Key takeaways
- Roughly doubled from 16K to ~32K GitHub stars between late February and June 2026, riding the post-OpenClaw-security-crisis demand for hardened alternatives
- Security-first: supervised autonomy by default, OS-level sandboxes (Landlock, Bubblewrap, Seatbelt, Docker), and cryptographic tool receipts on every action
- Single Rust binary (~6.6MB minimal kernel) with no runtime dependencies — idles around 4MB RAM with sub-10ms cold starts
- Shipping steadily: v0.7.4, v0.7.5, and two v0.8.0 betas released between May and June 2026, with commits landing daily
FAQ
How does ZeroClaw compare to OpenClaw on security?
ZeroClaw defaults to supervised autonomy — medium-risk operations require approval and high-risk ones are blocked — with workspace boundaries, command policy, OS-level sandboxes, and cryptographic tool receipts. OpenClaw's permissive default posture was at the center of the early-2026 CVE-2026-25253 and ClawHavoc incidents.
What hardware can run ZeroClaw?
Any $10 ARM/RISC-V/x86 board. It idles around 4MB RAM with sub-10ms cold starts, and the Peripheral trait exposes GPIO/I2C/SPI/USB on Raspberry Pi, STM32, Arduino, and ESP32.
Who built ZeroClaw?
Students and members from Harvard, MIT, and Sundai.Club communities, now organized as ZeroClaw Labs. Funding is not publicly disclosed; the project is free and open source under MIT OR Apache-2.0.
Overview
ZeroClaw is a security-first Rust AI agent runtime built by students from Harvard, MIT, and the Sundai.Club community, now organized as ZeroClaw Labs.[1] The project prioritizes security, efficiency, and portability — a single binary that runs on $10 hardware while talking to ~20 LLM providers and 30+ channels.[2]
As of June 2026, the repo sits at roughly 31.9K GitHub stars with 4.7K forks — about double its late-February count.[1] The OpenClaw security crisis (CVE-2026-25253 plus the ClawHavoc malicious-skills campaign) pushed security-conscious users toward hardened alternatives, and ZeroClaw's deny-by-default posture made it a fixture of post-crisis "OpenClaw alternatives" coverage.[3]
Funding is not publicly disclosed. The project is free and open source under MIT OR Apache-2.0.
Key Stats (as of June 11, 2026)
| Metric | Value |
|---|---|
| GitHub Stars | ~31.9K |
| Forks | ~4.7K |
| Language | Rust |
| Binary Size | ~6.6MB minimal kernel (3.4–8.8MB by feature set) |
| RAM Usage | ~4MB idle |
| Startup | Under 10ms |
| Latest Stable | v0.7.5 (May 2026); v0.8.0 in beta |
| License | MIT OR Apache-2.0 |
| Created | February 13, 2026 |
Benchmark vs Alternatives
Launch-era comparison published by the project:
| OpenClaw | NanoBot | PicoClaw | ZeroClaw | |
|---|---|---|---|---|
| Language | TypeScript | Python | Go | Rust |
| RAM | 1GB+ | 100MB+ | Under 10MB | Under 5MB |
| Startup (0.8GHz) | 500s+ | 30s+ | Under 1s | Under 10ms |
| Binary | ~28MB | N/A | ~8MB | ~8.8MB |
| Hardware Cost | $599 Mac | ~$50 SBC | $10 board | $10 board |
Independent testing broadly confirms the efficiency claims — LumaDock measured ZeroClaw idling at ~3.9MB RAM with cold starts under 10ms, versus "hundreds of megabytes" for OpenClaw.[4]
Installation
# One-line installer (prebuilt binary or source build)
curl -fsSL https://raw.githubusercontent.com/zeroclaw-labs/zeroclaw/master/install.sh | bash
# Or clone and run
git clone https://github.com/zeroclaw-labs/zeroclaw.git
cd zeroclaw
./install.sh
# Minimal kernel only (~6.6MB)
./install.sh --minimal
# One-shot setup: pick a provider, write a working config
zeroclaw quickstart
# Interactive chat
zeroclaw agent -a <alias>
# Run always-on as a system service
zeroclaw service install
zeroclaw service start
Pre-built binaries cover Linux (x86_64, aarch64, armv7, musl), macOS (x86_64, aarch64), Windows (x86_64), and Android (aarch64), with platform guides for FreeBSD, NixOS, and Docker.[1]
Security Features
| Feature | Description |
|---|---|
| Supervised Autonomy | Default mode: medium-risk ops require approval, high-risk blocked |
| OS-Level Sandboxes | Landlock, Bubblewrap, Seatbelt, or Docker isolation |
| Tool Receipts | Cryptographic receipts on every agent action |
| Command Policy | Explicit allowlist-based command control |
| Workspace Scoping | Workspace boundaries with forbidden-path protection |
| Gateway Pairing | Localhost-bound gateway with one-time pairing codes |
A "YOLO mode" escape hatch exists for trusted dev environments.[2]
Channel Support
ZeroClaw now ships 30+ channel adapters — CLI, Telegram, Discord, Slack, iMessage, Matrix, WhatsApp, email, voice, and webhooks all deliver into the same agent loop.[1] IDE/editor integration arrives via the Agent Client Protocol (JSON-RPC 2.0 over stdio).
Provider Support
- Ollama — Local models
- OpenRouter — Access to all major models
- Anthropic — Claude direct
- OpenAI — Including Codex subscription auth
- ~20 cloud providers — With fallback chains and routing when a provider flakes
Architecture
User → Channel (30+) / Gateway (REST/WS) / ACP → ZeroClaw Runtime → Sandbox → LLM Provider
↓
Memory (SQLite + FTS5 + Vector)
Trait-driven design — Core systems (providers, channels, tools, memory, tunnels, peripherals) are Rust traits, making everything swappable.
Hybrid memory — SQLite with FTS5 full-text search plus vector cosine similarity for semantic retrieval.
SOP engine — Event-triggered Standard Operating Procedures (MQTT, webhook, cron, peripheral) with approval gates and resumable runs.
Strengths
- Security-First — Supervised autonomy, OS sandboxes, tool receipts, workspace scoping
- Extreme Efficiency — ~4MB idle RAM, sub-10ms startup, verified by independent testing[4]
- Active Development — Four releases between May and early June 2026; commits landing daily as of June 11[1]
- Portable — Single binary across ARM, x86, RISC-V, plus GPIO/I2C/SPI on embedded boards
- No Lock-In — OpenAI-compatible plus pluggable custom endpoints
- Migration Path — Imports OpenClaw data
- Active Community — Discord, Telegram, Reddit, and multilingual docs
Weaknesses / Considerations
- Young Project — Launched February 13, 2026; still pre-1.0 (v0.8.0 in beta)
- Security Gaps in Practice — LumaDock found modules like PromptGuard and LeakDetector exist but "aren't wired into the production response pipeline yet"[4]
- Rust Build Time — Source compilation requires 2-4GB RAM (prebuilt binaries avoid this)
- Smaller Ecosystem — Far fewer integrations than OpenClaw's 1,000+ SaaS connections; thinner docs in places[4]
- Impersonation Issues — The project has warned about fake domains and unauthorized forks
What Developers Say
From the Show HN for James Library, a multi-agent research lab built on ZeroClaw:[5]
"ZeroClaw's pure Rust implementation provided exactly the zero-overhead foundation the project required... Because they solved the core runtime execution so elegantly, I was able to spend my time building the higher-level orchestration on top of it." — cwoodyard, Hacker News
Not everyone is impressed by the differentiation. In a thread comparing the Claw-ecosystem agents, one commenter dismissed it as simply:[6]
"ZeroClaw: Claw But In Rust" — tao_oat, Hacker News
The broader sentiment in that thread was cautious — commenters noted the Claw forks are "popping up way too fast" for quality software and recommended strict access controls (virtual cards, restricted accounts) regardless of which runtime you pick.[6]
Who Built It
Students and members from Harvard, MIT, and the Sundai.Club community, now operating as ZeroClaw Labs with an official site and hosted docs.[7] The project maintains communities in English, Chinese, Russian, Japanese, French, and Vietnamese.
Ideal User
- Security-conscious deployments requiring isolation, approval gates, and audit receipts
- Edge/embedded systems with under 10MB RAM available
- Hardware projects — Raspberry Pi, STM32, Arduino, ESP32 via the Peripheral trait
- Rust developers wanting to contribute or customize
- Privacy-focused individuals who need data to stay local
Bottom Line
ZeroClaw is what you run when OpenClaw's security model keeps you up at night — and after the January-February 2026 CVE and ClawHavoc episodes, a lot more people are losing sleep. Stars roughly doubled to ~32K between late February and June 2026, and the project graduated from student hack to organized lab with hosted docs, daily commits, and a steady release cadence heading toward v0.8.0.
The efficiency numbers hold up under independent testing — about 4MB idle RAM and sub-10ms startup means this genuinely runs on $10 hardware. The security architecture (supervised autonomy, OS-level sandboxes, tool receipts) is the most considered in the Claw ecosystem, though reviewers note some advertised modules aren't fully wired into the production pipeline yet.
The caveats are maturity and ecosystem depth. It's still pre-1.0, documentation is thin in places, and OpenClaw's integration catalog remains far larger. For security-critical deployments or edge hardware, ZeroClaw is the strongest option in the ecosystem. For maximum integrations, OpenClaw still wins on breadth.
Sources
- [1] ZeroClaw GitHub Repository
- [2] ZeroClaw Documentation
- [3] OpenClaw's security crisis: ClawHavoc analysis — Ruh.ai
- [4] ZeroClaw vs OpenClaw for self-hosted AI agents — LumaDock
- [5] Show HN: James Library — Local multi-agent research lab (built on ZeroClaw)
- [6] Has anyone used OpenClaw / NanoClaw / PicoClaw / ZeroClaw? — Hacker News
- [7] ZeroClaw Labs Official Site