ZeroClaw is designed with security in mind, featuring a Rust-based memory-safe codebase, optional sandboxing, and strict access controls. Harden network exposure, API key management, and deployment configurations before production use.
- Bind to localhost: The gateway binds to 127.0.0.1 by default and refuses to bind to 0.0.0.0 without a tunnel
- Front external access with an authenticated reverse proxy and HTTPS
- Do not expose admin or metrics endpoints publicly without authentication
- Apply request limits and logging on reverse proxy routes
- Use firewall rules to restrict access to trusted networks only
- Tunnel required: The gateway refuses a public bind without an active tunnel
2) Protect API keys and secrets
- API keys are encrypted with a local key file (`~/.zeroclaw/.secret_key`)
- Never commit API keys to version control or hardcode in configuration files
- Use Ansible Vault or similar for encrypted secret storage in automation
- Rotate API keys periodically and after any suspected compromise
- Limit filesystem permissions on configuration files to the service account
- Store API keys using environment variables or secret management solutions
3) Enable sandboxing (Linux only)
ZeroClaw supports optional seccomp-bpf sandboxing for additional isolation:
zeroclaw --sandbox
Notes:
- Adds 1-2 ms to startup time
- Linux-only feature
- Restricts system calls available to the runtime
- Run ZeroClaw as a non-root user or service account
- Use Docker security options:
  - Read-only root filesystem (`read_only: true`)
  - Dropped capabilities (`cap_drop: ALL`)
  - Limited capabilities (`cap_add: NET_BIND_SERVICE`)
  - No new privileges (`security_opt: no-new-privileges:true`)
  - tmpfs for temporary files
- Enable resource limits to prevent denial-of-service conditions:
  - CPU limits (e.g., 1.0 cores)
  - Memory limits (e.g., 256M)
- Monitor logs for unusual activity or errors
- Keep the application updated with security patches
- Expose Prometheus metrics only on internal networks
- Use structured JSON logging for easier security analysis
- Set appropriate log levels (info for production, debug for troubleshooting)
- Implement log rotation to prevent disk exhaustion
- workspace_only = true by default; 14 system dirs + 4 sensitive dotfiles blocked
- Define explicit allowlists for tools and actions
- Scope workspace access to minimum required directories
- Review and audit custom skills before deployment
- Use pair mode for sensitive operations requiring approval
- Deny-by-default: Empty channel allowlist = deny all inbound
- Configure user/member ID allowlists for each channel
- Telegram: Operator-approval flow for bot interactions
- Discord/Slack: User ID allowlists required
- Mattermost: API v4 with user ID allowlists
- Matrix: E2EE support available for encrypted communications
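
An added example, not part of the ZeroClaw documentation or code base: a Python check that audits trimmed `docker inspect` output against the container settings listed earlier (non-root user, read-only root filesystem, dropped capabilities, no-new-privileges, tmpfs, CPU and memory limits, loopback-only port publishing). The container names, port 8080 and the sample JSON are constructed for illustration.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two hypothetical
# containers (names and port 8080 are assumptions, not ZeroClaw defaults).
SAMPLE = json.loads("""[
 {"Name": "/zeroclaw-hardened", "Config": {"User": "1000:1000"},
  "HostConfig": {"ReadonlyRootfs": true, "CapDrop": ["ALL"],
   "CapAdd": ["NET_BIND_SERVICE"], "SecurityOpt": ["no-new-privileges:true"],
   "Tmpfs": {"/tmp": ""}, "Memory": 268435456, "NanoCpus": 1000000000,
   "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]}}},
 {"Name": "/zeroclaw-default", "Config": {"User": ""},
  "HostConfig": {"ReadonlyRootfs": false, "CapDrop": null, "CapAdd": null,
   "SecurityOpt": null, "Memory": 0, "NanoCpus": 0,
   "PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8080"}]}}}
]""")

def caps(host_config, key):
    """Capability names, upper-cased, with any CAP_ prefix stripped."""
    names = (c.upper() for c in host_config.get(key) or [])
    return {n[4:] if n.startswith("CAP_") else n for n in names}

def audit(container):
    """Return hardening findings for one `docker inspect` object."""
    hc = container.get("HostConfig") or {}
    user = ((container.get("Config") or {}).get("User") or "").split(":")[0]
    opts = hc.get("SecurityOpt") or []
    checks = [  # (condition that signals a gap, finding text)
        (user in ("", "0", "root"), "runs as root"),
        (not hc.get("ReadonlyRootfs"), "root filesystem is writable"),
        ("ALL" not in caps(hc, "CapDrop"), "cap_drop: ALL not set"),
        (bool(caps(hc, "CapAdd") - {"NET_BIND_SERVICE"}), "extra capabilities added"),
        (not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts),
         "no-new-privileges not set"),
        (not hc.get("Tmpfs"), "no tmpfs mount"),
        (not hc.get("Memory"), "no memory limit"),
        (not (hc.get("NanoCpus") or hc.get("CpuQuota")), "no CPU limit"),
    ]
    findings = [msg for failed, msg in checks if failed]
    for port, binds in (hc.get("PortBindings") or {}).items():
        for bind in binds or []:
            if bind.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(f"{port} published on all interfaces")
    return findings

def audit_all(containers):
    return {c["Name"].lstrip("/"): audit(c) for c in containers}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

To audit a live deployment, pass the parsed JSON from `docker inspect <container>` to `audit_all` in place of `SAMPLE`.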
8) Pairing and authentication
- 6-digit one-time code required on startup for pairing
- Bearer token required for `/webhook` endpoint
- Pairing mode ensures explicit approval before agent operates
| Feature | Implementation |
| --- | --- |
| Memory Safety | Compile-time guarantees via Rust ownership model |
| Unsafe Code | Under 1% of codebase, confined to FFI boundaries |
| Sandboxing | Optional seccomp-bpf (Linux only), Docker runtime isolation |
| Gateway Binding | Binds 127.0.0.1 by default; refuses 0.0.0.0 without tunnel |
| Pairing | 6-digit one-time code on startup; bearer token for /webhook |
| Filesystem Scoping | workspace_only = true by default; 14 system dirs + 4 sensitive dotfiles blocked |
| Channel Allowlists | Deny-by-default; empty allowlist = deny all inbound |
| Encrypted Secrets | API keys encrypted with local key file (~/.zeroclaw/.secret_key) |
| Symlink Escape Detection | Canonicalization + resolved-path workspace checks |
| Null Byte Injection | Blocked at input validation layer |
| Skill Security Audit | Built-in static audit blocks symlinks, scripts, unsafe patterns |
| CVEs | Zero documented CVEs as of latest release (v0.1.7) |
| Binary Type | Static binary with no runtime dependencies |
- ZeroClaw source repository: https://github.com/zeroclaw-labs/zeroclaw
- Official website: https://zeroclawlabs.ai
- Security advisories: https://github.com/zeroclaw-labs/zeroclaw/security
- Critical Security Notice (2026-02-19): Beware of impersonation from openagen/zeroclaw, zeroclaw.org, zeroclaw.net