HighClaw

High performance. Built for speed and reliability. 100% Go. 100% Agnostic.
⚡️ HighClaw keeps full feature coverage with an independent Go implementation.

Fast, small, and fully autonomous AI assistant infrastructure — deploy anywhere, swap anything.

Go binary · modular traits · 22+ providers · pluggable channels/tools/memory · production-ready gateway

✨ Features

• 🏎️ High Performance: Optimized Go runtime with low-overhead startup and stable long-running execution.
• 💰 Low Deployment Cost: Single binary deployment for edge devices, VMs, and cloud hosts.
• 🚀 Deployment Efficiency Advantage: No Node/Python runtime bootstrap required; install + start in minutes.
• ⚡ Operationally Reliable: Strong defaults for gateway auth, memory persistence, and channel safety.
• 🌍 True Portability: Cross-platform binaries for macOS, Linux, and Windows (amd64/arm64).

Connect Your AI to Any Messaging Platform

HighClaw turns your AI assistant into a multi-channel gateway — one binary connects to 12+ messaging platforms with rich text, images, and interactive responses. No separate adapters, no microservices, no glue code.

Platform	Protocol	Rich Text	Images	Status
Telegram	Bot API (polling)	Markdown	Yes	Production
Discord	Gateway WebSocket	Markdown	Yes	Production
Slack	Events API	mrkdwn	Yes	Production
WhatsApp	Cloud API (webhook)	Plain	Yes	Production
Feishu / Lark	WebSocket	Rich text	Yes	Production
WeCom	Callback API	Markdown	Yes	Production
WeChat	MP API	Plain	Yes	Beta
iMessage	AppleScript bridge	Plain	No	Beta
Matrix	Client-Server API	HTML	Yes	Beta
Webhook	HTTP POST	JSON	Yes	Production
IRC	IRC protocol	Plain	No	Beta
Signal	signal-cli bridge	Plain	Yes	Planned

Key differentiators:

• Hot-reload — add or remove channels without restarting the gateway.
• Per-sender sessions — each user gets isolated conversation history across channels.
• Bind authentication — secure one-time code pairing for private bots.
• Unified API — same AI capabilities regardless of which channel the user connects from.

Why teams pick HighClaw

• Lean by default: small Go binary, fast startup, low memory footprint.
• Gateway optional: CLI/TUI works standalone — no server process, no listening port, zero service overhead. Start the gateway only when you need channels or API access.
• Secure by design: pairing, strict sandboxing, explicit allowlists, workspace scoping.
• Fully swappable: core systems are traits (providers, channels, tools, memory, tunnels).
• No lock-in: OpenAI-compatible provider support + pluggable custom endpoints.

Dual-Mode Architecture — Gateway is Optional

Unlike most agent frameworks that require a running server, HighClaw separates the agent core from the gateway service. The agent runs fully standalone — no HTTP server, no background process, no port binding.

┌─────────────────────────────────────────────────────────────┐
│                    HighClaw Dual-Mode                        │
├──────────────────────────┬──────────────────────────────────┤
│   CLI / TUI Mode         │   Gateway Mode                   │
│   (No server needed)     │   (Service process)              │
├──────────────────────────┼──────────────────────────────────┤
│ highclaw agent -m "..."  │ highclaw gateway                 │
│ highclaw agent           │                                  │
│ highclaw tui             │ Feishu / Telegram / Discord      │
│ highclaw memory search   │ HTTP API / WebSocket             │
│ highclaw sessions list   │ Pairing authentication           │
│ highclaw config set ...  │ Channel hot-reload               │
│ highclaw tasks list      │ Multi-channel message routing    │
├──────────────────────────┼──────────────────────────────────┤
│ ✅ Direct LLM calls      │ ✅ Webhook / long-connection     │
│ ✅ Local memory & session│ ✅ Bearer token security          │
│ ✅ Zero network overhead │ ✅ Multi-user channel access      │
│ ✅ No port, no process   │ ✅ Rate limiting & audit log      │
└──────────────────────────┴──────────────────────────────────┘

CLI Mode — the agent loads config, initializes provider and memory, calls the LLM API directly, and exits. No daemon, no port, no background process. Ideal for terminal-centric workflows: coding assistance, quick Q&A, scripting automation.

Gateway Mode — starts an HTTP/WebSocket server for external channel integrations (Feishu, Telegram, Discord, etc.), REST API access, and multi-user routing. Adds pairing authentication, rate limiting, and channel management.

This means: if you only use HighClaw from the terminal, you never need to run highclaw gateway. The agent works as a pure CLI tool with the same capabilities — memory, sessions, tools, and multi-turn conversations — all without a server process.

HighClaw vs OpenClaw

1) Positioning and Goals

Dimension	HighClaw	OpenClaw
Core Position	High-performance, self-hosted, single-binary-first AI assistant infrastructure (Go implementation)	Feature-rich personal AI assistant platform (Node/TS ecosystem)
Goal	Keep feature coverage while improving stability, deployment efficiency, and secure defaults	Deliver a complete user experience with broad ecosystem integrations
Typical Scenarios	Backend services, edge devices, low-resource hosts, long-running daemons	Desktop-first use, frontend-centric workflows, deep Node ecosystem integration

You can think of HighClaw as an engineering-focused Go runtime in the Claw ecosystem: deployable, operable, and extensible.

2) Tech Stack and Runtime Shape

Dimension	HighClaw	OpenClaw
Main Language	Go	TypeScript (Node.js)
Runtime	Native binary	Node.js runtime
Execution Form	Single binary + config.yaml	Node runtime + JS/TS artifacts
Dependency Model	Go modules + minimal system dependencies	Heavier npm ecosystem dependency chain
Delivery	make build / make release for multi-platform artifacts	Usually depends on Node environment and package workflows

3) Resource Efficiency and Operations

Metric	HighClaw	OpenClaw
Deployment Complexity	Low (single-file-first)	Medium (Node + dependencies required)
Multi-platform Release	Built-in make release (linux/darwin/windows, amd64/arm64)	Depends on Node build and packaging toolchain
Secure Defaults	Pairing auth, rate limit, workspace scope, command allowlist	Similar security possible, but default path differs
Ops Controllability	More backend-observability and daemon-oriented	More application-layer feature oriented

Core Positioning (Conclusion)

• HighClaw is not a reduced OpenClaw clone; it is an independent Go engineering implementation.
• In the Claw ecosystem, HighClaw focuses on high-performance deployment, backend stability, low-resource operation, and secure defaults.
• If your priority is delivery and operations of AI assistant infrastructure, HighClaw is the better fit.

