by SafeRL-Lab
CheetahClaws: A Fast, Easy-to-Use, Production-Ready, Python-Native Personal AI Assistant for Any Model, Inspired by OpenClaw and Claude Code, Built to Work for You Autonomously 24/7.
# Add to your Claude Code skills
git clone https://github.com/SafeRL-Lab/cheetahclaws
Last scanned: 5/10/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-10T06:33:21.765Z",
"semgrepRan": false,
"npmAuditRan": true,
"pipAuditRan": false
}
curl -fsSL https://raw.githubusercontent.com/SafeRL-Lab/cheetahclaws/main/scripts/install.sh | bash
After installation:
source ~/.zshrc # macOS
# or: source ~/.bashrc # Linux
cheetahclaws # start chatting!
Other install methods: pip install | uv install | run from source | full details
(1) $TELEGRAM_BOT_TOKEN / $SLACK_BOT_TOKEN are now the recommended way to feed bot tokens — env-supplied tokens never enter readline history or ~/.cheetahclaws/config.json; the legacy /telegram <token> <chat_id> syntax still works but prints a deprecation warning and auto-scrubs the token from in-memory history.
(2) Web UI gains a double-submit CSRF cookie (ccsrf) — every POST/PUT/PATCH/DELETE must echo it via X-CSRF-Token; the bundled frontend (web/static/js/csrf.js) patches window.fetch so it's automatic.
(3) /api/session terminal sessions are now JWT-owner-bound — other authenticated users can't hijack a sid they happen to know.
(4) Bash tool hard-denylist (rm -rf /, fork bomb, mkfs, dd of=/dev/sd…) cannot be bypassed by permission_mode=accept-all.
(5) Read/Write/Edit get a credential-path denylist by default (~/.ssh/id_*, ~/.aws, /etc/shadow, …).
(6) Plugin loader gains CHEETAHCLAWS_DISABLE_PLUGINS + CHEETAHCLAWS_PLUGIN_ALLOWLIST; module paths are confined to install_dir.
(7) MCP server configs can no longer inject LD_PRELOAD / PYTHONPATH / DYLD_* / NODE_OPTIONS etc. into subprocess env.
(8) macOS daemon gains getpeereid(2) for Unix-socket peer-cred auth (was Linux-SO_PEERCRED-only before).
(9) permission_mode=accept-all no longer persists to disk — it stays session-scoped.
(10) Terminal one-time password expanded from 6 → 32 chars (~190 bits of entropy).
All 2347 tests green, zero regressions. Full reference: .
notify IPC into the new bridge_supervisor.notify(kind, text) mailbox; F-4 #3 adds an on-crash restart policy with exponential backoff + jitter, configurable via agent.start(restart_policy=…, max_restarts=…, backoff_*); F-6/F-7/F-8 Phase 1 lifts the Telegram / Slack / WeChat poll loops into a feature-flagged daemon worker (CHEETAHCLAWS_ENABLE_F6/7/8) with bridges SQLite persistence + bridge.{start,stop,list,send,status} RPCs; F-6 Phase 2 adds the inbound refactor — session.send / session.reply / session.list_recent RPCs publish on the SSE bus, a slim daemon-driven worker (daemon_phase2=True) replaces the REPL-shaped supervisor; F-9 flips four conservative budget defaults under cheetahclaws serve, adds system.status + agent.resume(budget_overrides, name?) RPCs, and wires a true per-runner quota-pause hook (paused_budget IPC → quota_warn event → blocks on _resume_event → resume IPC unblocks the runner). Audit also fixed 5 real bugs found in the new code (WeChat field names, Slack cursor seeding, Telegram long-poll responsiveness, stop()/restart Timer race in _unregister, broader secret redaction). Full suite: 2347 passing, 3 skipped (env-gated live LLM tests), 0 failed. Details: RFC 0002 + docs/architecture.md §Daemon + docs/news.md.
litellm/ provider follow-up to PR #119 — make litellm a real optional dep, fix ledger / streaming, wire it into the CLI / Web UI path. PR #119 shipped the adapter class but left it unreachable: litellm had landed in core deps (description said optional), no entry in top-level providers.PROVIDERS (so --model litellm/... didn't resolve through the CLI / Web UI), cost_micro hard-coded to 0, streaming dropped token counts + tool_calls.
Follow-up branch (fix/litellm-provider-followup) moves the dep to pip install ".[litellm]", lazy-imports the SDK, adds the registry entry + stream_litellm generator, computes cost via litellm.completion_cost with a cost_unknown=True metadata flag on miss, reassembles streamed chunks via stream_chunk_builder (stream_options={"include_usage": True}), maps litellm.exceptions.* to ProviderInvalidRequest vs ProviderUnavailable correctly, and adds defensive tool_call parsing. Now usable for AWS Bedrock (SigV4), Azure (deployment routing), and Vertex AI (service-account JWT). +17 unit tests, +3 e2e (skipif-gated on CC_LITELLM_E2E=1). Full suite: 2222 passing, zero regressions. Details: docs/news.md.
agent_runner runs as a subprocess under cc_daemon supervision (off by default). Each /agent runner can now be a python -m agent_runner --pipe child process instead of an in-process thread, so a leak / hang / OOM in one runner no longer takes down the scheduler or bridges. New: cc_daemon/runner_supervisor.py (lifecycle + 3-phase stop ≤ 5 s + crash detection), cc_daemon/runner_ipc.py (re-exports the kernel JsonLineChannel), cc_daemon/agent_methods.py (agent.start / agent.stop / agent.list / agent.status RPCs), agent_runner.py gains the --pipe entry point. Iteration + run rows land in agent_runs / agent_iterations (the F-2 tables previously left empty). POSIX-only; toggle with CHEETAHCLAWS_ENABLE_F4=1 or agent_runner_subprocess=true. +27 tests, 104/104 passing. Details: RFC 0002 + docs/news.md.
--web --model X actually applies the model (#111). Details: docs/news.md.
~/.cheetahclaws/. Details: docs/news.md.
fix/agentic-on-every-model branch — make every model produce useful work + make /brainstorm an actual adversarial debate (9 commits, 269 new tests).
Details: docs/news.md.
cc_kernel/) reaches v1.0 — 27 RFCs shipped, 1771 tests passing, zero regressions on the legacy REPL/bridges path.
feature/fix-f2).
/draft semi-auto reply; reliability + UX hardening across the lab pipeline.
.env loader, ANTHROPIC_ENDPOINT corporate-proxy override, AskUserQuestion UI polish (#88, #89)
cheetahclaws serve + cheetahclaws daemon {status, stop, logs, rotate-token} are real. _WEB_DIR resolves via importlib.resources.files("web") so editable & non-editable installs both find static files; package-data widened to ship full web/static/ subtree. Details: docs/news.md.
/monitor, one-click /ssj wizard. Also including Chinese platforms: Zhihu (知乎) · Bilibili (B站) · Weibo (微博) · Rednote (小红书).
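Item (7) of the security notes above says MCP server configs can no longer inject loader and interpreter variables into the subprocess environment. The sketch below is an added example, not CheetahClaws code, of one way to enforce that before spawning a server; the function names, the case-insensitive matching, the malformed-entry handling and the sample config are assumptions.

```python
import fnmatch
import os

# Names taken from item (7); "DYLD_*" covers the macOS dynamic-loader family.
# The project's real list and matching rules are not shown on the page, so
# both are assumptions of this sketch.
DENIED_ENV_PATTERNS = ("LD_PRELOAD", "PYTHONPATH", "DYLD_*", "NODE_OPTIONS")


def is_denied(name: str) -> bool:
    """Match case-insensitively so a config cannot dodge the list by casing."""
    upper = name.upper()
    return any(fnmatch.fnmatchcase(upper, pat) for pat in DENIED_ENV_PATTERNS)


def build_subprocess_env(config_env, base_env=None):
    """Overlay config-supplied variables on base_env, dropping denied names.

    Returns (env, rejected): the environment to hand to subprocess.Popen and
    the sorted list of names that were refused, for logging.
    """
    env = dict(os.environ if base_env is None else base_env)
    rejected = []
    for name, value in (config_env or {}).items():
        # Refuse malformed entries as well: non-string values, empty names,
        # and names containing "=" or NUL cannot form a valid environment.
        malformed = (
            not isinstance(name, str) or not isinstance(value, str)
            or not name or "=" in name or "\x00" in name or "\x00" in value
        )
        if malformed or is_denied(name):
            rejected.append(str(name))
            continue
        env[name] = value
    return env, sorted(rejected)


# Constructed sample: a server entry whose "env" mixes ordinary settings with
# loader and interpreter overrides. Command and values are placeholders.
SAMPLE_SERVER = {
    "command": "example-mcp-server",
    "env": {
        "API_BASE": "https://mcp.example.invalid",
        "LOG_LEVEL": "debug",
        "LD_PRELOAD": "/tmp/placeholder.so",
        "dyld_insert_libraries": "/tmp/placeholder.dylib",
        "NODE_OPTIONS": "--require /tmp/placeholder.js",
    },
}

if __name__ == "__main__":
    env, rejected = build_subprocess_env(SAMPLE_SERVER["env"], {"PATH": "/usr/bin"})
    print("rejected:", rejected)
```

The filter only covers variables supplied by the config; names already present in the parent environment pass through unchanged, so a stricter deployment would start from a minimal base_env.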