IronClaw

by Near AI

Privacy-focused Rust reimplementation of OpenClaw with all untrusted tools running in isolated WebAssembly containers.

11.8k stars
1,244 forks
Rust
Updated Mar 28, 2026

Notable Features

  • WebAssembly sandboxed tools
  • Capability-based permissions
  • TEE approach
  • Credential injection
  • Leak detection
  • Rate limiting

About

IronClaw is a security-first reimplementation of OpenClaw by Near AI, designed around the principle that untrusted tools should never have direct access to the host system. Every tool that IronClaw executes runs inside an isolated WebAssembly container, providing hardware-level sandboxing without the overhead of full virtual machines. Tool capabilities must be explicitly granted — nothing is permitted by default.

The security model is comprehensive: capability-based permissions control what each tool can access, endpoint allowlisting restricts network calls to pre-approved destinations, credential injection provides secrets to tools without exposing them in environment variables or config files, and leak detection monitors for unauthorized data exfiltration. Rate limiting is built in at the tool level, preventing runaway agents from exhausting quotas or budgets. For the highest-trust deployments, IronClaw supports Trusted Execution Environments (TEE) for cryptographic attestation of agent behavior.

IronClaw runs on Linux and macOS across both ARM and x86 architectures, making it deployable on everything from Apple Silicon development machines to AWS Graviton servers. It’s actively maintained by Near AI and targets enterprise and regulated-environment deployments where OpenClaw’s default trust model is insufficiently restrictive. In the security tooling landscape alongside SecureClaw and ClawSec, IronClaw takes the most radical approach — rebuilding the entire execution model from first principles rather than adding security layers to an existing runtime.

Frequently Asked Questions

How does IronClaw’s WebAssembly sandboxing work?

IronClaw runs every tool inside an isolated WebAssembly (WASM) container. When you invoke a tool, IronClaw compiles or loads the tool into a WASM sandbox where it cannot access the host filesystem, network, or process space unless you explicitly grant those capabilities. This is hardware-level isolation without the overhead of full virtual machines — WASM sandboxes start in microseconds.

What is IronClaw’s capability-based permission model?

In IronClaw, tools start with zero permissions. You must explicitly grant each capability: filesystem read/write, network access to specific endpoints, environment variable access, and so on. This is the opposite of most OpenClaw implementations, where tools inherit your user’s full system permissions by default. The result is that a compromised or malicious skill cannot escalate beyond what you’ve explicitly permitted.

Does IronClaw support Trusted Execution Environments (TEEs)?

Yes. For the highest-assurance deployments — regulated industries, healthcare, finance — IronClaw supports TEE attestation. This provides cryptographic proof that the agent is running the expected code in the expected environment, useful for compliance audits and supply chain security verification.

How does IronClaw compare to NemoClaw and Carapace?

All three target security-conscious enterprise deployments. IronClaw (Near AI) takes the most radical approach by rebuilding execution from scratch with WASM. NemoClaw (NVIDIA) adds policy-based YAML sandboxing to OpenClaw. Carapace was built specifically to address the January 2026 CVEs with fail-closed auth and signed plugins. IronClaw is the right choice when you need provable tool isolation; the others are better for policy-based governance.

Platform Support

Linux, macOS; ARM, x86