Quick Start

git clone https://github.com/903174293/highclaw.git
cd highclaw
make build
make install

# Quick setup (no prompts)
highclaw onboard --api-key sk-... --provider openrouter

# Or interactive wizard
highclaw onboard --interactive

# Or quickly repair channels/allowlists only
highclaw onboard --channels-only

# Chat
highclaw agent -m "Hello, HighClaw!"

# Interactive mode
highclaw agent

# Start the gateway (webhook server)
highclaw gateway                # default: 127.0.0.1:8080
highclaw gateway --port 0       # random port (security hardened)

# Start full autonomous runtime
highclaw daemon

# Check status
highclaw status

# Run system diagnostics
highclaw doctor

# Check channel health
highclaw channel doctor

# Get integration setup details
highclaw integrations info Telegram

# Manage background service
highclaw service install
highclaw service status

# Migrate memory from OpenClaw (safe preview first)
highclaw migrate openclaw --dry-run
highclaw migrate openclaw

Dev fallback (no global install): run make build then use ./dist/highclaw directly (example: ./dist/highclaw status).

Session Management — Unified Multi-Session Engine

HighClaw implements a unified local session store (~/.highclaw/sessions) shared by CLI, TUI, and all channels. Every conversation is tracked, persisted, and switchable — giving you full control over multi-task workflows.

Core Capabilities

Feature	Description
Auto-create	Every highclaw agent -m "..." creates a new session automatically
Multi-turn resume	highclaw agent -m "..." --session <key> resumes an existing session with full history
TUI integration	TUI sidebar shows all sessions from CLI and TUI, with live switching
Session persistence	All sessions saved as JSON files in ~/.highclaw/sessions/
Auto-cleanup	sessions prune removes stale sessions (default: 30 days, max 500)
Channel binding	External channels (Telegram/Discord/etc.) bind to sessions via routing
Memory association	Every memory entry tagged with session_key for per-session recall

Session Key Format

agent:{agentId}:{sessionName}

Examples:

• agent:main:cli-1234567890 — CLI one-shot session
• agent:main:session-42601 — TUI interactive session
• agent:main:main — Default session for external channels

CLI Commands

# Send a single message (creates new session)
highclaw agent -m "Hello!"

# Resume an existing session (multi-turn)
highclaw agent -m "Continue our topic" --session agent:main:cli-1234567890

# Session management
highclaw sessions list                    # List all sessions
highclaw sessions get <key>               # Show session details (JSON)
highclaw sessions current                 # Show current active session
highclaw sessions switch <key>            # Switch active session
highclaw sessions reset <key>             # Clear message history
highclaw sessions delete <key>            # Delete a session permanently

# Session cleanup
highclaw sessions prune                   # Clean up stale sessions (default: 30d / 500 max)
highclaw sessions prune --max-age 7       # Prune sessions idle > 7 days
highclaw sessions prune --max-count 100   # Cap at 100 sessions

# External channel bindings
highclaw sessions bindings                # List all bindings
highclaw sessions bind <ch> <conv> <key>  # Bind channel conversation to session
highclaw sessions unbind <ch> <conv>      # Remove binding

External Channels — DM Scope Routing (Inspired by OpenClaw)

HighClaw implements 4-level DM Scope for per-sender session isolation, matching OpenClaw's industry-leading design:

dmScope	Session Key Format	Use Case
main	agent:main:main	All DMs share one session (legacy mode)
per-peer	agent:main:direct:<peerId>	Each user gets own session, merged across channels
per-channel-peer	agent:main:<channel>:direct:<peerId>	Each user/channel pair isolated (recommended)
per-account-channel-peer	agent:main:<channel>:<accountId>:direct:<peerId>	Full isolation for multi-bot setups

Group/Channel messages are always routed by group ID:

agent:main:<channel>:<peerKind>:<groupId>

Configuration (~/.highclaw/config.yaml):

session:
  scope: per-sender         # 全局启用 per-sender 路由
  dmScope: per-channel-peer # DM 隔离级别
  mainKey: main             # 主会话名
  identityLinks:            # 跨渠道身份合并
    alice:
      - telegram:alice_tg
      - whatsapp:+1234567890

Explicit Binding Override — CLI/TUI keep explicit session switching support:

highclaw sessions bind telegram 123456789 agent:main:custom-session
highclaw sessions unbind telegram 123456789
highclaw sessions bindings

TUI Key Actions

Key	Action
Tab	Switch focus between sidebar and input
↑ / ↓	Navigate session list
Enter	Send message (input) / Open session (sidebar)
Ctrl+N	Create a new session
Ctrl+L	Clear current view
Ctrl+R	Reload session list
Ctrl+C	Quit

Slash Commands (In-Chat Session Control)

When chatting through any channel (Feishu, Telegram, Discord, etc.) or TUI, type these slash commands directly in the conversation to manage sessions and agent context on the fly:

Command	Description
/new or /reset	Start a fresh session — clears history, keeps model and thinking level
/session <key>	Switch to a specific session by key
/sessions	List all sessions for the current agent (sorted by last active)
/agent <id>	Switch to a different agent and reset session context
/model [provider/model]	View or override the model for the current session
/think [level]	View or set thinking level (off / low / medium / high / max)
/help or /commands	Show all available slash commands

Examples (in Feishu / Telegram / TUI chat):

/new                          # Start a new conversation
/sessions                     # See all sessions, pick one to resume
/session agent:main:main      # Switch back to the default session
/agent Code-Agent             # Switch to Code-Agent
/model minimax/MiniMax-M2.5   # Override model for this session
/think high                   # Enable deep thinking

Quick Verification

# Create two sessions
highclaw agent -m "first message"
highclaw agent -m "second message"

# Resume the first session
highclaw sessions list
highclaw agent -m "continue first topic" --session <first-session-key>

# Open TUI and see all sessions in sidebar
highclaw tui

You should see at least two CLI sessions in the TUI sidebar, with the first having 2 turns of conversation.

