How Skills Are Scanned

Every skill runs through an automated security scanner before installation. The scanner reads every code file in the skill package and checks each line against a pattern library. It also inspects the skill manifest for dangerous post-install commands, suspicious test scripts, and file operations targeting sensitive paths.

Critical — blocks install

  • exec() / execSync() with string interpolation (command injection)
  • eval() and new Function() (arbitrary code execution)
  • curl | sh / wget | sh pipes (remote code execution)
  • process.env near network calls (credential exfiltration)
  • Post-install commands that download and execute remote code
  • rm -rf in post-install commands
  • File operations targeting .ssh, .env, or path traversal (..)

Warning — review before install

  • Writing or deleting files at absolute/home paths
  • Importing from remote URLs
  • References to .ssh directory
  • Possible hardcoded secrets or credentials
  • Any post-install shell commands
  • Test commands that download code

Info — awareness only

  • File system write/delete operations
  • Hardcoded URLs in fetch calls
  • Child process spawning
  • Base64 decoding (potential obfuscation)
  • References to .env files
  • npm dependencies added

The verdict system: If any critical finding is detected, the skill is flagged REVIEW REQUIRED and installation is blocked until you manually inspect it. Warnings produce a CAUTION verdict — the skill installs but you see every flag. A clean scan with no criticals or warnings gives a CLEAN verdict.

The full scanner is open source: security-scan.ts — 436 lines of pattern matching, manifest inspection, and verdict logic. No black boxes.
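To make the three tiers and the verdict rule concrete, here is a compact model of that logic as an added example. It is not GhostClaw's security-scan.ts; the rule set (which keeps only the first matching rule per line and treats process.env within three lines of a network call as the "near" test), the SkillPackage shape and the sample skill are all constructed for illustration.

```typescript
// Added example, not GhostClaw's own security-scan.ts: a compact model of the
// tiered line patterns, manifest inspection and verdict logic described above.
// The rule set, the SkillPackage shape and the sample skill are all constructed.

type Severity = "critical" | "warning" | "info";
type Verdict = "REVIEW REQUIRED" | "CAUTION" | "CLEAN";

interface Finding { severity: Severity; rule: string; where: string; text: string; }

interface SkillPackage {
  manifest: { name: string; scripts?: { [name: string]: string } }; // e.g. postinstall, test
  files: { [path: string]: string };                                // path -> source text
}

// Single-line rules in severity order; the first rule that matches a line wins.
const LINE_RULES: { rule: string; severity: Severity; re: RegExp }[] = [
  { rule: "exec() with interpolation", severity: "critical", re: /\bexec(?:Sync)?\s*\(\s*`[^`]*\$\{/ },
  { rule: "eval() / new Function()",   severity: "critical", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { rule: "curl|sh / wget|sh pipe",    severity: "critical", re: /\b(?:curl|wget)\b[^|]*\|\s*(?:ba)?sh\b/ },
  { rule: "file op on sensitive path", severity: "critical", re: /\b\w+File(?:Sync)?\s*\([^)]*(?:\.ssh|\.env|\.\.\/)/ },
  { rule: "import from remote URL",    severity: "warning",  re: /\b(?:import|require)\b[^\n]*["']https?:\/\// },
  { rule: ".ssh reference",            severity: "warning",  re: /\.ssh\b/ },
  { rule: "possible hardcoded secret", severity: "warning",  re: /(?:key|secret|token)\s*[:=]\s*["'][A-Za-z0-9_\-]{16,}["']/i },
  { rule: "filesystem write/delete",   severity: "info",     re: /\b(?:writeFile|unlink|rm)(?:Sync)?\s*\(/ },
  { rule: "child process spawn",       severity: "info",     re: /\bspawn(?:Sync)?\s*\(/ },
  { rule: "base64 decode",             severity: "info",     re: /["']base64["']\s*\)|\batob\s*\(/ },
  { rule: ".env file reference",       severity: "info",     re: /["'][^"']*\.env(?:\.\w+)?["']/ },
];

// Multi-line rule: a process.env read within three lines of a network call.
const NETWORK_CALL = /\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\./;
function envNearNetwork(lines: string[], i: number): boolean {
  if (!/\bprocess\.env\b/.test(lines[i])) return false;
  const lo = Math.max(0, i - 3), hi = Math.min(lines.length - 1, i + 3);
  for (let j = lo; j <= hi; j++) if (NETWORK_CALL.test(lines[j])) return true;
  return false;
}

function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  const lines = source.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const text = lines[i], where = file + ":" + (i + 1);
    if (envNearNetwork(lines, i)) {
      findings.push({ severity: "critical", rule: "process.env near network call", where, text });
      continue;
    }
    for (const r of LINE_RULES) {
      if (r.re.test(text)) { findings.push({ severity: r.severity, rule: r.rule, where, text }); break; }
    }
  }
  return findings;
}

function scanManifest(manifest: SkillPackage["manifest"]): Finding[] {
  const findings: Finding[] = [];
  const scripts = manifest.scripts || {};
  for (const name of Object.keys(scripts)) {
    const text = scripts[name], where = "manifest:" + name;
    const downloads = /\b(?:curl|wget)\b/.test(text);
    if (name === "postinstall") {
      if (downloads && /\|\s*(?:ba)?sh\b/.test(text)) findings.push({ severity: "critical", rule: "post-install downloads and runs remote code", where, text });
      else if (/\brm\s+-rf\b/.test(text)) findings.push({ severity: "critical", rule: "rm -rf in post-install", where, text });
      else findings.push({ severity: "warning", rule: "post-install shell command", where, text });
    } else if (name === "test" && downloads) {
      findings.push({ severity: "warning", rule: "test command downloads code", where, text });
    }
  }
  return findings;
}

// Any critical blocks install; otherwise any warning installs with flags; otherwise clean.
function verdict(findings: Finding[]): Verdict {
  if (findings.some(f => f.severity === "critical")) return "REVIEW REQUIRED";
  if (findings.some(f => f.severity === "warning")) return "CAUTION";
  return "CLEAN";
}

function scanSkill(pkg: SkillPackage): { verdict: Verdict; findings: Finding[] } {
  let findings = scanManifest(pkg.manifest);
  for (const file of Object.keys(pkg.files)) findings = findings.concat(scanSource(file, pkg.files[file]));
  return { verdict: verdict(findings), findings };
}

// Constructed sample skill: expect one warning (manifest), one critical and one info finding.
const SAMPLE_SKILL: SkillPackage = {
  manifest: { name: "weather-lookup", scripts: { postinstall: "npm run build" } },
  files: {
    "index.ts": [
      'import { execSync } from "child_process";',
      'const city = process.argv[2];',
      'execSync(`curl https://wttr.in/${city}`);',   // critical: argument interpolated into a shell command
      'writeFileSync("report.txt", "done");',         // info: filesystem write
    ].join("\n"),
  },
};

const report = scanSkill(SAMPLE_SKILL);
console.log(report.verdict);                     // REVIEW REQUIRED
for (const f of report.findings) console.log("[" + f.severity + "] " + f.rule + " at " + f.where);
```

The sample ends up as REVIEW REQUIRED because of the single execSync line, even though the manifest alone would only have produced CAUTION; that is the point of evaluating the verdict over all findings rather than per file. A rule set like this is deliberately pessimistic: the patterns match syntax, not behaviour, so a flagged line still needs a human to read it.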

Built-in Protections

Per-group filesystem isolation

Each agent group gets its own directory under groups/{name}/. Memory, sessions, and working files are separated. Agents cannot read or write across group boundaries. Claude's config directory is set per-group via CLAUDE_CONFIG_DIR.
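The boundary described above only holds if every path an agent hands to the filesystem layer is checked before use. The following containment check is an added example, not GhostClaw's own code; it assumes a groups/ root under the working directory, and the group names and paths it tests are constructed.

```typescript
// Added example, not GhostClaw code: resolve a path requested by an agent and
// refuse it unless it stays inside groups/<group>/. GROUPS_ROOT is an assumption.
import * as path from "path";

const GROUPS_ROOT = path.resolve("groups");

// Returns the absolute path when it lies inside the group's directory, otherwise null.
function resolveInGroup(group: string, requested: string): string | null {
  // The group name itself must not carry separators or dot segments.
  if (!/^[A-Za-z0-9_-]+$/.test(group)) return null;
  const base = path.join(GROUPS_ROOT, group);
  // path.resolve normalises ".." segments; an absolute `requested` replaces base entirely
  // and is then rejected by the prefix check below.
  const target = path.resolve(base, requested);
  // Compare against base + separator: a bare prefix test would accept groups/alpha-evil
  // when base is groups/alpha.
  if (target === base || target.indexOf(base + path.sep) === 0) return target;
  return null;
}

// Constructed demonstration inputs.
console.log(resolveInGroup("alpha", "memory/notes.md"));        // .../groups/alpha/memory/notes.md
console.log(resolveInGroup("alpha", "../beta/memory/notes.md")); // null
console.log(resolveInGroup("alpha", "/etc/passwd"));             // null
```

This is a lexical check: it decides on the normalised string, not on what is on disk. A symbolic link created inside a group directory can still point outside it, so for paths that already exist the caller should additionally resolve them with fs.realpathSync and repeat the same prefix test on the result.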

Secrets management

API keys and tokens live in .env with chmod 600 permissions (owner-only read/write). The .gitignore blocks .env files from ever being committed. Secrets are passed as environment variables, never hardcoded in skill files.
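Both protections are easy to lose silently (a copy that resets the mode, a rewritten .gitignore), so a start-up check that verifies them is worth having. The check below is an added example, not GhostClaw's own code; the file names it defaults to and the sample .gitignore content are constructed.

```typescript
// Added example, not GhostClaw code: verify at start-up that .env is owner-only
// and that .gitignore keeps it out of commits. Default file names are assumptions.
import * as fs from "fs";

// rw------- : only the permission bits are compared, so the file-type bits in st_mode are ignored.
function isOwnerOnly(mode: number): boolean {
  return (mode & 0o777) === 0o600;
}

// True when an active (non-comment, non-negated) line matches .env, /.env, .env* or .env.*.
// Ordering of negations later in the file is not modelled here.
function gitignoreCoversEnv(text: string): boolean {
  return text.split("\n")
    .map(line => line.trim())
    .filter(line => line !== "" && line.charAt(0) !== "#" && line.charAt(0) !== "!")
    .some(line => /^\/?\.env(?:\*|\.\*)?$/.test(line));
}

// Returns a list of problems; an empty list means both protections are in place.
function checkSecrets(envPath: string = ".env", gitignorePath: string = ".gitignore"): string[] {
  const problems: string[] = [];
  if (fs.existsSync(envPath)) {
    const mode = fs.statSync(envPath).mode;
    if (!isOwnerOnly(mode)) {
      problems.push(envPath + " has mode " + (mode & 0o777).toString(8) + ", expected 600");
    }
  }
  const ignore = fs.existsSync(gitignorePath) ? fs.readFileSync(gitignorePath, "utf8") : "";
  if (!gitignoreCoversEnv(ignore)) problems.push(gitignorePath + " does not ignore .env");
  return problems;
}

const issues = checkSecrets();
console.log(issues.length === 0 ? "secrets OK" : issues.join("\n"));
```

Refusing to start when the list is non-empty turns a quiet permission regression into an immediate, visible failure rather than something discovered after a key has leaked.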

Open source — full audit

Every line of GhostClaw is on GitHub under MIT licence. The security scanner, the agent runner, the skill engine — all readable. If you want to know exactly what runs on your machine, you can read it.

Community skills: official vs third-party

Official skills in ghostclaw-skills are reviewed before merge. Community-contributed skills go through PR review. Third-party skills from unknown sources still get scanned, but you should read them yourself before installing.

The Honest Trade-off

No containers. On purpose.

GhostClaw deliberately removed Docker containers from NanoClaw. The agent runs directly on your OS with real shell access, real filesystem access, and real network access. That is what makes it useful — it can actually do things on your machine.

But it also means the agent has real power. A malicious skill could, in theory, do anything your user account can do. The security scanner catches known bad patterns, but it is not a sandbox. It is a lint check, not a jail.

This is the right trade-off for a personal agent on a dedicated machine. But it means:

Review skills before installing them. Especially community or third-party skills from sources you do not know. Read the code. Check the scan report. If a skill has warnings, understand why before proceeding. The scanner gives you the information — the decision is yours.