
ShibaClaw is a loyal, intelligent, and lightweight personal AI assistant framework — built to serve and protect your digital workspace.
The only AI agent framework combining extreme multi-layer security (Structural Tool Output Wrapping against Prompt Injection + Smart Install Guard with live CVE scanning before every package install) with minimal token consumption, keeping your costs low without sacrificing power.
🛡️ Built-in Security: Protected against Indirect Prompt Injection via Structural Randomized Wrapping and strict per-session security policies.
v0.0.19 is out! � Voice I/O: Full Speech-to-Text pipeline (OpenAI-compatible, Groq/Whisper) with browser-native TTS, VAD, and a dedicated Voice & Audio settings section. ⌨️ Smart Settings: Model field now has history tracking and autocomplete; Provider field is a smart dropdown showing only configured providers (API key, local, or OAuth). 🧹 Cleanup: Dead code and redundant comments removed from speech and socket modules.
shibaclaw web). The health check and heartbeat services now correctly fall back to the local agent instance when a separate gateway process is not present.shibaclaw onboard now drives a single guided setup flow across CLI and WebUI: provider detection, OAuth handoff, model selection, template refresh, and optional channel setup.USER.md, operational context lives in memory/MEMORY.md, and the new memory_search tool ranks HISTORY.md entries by recency, importance, and relevance.pip / docker upgrade commands.pip install shibaclaw. Docker images are published automatically on every release to ghcr.io/rikyz90/shibaclaw.USER.md and operational context in memory/MEMORY.md without any interruption.pip, npm, apt, ...) are intercepted and audited for CVEs before execution. Critical/high severity packages are blocked with a full report; clean packages install freely.openai, anthropic) for leaner images and stricter control. GitHub Copilot OAuth rewritten with raw async device flow for stable background token refresh. Shell tool hardened against $(), backticks, piped shells (curl | bash), and process substitution. Gateway restart endpoint secured with token-based auth.USER.md and operational context in memory/MEMORY.md, ensuring no "scent" is lost even in long sessions.Like the most devoted guard dog, ShibaClaw is trained to obey only its master. Thanks to its advanced Tool Output Wrapping system, the framework is hardened against Indirect Prompt Injection attacks. It treats external data from websites, files, or tools as literal information—never as new instructions. Your orders are final; to ShibaClaw, external noise is just a squirrel 🐿️.
When the agent attempts to run a package installation command, ShibaClaw no longer blindly blocks it. Instead, it intercepts the command, audits the packages for known vulnerabilities (CVEs), and only proceeds if the risk is acceptable.
ExecTool recognizes install commands for pip, npm, yarn, pnpm, apt, dnf/yum, and brew.pip install ...) → pip-audit --format json checks against the OSV/PyPA advisory database.npm install ...) → npm audit --json checks against the npm security advisory database.apt/dnf) → Safety flags (e.g. --allow-unauthenticated, --nogpgcheck) are checked; repository-level security is assumed.critical or high vulnerabilities → install is blocked and the agent receives a full CVE report.medium or low vulnerabilities → install proceeds with a warning appended to the output.pip-audit not installed), the install is allowed with a warning rather than blocked.Destructive operations (
pip uninstall,npm remove,apt-get remove,apt-get purge) remain unconditionally blocked.
In config.json under tools.exec:
{
"tools": {
"exec": {
"installAudit": true,
"installAuditTimeout": 120,
"installAuditBlockSeverity": "high"
}
}
}
| Option | Default | Description |
|---|---|---|
installAudit |
true |
Enable/disable vulnerability scanning for installs |
installAuditTimeout |
120 |
Seconds to wait for audit tools before falling back |
installAuditBlockSeverity |
"high" |
Minimum severity to block: critical, high, medium, low |
ShibaClaw won't wait for your session to end or the context window to fill to remember important details. With Proactive Learning, the agent periodically "sniffs" the recent conversation in the background to extract profile facts and project context.
USER.md, while environment details and project status are merged into memory/MEMORY.md._schedule_background. You can continue chatting without any interruption.In config.json under agents.defaults:
{
"agents": {
"defaults": {
"learning_enabled": true,
"learning_interval": 10
}
}
}
| Option | Default | Description |
|---|---|---|
learning_enabled |
true |
Enable periodic background fact extraction |
learning_interval |
10 |
Number of messages between learning pulses |
Ready to hunt? Choose your path:
# Optional: define a fixed WebUI token before startup
# .env and add SHIBACLAW_AUTH_TOKEN in your docker-compose
# SHIBACLAW_AUTH_TOKEN=your-secret-token
docker compose up -d --build # gateway + webUI
docker exec -it shibaclaw-gateway shibaclaw onboard # first-time setup or login via WebUI
🔒 Security Note: By default, the app is bound to
localhost(via127.0.0.1:3000:3000). - Remote Access (Recommended): Use an SSH tunnel (e.g.,ssh -L 3000:127.0.0.1:3000 user@host). - Direct LAN Access: Change127.0.0.1:3000:3000to3000:3000indocker-compose.yml. Open http://localhost:3000 — to get your access token, runshibaclaw print-tokenand paste it in the login screen.
If SHIBACLAW_AUTH_TOKEN is set in your shell or .env, that value is used as the WebUI token and takes precedence over the auto-generated auth_token file.
pip install shibaclaw
shibaclaw onboard # first-time setup
shibaclaw web --port 3000 # start the WebUI (agent runs in-process)
� Standalone Mode: In bare-metal mode,
shibaclaw webruns the agent brain internally. You don't need to run a separateshibaclaw gatewayunless you want to bridge other channels (Telegram, Discord, etc.) while the WebUI is down.�🔒 Security Note: By default, the app binds to
localhost. - Remote Access (Recommended): Use an SSH tunnel (e.g.,ssh -L 3000:127.0.0.1:3000 user@host). - Direct LAN Access: Runshibaclaw web --host 0.0.0.0 --port 3000.
Optional fixed token:
export SHIBACLAW_AUTH_TOKEN=your-secret-token
shibaclaw web --port 3000
Install from source:
pip install .(develop/edge builds)
See the full Easy Deploy Guide for detailed instructions and troubleshooting.
<img src="assets/we
$ claude mcp add ShibaClaw \
-- python -m otcore.mcp_server <graph>