project │ Auth │ Multi-Tenancy │ Notes │
├──────────┼───────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────┤
│ Claw │ OAuth PKCE + API key, per-worktree sessions │ No │ Reasonable PKCE flow at │
│ Code │ │ │ runtime/src/oauth.rs │
├──────────┼───────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────┤
│ IronClaw │ Bearer token (subtle::ConstantTimeEq), per-job ephemeral 32-byte tokens │ No │ Tailscale-compatible │
├──────────┼───────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────┤
│ ZeroClaw │ One-time pairing code → SHA-256-hashed bearer token, brute-force protection (5 attempts / │ No │ Best brute-force defenses of the four │
│ │ 5 min lockout) │ │ │
├──────────┼───────────────────────────────────────────────────────────────────────────────────────────┼───────────────────────────────────┼────────────────────────────────────────────┤
│ OpenClaw │ none/token/password/trusted-proxy + 2-role RBAC (operator/node), per-IP rate limit │ Explicitly non-goal │ Tailscale trusted-proxy mode for │
│ │ │ (SECURITY.md:120) │ per-device auth │
└──────────┴───────────────────────────────────────────────────────────────────────────────────────────┴───────────────────────────────────┴────────────────────────────────────────────┘
---
7. Supply Chain & Code Provenance
┌──────────┬───────────────┬──────────────┬──────────────────────────────────────────────┬──────────────────────────────────────────────────────┬──────────────────────────────────────┐
│ Project │ Lockfile │ SBOM │ Signed Releases │ Dep Audit │ unsafe Policy │
├──────────┼───────────────┼──────────────┼──────────────────────────────────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ Claw │ Cargo.lock │ No │ No │ None configured │ forbid(unsafe_code) workspace-wide │
│ Code │ │ │ │ │ │
├──────────┼───────────────┼──────────────┼──────────────────────────────────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ IronClaw │ Cargo.lock │ No │ SHA256 checksums in release manifests, WASM │ Compile checks only │ Confined unsafe in OS/FFI paths │
│ │ │ │ artifacts pre-signed │ │ │
├──────────┼───────────────┼──────────────┼──────────────────────────────────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ ZeroClaw │ Cargo.lock │ Yes (Syft, │ Reproducible build CI workflow │ cargo-deny + RUSTSEC + Gitleaks + CodeQL weekly │ forbid(unsafe_code) + tracked │
│ │ (v4) │ in CI) │ │ │ exception policy │
├──────────┼───────────────┼──────────────┼──────────────────────────────────────────────┼──────────────────────────────────────────────────────┼──────────────────────────────────────┤
│ OpenClaw │ pnpm-lock │ No │ No │ detect-secrets, 120-day min release age, Node 22.16+ │ TypeScript, no eval, shell: false │
│ │ │ │ │ enforced (CVE pinned) │ │
└──────────┴───────────────┴──────────────┴──────────────────────────────────────────────┴──────────────────────────────────────────────────────┴──────────────────────────────────────┘
ZeroClaw has by far the best supply chain hygiene — deny.toml enumerates accepted advisories with rationale, sec-audit.yml runs RUSTSEC + cargo-deny + Gitleaks + a custom unsafe-debt audit,
and there's a reproducible-build CI workflow.
Claw Code's only supply chain wins are forbid(unsafe_code) and using rustls instead of OpenSSL — both good defaults, but no scanning, no SBOM, no signed releases, no auto-update
verification.
---
8. Threat Model Honesty
┌───────────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Project │ Documented Threat Model │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ Claw Code │ Implicit only — ROADMAP mentions "trust prompt resolver" and "MCP lifecycle hardening" as future phases. Acknowledges security gaps obliquely. │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ IronClaw │ Explicit src/NETWORK_SECURITY.md with named open findings (F-2…F-8), severities, and mitigations │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ ZeroClaw │ Explicit SECURITY.md lines 165-190: enumerates path traversal, command injection, workspace escape, runaway usage │
├───────────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┤
│ OpenClaw │ Explicit SECURITY.md with in-scope and out-of-scope threats, trust boundaries, deployment assumptions │
└───────────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────┘
This matters: of the four, Claw Code is the only one whose docs don't honestly describe what it does and doesn't defend against. The other three all explicitly state "we are single-user,
here is our trust boundary, here are the known gaps." Claw Code leaves you to infer that.
