IronClaw

IronClaw is a security-focused Rust reimplementation of OpenClaw by NEAR AI, featuring WASM sandboxing, credential protection, and local-first data storage in PostgreSQL.

Key takeaways

  • Security-first design with WASM sandbox, credential protection, prompt injection defense, and endpoint allowlisting
  • Local-first architecture — all data stored in PostgreSQL with pgvector, AES-256-GCM encryption, no telemetry
  • Self-expanding capabilities — dynamically build WASM tools, [MCP](/research/t/mcp) protocol support, plugin architecture
  • Built by NEAR AI with enterprise-grade Rust implementation and Docker sandbox orchestration

FAQ

What is IronClaw?

IronClaw is a Rust-based personal AI assistant built by NEAR AI, inspired by OpenClaw but focused on privacy, security, and self-expanding capabilities.

How does IronClaw compare to ZeroClaw?

Both are Rust-based OpenClaw alternatives. IronClaw uses PostgreSQL for storage and a WASM sandbox; ZeroClaw uses SQLite and is more lightweight. IronClaw has more enterprise features; ZeroClaw targets minimal hardware.

Who built IronClaw?

NEAR AI, the AI research arm of the NEAR Protocol blockchain ecosystem. The lead developer is Yuri Polushkin, with 74+ commits per week.

Executive Summary

IronClaw is a security-focused Rust reimplementation of OpenClaw built by NEAR AI, the AI research arm of the NEAR Protocol ecosystem.[1] The philosophy is simple: "Your AI assistant should work for you, not against you." All data stays local in PostgreSQL, encrypted with AES-256-GCM, with no telemetry or data harvesting.

| Attribute | Value |
|---|---|
| Organization | NEAR AI |
| Language | Rust |
| License | Apache 2.0 |
| Storage | PostgreSQL + pgvector |
| Status | Active development |

Product Overview

IronClaw takes a different approach from most OpenClaw alternatives: instead of minimizing footprint (like ZeroClaw, NullClaw, PicoClaw), it maximizes security and self-expansion capabilities while maintaining full local control.[2]

Key Capabilities

| Capability | Description |
|---|---|
| WASM Sandbox | Untrusted tools run in isolated WebAssembly containers with capability-based permissions |
| Credential Protection | Secrets never exposed to tools; injected at host boundary with leak detection |
| Prompt Injection Defense | Pattern detection, content sanitization, policy enforcement |
| Self-Expanding | Dynamically build new WASM tools by describing what you need |
| Multi-Channel | REPL, HTTP webhooks, WASM channels (Telegram, Slack), web gateway |
| Docker Sandbox | Isolated container execution with per-job tokens and orchestrator/worker pattern |

Architecture

┌─────────────────────────────────────────────────────┐
│                      Channels                        │
│  REPL │ HTTP │ WASM (Telegram/Slack) │ Web Gateway  │
└────────────────────────┬────────────────────────────┘
                         │
              ┌──────────▼──────────┐
              │     Agent Loop      │
              └──────────┬──────────┘
                         │
         ┌───────────────┼───────────────┐
         │               │               │
   ┌─────▼─────┐   ┌─────▼─────┐   ┌─────▼─────┐
   │ Scheduler │   │ Routines  │   │  Docker   │
   │  (jobs)   │   │  Engine   │   │ Sandbox   │
   └─────┬─────┘   └─────┬─────┘   └─────┬─────┘
         │               │               │
         └───────────────┼───────────────┘
                         │
              ┌──────────▼──────────┐
              │   Tool Registry     │
              │ Built-in, MCP, WASM │
              └─────────────────────┘

Technical Architecture

Security Model

IronClaw implements defense in depth with multiple security layers:[1]

| Layer | Protection |
|---|---|
| WASM Sandbox | Capability-based permissions, resource limits (memory, CPU, time) |
| Endpoint Allowlisting | HTTP requests only to explicitly approved hosts/paths |
| Credential Injection | Secrets injected at host boundary, never exposed to WASM code |
| Leak Detection | Scans requests and responses for secret exfiltration attempts |
| Rate Limiting | Per-tool request limits to prevent abuse |
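
How the allowlisting, credential-injection and leak-detection layers fit together at the host boundary, as an added Rust sketch. It is not IronClaw's code: the types, function names, host name and secret value are all hypothetical, and it uses only the standard library.

```rust
// Added illustration, not IronClaw source; every name below is hypothetical.
#[derive(Debug, PartialEq)]
enum Deny { HostNotAllowed, PathNotAllowed, SecretLeak }

struct Allow { host: &'static str, path_prefix: &'static str }
struct Request { host: String, path: String, body: String }
struct HostBoundary { allow: Vec<Allow>, secret: String }

// Prefix match on a segment boundary; refuse ".." so "/v1/../admin" cannot pass.
fn path_matches(path: &str, prefix: &str) -> bool {
    if path.split('/').any(|seg| seg == "..") { return false; }
    match path.strip_prefix(prefix) {
        Some(rest) => rest.is_empty() || rest.starts_with('/') || prefix.ends_with('/'),
        None => false,
    }
}

impl HostBoundary {
    // Vet a request built by sandboxed tool code; on success return the
    // Authorization header value that only the host side ever sees.
    fn authorize(&self, req: &Request) -> Result<String, Deny> {
        // Endpoint allowlisting: exact host match (no suffix tricks), then path.
        let rules: Vec<&Allow> = self.allow.iter()
            .filter(|a| a.host.eq_ignore_ascii_case(&req.host)).collect();
        if rules.is_empty() { return Err(Deny::HostNotAllowed); }
        if !rules.iter().any(|a| path_matches(&req.path, a.path_prefix)) {
            return Err(Deny::PathNotAllowed);
        }
        // Leak detection: the tool was never given the secret, so finding it in
        // tool-controlled fields means it leaked. Literal match only in this sketch.
        if req.path.contains(&self.secret) || req.body.contains(&self.secret) {
            return Err(Deny::SecretLeak);
        }
        // Credential injection happens last, outside the sandbox.
        Ok(format!("Bearer {}", self.secret))
    }

    // Scrub a response before handing it back to the tool.
    fn scrub_response(&self, body: &str) -> String {
        body.replace(&self.secret, "[REDACTED]")
    }
}

fn main() {
    let hb = HostBoundary { allow: vec![Allow { host: "api.example.test", path_prefix: "/v1" }],
                            secret: "sk-constructed-0000".into() }; // constructed value
    let r = Request { host: "api.example.test".into(), path: "/v1/items".into(), body: "{}".into() };
    println!("{} / {}", hb.authorize(&r).is_ok(), hb.scrub_response("echo sk-constructed-0000"));
}
```

The order of checks matters: a request is rejected on destination before the secret is ever formatted into a header, so a denied request never carries the credential.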

Storage

  • Database: PostgreSQL 15+ with pgvector extension
  • Encryption: AES-256-GCM for all secrets
  • Memory: Hybrid search using full-text + vector with Reciprocal Rank Fusion
  • Workspace: Path-based filesystem for notes, logs, and context
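
The Reciprocal Rank Fusion step named in the Memory bullet, as an added Rust example that is not taken from IronClaw. The document ids are constructed, and k = 60 is the constant conventionally used with RRF; the value IronClaw uses is not stated on this page.

```rust
use std::collections::HashMap;

// Added illustration, not IronClaw source. Reciprocal Rank Fusion:
// score(d) = sum over result lists of 1 / (k + rank(d)), with rank starting at 1.
// Only ranks are used, so full-text and vector scores need no normalisation.
fn rrf(lists: &[Vec<&str>], k: f64) -> Vec<(String, f64)> {
    let mut scores: HashMap<&str, f64> = HashMap::new();
    for list in lists {
        for (i, id) in list.iter().enumerate() {
            *scores.entry(*id).or_insert(0.0) += 1.0 / (k + i as f64 + 1.0);
        }
    }
    let mut fused: Vec<(String, f64)> =
        scores.into_iter().map(|(id, s)| (id.to_string(), s)).collect();
    // Highest fused score first; ties broken by id so the output is deterministic.
    fused.sort_by(|a, b| b.1.partial_cmp(&a.1).unwrap().then_with(|| a.0.cmp(&b.0)));
    fused
}

// Constructed rankings for one query: a keyword search and a vector search
// that agree on some documents and disagree on others.
fn sample_fused() -> Vec<String> {
    let full_text = vec!["note-auth", "note-backup", "note-tls"];
    let vector = vec!["note-tls", "note-auth", "note-vpn"];
    rrf(&[full_text, vector], 60.0).into_iter().map(|(id, _)| id).collect()
}

fn main() {
    println!("{:?}", sample_fused());
}
```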

LLM Providers

IronClaw defaults to NEAR AI but works with any OpenAI-compatible endpoint:

  • NEAR AI (default)
  • OpenRouter (300+ models)
  • Together AI, Fireworks AI
  • Ollama (local)
  • vLLM, LiteLLM (self-hosted)

Strengths

  • Security-first design — WASM sandbox, credential protection, prompt injection defense, and endpoint allowlisting provide enterprise-grade security.
  • Self-expanding capabilities — Describe what you need and IronClaw builds it as a WASM tool; no waiting for vendor updates.
  • Local-first architecture — All data in your PostgreSQL database, encrypted, with no telemetry or data harvesting.
  • Active development — Lead developer Yuri Polushkin commits 74+ times per week; rapid iteration.[3]
  • Enterprise features — Docker sandbox orchestration, routines engine (cron, events, webhooks), web gateway with SSE/WebSocket.

Cautions

  • PostgreSQL requirement — Requires PostgreSQL 15+ with pgvector, unlike SQLite-based alternatives (ZeroClaw, NullClaw).
  • Higher resource footprint — More feature-rich than minimal alternatives; not for embedded/IoT use cases.
  • NEAR AI association — Default auth is NEAR AI; crypto/blockchain association may concern some users.
  • Newer project — Less battle-tested than OpenClaw's 160K-star ecosystem.
  • Complex setup — More moving parts (PostgreSQL, Docker) than single-binary alternatives.

Pricing & Licensing

| Tier | Price | Includes |
|---|---|---|
| Open Source | Free | Full functionality, Apache 2.0 license |

Licensing model: Apache 2.0 — permissive open source, commercial use allowed.

Hidden costs: PostgreSQL hosting (or local), LLM API costs (NEAR AI or BYOK).


Competitive Positioning

Direct Competitors

| Competitor | Differentiation |
|---|---|
| OpenClaw | IronClaw is Rust (vs TypeScript), more security features, local PostgreSQL |
| ZeroClaw | Both Rust; IronClaw has more features, ZeroClaw is more minimal/lightweight |
| NullClaw | IronClaw uses PostgreSQL vs SQLite, more enterprise features |

When to Choose IronClaw

  • Choose IronClaw when: Security is paramount, you want self-expanding capabilities, and PostgreSQL is acceptable.
  • Choose ZeroClaw when: You need minimal footprint and embedded/IoT deployment.
  • Choose OpenClaw when: You want maximum ecosystem and don't need Rust's security benefits.

Ideal Customer Profile

Best fit:

  • Security-conscious professionals handling sensitive data
  • Developers who want self-expanding AI capabilities
  • Users comfortable with PostgreSQL infrastructure
  • Teams wanting local-first with enterprise features

Poor fit:

  • Embedded/IoT deployments (use ZeroClaw/NullClaw/PicoClaw)
  • Users wanting zero-setup experience (use Lindy)
  • Those avoiding blockchain/crypto-adjacent projects

Viability Assessment

| Factor | Assessment |
|---|---|
| Financial Health | Backed by NEAR Protocol ecosystem |
| Market Position | Niche — security-focused segment |
| Innovation Pace | Rapid (74+ commits/week) |
| Community/Ecosystem | Growing, backed by established org |
| Long-term Outlook | Positive for security-focused use cases |

NEAR AI has resources from the broader NEAR Protocol ecosystem. IronClaw occupies a specific niche: users who want OpenClaw-level features with enterprise security.


Bottom Line

IronClaw is for users who want OpenClaw's power with enterprise-grade security. The WASM sandbox, credential protection, and local-first architecture make it ideal for professionals handling sensitive data who can accept the PostgreSQL requirement.

Recommended for: Security-conscious professionals, developers wanting self-expanding capabilities, teams with PostgreSQL infrastructure.

Not recommended for: Embedded deployments, users wanting minimal setup, those avoiding crypto-adjacent projects.

Outlook: Strong backing from NEAR AI and rapid development pace suggest continued growth in the security-focused personal agent segment.


Research by Ry Walker Research • methodology