ShibaClaw 🐕
Security-first AI agent with built-in WebUI, native provider support, and hardened tools.
version
PyPI Downloads
python
license
Ask DeepWiki
📢 Welcome to ShibaClaw v0.2.0! This release adds cross-provider model search, true per-session model routing, a redesigned model-first settings flow, and OpenRouter OAuth directly in the WebUI.
See the Changelog for details.
ShibaClaw is a security-first AI agent for your terminal, your browser, and across 11 channels.
Security isn't glue code — it's the foundation: CVE auditing at install time, prompt-injection wrapping on every tool result, SSRF/DNS-rebinding protection, shell hardening, workspace sandboxing, and bearer-token auth are all built into the core.
22 providers · 11 chat channels · built-in WebUI · 3-level proactive memory · cron · heartbeat · skills · MCP
Quick Start
Docker
curl -fsSL https://raw.githubusercontent.com/RikyZ90/ShibaClaw/main/docker-compose.yml -o docker-compose.yml
docker compose up -d # pulls from Docker Hub automatically
docker exec -it shibaclaw-gateway shibaclaw print-token Open http://localhost:3000 , paste the token, and follow the onboard wizard.
pip
pip install shibaclaw
shibaclaw web --with-gateway # starts WebUI + agent engine on :3000 Open http://localhost:3000 and follow the onboard wizard.
Prefer the CLI? shibaclaw onboard runs the same guided setup from the terminal.
Security, Built In
Defenses that are normally scattered across app glue or external proxies — in ShibaClaw they ship in the core, on by default.
🛡️ Prompt-Injection Wrapping (Tool Sandboxing)
Instead of simply feeding raw tool outputs back to the LLM, ShibaClaw wraps every tool result in a dynamically generated XML-like boundary with a randomized nonce (e.g., <tool_output_a1b2c3d4>).
Why this matters: Attackers often try to prematurely close tags or inject fake system instructions inside tool outputs (like web page content). By using a randomized boundary generated per-iteration, the agent can reliably differentiate between actual system instructions and injected payloads. Furthermore, any attempt to inject the specific closing tag inside the content is automatically sanitized and escaped, ensuring the sandbox remains airtight and the original system prompt takes precedence.
🔍 Install-Time Package Autoscan
Before executing any pip, npm, or apt install command, ShibaClaw intercepts the action and parses the dependencies. It runs tools like pip-audit or npm audit --json to scan for known vulnerabilities against CVE databases before applying any changes.
Why this matters: It shifts security entirely to the left. Instead of blindly blocking package managers or relying on post-install scans, it evaluates the exact dependency tree before execution. If a package contains critical/high CVEs, or if suspicious flags (like --allow-unauthenticated for apt) are detected, the installation is blocked. This allows the AI to autonomously build software without turning the host into a liability.
Security Layers Overview
| Layer |
What it does |
| 🔍 Install-time audit |
Audits pip and npm before execution — blocks critical/high CVEs before they land |
| 🛡️ Prompt-injection wrapping |
Wraps every tool result in a randomized <tool_output_...> boundary and sanitizes closing tags |
| 🔒 Shell hardening |
20+ deny patterns, escape normalization (\x.., \u....), internal URL detection |
| 🌐 Network guard |
SSRF filtering, redirect revalidation, DNS-rebinding-safe resolution |
| 📁 Workspace sandbox |
File tools and file browser locked to the configured workspace |
| 🔑 Access control |
Bearer token auth, constant-time checks, channel allowlists, optional rate limiting |
| ⚡ Distributed engine |
UI (≈128 MB) decoupled from agent brain (≈256 MB+) — minimal footprint per process |
|