Libre Claw

Local-first agent security model

How Libre Claw handles API keys, shell approvals, browser tools, memory redaction, sandboxing, daemon locality, and auditable run logs.

Default posture

Libre Claw assumes agent actions should be visible, reversible, and local.

Every side effect asks first. Every tool call is logged. Every run is replayable. The daemon binds to localhost by default, and provider keys never need to live in project files.

Credential storage

API keys are read from environment variables, OS keyring, or encrypted local fallback storage under ~/.libre-claw/.keys.

Tool approvals

File writes, edits, shell commands, browser actions, git commits, downloads, and MCP calls ask before running.

Sandbox policy

Dangerous shell patterns are blocked. File access is restricted to the configured working directory by default.

Memory redaction

Credential-looking strings are redacted before memory indexing or prompt injection.

Run audit trail

Append-only JSONL event logs make every tool call, approval, and decision inspectable after the fact.

Daemon locality

The daemon and dashboard bind to localhost by default. Remote access requires explicit configuration.

Useful commands

Security commands
libre-claw auth status
/approvals
/memory status
/tools list
/runs

Where local state lives

Local paths
~/.libre-claw/config.toml
~/.libre-claw/.keys
~/.libre-claw/memory.db
~/.libre-claw/runs/
~/.libre-claw/sessions/