by RikyZ90
🐕 Self-hosted security-first AI agent · 22 providers · 11 chat channels · WebUI · 3-level memory · cron · heartbeat · skills · MCP
# Add to your Claude Code skills
git clone https://github.com/RikyZ90/ShibaClawLast scanned: 5/30/2026
{
"issues": [],
"status": "PASSED",
"scannedAt": "2026-05-30T17:04:44.356Z",
"npmAuditRan": true,
"pipAuditRan": true
}ShibaClaw is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by RikyZ90. 🐕 Self-hosted security-first AI agent · 22 providers · 11 chat channels · WebUI · 3-level memory · cron · heartbeat · skills · MCP. It has 100 GitHub stars.
Yes. ShibaClaw passed SkillsLLM's automated security scan — a dependency vulnerability audit plus prompt-injection heuristics — with no high-severity issues. You can read the full report in the Security Report section on this page.
Clone the repository with "git clone https://github.com/RikyZ90/ShibaClaw" and add it to your Claude Code skills directory (see the Installation section above).
ShibaClaw is primarily written in Python. It is open-source under RikyZ90 on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh ShibaClaw against similar tools.
No comments yet. Be the first to share your thoughts!
📢 Welcome to ShibaClaw v0.4.6! This release brings:
API_REFERENCE.md to document missing REST endpoints and modernize the WebSocket protocol schema.pystray when the desktop app is minimized or hidden.ShibaClaw is a security-first AI agent for your terminal, desktop, browser and 11 other channels. Security isn’t an add-on — it's the foundation: CVE auditing at install time, prompt-injection wrapping on every tool result, SSRF/DNS-rebinding protection, shell hardening, workspace sandboxing, and bearer-token auth are all built into the core.
Have you ever spent hours fixing your AI agent instead of actually using it? ShibaClaw is built around one idea: your agent should just work — securely, reliably, and without babysitting.
Built on three pillars: Simplicity · Security · Privacy
| Feature | ShibaClaw | OpenClaw | ZeroClaw | Nanobot | Hermes Agent |
|---|---|---|---|---|---|
| Install-time CVE auditing (pip, npm, apt) | ✅ | ❌ | ❌ | ❌ | ❌ |
| Prompt-injection wrapping on every tool result | ✅ | ❌ | ❌ | ❌ | ❌ |
| SSRF + DNS-rebinding protection built-in | ✅ | ❌ | ❌ | ❌ | ❌ |
Feature comparison based on publicly available documentation as of May 2026.
Some frameworks may offer partial implementations via third-party plugins.
Also ships with: 22 providers · 11 chat channels · built-in WebUI · cron · heartbeat · MCP · ClawHub · Agent Profiles
ShibaClaw now features a fully integrated Windows Desktop Launcher built with pywebview.
It offers a seamless local experience without the need to manage background terminal windows.
If you installed via pip:
shibaclaw desktop
Or download the pre-built Windows executable directly from the latest release:
⬇ Download ShibaClaw.exe (latest)
Full release notes → github.com/RikyZ90/ShibaClaw/releases/latest
curl -fsSL https://raw.githubusercontent.com/RikyZ90/ShibaClaw/main/docker-compose.yml -o docker-compose.yml
docker compose up -d # pulls from Docker Hub
docker exec -it shibaclaw-gateway shibaclaw print-token
Open http://localhost:3000, paste the token, and follow the onboard wizard.
pip install shibaclaw
shibaclaw web --with-gateway # starts WebUI + agent engine on :3000
Open http://localhost:3000 and follow the onboard wizard.
Prefer the CLI? shibaclaw onboard runs the same guided setup from the terminal.
Defenses that are normally scattered across app glue or external proxies — in ShibaClaw they ship in the core, on by default.
Instead of simply feeding raw tool outputs back to the LLM, ShibaClaw wraps every tool result in a dynamically generated XML-like boundary with a randomized nonce (e.g., <tool_output_a1b2c3d4>).
💡 Standalone Defense: This core security mechanism (Randomized Tool Output Wrapping) has been decoupled and packaged as a standalone, zero-dependency Python library called Muzzle. You can use Muzzle to protect any agent framework (LangChain, LlamaIndex, CrewAI, AutoGen, or custom LLM loops) using this identical technique.
Why this matters: Attackers often try to prematurely close tags or inject fake system instructions inside tool outputs (like web page content). By using a randomized boundary generated per-iteration, the agent can reliably differentiate between actual system instructions and injected payloads. Furthermore, any attempt to inject the specific closing tag inside the content is automatically sanitized and escaped, ensuring the sandbox remains airtight and the original system prompt takes precedence.
Before executing any pip, npm, or apt install command, ShibaClaw intercepts the action and parses the dependencies. It runs tools like pip-audit or npm audit --json to scan for known vulnerabilities against CVE databases before applying any changes.
Why this matters: It shifts security entirely to the left. Instead of blindly blocking package managers or relying on post-install scans, it evaluates the exact dependency tree before execution. If a package contains critical/high CVEs, or if suspicious flags (like --allow-unauthenticated for apt) are detected, the installation is blocked. This allows the AI to autonomously build software without turning the host into a liability.
| Layer | What it does |
|---|---|
| 🔍 Install-time audit | Audits pip and npm before execution — blocks critical/high CVEs before they land |
| 🛡️ Prompt-injection wrapping | Wraps every tool result in a randomized <tool_output_...> boundary and sanitizes closing tags |
| 🔒 Shell hardening | 20+ deny patterns, escape normalization (\x.., \u....), internal URL detection |
| 🌐 Network guard | SSRF filtering, redirect revalidation, DNS-rebinding-safe resolution |
| 📁 Workspace sandbox | File tools and file browser locked to the configured workspace |
| 🔑 Access control | Bearer token auth, constant-time checks, channel allowlists, optional rate limiting |
| ⚡ Distributed engine | UI (≈128 MB) decoupled from agent brain (≈256 MB+) — minimal footprint per process |
Full disclosure policy and supported versions: SECURITY.md
The WebUI is built-in — no separate frontend or Node.js required.