🐾 ShibaClaw —Security First Personal AI Agent Framework

[RikyZ90]

ShibaClaw 🐕

Security-first AI agent with built-in WebUI, native provider support, and hardened tools.

---

📢 Welcome to ShibaClaw v0.2.0! This release adds cross-provider model search, true per-session model routing, a redesigned model-first settings flow, and OpenRouter OAuth directly in the WebUI.
See the Changelog for details.

---

ShibaClaw is a security-first AI agent for your terminal, your browser, and across 11 channels.
Security isn't glue code — it's the foundation: CVE auditing at install time, prompt-injection wrapping on every tool result, SSRF/DNS-rebinding protection, shell hardening, workspace sandboxing, and bearer-token auth are all built into the core.

22 providers · 11 chat channels · built-in WebUI · 3-level proactive memory · cron · heartbeat · skills · MCP

---

Quick Start

Docker

curl -fsSL https://raw.githubusercontent.com/RikyZ90/ShibaClaw/main/docker-compose.yml -o docker-compose.yml
docker compose up -d          # pulls from Docker Hub automatically
docker exec -it shibaclaw-gateway shibaclaw print-token

Open http://localhost:3000, paste the token, and follow the onboard wizard.

pip

pip install shibaclaw
shibaclaw web --with-gateway   # starts WebUI + agent engine on :3000

Open http://localhost:3000 and follow the onboard wizard.
Prefer the CLI? shibaclaw onboard runs the same guided setup from the terminal.

---

Security, Built In

Defenses that are normally scattered across app glue or external proxies — in ShibaClaw they ship in the core, on by default.

🛡️ Prompt-Injection Wrapping (Tool Sandboxing)

Instead of simply feeding raw tool outputs back to the LLM, ShibaClaw wraps every tool result in a dynamically generated XML-like boundary with a randomized nonce (e.g., <tool_output_a1b2c3d4>).
Why this matters: Attackers often try to prematurely close tags or inject fake system instructions inside tool outputs (like web page content). By using a randomized boundary generated per-iteration, the agent can reliably differentiate between actual system instructions and injected payloads. Furthermore, any attempt to inject the specific closing tag inside the content is automatically sanitized and escaped, ensuring the sandbox remains airtight and the original system prompt takes precedence.

🔍 Install-Time Package Autoscan

Before executing any pip, npm, or apt install command, ShibaClaw intercepts the action and parses the dependencies. It runs tools like pip-audit or npm audit --json to scan for known vulnerabilities against CVE databases before applying any changes.
Why this matters: It shifts security entirely to the left. Instead of blindly blocking package managers or relying on post-install scans, it evaluates the exact dependency tree before execution. If a package contains critical/high CVEs, or if suspicious flags (like --allow-unauthenticated for apt) are detected, the installation is blocked. This allows the AI to autonomously build software without turning the host into a liability.

Security Layers Overview

Layer	What it does
🔍 Install-time audit	Audits pip and npm before execution — blocks critical/high CVEs before they land
🛡️ Prompt-injection wrapping	Wraps every tool result in a randomized <tool_output_...> boundary and sanitizes closing tags
🔒 Shell hardening	20+ deny patterns, escape normalization (\x.., \u....), internal URL detection
🌐 Network guard	SSRF filtering, redirect revalidation, DNS-rebinding-safe resolution
📁 Workspace sandbox	File tools and file browser locked to the configured workspace
🔑 Access control	Bearer token auth, constant-time checks, channel allowlists, optional rate limiting
⚡ Distributed engine	UI (≈128 MB) decoupled from agent brain (≈256 MB+) — minimal footprint per process

[RikyZ90]

post updated ShibaClaw v0.2.0 release!