IronClaw: Security-Hardened AI Agent by a Transformer Co-Author
A Rust reimplementation of OpenClaw by Illia Polosukhin, co-author of "Attention Is All You Need." 12k stars. WASM sandbox per tool, AES-256-GCM encrypted credential vaults, TEE support, and cryptographic verification of all inputs, outputs, and state.
By Jose Nobile | 2026-04-20 | 14 min read
Table of Contents
What Is IronClaw?
IronClaw is a security-focused Rust reimplementation of the OpenClaw AI agent framework, developed by Illia Polosukhin and the NEAR AI team. Polosukhin is one of the eight co-authors of the 2017 paper "Attention Is All You Need," which introduced the Transformer architecture that underpins modern large language models. With 12k stars on GitHub and dual-licensed under Apache-2.0 and MIT, IronClaw brings enterprise-grade security to the AI agent space. The latest release is v0.25.0 (April 11, 2026), featuring extensible deployment profiles, a commitments system for personal AI assistants, native Composio tool integration for third-party apps, and gateway frontend extraction with a widget system.
The core thesis of IronClaw is that AI agents handling sensitive data -- credentials, financial information, personal communications -- need the same security rigor as banking software. Every tool runs in its own WASM sandbox, credentials are stored in AES-256-GCM encrypted vaults, and all inputs, outputs, and state transitions are cryptographically signed for auditability.
This security-first approach comes from NEAR AI's background in blockchain infrastructure, where adversarial environments and zero-trust architectures are the norm. IronClaw applies these principles to AI agent systems: assume every tool, every LLM response, and every user input could be malicious, and build defenses accordingly.
Security Model
WASM Sandbox Per Tool
Every tool execution runs inside its own WebAssembly sandbox with a dedicated memory space, CPU time limit, and restricted system call surface. A compromised tool cannot access other tools' memory, the host file system, or the network unless explicitly granted. The WASM runtime (Wasmtime) provides near-native performance with hardware-enforced isolation.
Encrypted Credential Vaults (AES-256-GCM)
All credentials (API keys, tokens, passwords) are stored in an encrypted vault using AES-256-GCM authenticated encryption. Credentials are never exposed to the agent or tools in plaintext. Instead, the host boundary injects credentials into tool WASM instances at execution time, and the credential values are zeroed from memory immediately after the API call completes.
Per-Tool Credential Injection
Each tool declares which credentials it needs in its manifest. At execution time, the host boundary validates the request, retrieves the credential from the vault, decrypts it, injects it into the WASM instance's linear memory, and wipes it after execution. Tools never see credentials they did not declare, and the agent loop never has access to any credentials at all.
Trusted Execution Environment Support
IronClaw can run inside Intel SGX or AMD SEV Trusted Execution Environments, where the entire agent process is protected from the host operating system. This means even a compromised OS or hypervisor cannot access the agent's memory, credentials, or conversation data. TEE support is optional and requires compatible hardware.
22 Credential Leak Regex Patterns
IronClaw scans all outgoing messages, tool outputs, and LLM responses for credential leaks using 22 regex patterns covering AWS keys, GitHub tokens, Stripe keys, JWTs, private keys, database connection strings, and more. If a credential pattern is detected, the output is blocked and an alert is generated. This prevents accidental exposure of secrets through LLM hallucinations or tool output.
Cryptographic Verification
Every input, output, and state transition in IronClaw is cryptographically signed using Ed25519. This creates an immutable audit trail: you can verify that a specific tool produced a specific output given a specific input, and that no intermediate state was tampered with. This is particularly valuable for compliance-sensitive deployments in finance, healthcare, and legal domains.
IronClaw's security model is the most comprehensive in the OpenClaw ecosystem. The combination of WASM sandboxing, encrypted vaults, credential injection at the host boundary, and cryptographic verification creates defense-in-depth that no other alternative offers. The trade-off is operational complexity -- deploying IronClaw requires understanding its security primitives.
Architecture
PostgreSQL 15+ with pgvector
IronClaw uses PostgreSQL 15+ with the pgvector extension for hybrid memory storage. Conversation history, tool execution logs, and semantic memory are stored in the same database. Hybrid search combines vector similarity (cosine distance) with keyword matching using Reciprocal Rank Fusion for retrieval quality that exceeds either approach alone.