Deployment Playbook (Windows / Ubuntu / CentOS / macOS)

macOS (Intel/Apple Silicon)

git clone https://github.com/903174293/highclaw.git
cd highclaw
make build
./dist/highclaw onboard
./dist/highclaw gateway

Ubuntu (20.04/22.04/24.04)

sudo apt-get update
sudo apt-get install -y make golang-go
git clone https://github.com/903174293/highclaw.git
cd highclaw
make build
sudo make install
highclaw onboard
highclaw daemon

CentOS / RHEL / Rocky

sudo yum install -y make golang git
git clone https://github.com/903174293/highclaw.git
cd highclaw
make build
sudo make install
highclaw onboard
highclaw daemon

Windows (PowerShell)

git clone https://github.com/903174293/highclaw.git
cd highclaw
make build
.\dist\highclaw.exe onboard
.\dist\highclaw.exe gateway

Note: Windows requires GNU Make (install via choco install make or use MSYS2/WSL).

Why deployment is a product advantage

• Single Go binary delivery minimizes environment drift.
• Fast cold-start and low memory footprint improve edge/server density.
• Same command surface across platforms reduces ops friction.

Multi-Agent Architecture

HighClaw supports a full multi-agent runtime with agent-to-agent (A2A) communication, sub-task delegation, and flexible message routing. Key capabilities:

• Agent Registry — Define multiple agents with independent models, prompts, tools, and workspaces.
• Message Routing — 8-level priority routing binds incoming messages to agents by channel, account, peer, guild, and role.
• Sub-agent Spawn — Agents can delegate tasks to other agents via agent_spawn tool with concurrency control.
• Announce Queue — 6 modes for result delivery: direct, followup, collect, steer, steer-backlog, interrupt.
• Group Chat Strategies — Mention-based activation, broadcast groups, per-sender tool permissions, and group gating.
• Session Isolation — Each agent gets independent session keys and workspace directories.
• Announce Stats — Token usage, cost, and duration tracked per sub-agent task.

See docs/multi-agent-guide.md for the full multi-agent operations manual and docs/heartbeat-guide.md for the heartbeat usage guide.

Architecture

Every subsystem is a trait — swap implementations with a config change, zero code changes.

Subsystem	Trait	Ships with	Extend
AI Models	Provider	22+ providers (OpenRouter, Anthropic, OpenAI, Ollama, Venice, Groq, Mistral, xAI, DeepSeek, Together, Fireworks, Perplexity, Cohere, Bedrock, etc.)	custom:https://your-api.com — any OpenAI-compatible API
Channels	Channel	CLI, Telegram, Discord, Slack, iMessage, Matrix, WhatsApp, Webhook	Any messaging API
Memory	Memory	SQLite with hybrid search (FTS5 + vector cosine similarity), Markdown	Any persistence backend
Tools	Tool	shell, file_read, file_write, memory_store, memory_recall, memory_forget, browser_open (Brave + allowlist), composio (optional)	Any capability
Observability	Observer	Noop, Log, Multi	Prometheus, OTel
Runtime	RuntimeAdapter	Native, Docker (sandboxed)	WASM (planned; unsupported kinds fail fast)
Security	SecurityPolicy	Gateway pairing, sandbox, allowlists, rate limits, filesystem scoping, encrypted secrets	—
Identity	IdentityConfig	OpenClaw (markdown), AIEOS v1.1 (JSON)	Any identity format
Tunnel	Tunnel	None, Cloudflare, Tailscale, ngrok, Custom	Any tunnel binary
Heartbeat	Engine	HEARTBEAT.md periodic tasks	—
Skills	Loader	TOML manifests + SKILL.md instructions	Community skill packs
Integrations	Registry	50+ integrations across 9 categories	Plugin system

Runtime support (current)

• ✅ Supported today: runtime.kind = "native" or runtime.kind = "docker"
• 🚧 Planned, not implemented yet: WASM / edge runtimes

When an unsupported runtime.kind is configured, HighClaw now exits with a clear error instead of silently falling back to native.

Memory System — Industry-Leading Full-Stack Search Engine

Zero external dependencies. No Pinecone. No Elasticsearch. No LangChain. No Redis. Everything runs inside a single SQLite file.

HighClaw ships with one of the most complete memory systems in the open-source AI agent space. Most agent frameworks delegate memory to cloud vector databases or heavyweight search engines — HighClaw implements the entire pipeline natively in Go, with zero network dependencies for core memory operations.

Architecture

Performance — modernc.org/sqlite In-Process Engine

HighClaw uses modernc.org/sqlite — a pure Go translation of SQLite, running in-process with zero CGO and zero system dependencies. This delivers 30–60x performance improvement over the previous os/exec CLI approach, while maintaining perfect cross-compilation support.

Approach	Latency per Operation	Relative Speed	Trade-off
os/exec → sqlite3 CLI (old)	5,000,000–15,000,000 ns (5–15ms)	1x (baseline)	Process fork overhead per query
modernc.org/sqlite (current)	20,000–250,000 ns (20–250μs)	30–60x faster	Pure Go, zero deps
CGO mattn/sqlite3 (C native)	10,000–100,000 ns (10–100μs)	60–150x	Requires gcc/clang, breaks cross-compile

os/exec (old)      ████████████████████████████████████████████████████  5~15ms
modernc (current)  █                                                    20~250μs
CGO (C native)     ▌                                                    10~100μs

Why modernc.org/sqlite over CGO?

Dimension	modernc.org/sqlite	CGO mattn/sqlite3
Performance gap	Only 1–2.5x slower	Baseline
Cross-compilation	✅ Works everywhere	❌ Needs C cross-compile toolchain
Build dependencies	✅ Zero (pure Go)	❌ Requires gcc/clang
Single binary	✅ Guaranteed	⚠️ Dynamic linking or static compile
CI/CD complexity	✅ Minimal	❌ Matrix builds per platform

Conclusion: modernc.org/sqlite delivers the best cost-performance ratio — only 1–2.5x slower than raw C, but with zero engineering overhead.

