Your AI agent. Hardened.
CovertClaw is a security-first fork of OpenClaw — a self-hosted personal AI assistant that routes messages through LLMs across messaging platforms.
OpenClaw has 355K GitHub stars but ships with no authentication, plaintext API key storage, a fail-open sandbox, and an actively compromised skills marketplace. CovertClaw fixes all of that and adds a full intelligence layer on top.
| OpenClaw | CovertClaw | |
|---|---|---|
| Gateway auth | None (default) | Required (auto-generated 256-bit token, 0600 perms) |
| API key storage | Plaintext JSON | AES-256-GCM encrypted (scrypt KDF) |
| Sandbox behavior | Fail-open | Fail-closed |
| Skills marketplace | Enabled (1,184 malicious skills found) | Disabled (5-point lockdown, allowlist-only) |
| System events | Spoofable from any channel | HMAC-SHA256 signed |
| Config writes | Truncation bug (#64385) | Atomic writes + backup recovery |
| Extensions | 130+ (massive attack surface) | 16 core (audited) |
| CI security | CodeQL manual-only | Every PR + dependency audit + CSP check |
| Tool permissions | None | Denylist/allowlist gate |
| Content filtering | None | 9-pattern prompt injection sanitizer |
| Credential leak detection | None | 15-pattern scanner, auto-redact outbound |
| Session importance | None | HIGH/MEDIUM/LOW scorer (audit prioritization) |
| Container isolation | None | Docker ephemeral sandbox for tool execution |
| Browser sandboxing | None | Playwright in Docker (SSRF-protected) |
| Semantic memory | None | Vector embeddings via Ollama |
| Context compaction | None | Importance-scored message retention |
| Multi-agent routing | Single model | Per-channel model routing + fallback chains |
| Active memory | None | QMD/SQLite persistent recall |
| Audit trail | None | Persistent JSONL audit log |
CovertClaw implements security at both the OS/container level and the application level.
Layer 1 — OS / Container Isolation
- Docker ephemeral sandbox: Tool execution runs in isolated containers (
node:22-slim) with--read-only,--cap-drop ALL,--pids-limit 64,--network none, and--memory 512m. Containers are destroyed after every execution regardless of outcome. Falls back gracefully when Docker is unavailable. - Sandboxed browser: Web browsing uses Playwright inside a Docker container (
mcr.microsoft.com/playwright). SSRF protection blocks all private/internal IPs includinglocalhost, RFC-1918 ranges,169.254.169.254(AWS metadata), and.local/.internalhostnames. - Fail-closed sandbox: If the sandbox runtime cannot be confirmed available, execution is denied — never silently falls through to host.
Layer 2 — Application
- Mandatory gateway auth: All gateway connections require a 256-bit token, auto-generated on first run and stored at
~/.covertclaw/gateway.tokenwith0600permissions. - AES-256-GCM encrypted secrets: API keys and credentials are stored encrypted using AES-256-GCM with scrypt KDF. Encrypt via
covertclaw encrypt-secrets. - HMAC-signed system events: Internal system events are signed with HMAC-SHA256 to prevent spoofing from channel messages.
- Skills marketplace lockdown (5-point): Marketplace disabled by default, local allowlist required, signature verification enforced, install logging mandatory, network fetch blocked for unverified skills.
- Tool permission gate: Configurable denylist and allowlist for all tool calls. Every access decision is written to the audit log.
- Content sanitizer: 9 prompt injection patterns detected and neutralized on inbound messages — covers
[INST],<<SYS>>,[SYSTEM], "ignore all previous instructions", "you are now a/an", and Llama/ChatML special tokens. - Credential leak detection: 15 patterns scan all outbound agent responses. Detected credentials are auto-redacted (first 4 chars preserved, remainder replaced with
***). Covers: OpenAI keys, Anthropic keys, GitHub PATs, Slack tokens/webhooks, AWS access/secret keys, Telegram tokens, PEM private keys, PGP private keys, database URLs, JWTs, bearer tokens, password assignments. - Session importance scorer: Lightweight heuristic scorer (no LLM call required) classifies every message as HIGH, MEDIUM, or LOW. HIGH = credential/secret patterns. MEDIUM = code blocks, stack traces, structured data. Used for audit prioritization and future auto-archiving.
- Persistent JSONL audit trail: Every security decision — tool access, injection detection, credential leak, sandbox execution — appended to a persistent audit log.
- Atomic config writes with backup recovery: Config file updates use atomic temp-file-and-rename to prevent corruption. A backup is kept for recovery. Fixes OpenClaw issue #64385.