Multi-Component Architecture
IronClaw runs as four coordinated components: the agent loop (LLM interaction and tool dispatch), the scheduler (cron jobs and event triggers), the orchestrator (multi-agent coordination and task decomposition), and the web gateway (HTTP/WebSocket API and channel adapters). Each component can scale independently.
Reciprocal Rank Fusion Search
The memory system combines vector similarity search (pgvector) with full-text keyword search (tsvector) using Reciprocal Rank Fusion. This means queries find results that are both semantically similar and keyword-relevant, avoiding the failure modes of pure vector search (missing exact matches) and pure keyword search (missing semantically related content).
Rust + Tokio Async Runtime
Built on Rust with the Tokio async runtime for high-concurrency, low-latency operation. The agent can handle hundreds of concurrent conversations with minimal resource usage. Rust's ownership model prevents data races at compile time, which is critical for a security-focused system where concurrent access to credentials must be tightly controlled.
The multi-component architecture differs from ZeroClaw's single-binary approach and Nanobot's single-process design. IronClaw is designed for teams and organizations, not solo developers. The operational overhead of running four components is justified by the security guarantees and independent scalability each component provides.
Features
Cron-Scheduled Routines
Define recurring tasks using cron expressions or interval-based schedules. Routines can chain multiple tool executions, include conditional logic, and produce outputs that are sent to configured channels. The scheduler runs as a separate component with its own failure recovery and retry logic.
Event Triggers
Define triggers that fire when specific events occur: a new message in a watched channel, a webhook payload matching a pattern, a file change in a monitored directory, or a database row update. Triggers can invoke any tool or routine, enabling reactive agent behavior without polling.
Webhook Handlers
The web gateway exposes configurable webhook endpoints that accept HTTP requests from external services (GitHub, Stripe, monitoring tools). Each webhook handler validates the request signature, extracts the payload, and routes it to the appropriate agent routine. This enables two-way integration with any service that supports webhooks.
Cryptographic I/O Verification
Every input to and output from IronClaw is signed with Ed25519. The cryptographic chain covers user messages, LLM responses, tool inputs, tool outputs, and state transitions. This creates a tamper-evident audit log that can be independently verified by third parties -- essential for regulated industries.
Known Bugs
IronClaw's security focus makes its bugs particularly noteworthy. The following are the most significant open issues as of April 2026. The two CRITICAL issues are security-related and should be evaluated carefully before deploying in environments where approval workflows are critical:
#1485: Cross-Channel Approval Thread Hijacking
When an agent runs across multiple channels (e.g., Telegram and Discord), an approval request sent to one channel can be responded to from the other channel by a different user. This means a user with access to the Discord channel could approve actions that were intended for review by a Telegram admin. The root cause is that approval threads are keyed by agent ID rather than channel + user ID. A fix is in review.
#1486: TOCTOU Race in Approval Thread
A time-of-check-to-time-of-use (TOCTOU) race condition exists in the approval workflow. Between the moment a user approves an action and the moment the action executes, the underlying parameters can be modified by a concurrent request. This could allow an attacker to get approval for a benign action and then swap in a malicious one. The fix requires atomic approval-and-execute semantics.
#1249: Telegram Logic Bloats ExtensionManager
Telegram-specific message formatting, inline keyboard handling, and media processing logic has leaked into the core ExtensionManager, increasing its size and complexity. This makes the ExtensionManager harder to maintain and test. The planned fix is to extract all Telegram-specific logic into a dedicated channel adapter module.
#1248: Hardcoded Channel Logic Violates Architecture
Several core modules contain hardcoded channel-specific logic (Telegram message limits, Discord embed formatting, Slack thread IDs) that should be abstracted behind the channel adapter interface. This violates IronClaw's stated architecture principle of channel-agnostic core logic and makes adding new channels more difficult than it should be.
#1078: Agent Fallback Calls routine_delete Without Name
When the agent's fallback error handler attempts to clean up a failed routine, it calls routine_delete without passing the routine name parameter. This results in a no-op (the delete silently fails) rather than the intended cleanup. Failed routines accumulate in the scheduler until manually removed. The fix is a one-line parameter addition.
The two CRITICAL bugs (#1485 and #1486) are serious because they undermine the approval workflow -- a core security feature. If your deployment relies on human-in-the-loop approval for sensitive actions, evaluate these issues carefully. The IronClaw team has acknowledged both as P0 priority. The MEDIUM and LOW issues are architectural quality concerns that do not affect security or functionality for most users.