Full-Stack Capabilities

Layer	Implementation	Why it matters
Hybrid Search	FTS5 keyword (BM25) + vector cosine similarity, weighted merge	Better recall than keyword-only or vector-only — catches both exact terms and semantic meaning
FTS5 content= Mode	Zero-redundancy FTS5 with 3 auto-sync triggers (INSERT/DELETE/UPDATE)	Index stays in sync without duplicating data — same approach as ZeroClaw
BM25 Normalization	Raw BM25 scores normalized to [0,1] range	Consistent scoring across different query lengths and document sizes
CJK Fallback	FTS5 → LIKE auto-fallback for Chinese/Japanese/Korean	Most FTS engines silently fail on CJK; HighClaw handles it transparently
Vector DB	Embeddings stored as BLOB in SQLite, computed cosine similarity	No external vector database needed — zero infra cost
Embedding Provider	OpenAI-compatible API, custom URL, or noop	Works offline (noop), or plug any embedding service
Batch Embedding	embedBatch() API — 100 texts per API call	50–100x faster reindexing; reduces API round-trips dramatically
Embedding Cache	SQLite embedding_cache table with LRU eviction (default: 10,000 entries)	Avoids redundant API calls, saves cost and latency
Keyword Search	FTS5 virtual tables with BM25 scoring	Fast, battle-tested full-text search built into SQLite
Markdown Chunker	Heading-aware document splitter with configurable token limits	Preserves document structure, respects heading boundaries
Memory Hygiene	Auto-archive (7d), auto-purge (30d), conversation retention pruning, 12h throttle	Self-maintaining — no manual cleanup needed
Safe Reindex	Rebuild FTS5 + batch re-embed missing vectors atomically	Zero downtime index rebuilds via highclaw memory sync
Session-Aware	Every memory entry tagged with session_key, channel, sender	Cross-session recall with per-session isolation when needed
Dual Backend	SQLite (full-featured) + Markdown (append-only, human-readable)	Choose power or simplicity; none falls back to Markdown safely
Parameterized Queries	database/sql with ? placeholders throughout	SQL injection eliminated; WAL mode + busy_timeout for concurrency
CLI Access	memory search / get / list / status / sync / reset	Full memory inspection without code — debug and verify in seconds

Comparison with ZeroClaw Memory System

Capability	HighClaw (Go)	ZeroClaw (Rust)	Winner
SQLite backend (in-process)	✅ modernc.org/sqlite	✅ rusqlite	Tie
FTS5 + content= + triggers	✅	✅	Tie
Vector search + cosine similarity	✅	✅	Tie
Hybrid merge (weighted fusion)	✅	✅	Tie
Batch embedding API	✅ 100/batch	❌ One-by-one	HighClaw
CJK auto-fallback	✅ FTS5 → LIKE	❌	HighClaw
Session-aware storage	✅ Full implementation	⚠️ Field exists, unused	HighClaw
Complete CLI memory ops	✅ 6 commands	⚠️ Limited	HighClaw
Cross-compile (no C deps)	✅ Pure Go	❌ Needs C toolchain	HighClaw
Raw SQLite performance	20–250μs	10–100μs	ZeroClaw

Comparison with Other Agent Frameworks

Capability	HighClaw	LangChain	AutoGPT	CrewAI
Hybrid Search (keyword + vector)	✅ Native	❌ Requires Pinecone/Weaviate	❌	❌
Zero external dependencies	✅ Single SQLite file	❌ Requires vector DB service	❌ Requires Redis	❌ Requires ChromaDB
In-process SQLite (no CLI)	✅ modernc.org/sqlite	❌	❌	❌
CJK full-text search	✅ Auto-fallback	❌	❌	❌
Batch embedding API	✅ 100/batch	❌	❌	❌
Embedding cache with LRU	✅ Built-in	❌	❌	❌
Memory hygiene (auto-cleanup)	✅ Archive + Purge + Prune	❌ Manual	❌ Manual	❌
Session-aware memory	✅ Per-session tagging	❌	❌	❌
CLI memory inspection	✅ search/get/list/status/sync/reset	❌	❌	❌
Offline operation	✅ Works without network	❌	❌	❌
Single binary deployment	✅	❌	❌	❌
Parameterized queries (no SQL injection)	✅	N/A	N/A	N/A

Configuration

memory:
  backend: "sqlite"            # "sqlite" | "markdown" | "none"
  autoSave: true               # auto-save user/assistant messages
  hygieneEnabled: true          # auto archive + purge + prune
  archiveAfterDays: 7           # archive daily files after N days
  purgeAfterDays: 30            # purge archives after N days
  conversationRetentionDays: 30 # prune old conversation entries
  embeddingProvider: "openai"   # "none" | "openai" | "custom:https://..."
  embeddingModel: "text-embedding-3-small"
  embeddingDimensions: 1536
  vectorWeight: 0.7             # hybrid search: vector weight
  keywordWeight: 0.3            # hybrid search: keyword weight
  embeddingCacheSize: 10000     # LRU cache capacity
  chunkMaxTokens: 512           # markdown chunker token limit

Quick Demo

# Search memory (supports Chinese, English, mixed queries)
highclaw memory search "项目架构"
highclaw memory search "deployment strategy"

# Inspect a specific entry
highclaw memory get user_msg_abc123

# Paginated list with filters (SQLite backend)
highclaw memory list --category conversation --limit 10
highclaw memory list --since 2025-01-01T00:00:00Z --until 2025-02-01T00:00:00Z
highclaw memory list --sort -created_at --search "important"
highclaw memory list --limit 20 --offset 40   # Page 3

# Check memory health
highclaw memory status

# Rebuild search index
highclaw memory sync

Security

HighClaw enforces security at every layer — not just the sandbox. It passes all items from the community security checklist.

Security Checklist

#	Item	Status	How
1	Gateway not publicly exposed	✅	Binds 127.0.0.1 by default. Refuses 0.0.0.0 without tunnel or explicit allow_public_bind = true.
2	Pairing required	✅	6-digit one-time code on startup. Exchange via POST /pair for bearer token. All /webhook requests require Authorization: Bearer <token>.
3	Filesystem scoped (no /)	✅	workspace_only = true by default. 14 system dirs + 4 sensitive dotfiles blocked. Null byte injection blocked. Symlink escape detection via canonicalization + resolved-path workspace checks in file read/write tools.
4	Access via tunnel only	✅	Gateway refuses public bind without active tunnel. Supports Tailscale, Cloudflare, ngrok, or any custom tunnel.

