← Back to research
·7 min read·opensource

IronClaw

IronClaw is a security-focused Rust reimplementation of OpenClaw by NEAR AI, featuring WASM sandboxing, credential protection, and local-first data storage in PostgreSQL. At 12.4K GitHub stars as of June 2026, it is one of the most visible security-first responses to the OpenClaw security crisis.

Key takeaways

  • Security-first design with WASM sandbox, credential protection, prompt injection defense, and endpoint allowlisting
  • Local-first architecture — all data stored in PostgreSQL with pgvector, AES-256-GCM encryption, no telemetry
  • Self-expanding capabilities — dynamically build WASM tools, [MCP](/research/t/mcp) protocol support, plugin architecture
  • Built by NEAR AI with enterprise-grade Rust implementation and Docker sandbox orchestration
  • Momentum surged after the January 2026 OpenClaw security crisis — 12.4K stars and a steady release cadence (v0.29.1, June 2026), though some developers question the depth of its security claims

FAQ

What is IronClaw?

IronClaw is a Rust-based personal AI assistant built by NEAR AI, inspired by OpenClaw but focused on privacy, security, and self-expanding capabilities.

How does IronClaw compare to ZeroClaw?

Both are Rust-based OpenClaw alternatives. IronClaw uses PostgreSQL for storage and WASM sandbox; ZeroClaw uses SQLite and is more lightweight. IronClaw has more enterprise features; ZeroClaw targets minimal hardware.

Who built IronClaw?

NEAR AI, the AI research arm of the NEAR Protocol blockchain ecosystem. Contributors include NEAR co-founder Illia Polosukhin, with daily commit activity from a multi-person core team as of June 2026.

Executive Summary

IronClaw is a security-focused Rust reimplementation of OpenClaw built by NEAR AI, the AI research arm of the NEAR Protocol ecosystem.[1] The philosophy is simple: "Your AI assistant should work for you, not against you." All data stays local in PostgreSQL, encrypted with AES-256-GCM, with no telemetry or data harvesting.

The January–February 2026 OpenClaw security crisis — the actively exploited CVE-2026-25253 token-theft RCE[2] and the ClawHavoc malicious-skill campaign — validated IronClaw's premise and accelerated its adoption. As of June 11, 2026 the repo has grown from 2.7K to 12.4K stars, ships releases roughly weekly (v0.29.1 on June 3, 2026), and saw commits the same day this profile was checked.[1]

AttributeValue
OrganizationNEAR AI
LanguageRust
LicenseApache 2.0
StoragePostgreSQL + pgvector
GitHub stars12.4K (June 2026)
Latest releasev0.29.1 (June 3, 2026)
StatusActive development

Product Overview

IronClaw takes a different approach from most OpenClaw alternatives: instead of minimizing footprint (like ZeroClaw, NullClaw, PicoClaw), it maximizes security and self-expansion capabilities while maintaining full local control.[3] Crypto-industry press framed it early on as the most serious rival to OpenClaw itself.[4]

Key Capabilities

CapabilityDescription
WASM SandboxUntrusted tools run in isolated WebAssembly containers with capability-based permissions
Credential ProtectionSecrets never exposed to tools; injected at host boundary with leak detection
Prompt Injection DefensePattern detection, content sanitization, policy enforcement
Self-ExpandingDynamically build new WASM tools by describing what you need
Multi-ChannelREPL, HTTP webhooks, WASM channels (Telegram, Slack), web gateway
Docker SandboxIsolated container execution with per-job tokens and orchestrator/worker pattern

Architecture

┌─────────────────────────────────────────────────────┐
│                      Channels                        │
│  REPL │ HTTP │ WASM (Telegram/Slack) │ Web Gateway  │
└────────────────────────┬────────────────────────────┘
                         │
              ┌──────────▼──────────┐
              │     Agent Loop      │
              └──────────┬──────────┘
                         │
         ┌───────────────┼───────────────┐
         │               │               │
   ┌─────▼─────┐   ┌─────▼─────┐   ┌─────▼─────┐
   │ Scheduler │   │ Routines  │   │  Docker   │
   │  (jobs)   │   │  Engine   │   │ Sandbox   │
   └─────┬─────┘   └─────┬─────┘   └─────┬─────┘
         │               │               │
         └───────────────┼───────────────┘
                         │
              ┌──────────▼──────────┐
              │   Tool Registry     │
              │ Built-in, [MCP](/research/t/mcp), WASM │
              └─────────────────────┘

Technical Architecture

Security Model

IronClaw implements defense in depth with multiple security layers:[1]

LayerProtection
WASM SandboxCapability-based permissions, resource limits (memory, CPU, time)
Endpoint AllowlistingHTTP requests only to explicitly approved hosts/paths
Credential InjectionSecrets injected at host boundary, never exposed to WASM code
Leak DetectionScans requests and responses for secret exfiltration attempts
Rate LimitingPer-tool request limits to prevent abuse

Storage

  • Database: PostgreSQL 15+ with pgvector extension
  • Encryption: AES-256-GCM for all secrets
  • Memory: Hybrid search using full-text + vector with Reciprocal Rank Fusion
  • Workspace: Path-based filesystem for notes, logs, and context

LLM Providers

IronClaw defaults to NEAR AI but works with any OpenAI-compatible endpoint:

  • NEAR AI (default)
  • OpenRouter (300+ models)
  • Together AI, Fireworks AI
  • Ollama (local)
  • vLLM, LiteLLM (self-hosted)

Strengths

  • Security-first design — WASM sandbox, credential protection, prompt injection defense, and endpoint allowlisting provide enterprise-grade security.
  • Self-expanding capabilities — Describe what you need and IronClaw builds it as a WASM tool; no waiting for vendor updates.
  • Local-first architecture — All data in your PostgreSQL database, encrypted, with no telemetry or data harvesting.
  • Active development — Roughly weekly releases (v0.23.0 through v0.29.1 between late March and early June 2026), daily commits from a multi-person core team including NEAR co-founder Illia Polosukhin, and 1,400+ forks.[1]
  • Easy install path — Prebuilt binaries for macOS, Linux, and Windows via shell/PowerShell installers, plus an npm package, lower the barrier versus building from source.[1]
  • Enterprise features — Docker sandbox orchestration, routines engine (cron, events, webhooks), web gateway with SSE/WebSocket.

Cautions

  • PostgreSQL requirement — Requires PostgreSQL 15+ with pgvector, unlike SQLite-based alternatives (ZeroClaw, NullClaw).
  • Higher resource footprint — More feature-rich than minimal alternatives; not for embedded/IoT use cases.
  • NEAR AI association — Default auth is NEAR AI; crypto/blockchain association may concern some users.
  • Newer project — Less battle-tested than OpenClaw's 160K-star ecosystem.
  • Complex setup — More moving parts (PostgreSQL, Docker) than single-binary alternatives, though prebuilt installers have softened this.
  • Skeptical security reception — The Hacker News launch discussion questioned whether the security claims are backed by clear threat modeling, with commenters calling parts of it "vibe-designed security."[5]

What Developers Say

The Hacker News launch thread (149 points, 69 comments, February 2026) was mixed-to-skeptical, with security engineers probing the threat model:[5]

"I'm getting tired of these vibe-designed security things... What is sandboxed from what?" — amluto

"What prevents it from editing a different file due to a prompt injection attack?" — amluto

"It's buggy vibecoded software. Bring your Claude code with you to get it working" — MarkMarine

"We need more sandboxes and more granular sandboxes... fine-grained WASM components" — spankalee

Third-party comparisons are more favorable: FlowHunt's June 2026 review concluded "IronClaw has arguably the most sophisticated security architecture of the three: memory-safe runtime in Rust, WASM isolation per tool, secure credential injection, prompt injection detection, and layered defenses where compromising one layer doesn't cascade to the next."[6]


Pricing & Licensing

TierPriceIncludes
Open SourceFreeFull functionality, Apache 2.0 license

Licensing model: Apache 2.0 — permissive open source, commercial use allowed.

Hidden costs: PostgreSQL hosting (or local), LLM API costs (NEAR AI or BYOK).


Competitive Positioning

Direct Competitors

CompetitorDifferentiation
OpenClawIronClaw is Rust (vs TypeScript), more security features, local PostgreSQL
ZeroClawBoth Rust; IronClaw has more features, ZeroClaw is more minimal/lightweight
NullClawIronClaw uses PostgreSQL vs SQLite, more enterprise features

When to Choose IronClaw

  • Choose IronClaw when: Security is paramount, you want self-expanding capabilities, and PostgreSQL is acceptable.
  • Choose ZeroClaw when: You need minimal footprint and embedded/IoT deployment.
  • Choose OpenClaw when: You want maximum ecosystem and don't need Rust's security benefits.

Ideal Customer Profile

Best fit:

  • Security-conscious professionals handling sensitive data
  • Developers who want self-expanding AI capabilities
  • Users comfortable with PostgreSQL infrastructure
  • Teams wanting local-first with enterprise features

Poor fit:

  • Embedded/IoT deployments (use ZeroClaw/NullClaw/PicoClaw)
  • Users wanting zero-setup experience (use Lindy)
  • Those avoiding blockchain/crypto-adjacent projects

Viability Assessment

FactorAssessment
Financial HealthBacked by NEAR Protocol ecosystem (no separate funding publicly disclosed)
Market PositionLeading security-focused OpenClaw alternative
Innovation PaceRapid — weekly releases, daily commits (June 2026)
Community/Ecosystem12.4K stars, 1,400+ forks, backed by established org
Long-term OutlookPositive for security-focused use cases

NEAR AI has resources from the broader NEAR Protocol ecosystem; no separate IronClaw funding has been publicly disclosed. IronClaw occupies a specific niche — users who want OpenClaw-level features with enterprise security — and the OpenClaw security crisis turned that niche into one of the fastest-growing segments of the ecosystem.[1]


Bottom Line

IronClaw is for users who want OpenClaw's power with enterprise-grade security. The WASM sandbox, credential protection, and local-first architecture make it ideal for professionals handling sensitive data who can accept the PostgreSQL requirement.

Recommended for: Security-conscious professionals, developers wanting self-expanding capabilities, teams with PostgreSQL infrastructure.

Not recommended for: Embedded deployments, users wanting minimal setup, those avoiding crypto-adjacent projects.

Outlook: Strong backing from NEAR AI, a 4.6x star jump since February 2026, and a weekly release cadence make IronClaw the most credible security-first OpenClaw alternative as of June 2026 — though it still needs to answer the threat-modeling skepticism from security engineers.


Research by Ry Walker Research • methodology