How the Transformer Creator Built a Secure Rust Reimplementation of OpenClaw

Problem Statement

OpenClaw can grant an AI agent unrestricted access to a host machine, exposing user credentials and data. An example given is granting OpenClaw access to an email account, which would transmit the bearer token to the LLM provider’s database, allowing potential leakage of all email contents and other sensitive information.

IronClaw Architecture

IronClaw is an open‑source runtime for AI agents written in Rust, designed with security as a primary goal. The codebase is intended to be clear, auditable, and suitable for enterprise deployment.

Core Components

Agent Loop – main task scheduler for agents

Router – user‑intent routing layer

Scheduler – parallel task dispatcher

Worker – executes models and tools

Orchestrator – manages containers, permissions, and LLM calls

Web Gateway – interaction entry point

Routines Engine – automation task engine

Workspace – long‑term memory and retrieval layer

Safety Layer – security safeguards

Security Enhancements

Replace direct filesystem access with a database and enforce explicit data‑usage policies.

Load dynamic tools via WebAssembly (WASM) in isolated sandboxes, preventing arbitrary host‑code execution.

Encrypt all credentials; credentials never reach the LLM or logs, and each credential carries a policy that validates its intended target.

Introduce heuristic prompt‑injection defenses, with plans to add continuously updated small models for detection.

Store memory in a database using hybrid BM25 and vector search, virtualizing file access and isolating it from the OS.

Heartbeats and Routines provide periodic summaries, aimed at regular users rather than only developers familiar with cron.

Support multiple communication channels (Web, CLI, Telegram, Slack, WhatsApp, Discord) with additional channels planned.

Future Enhancements

User‑defined behavior policies that agents must satisfy before acting.

Immutable audit logs to trace failures and provide tamper‑evident records.

Example of Credential Leakage Mitigation

In the OpenClaw scenario, an email bearer token would be sent to the LLM provider and stored in their database. IronClaw mitigates this by encrypting the token at rest, never exposing it to the LLM, and executing any skill that needs the token inside a sandboxed container.

Project Resources

GitHub repository: https://github.com/nearai/ironclaw

Reddit AMA (original post): https://www.reddit.com/r/MachineLearning/comments/1rlnwsk/d_ama_secure_version_of_openclaw/