---
9. Enterprise Readiness Scorecard
┌────────────────────────────┬────────────────────┬──────────────────┬──────────────────────┬────────────────────┐
│ Capability │ Claw Code │ IronClaw │ ZeroClaw │ OpenClaw │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Maturity (version) │ v0.1.0, alpha │ v0.18.0, beta/RC │ v0.1.7, pre-1.0 │ 2026.3.24, early │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Documented threat model │ ❌ │ ✅ │ ✅ │ ✅ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Encrypted secrets at rest │ ❌ │ ✅ AES-256-GCM │ ✅ ChaCha20-Poly1305 │ ❌ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ OS keychain integration │ ❌ │ ✅ │ ❌ │ ❌ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Cross-platform sandbox │ ❌ Linux only │ ✅ Docker+WASM │ ⚠️ Docker │ ⚠️ Docker (opt-in) │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Audit log │ ❌ │ ✅ │ ✅ │ ⚠️ Logs only │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Permission/approval system │ ✅ Strong design │ ✅ │ ✅ │ ✅ Best-in-class │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Memory-safe language │ ✅ Rust, no unsafe │ ✅ Rust │ ✅ Rust, no unsafe │ ✅ TypeScript │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Supply chain scanning │ ❌ │ ⚠️ │ ✅ │ ⚠️ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ SBOM │ ❌ │ ❌ │ ✅ │ ❌ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Signed releases │ ❌ │ ⚠️ SHA256 only │ ⚠️ │ ❌ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ Multi-tenant / SSO / RBAC │ ❌ │ ❌ │ ❌ │ ❌ │
├────────────────────────────┼────────────────────┼──────────────────┼──────────────────────┼────────────────────┤
│ On-prem / air-gap story │ ⚠️ Manual │ ✅ Self-host DB │ ✅ Single binary │ ✅ Local-first │
└────────────────────────────┴────────────────────┴──────────────────┴──────────────────────┴────────────────────┘
---
10. Concrete Recommendations
If you must use Claw Code today
1. Run it only on Linux — the sandbox is meaningless on macOS/Windows.
2. Set permission mode to Prompt — never Allow or DangerFullAccess.
3. Use a dedicated low-privilege OS user with no access to other secrets/credentials on the machine.
4. Use chmod 600 ~/.claw/settings.json and put it on an encrypted filesystem (FileVault/LUKS).
5. Use a dedicated Anthropic API key with the lowest possible quota — assume it will be leaked.
6. Don't feed it production secrets, customer data, or PII — sessions are stored in plaintext indefinitely.
7. Run inside a Docker container as your real isolation layer, since the built-in Containerfile is unhardened.
If you have the choice — pick something else
- Want production-ready security with the best defense-in-depth? → IronClaw. Encrypted secrets in OS keychain, WASM+Docker dual sandbox, leak detection, declared threat model, signed WASM
artifacts.
- Want the cleanest security-by-default Rust core? → ZeroClaw. ChaCha20-Poly1305 secrets, Landlock + WASM + Docker, cargo-deny + CodeQL + SBOM + reproducible builds, forbid(unsafe_code).
- Want the most mature operator tooling and approval UX? → OpenClaw. The 5-mode exec approval system with SHA256 file binding, shell: false hardcoded refusal, and openclaw security audit
--deep are best-in-class — but you must explicitly enable sandboxing because host execution is the default.
---
Final Verdict on Claw Code
Claw Code is an early-stage developer tool, not a secure agent platform. The architectural foundations (Rust, forbid(unsafe_code), modular crates, well-tested permission enforcer) are sound
and the project is clearly capable of getting where it needs to go — its own ROADMAP acknowledges that hardening is planned. But as it ships today (v0.1.0):
- It does not safely sandbox tool execution outside Linux.
- It does not secure your API credentials or OAuth tokens at rest.
- It does not protect personal information in conversation history.
- It does not produce an audit trail you could show a compliance team.
For an enterprise environment, or any context where the host machine handles sensitive data, Claw Code is not safe. Use IronClaw if you need a single-user agent with real security, or
ZeroClaw if you want the leanest Rust runtime with strong cryptographic foundations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment