SecureClaw

Get running in 60 seconds

curl -sL https://secureclaw-website.pages.dev/releases/latest/secureclaw-linux-amd64 -o secureclaw
chmod +x secureclaw
./secureclaw onboard

Then ./secureclaw start and open localhost:18789.

curl -sL https://secureclaw-website.pages.dev/releases/latest/secureclaw-darwin-arm64 -o secureclaw
chmod +x secureclaw
xattr -d com.apple.quarantine secureclaw
./secureclaw onboard

The xattr step removes macOS Gatekeeper quarantine on the unsigned binary. Then ./secureclaw start and open localhost:18789.

SecureClaw requires WSL2 on Windows. Open your WSL2 terminal and run:

curl -sL https://secureclaw-website.pages.dev/releases/latest/secureclaw-linux-amd64 -o secureclaw
chmod +x secureclaw
./secureclaw onboard

Don't have WSL2? Run wsl --install in PowerShell first. Then ./secureclaw start and open localhost:18789.

The wizard sets up your provider, API key, vault password, and AI personality. Need help? Check the wiki.

Security at a glance

BLAKE3 binary attestation — hashes itself on every startup, checks two independent sources before unlocking anything
2-source verification — both a Cloudflare Worker and this website must confirm the hash. Compromise one, the other still blocks it
age-encrypted vault — credentials encrypted at rest, vault key cryptographically bound to attestation
Tool Call Authorization Tokens — isolated policy engine authorizes every tool call, immune to prompt injection
No telemetry — no phone home, no tracking. Only outbound calls are attestation on startup

Want the full breakdown? See how it works.

What is SecureClaw?

Get running in 60 seconds

Verify your binary

Security at a glance