ShibaClaw

Feature comparison based on publicly available documentation as of May 2026.
Some frameworks may offer partial implementations via third-party plugins.

Also ships with: 22 providers · 11 chat channels · built-in WebUI · cron · heartbeat · MCP · ClawHub · Agent Profiles

Native Desktop App (Windows) 🖥️

ShibaClaw now features a fully integrated Windows Desktop Launcher built with pywebview. It offers a seamless local experience without the need to manage background terminal windows.

• System Tray Integration: Close the window to minimize ShibaClaw silently into the system tray. Right-click the Shiba icon to re-open the UI, access workspace logs, visit the website, or gracefully quit the engine.
• Auto-Login: When using the Desktop Launcher locally, WebUI authentication is bypassed by default for a smoother local-first experience.
• Embedded WebUI: No need to open your own browser; the WebUI runs inside a dedicated native window frame.
• Portable & Lightweight: Packaged as a single standalone folder using PyInstaller to run instantly without requiring Python on the host machine.

If you installed via pip:

shibaclaw desktop

Or download the pre-built Windows executable directly from the latest release:

⬇ Download ShibaClaw.exe (latest)
Full release notes → github.com/RikyZ90/ShibaClaw/releases/latest

Quick Start

Docker

curl -fsSL https://raw.githubusercontent.com/RikyZ90/ShibaClaw/main/docker-compose.yml -o docker-compose.yml
docker compose up -d     # pulls from Docker Hub
docker exec -it shibaclaw-gateway shibaclaw print-token

Open http://localhost:3000, paste the token, and follow the onboard wizard.

pip

pip install shibaclaw
shibaclaw web --with-gateway   # starts WebUI + agent engine on :3000

Open http://localhost:3000 and follow the onboard wizard. Prefer the CLI? shibaclaw onboard runs the same guided setup from the terminal.

Security, Built In

Defenses that are normally scattered across app glue or external proxies — in ShibaClaw they ship in the core, on by default.

🛡️ Prompt-Injection Wrapping (Tool Sandboxing)

Instead of simply feeding raw tool outputs back to the LLM, ShibaClaw wraps every tool result in a dynamically generated XML-like boundary with a randomized nonce (e.g., <tool_output_a1b2c3d4>). Why this matters: Attackers often try to prematurely close tags or inject fake system instructions inside tool outputs (like web page content). By using a randomized boundary generated per-iteration, the agent can reliably differentiate between actual system instructions and injected payloads. Furthermore, any attempt to inject the specific closing tag inside the content is automatically sanitized and escaped, ensuring the sandbox remains airtight and the original system prompt takes precedence.

🔍 Install-Time Package Autoscan

Before executing any pip, npm, or apt install command, ShibaClaw intercepts the action and parses the dependencies. It runs tools like pip-audit or npm audit --json to scan for known vulnerabilities against CVE databases before applying any changes. Why this matters: It shifts security entirely to the left. Instead of blindly blocking package managers or relying on post-install scans, it evaluates the exact dependency tree before execution. If a package contains critical/high CVEs, or if suspicious flags (like --allow-unauthenticated for apt) are detected, the installation is blocked. This allows the AI to autonomously build software without turning the host into a liability.

Security Layers Overview

| Layer | What it does | |---|---| | 🔍 Install-time audit | Audits pip and npm before execution — blocks critical/high CVEs before they land | | 🛡️ Prompt-injection wrapping | Wraps every tool result in a randomized <tool_output_...> boundary and sanitizes closing tags | | 🔒 Shell hardening | 20+ deny patterns, escape normalization (\x.., \u....), internal URL detection | | 🌐 Network guard | SSRF filtering, redirect revalidation, DNS-rebinding-safe resolution | | 📁 Workspace sandbox | File tools and file browser locked to the configured workspace | | 🔑 Access control | Bearer token auth, constant-time checks, channel allowlists, optional rate limiting | | ⚡ Distributed engine | UI (≈128 MB) decoupled from agent brain (≈256 MB+) — minimal footprint per process |

Full disclosure policy and supported versions: SECURITY.md

WebUI

The WebUI is built-in — no separate frontend or Node.js required.

• Chat — multi-session conversations with live streaming of tool calls, thinking blocks, elapsed time, and per-session model switching from the chat footer
• Cross-provider model search — one searchable picker merges models from all configured providers, shows provider labels, and switches the live runtime provider when you change the session model
• Agent Profiles — switch personas per session (Hacker, Builder, Planner, Reviewer) with dynamic avatars
• File browser — browse, view, and edit workspace files in-browser (sandboxed to workspace)
• Voice — speech-to-text via OpenAI-compatible audio APIs and browser-native TTS
• Settings — configure default session model, memory / consolidation model, providers, tools, MCP servers, channels, skills, and OAuth from a single panel
• Onboard wizard — guided first-time setup: pick a provider, enter API key or start OAuth, choose a model
• Context viewer — inspect the full system prompt and token usage breakdown
• Gateway monitor — health check and one-click restart
• OAuth flows — GitHub Copilot, OpenAI Codex, and OpenRouter can all be configured from the settings modal; OpenRouter stores the returned API key directly into provider settings
• Hardened rendering — chat Markdown escapes raw HTML, file names render through safe DOM nodes, and expired auth returns cleanly to login without reconnect loops
• Auto-update — checks GitHub releases every 12h, notifies in the UI and on all active channels
• Notification Center (WIP) — bell icon with unread badge, real-time WebSocket push, per-notification deep-link to the related session; covers heartbeat, cron, agent responses, and update alerts
• Responsive — works on desktop and mobile

⚡ Dy