- CI security gates: CodeQL analysis runs on every PR. Dependency audit on every PR. CSP check in CI.
- Semantic memory search: Vector embeddings via Ollama (
nomic-embed-text). Messages stored with cosine-similarity search. Future path:sqlite-vecfor persistent vector storage. - Context compaction: When a conversation exceeds a token budget, LOW-importance messages are removed first, then MEDIUM. System messages, the first message, and the last N messages are always protected. A compaction notice is injected when messages are dropped.
- Multi-agent routing: Different AI models can be assigned per channel or session. Per-agent model configuration supported.
- Model fallback chains: If the primary model fails, fallback models are tried in sequence (e.g., Qwen as a local fallback).
- Active memory (QMD/SQLite): Persistent recall across sessions backed by SQLite.
- Cron scheduling: Jobs can be scheduled with cron syntax for recurring agent tasks.
Telegram, Discord, Slack, Signal, Matrix, WhatsApp, IRC, iMessage, WebChat
OpenAI, Anthropic, Google, Ollama (local), OpenRouter
- Security Assistant: Persona skill tuned for security-aware responses.
- Secure Coder: Persona skill for security-conscious code review and generation.
- 53 total skills in the audited skills directory.
git clone https://github.com/c0vertbyte/covertclaw.git
cd covertclaw
docker compose up -dOn first run, CovertClaw generates a gateway token:
[CovertClaw] Gateway token written to: ~/.covertclaw/gateway.token
Use that token to authenticate all gateway connections.
Requirements: Node.js >= 22.14, pnpm >= 10.x
git clone https://github.com/c0vertbyte/covertclaw.git
cd covertclaw
pnpm install
pnpm run build
node covertclaw.mjs gatewaynode covertclaw.mjs encrypt-secretsThis encrypts all plaintext credentials in ~/.covertclaw/config.json using AES-256-GCM. Prompts for a passphrase; stores derived key via scrypt KDF.
In ~/.covertclaw/config.json:
{
"tools": {
"denylist": ["exec", "shell", "delete_file"],
"allowlist": null
}
}Set allowlist to an array to switch to allowlist mode (only listed tools are permitted).
{
"sandbox": {
"enabled": true,
"image": "node:22-slim",
"memoryLimit": "512m",
"cpuLimit": "1.0",
"timeout": 30,
"networkMode": "none"
}
}Requires Ollama running locally with nomic-embed-text pulled:
ollama pull nomic-embed-textConfigure in ~/.covertclaw/config.json:
{
"memory": {
"semantic": {
"enabled": true,
"ollamaBaseUrl": "http://localhost:11434"
}
}
}{
"agents": [
{
"name": "telegram-agent",
"channel": "telegram",
"model": "gpt-4o",
"fallback": ["gpt-4o-mini", "ollama/qwen2.5"]
},
{
"name": "discord-agent",
"channel": "discord",
"model": "claude-opus-4"
}
]
}CovertClaw implements defense-in-depth across two layers:
All tool execution and browser activity runs inside ephemeral Docker containers. Containers have no network access (tool sandbox), read-only root filesystems, all Linux capabilities dropped, and a strict PID limit. They are destroyed after each use regardless of outcome.
The browser sandbox adds SSRF protection at the application layer — private IP ranges are blocked before a container is even spawned.
The application layer covers authentication (256-bit gateway token), encryption (AES-256-GCM secrets), message integrity (HMAC-signed system events), content filtering (9-pattern injection sanitizer), outbound scanning (15-pattern credential leak detector), tool access control (denylist/allowlist gate), and a full audit trail.
The session importance scorer acts as a meta-layer: it continuously classifies session content so that high-value sessions (those containing credentials, private keys, or sensitive code) surface first in the audit log and are protected during context compaction.
CovertClaw inherits OpenClaw's one-user trusted-operator model. A single gateway instance is designed for one trusted operator. Multi-tenant or adversarial-user deployments require separate gateway instances and separate OS users. See SECURITY.md for the full threat model.
CovertClaw ships a comprehensive test suite covering all security components:
- 15 CovertClaw-specific test files covering the full security layer
- 163 tests across the security module (tier-b integration suite + unit tests)
- 61 test files in
src/security/covering audit, crypto, sandbox, browser, leak detection, content sanitization, token handling, HMAC events, context compaction, semantic memory, and session importance - End-to-end integration test (
test/security-integration.test.ts) validates the full chain
Run the security test suite:
pnpm vitest run src/security/tier-b.test.ts
pnpm vitest run test/security-integration.test.tsMIT — inherited from OpenClaw.
Built by c0vertbyte. Forked from openclaw/openclaw v2026.4.11.