Security and privacy

Review Libre Claw's key storage, approval policy, sandboxing, memory redaction, daemon locality, and audit trail.

Keys

Environment variables, OS keyring, and encrypted local fallback storage. No real provider keys are required in project files.

Permissions

Read-only tools can be allowed. Writes, shell, browser actions, git commits, downloads, and MCP tools ask first.

Sandbox

File access is restricted to the configured working directory by default, with blocked shell patterns for dangerous commands.

Memory

Credential-looking strings are redacted before memory indexing, search, or prompt injection.

Audit

Run events, tool calls, permission decisions, errors, costs, and artifacts are append-only and inspectable.

Daemon

The local API binds to localhost by default; network exposure is a deliberate operator decision.

Audit commands

Inspect
libre-claw auth status
/approvals
/tools list
/memory status
/runs
/usage

Local state

Local paths
~/.libre-claw/config.toml
~/.libre-claw/.keys
~/.libre-claw/memory.db
~/.libre-claw/runs/
~/.libre-claw/sessions/