Key takeaways
- "OpenClaw rebuilt for security" — zero local code execution; all tool runs happen in remote sandboxes that terminate after each task
- Composio brokers OAuth for 1,000+ tools (Gmail, GitHub, Slack, Notion), so no raw API keys or tokens are stored on disk or handed to the agent
- One-command Vercel deploy (`npx @composio/trustclaw deploy`) with Postgres + pgvector long-term memory and web/Telegram surfaces
- Backed by Composio, the funded MCP-integration company — corporate sponsorship cuts both ways as adoption strategy and lock-in concern
FAQ
What is TrustClaw?
TrustClaw is an open-source, self-hostable 24/7 personal AI agent from Composio, built on OpenClaw's ideas but rebuilt from scratch so that all code execution happens in remote sandboxes and credentials never touch the host machine.
How much does TrustClaw cost?
The software is free under the MIT license. Running it requires Vercel hosting (free Hobby tier with cron and timeout limits), a Postgres database with pgvector, and a free Composio API key; LLM usage is billed through Vercel AI Gateway.
How does TrustClaw execute code safely?
Unlike OpenClaw, which runs code on your machine, TrustClaw gives the agent no shell access at all — tools execute in remote sandboxes that are destroyed after the task completes, and OAuth tokens are managed by Composio rather than stored locally.
How is TrustClaw different from IronClaw?
Both are security-focused OpenClaw alternatives, but IronClaw is a local-first Rust binary with a WASM sandbox, while TrustClaw is a TypeScript/Next.js app that outsources execution to remote sandboxes and credentials to Composio's managed OAuth.
Executive Summary
TrustClaw is Composio's answer to the OpenClaw security crisis: a TypeScript personal agent that keeps OpenClaw's "24/7 assistant in your chat app" premise but rebuilds the trust model from scratch. The agent has no shell access, all tool execution happens in remote sandboxes that terminate after each task, and OAuth tokens for 1,000+ integrations are brokered by Composio rather than stored on disk.[1] The pitch is explicit — Composio published "OpenClaw is a Security Nightmare Dressed Up as a Daydream" and shipped TrustClaw as the remedy.[2]
The timing is not subtle. OpenClaw's CVE-2026-25253 (CVSS 8.8) exposed how its plugin architecture gave skills "broad access to the host system without meaningful sandboxing," and the GhostClaw incident saw a trojanized npm package impersonate OpenClaw for seven days before removal, while the ClawHub registry's 5,700+ community skills became a supply-chain worry.[3] TrustClaw, created May 5, 2026, has reached 826 stars and 190 forks in its first month — modest next to OpenClaw's ecosystem, but with a corporate sponsor rather than a volunteer maintainer.[1]
| Attribute | Value |
|---|---|
| Company | Composio (funded MCP-integration company) |
| Created | May 5, 2026 |
| GitHub Stars | 826 (as of June 2026) |
| Forks | 190 |
| Language | TypeScript |
| License | MIT |
Product Overview
TrustClaw is a self-hostable personal agent you talk to through a Next.js web dashboard or a Telegram bot. It remembers context long-term in Postgres with pgvector, runs recurring work on cron schedules, and reaches Gmail, GitHub, Slack, Notion, and 1,000+ other apps through Composio's OAuth-gated tool catalog.[1] A hosted version is available at trustclaw.app for users who don't want to self-host.[4]
Key Capabilities
| Capability | Description |
|---|---|
| Remote sandboxed execution | All code runs in remote sandboxes that terminate after task completion — zero local code execution |
| Managed OAuth | Composio brokers the full token lifecycle for 1,000+ tools; no raw API keys handed to the agent |
| Scoped access | Per-agent scopes limit what each integration can touch, shrinking the threat surface |
| Vector memory | Long-term memory in Postgres + pgvector with three-layer context management (pruning, memory flush, summarization) |
| Scheduled tasks | Cron-based recurring automation |
| Authentication | Username/password via Better Auth |
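The managed-OAuth and scoped-access rows describe a credential-broker pattern: the agent asks for a named tool action, a broker that holds the OAuth tokens checks that agent's per-integration scopes, performs the upstream call itself, and returns only the result. The TypeScript sketch below is an added illustration of that pattern, not code from the TrustClaw repository or the Composio SDK; the `CredentialBroker` class, the scope and action names, the in-memory token vault and the placeholder token values are all invented for the example.

```typescript
// Added illustration of the broker pattern described on the page. Nothing here
// is Composio's or TrustClaw's API: the class, scopes, actions and vault are
// hypothetical, and the token values are obvious placeholders.

type Scope = "gmail:read" | "gmail:send" | "github:read" | "github:write";

interface AgentGrant {
  agentId: string;
  scopes: ReadonlySet<Scope>;
}

interface ToolRequest {
  agentId: string;
  integration: "gmail" | "github";
  action: string; // e.g. "listMessages", "sendMessage"
  args: Record<string, unknown>;
}

type ToolResult =
  | { ok: true; data: unknown }
  | { ok: false; error: string };

// Which scope each action needs. Actions not listed here are denied (default deny).
const REQUIRED_SCOPE: Record<string, Scope> = {
  "gmail.listMessages": "gmail:read",
  "gmail.sendMessage": "gmail:send",
  "github.listIssues": "github:read",
  "github.createIssue": "github:write",
};

// Constructed token vault. In the model the page describes this lives with the
// broker (Composio), never on the agent host. Values are fake placeholders.
const TOKEN_VAULT: Record<string, string> = {
  gmail: "PLACEHOLDER_GMAIL_OAUTH_TOKEN",
  github: "PLACEHOLDER_GITHUB_OAUTH_TOKEN",
};

// Constructed stand-in for the real HTTPS call to the upstream API. It reports
// which call was made and that a bearer token was attached, without echoing it.
function callUpstream(
  integration: string,
  action: string,
  token: string,
  args: Record<string, unknown>,
) {
  return { integration, action, args, authenticated: token.length > 0 };
}

class CredentialBroker {
  private grants = new Map<string, AgentGrant>();
  private audit: string[] = [];

  grant(agentId: string, scopes: Scope[]): void {
    this.grants.set(agentId, { agentId, scopes: new Set(scopes) });
  }

  // The agent only ever receives a ToolResult; the token never crosses this boundary.
  execute(req: ToolRequest): ToolResult {
    const key = `${req.integration}.${req.action}`;
    const needed = REQUIRED_SCOPE[key];
    if (!needed) {
      this.audit.push(`DENY ${req.agentId} ${key}: unknown action`);
      return { ok: false, error: `unknown action ${key}` };
    }
    const grant = this.grants.get(req.agentId);
    if (!grant || !grant.scopes.has(needed)) {
      this.audit.push(`DENY ${req.agentId} ${key}: missing scope ${needed}`);
      return { ok: false, error: `agent lacks scope ${needed}` };
    }
    const token = TOKEN_VAULT[req.integration];
    this.audit.push(`ALLOW ${req.agentId} ${key}`);
    return { ok: true, data: callUpstream(req.integration, req.action, token, req.args) };
  }

  auditLog(): readonly string[] {
    return this.audit;
  }
}

// Demo: a read-only mail-triage agent may list messages but can neither send
// mail nor reach an action the broker does not know about.
function demo() {
  const broker = new CredentialBroker();
  broker.grant("mail-triage", ["gmail:read"]);
  const allowed = broker.execute({ agentId: "mail-triage", integration: "gmail", action: "listMessages", args: { q: "is:unread" } });
  const denied = broker.execute({ agentId: "mail-triage", integration: "gmail", action: "sendMessage", args: { to: "someone@example.com" } });
  const unknown = broker.execute({ agentId: "mail-triage", integration: "github", action: "deleteRepo", args: {} });
  return { allowed, denied, unknown, audit: broker.auditLog() };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two properties are worth checking in any broker of this shape: the action table is default-deny, so a prompt-injected request for an unlisted action fails before any scope lookup, and the serialized result handed back to the agent contains no token material. The flip side, which the Cautions section below raises, is that the broker now holds every grant, so its audit log and its own access controls become the thing to review.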
Product Surfaces
| Surface | Description | Availability |
|---|---|---|
| Web dashboard | Next.js 15 / React 19 chat UI | Self-hosted or trustclaw.app |
| Telegram bot | Full agent access from chat | Self-hosted |
| Cron runtime | Scheduled background tasks | Self-hosted (Vercel cron) |
Technical Architecture
TrustClaw is a Vercel-native deployment: a one-click template or a single CLI command provisions the app, with Postgres, a Better Auth secret, and a free Composio API key as the prerequisites.[1]
```bash
npx @composio/trustclaw deploy
```
LLM calls route through Vercel AI Gateway, so no model API keys are stored locally; the agent loop is a tRPC backend (prepareAgentRun → ToolLoopAgent) with optional Redis for resumable streams.[1]
Key Technical Details
| Aspect | Detail |
|---|---|
| Deployment | One-command Vercel deploy or local Node.js + Postgres/pgvector |
| Model(s) | Claude via Vercel AI Gateway (no direct API keys) |
| Integrations | 1,000+ OAuth tools via Composio SDK |
| Open Source | MIT license, TypeScript (~98% of codebase) |
Strengths
- Security model addresses real, documented failures — managed OAuth, scoped access, and remote sandboxes map directly onto the credential-storage, blast-radius, and local-execution problems exposed by CVE-2026-25253 and the GhostClaw/ClawHub incidents.[2][3]
- Zero local code execution — the agent has no shell access; a prompt injection cannot wipe your machine because nothing runs on it.[1]
- Largest tool surface in the category — 1,000+ OAuth integrations out of the box via Composio, versus the DIY skill-wiring of most OpenClaw alternatives.[1]
- Lowest-friction deploy in the category — a Vercel template button or one CLI command, versus Rust toolchains or Docker orchestration for IronClaw/ZeroClaw.[1]
- Corporate backing — Composio is a funded company with the integration catalog as its core business, not a side project.[2]
Cautions
- Vendor-driven project — TrustClaw exists to funnel users toward Composio's tool broker; the security argument and the business model are the same document.[2]
- Trust shifts, it doesn't disappear — "no tokens on disk" means Composio holds your OAuth grants and Vercel AI Gateway sees your model traffic; this trades local risk for third-party dependency.[1]
- Free-tier operational limits — on Vercel's Hobby plan, cron jobs run only once per day and functions time out at 300 seconds (800s requires Pro).[1]
- Small, young community — 826 stars and 190 forks one month in, versus OpenClaw's six-figure star count; little independent security review yet.[1]
- Fewer surfaces than siblings — web and Telegram only; no Discord, Slack, iMessage, or WhatsApp channels like ZeroClaw offers.[1]
What Developers Say
Independent community discussion is thin as of June 2026 — the project's only direct Hacker News submission drew 2 points and zero comments, so the quotes below come from adjacent threads rather than a substantive launch discussion. That silence is itself a data point for a one-month-old project.[5]
"Should have said this was a fear to promote a b2b SaaS 'TrustClaw'" — an HN commenter, on Composio's OpenClaw security post[5]
Supports "all leading frameworks OpenClaw, NanoClaw, ZeroClaw, TrustClaw, Nanobot and PicoClaw" — an HN commenter describing an agent-monitoring tool, an early sign TrustClaw is being slotted into the category[5]
The first quote captures the dominant skeptical read: TrustClaw's marketing leans on fear of OpenClaw's CVEs to sell Composio's platform.[5]
Pricing & Licensing
| Tier | Price | Includes |
|---|---|---|
| Open Source | Free | Full codebase, MIT license, self-host anywhere |
| Hosted (trustclaw.app) | Pricing not publicly listed | Managed deployment by Composio |
Licensing model: MIT — permissive open source, commercial use allowed.[1]
Hidden costs: Vercel hosting (Pro needed for sub-daily cron and 800s timeouts), Postgres hosting, LLM usage via Vercel AI Gateway, and Composio plan limits beyond the free API key.[1]
Competitive Positioning
TrustClaw is one of several security-motivated rebuilds — Composio's own alternatives roundup positions it alongside the Rust rewrites.[6]
Direct Competitors
| Competitor | Differentiation |
|---|---|
| OpenClaw | TrustClaw removes local execution entirely and brokers credentials; OpenClaw has the vastly larger ecosystem and skill registry |
| IronClaw | IronClaw is local-first Rust with a WASM sandbox and encrypted local Postgres; TrustClaw outsources execution and OAuth to remote services |
| ZeroClaw | ZeroClaw targets minimal hardware (sub-5MB RAM, single binary); TrustClaw targets zero-ops cloud deploys with a far bigger tool catalog |
TrustClaw is also a strategic on-ramp for Composio — the agent is a reference customer for the company's 1,000+-tool OAuth broker.[2]
When to Choose TrustClaw Over Alternatives
- Choose TrustClaw when: you want OpenClaw-style assistance with no code touching your machine, broad SaaS integrations, and a one-command cloud deploy.
- Choose IronClaw when: data must stay local and you'd rather audit a sandbox than trust a third-party broker.
- Choose OpenClaw when: ecosystem breadth matters more than the hardened trust model.
Ideal Customer Profile
Best fit:
- Users spooked by CVE-2026-25253/GhostClaw who still want a personal agent
- Teams already on Vercel and comfortable with managed services
- People who need deep Gmail/Slack/Notion/GitHub automation without wiring OAuth themselves
- TypeScript developers who want to extend a Next.js codebase
Poor fit:
- Local-first or air-gapped users (use IronClaw)
- Edge/embedded deployments (use ZeroClaw)
- Anyone unwilling to route credentials and model traffic through Composio and Vercel
Viability Assessment
| Factor | Assessment |
|---|---|
| Financial Health | Backed by Composio, a funded MCP-integration company |
| Market Position | New entrant; smallest community among major OpenClaw alternatives |
| Innovation Pace | Active — created May 2026, pushed within the last week as of June 2026 |
| Community/Ecosystem | Early (826 stars, 190 forks); leverages Composio's existing 1,000+ tool catalog |
| Long-term Outlook | Tied to Composio's business; survives as long as the broker does |
TrustClaw's viability is effectively Composio's viability. That makes it better resourced than most volunteer rebuilds, but it also means the project's incentives point at the sponsor's platform — a structure community skeptics have already called out.[5]
Bottom Line
TrustClaw is the cleanest articulation yet of the post-CVE thesis: personal agents should never execute code on your machine or hold your tokens. The remote-sandbox plus managed-OAuth design genuinely eliminates the failure modes that burned OpenClaw users, and the one-command Vercel deploy makes it the easiest secure option to actually stand up. The cost is dependence — on Composio for credentials, on Vercel for runtime — and a community too small to have pressure-tested any of it.
Recommended for: Vercel-comfortable users who want OpenClaw's utility without local execution risk, and teams needing broad OAuth-gated SaaS automation fast.
Not recommended for: Local-first privacy purists, embedded deployments, or anyone wary of a vendor-sponsored security narrative.
Outlook: Composio's funding and integration moat give TrustClaw staying power, but it must convert OpenClaw's frightened users faster than the Rust rewrites do to escape "marketing vehicle" status.
Research by Ry Walker Research • methodology
Sources
- [1] TrustClaw GitHub Repository
- [2] Composio: OpenClaw is a Security Nightmare Dressed Up as a Daydream
- [3] ClawTrackr: OpenClaw Security Timeline — CVE, GhostClaw Malware
- [4] TrustClaw by Composio (hosted app)
- [5] TrustClaw mentions on Hacker News (Algolia search)
- [6] Composio: 10 Best OpenClaw Alternatives in 2026