← Back to research
·7 min read·opensource

ZeroClaw

ZeroClaw is a security-first Rust AI agent runtime that runs on $10 hardware in a few MB of RAM. Now at ~32K GitHub stars with OS-level sandboxing, tool receipts, and 30+ channels.

Key takeaways

  • Roughly doubled from 16K to ~32K GitHub stars between late February and June 2026, riding the post-OpenClaw-security-crisis demand for hardened alternatives
  • Security-first: supervised autonomy by default, OS-level sandboxes (Landlock, Bubblewrap, Seatbelt, Docker), and cryptographic tool receipts on every action
  • Single Rust binary (~6.6MB minimal kernel) with no runtime dependencies — idles around 4MB RAM with sub-10ms cold starts
  • Shipping steadily: v0.7.4, v0.7.5, and two v0.8.0 betas released between May and June 2026, with commits landing daily

FAQ

How does ZeroClaw compare to OpenClaw on security?

ZeroClaw defaults to supervised autonomy — medium-risk operations require approval and high-risk ones are blocked — with workspace boundaries, command policy, OS-level sandboxes, and cryptographic tool receipts. OpenClaw's permissive default posture was at the center of the early-2026 CVE-2026-25253 and ClawHavoc incidents.

What hardware can run ZeroClaw?

Any $10 ARM/RISC-V/x86 board. It idles around 4MB RAM with sub-10ms cold starts, and the Peripheral trait exposes GPIO/I2C/SPI/USB on Raspberry Pi, STM32, Arduino, and ESP32.

Who built ZeroClaw?

Students and members from Harvard, MIT, and Sundai.Club communities, now organized as ZeroClaw Labs. Funding is not publicly disclosed; the project is free and open source under MIT OR Apache-2.0.

Overview

ZeroClaw is a security-first Rust AI agent runtime built by students from Harvard, MIT, and the Sundai.Club community, now organized as ZeroClaw Labs.[1] The project prioritizes security, efficiency, and portability — a single binary that runs on $10 hardware while talking to ~20 LLM providers and 30+ channels.[2]

As of June 2026, the repo sits at roughly 31.9K GitHub stars with 4.7K forks — about double its late-February count.[1] The OpenClaw security crisis (CVE-2026-25253 plus the ClawHavoc malicious-skills campaign) pushed security-conscious users toward hardened alternatives, and ZeroClaw's deny-by-default posture made it a fixture of post-crisis "OpenClaw alternatives" coverage.[3]

Funding is not publicly disclosed. The project is free and open source under MIT OR Apache-2.0.

Key Stats (as of June 11, 2026)

MetricValue
GitHub Stars~31.9K
Forks~4.7K
LanguageRust
Binary Size~6.6MB minimal kernel (3.4–8.8MB by feature set)
RAM Usage~4MB idle
StartupUnder 10ms
Latest Stablev0.7.5 (May 2026); v0.8.0 in beta
LicenseMIT OR Apache-2.0
CreatedFebruary 13, 2026

Benchmark vs Alternatives

Launch-era comparison published by the project:

OpenClawNanoBotPicoClawZeroClaw
LanguageTypeScriptPythonGoRust
RAM1GB+100MB+Under 10MBUnder 5MB
Startup (0.8GHz)500s+30s+Under 1sUnder 10ms
Binary~28MBN/A~8MB~8.8MB
Hardware Cost$599 Mac~$50 SBC$10 board$10 board

Independent testing broadly confirms the efficiency claims — LumaDock measured ZeroClaw idling at ~3.9MB RAM with cold starts under 10ms, versus "hundreds of megabytes" for OpenClaw.[4]

Installation

# One-line installer (prebuilt binary or source build)
curl -fsSL https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/master/install.sh | bash

# Or clone and run
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
./install.sh

# Minimal kernel only (~6.6MB)
./install.sh --minimal

# One-shot setup: pick a provider, write a working config
zeroclaw quickstart

# Interactive chat
zeroclaw agent -a <alias>

# Run always-on as a system service
zeroclaw service install
zeroclaw service start

Pre-built binaries cover Linux (x86_64, aarch64, armv7, musl), macOS (x86_64, aarch64), Windows (x86_64), and Android (aarch64), with platform guides for FreeBSD, NixOS, and Docker.[1]

Security Features

FeatureDescription
Supervised AutonomyDefault mode: medium-risk ops require approval, high-risk blocked
OS-Level SandboxesLandlock, Bubblewrap, Seatbelt, or Docker isolation
Tool ReceiptsCryptographic receipts on every agent action
Command PolicyExplicit allowlist-based command control
Workspace ScopingWorkspace boundaries with forbidden-path protection
Gateway PairingLocalhost-bound gateway with one-time pairing codes

A "YOLO mode" escape hatch exists for trusted dev environments.[2]

Channel Support

ZeroClaw now ships 30+ channel adapters — CLI, Telegram, Discord, Slack, iMessage, Matrix, WhatsApp, email, voice, and webhooks all deliver into the same agent loop.[1] IDE/editor integration arrives via the Agent Client Protocol (JSON-RPC 2.0 over stdio).

Provider Support

  • Ollama — Local models
  • OpenRouter — Access to all major models
  • Anthropic — Claude direct
  • OpenAI — Including Codex subscription auth
  • ~20 cloud providers — With fallback chains and routing when a provider flakes

Architecture

User → Channel (30+) / Gateway (REST/WS) / ACP → ZeroClaw Runtime → Sandbox → LLM Provider
                              ↓
                  Memory (SQLite + FTS5 + Vector)

Trait-driven design — Core systems (providers, channels, tools, memory, tunnels, peripherals) are Rust traits, making everything swappable.

Hybrid memory — SQLite with FTS5 full-text search plus vector cosine similarity for semantic retrieval.

SOP engine — Event-triggered Standard Operating Procedures (MQTT, webhook, cron, peripheral) with approval gates and resumable runs.

Strengths

  • Security-First — Supervised autonomy, OS sandboxes, tool receipts, workspace scoping
  • Extreme Efficiency — ~4MB idle RAM, sub-10ms startup, verified by independent testing[4]
  • Active Development — Four releases between May and early June 2026; commits landing daily as of June 11[1]
  • Portable — Single binary across ARM, x86, RISC-V, plus GPIO/I2C/SPI on embedded boards
  • No Lock-In — OpenAI-compatible plus pluggable custom endpoints
  • Migration Path — Imports OpenClaw data
  • Active Community — Discord, Telegram, Reddit, and multilingual docs

Weaknesses / Considerations

  • Young Project — Launched February 13, 2026; still pre-1.0 (v0.8.0 in beta)
  • Security Gaps in Practice — LumaDock found modules like PromptGuard and LeakDetector exist but "aren't wired into the production response pipeline yet"[4]
  • Rust Build Time — Source compilation requires 2-4GB RAM (prebuilt binaries avoid this)
  • Smaller Ecosystem — Far fewer integrations than OpenClaw's 1,000+ SaaS connections; thinner docs in places[4]
  • Impersonation Issues — The project has warned about fake domains and unauthorized forks

What Developers Say

From the Show HN for James Library, a multi-agent research lab built on ZeroClaw:[5]

"ZeroClaw's pure Rust implementation provided exactly the zero-overhead foundation the project required... Because they solved the core runtime execution so elegantly, I was able to spend my time building the higher-level orchestration on top of it." — cwoodyard, Hacker News

Not everyone is impressed by the differentiation. In a thread comparing the Claw-ecosystem agents, one commenter dismissed it as simply:[6]

"ZeroClaw: Claw But In Rust" — tao_oat, Hacker News

The broader sentiment in that thread was cautious — commenters noted the Claw forks are "popping up way too fast" for quality software and recommended strict access controls (virtual cards, restricted accounts) regardless of which runtime you pick.[6]

Who Built It

Students and members from Harvard, MIT, and the Sundai.Club community, now operating as ZeroClaw Labs with an official site and hosted docs.[7] The project maintains communities in English, Chinese, Russian, Japanese, French, and Vietnamese.

Ideal User

  • Security-conscious deployments requiring isolation, approval gates, and audit receipts
  • Edge/embedded systems with under 10MB RAM available
  • Hardware projects — Raspberry Pi, STM32, Arduino, ESP32 via the Peripheral trait
  • Rust developers wanting to contribute or customize
  • Privacy-focused individuals who need data to stay local

Bottom Line

ZeroClaw is what you run when OpenClaw's security model keeps you up at night — and after the January-February 2026 CVE and ClawHavoc episodes, a lot more people are losing sleep. Stars roughly doubled to ~32K between late February and June 2026, and the project graduated from student hack to organized lab with hosted docs, daily commits, and a steady release cadence heading toward v0.8.0.

The efficiency numbers hold up under independent testing — about 4MB idle RAM and sub-10ms startup means this genuinely runs on $10 hardware. The security architecture (supervised autonomy, OS-level sandboxes, tool receipts) is the most considered in the Claw ecosystem, though reviewers note some advertised modules aren't fully wired into the production pipeline yet.

The caveats are maturity and ecosystem depth. It's still pre-1.0, documentation is thin in places, and OpenClaw's integration catalog remains far larger. For security-critical deployments or edge hardware, ZeroClaw is the strongest option in the ecosystem. For maximum integrations, OpenClaw still wins on breadth.