Run your own nmap: nmap -p 1-65535 <your-host> — HighClaw binds to localhost only, so nothing is exposed unless you explicitly configure a tunnel.

Sandbox Policy (Workspace Scope)

By default, HighClaw restricts all file and shell operations to the workspace directory (~/.highclaw/workspace). This prevents accidental access to sensitive system paths like ~/Desktop, /etc, or ~/.ssh.

Default behavior: workspaceOnly: true (secure by default, matches ZeroClaw)

Configuration Methods

Method 1: Permanent configuration (recommended)

# Check current setting
highclaw config get autonomy.workspaceOnly
# Output: true

# Allow access to absolute paths (e.g., ~/Desktop)
highclaw config set autonomy.workspaceOnly false

# Restore restriction
highclaw config set autonomy.workspaceOnly true

Method 2: Temporary override (single command)

# Only affects this command, does not modify config file
highclaw agent -m "Organize desktop images" --no-sandbox

Method 3: Edit config file directly

# ~/.highclaw/config.yaml
autonomy:
  level: supervised
  workspaceOnly: false  # Allow access to absolute paths
  allowedCommands:      # Additional commands to allow (merged with defaults)
    - docker
    - kubectl
  forbiddenPaths:       # Always blocked even when workspaceOnly=false
    - /etc
    - /root

Behavior Summary

Setting	Behavior
workspaceOnly: true (default)	Operations restricted to workspace; absolute paths blocked
workspaceOnly: false	Allow access to absolute paths (e.g., ~/Desktop)
--no-sandbox flag	Temporary bypass for a single command

Approval Mechanism

For medium/high-risk commands, HighClaw uses a model self-approval mechanism (same as ZeroClaw):

• Shell tool accepts an approved: bool parameter
• When executing risky commands, the model must set "approved": true in the tool call
• If not set, the command returns an error, and the model retries with approval

This is not manual user approval — the AI model decides whether to approve based on context and risk assessment.

Channel allowlists (Telegram / Discord / Slack)

Inbound sender policy is now consistent:

• Empty allowlist = deny all inbound messages
• "*" = allow all (explicit opt-in)
• Otherwise = exact-match allowlist

This keeps accidental exposure low by default.

Recommended low-friction setup (secure + fast):

• Telegram: allowlist your own @username (without @) and/or your numeric Telegram user ID.
• Discord: allowlist your own Discord user ID.
• Slack: allowlist your own Slack member ID (usually starts with U).
• Use "*" only for temporary open testing.

If you're not sure which identity to use:

1. Start channels and send one message to your bot.
2. Read the warning log to see the exact sender identity.
3. Add that value to the allowlist and rerun channels-only setup.

If you hit authorization warnings in logs (for example: ignoring message from unauthorized user), rerun channel setup only:

highclaw onboard --channels-only

WhatsApp Business Cloud API Setup

WhatsApp uses Meta's Cloud API with webhooks (push-based, not polling):

1. Create a Meta Business App:

   • Go to developers.facebook.com
   • Create a new app → Select "Business" type
   • Add the "WhatsApp" product

2. Get your credentials:

   • Access Token: From WhatsApp → API Setup → Generate token (or create a System User for permanent tokens)
   • Phone Number ID: From WhatsApp → API Setup → Phone number ID
   • Verify Token: You define this (any random string) — Meta will send it back during webhook verification

3. Configure HighClaw:

   channels_config:
     whatsapp:
       access_token: "EAABx..."
       phone_number_id: "123456789012345"
       verify_token: "my-secret-verify-token"
       allowed_numbers:
         - "+1234567890" # E.164 format, or ["*"] for all

4. Start the gateway with a tunnel:

   highclaw gateway --port 8080

   WhatsApp requires HTTPS, so use a tunnel (ngrok, Cloudflare, Tailscale Funnel).

5. Configure Meta webhook:

   • In Meta Developer Console → WhatsApp → Configuration → Webhook
   • Callback URL: https://your-tunnel-url/whatsapp
   • Verify Token: Same as your verify_token in config
   • Subscribe to messages field

6. Test: Send a message to your WhatsApp Business number — HighClaw will respond via the LLM.

Configuration

Config: ~/.highclaw/config.yaml (created by onboard)

api_key: "sk-..."
default_provider: "openrouter"
default_model: "anthropic/claude-sonnet-4"
default_temperature: 0.7

memory:
  backend: "sqlite" # "sqlite", "markdown", "none"
  auto_save: true
  embedding_provider: "openai" # "openai", "noop"
  vector_weight: 0.7
  keyword_weight: 0.3

gateway:
  require_pairing: true
  allow_public_bind: false

autonomy:
  level: "supervised" # "readonly", "supervised", "full"
  workspace_only: true
  allowed_commands: ["git", "go", "make", "ls", "cat", "grep"]
  forbidden_paths: ["/etc", "/root", "/proc", "/sys", "~/.ssh", "~/.gnupg", "~/.aws"]

runtime:
  kind: "native" # "native" or "docker"
  docker:
    image: "alpine:3.20"
    network: "none"
    memory_limit_mb: 512
    cpu_limit: 1.0
    read_only_rootfs: true
    mount_workspace: true
    allowed_workspace_roots: []

heartbeat:
  enabled: false
  interval_minutes: 30

tunnel:
  provider: "none" # "none", "cloudflare", "tailscale", "ngrok", "custom"

secrets:
  encrypt: true

browser:
  enabled: false
  allowed_domains: ["docs.rs"]

composio:
  enabled: false

identity:
  format: "openclaw" # "openclaw" or "aieos"
# aieos_path: "identity.json"
# aieos_inline: '{"identity":{"names":{"first":"Nova"}}}'

Identity System (AIEOS Support)

HighClaw supports identity-agnostic AI personas through two formats:

OpenClaw (Default)

Traditional markdown files in your workspace:

• IDENTITY.md — Who the agent is
• SOUL.md — Core personality and values
• USER.md — Who the agent is helping
• AGENTS.md — Behavior guidelines

AIEOS (AI Entity Object Specification)

AIEOS is a standardization framework for portable AI identity. HighClaw supports AIEOS v1.1 JSON payloads, allowing you to:

• Import identities from the AIEOS ecosystem
• Export identities to other AIEOS-compatible systems
• Maintain behavioral integrity across different AI models

Enable AIEOS

identity:
  format: "aieos"
  aieos_path: "identity.json" # relative to workspace or absolute path

Or inline JSON:

identity:
  format: "aieos"
  aieos_inline: |
{
  "identity": {
    "names": { "first": "Nova", "nickname": "N" }
  },
  "psychology": {
    "neural_matrix": { "creativity": 0.9, "logic": 0.8 },
    "traits": { "mbti": "ENTP" },
    "moral_compass": { "alignment": "Chaotic Good" }
  },
  "linguistics": {
    "text_style": { "formality_level": 0.2, "slang_usage": true }
  },
  "motivations": {
    "core_drive": "Push boundaries and explore possibilities"
  }
}

AIEOS Schema Sections

Section	Description
identity	Names, bio, origin, residence
psychology	Neural matrix (cognitive weights), MBTI, OCEAN, moral compass
linguistics	Text style, formality, catchphrases, forbidden words
motivations	Core drive, short/long-term goals, fears
capabilities	Skills and tools the agent can access
physicality	Visual descriptors for image generation
interests	Hobbies, favorites, lifestyle

See aieos.org for the full schema and live examples.

Gateway API

Endpoint	Method	Auth	Description
/health	GET	None	Health check (always public, no secrets leaked)
/pair	POST	X-Pairing-Code header	Exchange one-time code for bearer token
/webhook	POST	Authorization: Bearer <token>	Send message: {"message": "your prompt"}
/whatsapp	GET	Query params	Meta webhook verification (hub.mode, hub.verify_token, hub.challenge)
/whatsapp	POST	None (Meta signature)	WhatsApp incoming message webhook

Commands

HighClaw provides 60+ CLI commands organized by function. All commands follow the pattern highclaw <command> [subcommand] [flags].

Setup & Onboarding

Command	Description
highclaw onboard --api-key sk-... --provider openrouter	Quick non-interactive setup with API key and provider
highclaw onboard --interactive	Full interactive 9-step wizard (provider, model, channels, tunnel, skills, etc.)
highclaw onboard --channels-only	Fast repair flow — reconfigure channels and allowlists only
highclaw config show	Display the full configuration file
highclaw config get <key>	Get a single configuration value
highclaw config set <key> <value>	Set a configuration value
highclaw config validate	Validate configuration file for errors

AI Agent & Chat

Command	Description
highclaw agent	Start interactive chat mode (multi-turn conversation)
highclaw agent -m "Hello"	Send a single message and print the response
highclaw agent -m "..." --session <key>	Send a message within a specific session
highclaw agent -l	Continue the most recent session
highclaw agent --provider anthropic --model claude-sonnet-4	Override provider and model for one run
highclaw agent rpc	Start agent in RPC mode (JSON stdin/stdout, for tool integration)
highclaw message "Hello"	Shortcut — send a single message and print the response
highclaw tui	Launch the terminal UI for interactive chat
highclaw tui --session main --model gpt-4o	Launch TUI with specific session and model

Gateway & Daemon

Command	Description
highclaw gateway	Start the WebSocket + HTTP gateway (default: 127.0.0.1:18789)
highclaw gateway --port 3000	Start gateway on a custom port
highclaw gateway --port 0	Random port mode (security hardened)
highclaw gateway --bind all --dev	Bind to all interfaces in dev mode
highclaw daemon	Start the full autonomous runtime (background)
highclaw daemon install	Install HighClaw as a system daemon (launchd/systemd)
highclaw daemon start	Start the installed daemon
highclaw daemon stop	Stop the running daemon
highclaw daemon status	Show daemon running status
highclaw daemon uninstall	Remove the system daemon
highclaw service install|start|stop|status	Alias of daemon — identical behavior

Channels (Messaging Integrations)

Command	Description
highclaw channels status	Show status of all configured channels
highclaw channels doctor	Run health diagnostics for all channels
highclaw channels login <name>	Login to a messaging channel (e.g. WhatsApp QR)
highclaw channels logout <name>	Logout from a messaging channel
highclaw channels send <channel> <to> <text>	Send a message through a specific channel
highclaw integrations info Telegram	Show setup details and required config keys for a channel

Supported channels: Telegram, Discord, Slack, WhatsApp, Feishu/Lark, WeCom, WeChat, iMessage, Matrix, IRC, Signal, Webhook.

Sessions

Command	Description
highclaw sessions list	List all active sessions
highclaw sessions current	Show the current active session
highclaw sessions get <key>	Get details for a specific session
highclaw sessions switch <key>	Switch to a different session
highclaw sessions reset <key>	Clear message history for a session
highclaw sessions delete <key>	Delete a session
highclaw sessions bind <channel> <conv-id> <session-key>	Bind an external conversation to a session
highclaw sessions unbind <channel> <conv-id>	Remove an external conversation binding
highclaw sessions bindings	List all external channel session bindings
highclaw sessions prune	Clean up stale and excess sessions

Memory

Command	Description
highclaw memory status	Show memory backend status (SQLite, entry count, index health)
highclaw memory list	List memory entries with pagination (default 50/page)
highclaw memory list --limit 20 --offset 40	Paginated browsing
highclaw memory list --category core	Filter by category
highclaw memory list --since 2025-01-01T00:00:00Z	Filter by date range (RFC3339)
highclaw memory list --sort -created_at	Custom sort (- desc, + asc)
highclaw memory list --search "keyword"	Full-text search within list (FTS5, SQLite only)
highclaw memory get <key>	Retrieve a specific memory entry by key
highclaw memory search <query>	Semantic + keyword hybrid search (recommended)
highclaw memory sync	Rebuild FTS5 index and batch re-embed missing vectors
highclaw memory reset	Reset the memory index

Skills

Command	Description
highclaw skills list	List all installed skills (open-skills + workspace)
highclaw skills install <url|path>	Install a skill from GitHub URL or local path
highclaw skills uninstall <name>	Remove an installed skill
highclaw skills status	Show skills summary and counts

Models & Providers

Command	Description
highclaw models list	List available models from all configured providers
highclaw models scan	Scan and discover available models from providers
highclaw models set <model>	Set the default model

Diagnostics & Status

Command	Description
highclaw status	Comprehensive status: gateway, sessions, channels, daemon, agent, models
highclaw doctor	Full diagnostics: config, auth, gateway, sandbox, security, workspace
highclaw dns	DNS diagnostics and configuration checks
highclaw logs tail	Stream live gateway logs (auto-selects latest rotated file)
highclaw logs tail -f	Follow live log output in real-time
highclaw logs query <pattern>	Search across all log files
highclaw logs list	List all log files with sizes
highclaw logs status	Show log system status (directory, file count, total size)
highclaw logs clean	Clean up expired log files

Security & Approvals

Command	Description
highclaw security audit	Run security audit on config, files, and channels
highclaw security fix	Auto-fix security issues found by audit
highclaw exec-approvals list	List pending tool execution approvals
highclaw exec-approvals approve <id>	Approve a pending execution
highclaw exec-approvals deny <id>	Deny a pending execution

Browser Control

Command	Description
highclaw browser open <url>	Open a URL in the controlled browser (CDP/headless)
highclaw browser inspect	Inspect current browser state

Scheduled Tasks (Cron)

Cron commands operate via the Gateway HTTP API. The gateway must be running (highclaw gateway).

Command	Description
highclaw cron list	List all scheduled tasks (table view, supports --all / --json)
highclaw cron add	Interactive wizard to create a scheduled task
highclaw cron edit <id>	Interactive wizard to edit a scheduled task
highclaw cron delete <id>	Delete a scheduled task (with confirmation)
highclaw cron enable <id>	Enable a scheduled task
highclaw cron disable <id>	Disable a scheduled task
highclaw cron status	Show cron scheduler status
highclaw cron runs <id>	Show task execution history (supports --limit)
highclaw cron trigger <id>	Manually trigger a scheduled task

Agent-level access control: The main agent can manage all cron jobs. Sub-agents can only list/view/edit/delete their own jobs.

Hooks & Webhooks

Command	Description
highclaw hooks list	List installed hooks (Gmail, webhooks, internal)
highclaw hooks install <name>	Install a hook
highclaw hooks status	Show hooks status
highclaw webhooks	Manage inbound/outbound webhooks

Device & Node Management

Command	Description
highclaw devices list	List paired devices
highclaw nodes list	List connected nodes (macOS/iOS/Android)
highclaw pairing	Manage device pairing (QR codes, tokens)

Plugins

Command	Description
highclaw plugins list	List installed plugins
highclaw plugins install <name>	Install a plugin
highclaw plugins sync	Sync plugin versions

Data Migration

Command	Description
highclaw migrate openclaw	Migrate config/workspace from ~/.openclaw to ~/.highclaw
highclaw migrate openclaw --dry-run	Preview migration without writing (safe)

Task Audit Log

Command	Description
highclaw tasks list	List recent task records (default 20/page, newest first)
highclaw tasks list --action chat --status success	Filter by action type and status
highclaw tasks list --since 2025-01-01T00:00:00Z --until 2025-02-01T00:00:00Z	Filter by date range (RFC3339)
highclaw tasks list --sort -duration_ms	Custom sort (- desc, + asc): created_at, duration_ms, tokens_input, tokens_output, action, module
highclaw tasks get <id>	Get task record details (JSON)
highclaw tasks search <query>	Full-text search across request/response/error fields (FTS5)
highclaw tasks stats	Show statistics: totals, token usage, avg duration, breakdowns by action/module/status
highclaw tasks count	Show total record count
highclaw tasks clean	Clean up old records (default: 90 days, max 100K)

Logs (Enhanced)

Command	Description
highclaw logs tail	Show recent log lines from the latest rotated file
highclaw logs tail -f	Follow live log output in real-time
highclaw logs tail -n 500	Show last 500 lines
highclaw logs query <pattern>	Search across all log files (case-insensitive)
highclaw logs list	List all log files with sizes and timestamps
highclaw logs status	Show log system status (directory, file count, total size, config)
highclaw logs clean	Remove expired log files based on maxAgeDays config

Multi-Agent Team

Command	Description
highclaw agents list	List all agents with configuration details (identity, workspace, model, routing)
highclaw agents add [id]	Add a new agent interactively (workspace, model, prompt, channels, bindings, skills)
highclaw agents delete [id]	Remove an agent from the team
highclaw agents show [id]	Show detailed configuration for an agent
highclaw agents set-identity [id]	Set agent identity (name, emoji, theme) from IDENTITY.md or flags
highclaw agents persona [id]	Generate SOUL.md + IDENTITY.md via LLM for an agent
highclaw agents set-skills [id]	Configure skill allowlist for an agent
highclaw agents setup-skills [id]	Install, uninstall, or manage skills for an agent
highclaw agents edit-file [id] [file]	View or edit a workspace file (SOUL.md, AGENTS.md, etc.)

Subagents (Sub-task Management)

Command	Description
highclaw subagents list	List all sub-agent tasks (runID, agent, status, duration, task)
highclaw subagents stop <id|all>	Stop a running sub-agent task or all tasks
highclaw subagents info <id>	Show detailed info for a sub-agent task (model, session, stats)
highclaw subagents log <id>	Show conversation history for a sub-agent task
highclaw subagents send <id> <message>	Send a follow-up message to a running sub-agent
highclaw subagents --port 18790	Specify gateway HTTP port (default: 18790)

System Controls (Heartbeat)

Command	Description
highclaw system heartbeat status	Show heartbeat runtime status (configured, enabled, last event)
highclaw system heartbeat enable	Enable heartbeat scheduling
highclaw system heartbeat disable	Disable heartbeat scheduling
highclaw system heartbeat now [reason]	Trigger a heartbeat run immediately (default reason: manual)
highclaw system heartbeat last	Show the last heartbeat event details (agent, reason, status, content)
highclaw system --port 18790	Specify gateway HTTP port (default: 18790)
highclaw system heartbeat setup	Interactive 5-step heartbeat configuration wizard

System Lifecycle

Command	Description
highclaw update check	Check for available updates
highclaw update install	Install the latest update
highclaw reset --yes	Reset all state (sessions, cache); keeps config by default
highclaw reset --yes --keep-config=false	Full factory reset
highclaw uninstall --yes	Uninstall HighClaw and clean up all data
highclaw version	Print version information
highclaw docs	Open documentation in browser
highclaw completion bash|zsh|fish|powershell	Generate shell autocompletion script

Skills System

HighClaw features a pure-Go, SKILL.md-driven skill system that extends your agent's capabilities with specialized knowledge — zero Node.js or npm dependencies.

