Make every AI Agent call
Observable · Blockable · Explainable
ClawHeart Desktop is a local-first AI security gateway. Three monitoring tiers × 8-layer in-depth defense, with credentials stored 100 % on your machine.
Wire security straight into the Agent flow
Six tool pages cover runtime audit, skill governance, Agent takeover and credential vaulting. All data stays on your machine.
Real-time Monitoring
Request stream, intercept events, token usage and budget alerts in one view. Everything persists to local SQLite.
80 Security Audits
File permissions, credential leaks, MCP config, Agent behavior, skill supply chain — 8 categories scanned offline, no LLM required.
Skill Backup & Audit
Wildcard-scan ~/.<agent>/skills/, run SkillGuard rule set to score, one-click zip backup with history.
Auto Agent Discovery
Native support for Claude Code / Codex / Cursor / Continue / OpenClaw and 8+ agents. Hermes / Gemini / OpenEva / OpenCode caught by wildcard.
Central Credential Vault
API keys live 100 % in OS Keychain. Agents only see sk-claw-xxx virtual keys; the real one is resolved at runtime.
One-click Agent Override
A 4-step wizard — scan → dry-run → apply — flips every Agent's base_url to ClawHeart. Atomic rollback supported.
Coverage you can scale, switchable per scenario
Not a one-size-fits-all model. From zero-touch app layer to kernel-grade isolation, any tier can be combined or used alone.
Endpoint Mapping
A local reverse proxy listens on 127.0.0.1:19112. Point OPENAI_BASE_URL / ANTHROPIC_BASE_URL at it — no CA cert, no system config.
- 5 mainstream protocols normalized
- Per-tool granularity
- Agent one-click override wizard
System Proxy
hudsucker MITM + self-signed CA (rcgen) covers every process that honors the system proxy. CA auto-install for macOS / Linux / Windows.
- Audit all system HTTPS egress
- Cert auto-written to trust store
- Single switch replaces per-tool config
Sandbox Isolation
`clawheart sandbox -- <command>` wraps the target process and constrains its network egress via OS sandbox primitives. TLS pinning can't escape.
- macOS sandbox-exec
- Linux Landlock + seccomp
- Windows AppContainer (v2.1)
Trust grounded in code you can read
Not "trust us" — open-source code, local-first architecture, and fail-closed defaults you can verify.
Local-first · Zero cloud
Intercept events, scan history, token usage — every byte stays in local SQLite. No login, no internet.
Credential Safety
API keys live 100 % in the OS keychain (macOS Security Framework / Linux gnome-keyring / Windows Credential Manager). DB and logs only see masked values.
Tauri 2 Native
Rust core + WebView frontend. Binary < 30 MB, startup < 200 ms, memory < 100 MB. No Electron baggage.
Open Source · Auditable
Apache 2.0. Rust backend + React frontend fully open. Every security rule is viewable, customizable and disable-able in Settings → Security Rules.
Pick the right build for your system
Download links sync live with GitHub Releases. Click any time — you always get the newest.
macOS · Apple Silicon
M1 / M2 / M3 / M4
macOS · Intel
Intel x86_64
Windows · x64
Windows 10 / 11 (64-bit)
Quick Start
- 1Install the package for your platform. macOS: drag to Applications. Windows: double-click setup.exe.
- 2First launch guides you through choosing a monitoring tier (tier1 endpoint mapping is recommended).
- 3In your Agent framework or SDK, set the base URL to
http://127.0.0.1:19112/v1, or let the Agent one-click override wizard configure it automatically.