IronClaw: Privacy-First AI Assistant in Rust

Privacy-First AI Assistant Built for Security and Control

IronClaw represents a fundamental shift in how personal AI assistants handle user data and security. Developed by NEAR AI as a Rust-based reimplementation inspired by OpenClaw, this open-source project prioritizes user privacy, data sovereignty, and transparent operations. In an era where AI systems increasingly operate as black boxes with opaque data practices, IronClaw establishes a new paradigm: your AI assistant should work exclusively for you, not harvest your data for corporate interests.

The project addresses critical concerns facing modern AI users: where does my data go? Who can access my conversations? Can malicious actors exploit my AI assistant? IronClaw answers these questions with a security-first architecture that keeps all data local, runs untrusted code in isolated sandboxes, and implements multiple defense layers against emerging threats like prompt injection attacks.

Technical Architecture and Security Design

IronClaw's architecture reflects a defense-in-depth philosophy, where multiple security layers protect user data and prevent exploitation. The system is built on Rust, leveraging memory safety guarantees and native performance while maintaining a modular, extensible design that supports dynamic capability expansion.

WebAssembly Sandbox Isolation

At the core of IronClaw's security model lies its WebAssembly-based tool execution environment. Unlike traditional AI assistants that execute tools with full system access, IronClaw runs all untrusted code within isolated WASM containers governed by capability-based permissions. This architecture ensures that tools can only access resources explicitly granted to them.

The sandbox implements several critical security controls:

• Capability-based permissions: Tools must explicitly request access to HTTP requests, secrets, or other tool invocations. By default, WASM modules operate in complete isolation.
• Endpoint allowlisting: HTTP requests are restricted to explicitly approved hosts and URL paths, preventing data exfiltration to unauthorized destinations.
• Credential injection at boundaries: Secrets and API keys are never exposed directly to WASM code. Instead, the host system injects credentials at request boundaries and scans both requests and responses for potential credential leaks.
• Resource constraints: Each tool operates under strict memory, CPU, and execution time limits to prevent abuse and denial-of-service scenarios.

The execution flow follows a rigorous validation pipeline: WASM code passes through an allowlist validator, undergoes leak scanning on requests, receives credential injection from the host, executes the operation, and finally undergoes response leak scanning before results return to the WASM module. This multi-stage approach creates multiple checkpoints where malicious behavior can be detected and blocked.

Prompt Injection Defense Mechanisms

IronClaw implements comprehensive protection against prompt injection attacks, a critical vulnerability where malicious actors embed instructions in external content to manipulate AI behavior. The system processes all external content through multiple security layers before presenting it to the language model.

The defense system includes pattern-based detection algorithms that identify common injection techniques, content sanitization that escapes or removes dangerous patterns, and configurable policy rules with severity levels ranging from Block (halt execution) to Warn, Review, or Sanitize. Tool outputs are wrapped in protective contexts that clearly delineate trusted system instructions from untrusted external content, preventing confusion attacks.

Data Protection and Encryption

All user data remains local, stored in a PostgreSQL database under the user's direct control. IronClaw never transmits data to external servers for telemetry, analytics, or model training. Secrets and credentials are encrypted using AES-256-GCM and stored securely in the system keychain, accessible only through the credential injection mechanism.

The system maintains complete audit logs of all tool executions, providing transparency into what operations occurred and when. This audit trail enables users to verify that their assistant is operating as expected and detect any anomalous behavior.

Getting Started with IronClaw

Setting up IronClaw requires a few prerequisites but follows a streamlined process designed to get users operational quickly while maintaining security best practices. The project targets developers and technical users comfortable with command-line tools and database administration.

System Requirements and Dependencies

IronClaw requires Rust 1.85 or later, providing access to the latest language features and performance improvements. The database layer depends on PostgreSQL 15 or newer with the pgvector extension enabled, which provides vector similarity search capabilities essential for the hybrid memory system.

Authentication integrates with NEAR AI's infrastructure, requiring users to create an account. The setup wizard handles OAuth authentication through a browser flow, eliminating the need for manual API key management. Users interact with NEAR AI's language models through this authenticated connection, though the local-first architecture ensures conversations remain private.

Installation Process

Clone the repository from GitHub and build the project using Cargo, Rust's package manager. The compilation process produces a single self-contained binary with no runtime dependencies beyond the database connection. Running the comprehensive test suite verifies that all components function correctly in your environment.

Database initialization requires creating a dedicated PostgreSQL database and enabling the pgvector extension. The extension provides vector storage and similarity search capabilities that power IronClaw's hybrid memory retrieval system, combining traditional full-text search with semantic vector matching.

Configuration and Setup Wizard

The setup wizard simplifies initial configuration, guiding users through database connection parameters, NEAR AI authentication, and secrets encryption setup. The wizard connects to your system keychain (Keychain on macOS, Secret Service on Linux, Credential Manager on Windows) to securely store encryption keys and sensitive credentials.

All configuration settings persist to ~/.ironclaw/settings.toml, a human-readable file that can be edited for advanced customization. The wizard generates secure defaults while allowing experienced users to modify settings as needed. Once configured, IronClaw operates primarily through an interactive REPL (Read-Eval-Print Loop) interface, though additional channels can be enabled for webhook-based or messaging platform integrations.

Core Features and Capabilities

IronClaw's feature set focuses on three primary objectives: security, availability, and extensibility. Each capability is designed to enhance user control while maintaining the flexibility to adapt to diverse use cases.

Multi-Channel Communication

The system supports multiple interaction channels simultaneously, allowing users to engage through whichever interface suits their current context. The built-in REPL provides a direct command-line interface ideal for development and debugging. HTTP webhooks enable integration with external systems and automation workflows.

Perhaps most uniquely, IronClaw implements WASM-based channels that run in the same security sandbox as tools. This architecture allows community developers to build custom integrations for platforms like Telegram, Slack, Discord, or any other communication system without compromising security. Channels execute with the same capability-based restrictions as tools, preventing malicious channel implementations from exfiltrating data or accessing unauthorized resources.

Heartbeat and Background Execution

IronClaw includes a heartbeat system that enables proactive background execution. Unlike reactive assistants that only respond to direct prompts, the heartbeat mechanism allows scheduling of monitoring tasks, maintenance operations, and periodic checks. Users can configure the assistant to monitor specific conditions, send notifications when events occur, or perform routine administrative tasks without manual intervention.

The parallel job scheduler manages multiple concurrent requests, each isolated in its own context to prevent interference. This architecture allows the assistant to handle a background monitoring task while simultaneously responding to an interactive user query, all with appropriate resource allocation and prioritization.

Self-Expanding Tool Ecosystem

One of IronClaw's most powerful features is dynamic tool building. Users can describe functionality they need in natural language, and the system generates a WebAssembly tool to provide that capability. This self-expanding approach eliminates waiting for vendor updates or plugin marketplace approvals—if you can describe what you need, IronClaw can build it.

The tool registry maintains three categories of capabilities: built-in tools compiled into the core system, Model Context Protocol (MCP) servers that provide standardized external integrations, and WASM sandbox tools that run in isolated environments. The MCP protocol support enables connection to a growing ecosystem of pre-built tool servers, expanding capabilities without custom development.

Users can drop new WASM tools into the system without restarting the assistant. The hot-reload capability recognizes new tools and makes them immediately available, supporting rapid iteration during development and testing.

Hybrid Memory and Search

IronClaw implements a sophisticated memory system that combines traditional full-text search with vector-based semantic similarity using Reciprocal Rank Fusion. This hybrid approach retrieves contextually relevant information more effectively than either method alone, understanding both exact keyword matches and conceptual relationships.

The workspace filesystem provides flexible path-based storage for notes, logs, conversation history, and arbitrary context. Users can organize information hierarchically and reference it in future conversations, building a persistent knowledge base that grows over time. Identity files maintain consistent personality traits and user preferences across sessions, ensuring the assistant remembers your communication style, preferred tools, and standing instructions.

Community and Development Ecosystem

IronClaw operates under dual licensing (Apache 2.0 and MIT), providing maximum flexibility for both open-source and commercial use cases. This permissive licensing encourages community contributions and derivative projects while protecting contributors through patent grants and liability limitations.

OpenClaw Heritage and Relationship

The project explicitly acknowledges its inspiration from OpenClaw, a TypeScript-based AI assistant framework. IronClaw represents not a fork but a philosophical reimplementation in Rust, making different architectural choices while pursuing similar goals. The project maintains a detailed feature parity document tracking which OpenClaw capabilities have been implemented, adapted, or intentionally diverged.

Key architectural differences reflect Rust's strengths: native performance without runtime overhead, memory safety guarantees that prevent entire classes of vulnerabilities, and compilation to a single self-contained binary. The WASM sandbox approach contrasts with Docker-based isolation, offering lighter-weight security with finer-grained capability controls. PostgreSQL replaces SQLite as the persistence layer, providing production-ready scalability and concurrent access patterns.

Development Practices and Contribution

The project maintains high code quality standards through comprehensive testing, linting, and formatting requirements. The codebase includes unit tests, integration tests, and security-focused test scenarios that verify sandbox isolation and credential protection mechanisms. Contributors can run the full test suite locally before submitting pull requests, ensuring changes don't introduce regressions.

The repository structure separates concerns clearly: core agent logic lives in src/, WASM channel implementations in channels-src/, tools in tools-src/, and interface definitions in wit/ using the WebAssembly Component Model. This organization makes it straightforward to contribute to specific subsystems without understanding the entire codebase.

Documentation includes architecture overviews, security design rationale, and contribution guidelines. The project provides example configurations, Docker setups for development environments, and migration scripts for database schema evolution. Claude-specific integration documentation (CLAUDE.md) and agent behavior guidelines (AGENTS.md) help developers understand how IronClaw interacts with different language models.

Future Development and Roadmap

While the repository doesn't include a formal published roadmap, several development directions emerge from the architecture and feature set. The project's current state suggests active development with recent commits and an evolving feature matrix tracking OpenClaw parity.

Expanding Channel Ecosystem

The WASM channel architecture creates opportunities for community-contributed integrations with popular communication platforms. As more developers build Telegram, Slack, Discord, Matrix, and other channels, IronClaw will become accessible through users' preferred interfaces. The security sandbox ensures these community contributions can't compromise user data even if poorly implemented or malicious.

Enhanced Tool Marketplace

The dynamic tool building capability could evolve into a community marketplace where users share useful WASM tools. Combined with the sandbox security model, this would enable safe experimentation with community-contributed tools without the trust requirements that plague traditional plugin ecosystems. Digital signatures and reputation systems could help users evaluate tool reliability before installation.

Advanced Memory and Context Management

The hybrid search foundation supports sophisticated context management strategies. Future development might include automatic context summarization for long conversations, hierarchical memory structures that separate short-term working memory from long-term knowledge, and context windowing algorithms that intelligently select the most relevant information for each query. The vector search capability enables semantic deduplication and conflict detection across the knowledge base.

Multi-Model Support and Optimization

While currently integrated with NEAR AI's infrastructure, the architecture could support multiple language model providers. Users might select different models for different tasks—fast, inexpensive models for simple queries and routing decisions, more capable models for complex reasoning. Local model support through Ollama, llama.cpp, or similar runtimes would enable fully offline operation for privacy-critical scenarios.

Federated and Collaborative Features

The local-first architecture could extend to support secure sharing and collaboration without centralizing data. Users might selectively share workspace sections, delegate tasks to trusted assistants running on other machines, or participate in federated knowledge networks. The security model would need extension to support trust attestation and encrypted multi-party computation, but the foundation of isolated execution and explicit capabilities provides a strong starting point.

Privacy and Security Implications

IronClaw's design philosophy carries significant implications for the broader AI ecosystem. By demonstrating that privacy, security, and capability can coexist, the project challenges the assumption that effective AI assistants must collect user data or operate as opaque black boxes.

The WASM sandbox approach proves particularly relevant as AI systems gain autonomy and tool-using capabilities. Traditional approaches grant AI unrestricted system access, hoping that prompt engineering and model alignment prevent misuse. IronClaw inverts this model: assume tools might behave maliciously and enforce restrictions at the platform level. This defense-in-depth approach remains effective even if prompt injection techniques evolve or language models exhibit unexpected behaviors.

Credential protection mechanisms address a critical vulnerability in AI tool use. Many AI systems pass API keys and secrets directly to tools or even expose them in prompts, creating numerous exfiltration opportunities. IronClaw's boundary injection approach ensures credentials exist only in the trusted host environment, never entering the WASM sandbox or language model context. Leak detection provides an additional safety net, catching attempts to embed credentials in HTTP requests or return values.

The local-first data model respects user sovereignty in ways cloud-based assistants cannot match. Users maintain complete control over their data, can audit exactly what information is stored, and can delete or export everything without depending on vendor cooperation. This architecture inherently complies with privacy regulations like GDPR and CCPA since user data never leaves the user's direct control.

Conclusion: A New Paradigm for AI Assistants

IronClaw represents more than a technical project—it's a statement about how AI assistants should operate. By prioritizing user control, transparent operations, and defense-in-depth security, the project charts a path toward AI systems users can genuinely trust with sensitive personal and professional information.

The Rust implementation provides a solid foundation for performance and safety, while the modular architecture ensures the project can evolve as the AI ecosystem develops. The WASM sandbox proves that security and extensibility aren't opposing forces, and the local-first approach shows that effective AI assistance doesn't require data centralization.

For developers concerned about AI privacy, security professionals evaluating AI tool risks, or users seeking alternatives to corporate AI platforms, IronClaw offers a compelling option. The project's active development and thoughtful architecture suggest a maturing effort with potential to influence broader AI assistant design patterns.

Project source: IronClaw on GitHub