How Skills Work

Skills are Markdown files (SKILL.md) that contain instructions, prompts, and context. On every conversation turn, all active skills are injected into the agent's system prompt, giving it specialized knowledge and behavior.

Skill Sources                    Skill Manager                   Agent Runtime
─────────────                    ─────────────                   ─────────────
~/open-skills/skills/  ──┐       LoadAll()                       buildSystemPrompt()
                         ├──►    loadSkillFromMD()  ──►          ToSystemPrompt()
<workspace>/skills/    ──┘       Install / Remove                → active in all turns

Skill Directory Structure

~/open-skills/skills/           # Community skills (auto-synced)
  ├── chat-logger/SKILL.md
  ├── web-search/SKILL.md
  ├── browser-automation-agent/SKILL.md
  └── ... (19 community skills)

<workspace>/skills/             # Your custom skills
  ├── my-custom-skill/SKILL.md
  └── another-skill/SKILL.md

CLI Commands

# List all installed skills
highclaw skills list

# Show skills summary
highclaw skills status

# Install from GitHub
highclaw skills install https://github.com/user/my-skill

# Install from local path
highclaw skills install /path/to/local/skill

# Remove a skill
highclaw skills uninstall my-skill

Creating a Custom Skill

1. Create a directory under <workspace>/skills/:

mkdir -p ~/.highclaw/workspace/skills/my-skill

2. Write a SKILL.md file:

# My Custom Skill

This skill teaches the agent specialized behavior for code review.

## Instructions

When the user asks for a code review:
1. Check for security vulnerabilities first
2. Then check for performance issues
3. Finally suggest style improvements

3. Verify it loads:

highclaw skills list
# Should show: my-skill v0.1.0

Open-Skills Community Repository

HighClaw automatically syncs the open-skills community repository:

• Location: ~/open-skills/
• Sync interval: Every 7 days (auto git pull)
• First run: Auto git clone --depth 1
• Disable: export HIGHCLAW_OPEN_SKILLS_ENABLED=false

Onboard Integration

The highclaw onboard --interactive wizard includes Step 8/9 "Skills Configuration" where you can:

• View all loaded skills
• Install additional skills from URL or local path

Configuration

Environment Variable	Default	Description
HIGHCLAW_OPEN_SKILLS_ENABLED	true	Enable/disable open-skills auto-sync

Skills directory paths:

• Open-skills: ~/open-skills/skills/
• Workspace skills: <workspace>/skills/

Development

All build commands go through make. See docs/build-guide.md for the full compilation guide.

make build               # Release build (current platform)
make build-dev           # Dev build (with debug symbols)
make build-linux         # Cross-compile for Linux amd64
make build-linux-arm64   # Cross-compile for Linux arm64
make test                # Run tests (race enabled)
make fmt                 # Format code
make lint                # Lint (golangci-lint)
make release             # Build all 6 platforms + package

Important: make build only compiles for the current OS/arch. To deploy on a Linux server from macOS, use make build-linux or make deploy. See docs/build-guide.md for details.

Makefile Usage Guide

HighClaw ships with a full Makefile automation flow for development, testing, packaging, installation, and release.

Common Targets

make help               # list all targets
make build              # release build for current platform → dist/highclaw
make build-dev          # dev build with debug symbols → dist/highclaw-dev
make test               # run tests (race enabled)
make check              # vet + test
make clean              # clean artifacts

Cross-Compile (Most Common Need)

make build-linux        # macOS → Linux amd64 → dist/highclaw-linux-amd64
make build-linux-arm64  # macOS → Linux arm64 → dist/highclaw-linux-arm64
make build-darwin       # current arch macOS  → dist/highclaw-darwin-<arch>
make build-all          # all 6 platforms at once

One-Click Server Deploy

# Compile + upload + restart gateway in one command
make deploy DEPLOY_HOST=root@your-server

# Optional: specify arch and install path
make deploy DEPLOY_HOST=root@your-server DEPLOY_ARCH=arm64
make deploy DEPLOY_HOST=root@your-server DEPLOY_PATH=/opt/highclaw

Package and Release

make package            # build-all + tar.gz/zip → dist/release/
make release            # same as package

Default artifacts:

• dist/highclaw-linux-amd64
• dist/highclaw-linux-arm64
• dist/highclaw-darwin-amd64
• dist/highclaw-darwin-arm64
• dist/highclaw-windows-amd64.exe
• dist/highclaw-windows-arm64.exe
• dist/release/highclaw-<version>-<os>-<arch>.tar.gz|zip

Install and Uninstall (Local)

make install            # install to GOBIN / GOPATH/bin / ~/go/bin
make uninstall          # uninstall highclaw

Install path priority: GOBIN > GOPATH/bin > ~/go/bin

Code Quality and Diagnostics

make fmt                # format code
make vet                # static analysis
make lint               # golangci-lint (install first)
make doctor             # print version, Go env, host platform, install path

Pre-push hook

A git hook runs format check, static analysis, and tests before every push. Enable it once:

git config core.hooksPath .githooks

To skip the hook when you need a quick push during development:

git push --no-verify

Support

HighClaw is an open-source project maintained with passion. If you find it useful and would like to support its continued development, hardware for testing, and coffee for the maintainer, you can support me here:

License

MIT — see LICENSE

• IP policy — see INTELLECTUAL_PROPERTY.md
• Trademark policy — see TRADEMARKS.md

Contributing

See CONTRIBUTING.md. Implement a trait, submit a PR:

• Individual CLA (required) — see CLA-INDIVIDUAL.md
• Security reporting — see SECURITY.md
• CI workflow guide: docs/ci-map.md
• New Provider → src/providers/
• New Channel → src/channels/
• New Observer → src/observability/
• New Tool → src/tools/
• New Memory → src/memory/
• New Tunnel → src/tunnel/
• New Skill → ~/.highclaw/workspace/skills/<name>/

---

HighClaw — High performance. Built for speed and reliability. Deploy anywhere. Swap anything.