← Back to blog

ZeroClaw Deep Dive: The Lightweight Challenger

·The Claw Wars
zeroclawrustarchitecturesecurity

TL;DR: ZeroClaw is what happens when you rebuild OpenClaw in Rust with security paranoia and edge hardware constraints. 8.8MB binary, sub-10ms startup, runs on a $10 Pi Zero, supports 23 chat platforms and 30+ LLM providers. No multi-agent support, 261 unwrap() calls waiting to crash, but it's MIT/Apache-2.0 and shockingly fast.

ZeroClaw Deep Dive

Overview

ZeroClaw is a Rust-based, ultra-lightweight autonomous AI agent runtime. Security-first, resource-efficient alternative to OpenClaw with the broadest channel and provider support of any alternative.

  • Repository: github.com/zeroclaw-labs/zeroclaw
  • Stars: 16,498
  • Language: Rust (~150K LOC, 4.8MB source)
  • Binary: 8.8MB (stripped release)
  • License: MIT + Apache 2.0
  • Created: February 13, 2026
  • Latest: v0.1.6 (Feb 22, 2026)
  • Website: zeroclawlabs.ai

Who Built It

Harvard/MIT/Sundai.Club

  • "Every Sunday, members of Sundai gather to build an entirely new A.I. product from scratch and deploy it before the end of the day"

Top Contributors

  1. chumyin (414 commits) -- based in China
  2. theonlyhennygod (167 commits) -- Argenis, Software Engineer, Cambridge MA
  3. agorevski (111 commits) -- Alex Gorevski
  4. willsarg (97 commits)
  5. fettpl (74 commits)

Funding

  • No visible corporate funding or VC
  • Pure community-driven open source
  • Sustainability concern for long-term

Architecture

Module Structure

src/
+-- agent/           # Core orchestration loop
+-- approval/        # Human-in-the-loop flows
+-- auth/            # API key management
+-- channels/        # 23 platform integrations
+-- config/          # Parsing, validation
+-- cost/            # API cost tracking
+-- cron/            # Scheduled execution
+-- daemon/          # Long-running background service
+-- doctor/          # Diagnostics
+-- gateway/         # Webhook REST API
+-- hardware/        # Edge device integrations
+-- hooks/           # Event hooks
+-- memory/          # 6 storage backends
+-- observability/   # Logging, metrics, tracing
+-- providers/       # 30+ LLM providers
+-- rag/             # PDF processing
+-- runtime/         # Native + Docker execution
+-- security/        # Access control, sandboxing
+-- service/         # systemd/OpenRC integration
+-- skillforge/      # Skill packaging
+-- tools/           # 30+ agent capabilities
+-- tunnel/          # Cloudflare, Tailscale, ngrok

Trait-Driven Swappable Design

Every core subsystem implements a Rust trait, making components interchangeable:

  • Providers trait: any LLM backend
  • Channels trait: any messaging platform
  • Memory trait: any storage backend
  • Runtime trait: native or Docker execution

Build Optimization

[profile.release]
opt-level = "z"       # Size optimization
lto = "fat"           # Link-time optimization
strip = true          # Remove debug symbols
panic = "abort"       # No unwinding
codegen-units = 1     # Maximum optimization

Key Dependencies

  • Async: tokio 1.42 (multi-threaded)
  • HTTP: reqwest 0.12 (rustls-tls), axum 0.8
  • Security: chacha20poly1305 0.10, hmac, sha2, rand
  • Storage: rusqlite 0.37 (bundled), postgres 0.19 (optional)
  • Observability: tracing, optional OpenTelemetry

Security Model

3 Autonomy Levels

LevelBehaviorUse Case
readonlyObserve and query only; no state changesAudit/monitoring
supervisedProposes actions; human approvesDefault safe mode
fullUnrestricted within security boundariesProduction autonomous

Sandboxing

Native (default):

  • Workspace-only filesystem access
  • Command allowlist enforcement
  • Path traversal protection

Docker:

[runtime]
kind = "docker"

[runtime.docker]
image = "alpine:3.20"
network = "none"              # No network
memory_limit_mb = 512
read_only_rootfs = true       # Immutable filesystem
mount_workspace = true

Landlock (Linux kernel sandbox, optional feature flag sandbox-landlock)

WASM: Not yet implemented, but architecture supports via RuntimeAdapter trait

Filesystem Protection (14 blocked directories + 4 dotfiles)

  • Blocked: /etc, /sys, /proc, /dev, /boot, /root, ~/.ssh, ~/.gnupg, ~/.aws, ~/.config
  • Blocked dotfiles: .env, .env.local, .env.production, .env.development
  • Null byte injection detection
  • Symlink escape detection (canonicalize + validate)
  • Path traversal blocking (rejects .. with workspace_only=true)

Gateway Security

  • Default bind: 127.0.0.1:42617 (localhost-only)
  • Refuses 0.0.0.0 without active tunnel
  • Pairing mechanism: 6-digit code -> bearer token exchange
  • Per-channel identity allowlists (Telegram user IDs, Discord member IDs)

Encrypted Credentials

  • Algorithm: ChaCha20-Poly1305 AEAD (new standard)
  • Storage: ~/.zeroclaw/.secret_key
  • Format: enc2: prefix (migrated from legacy XOR enc:)
  • Auth profiles: ~/.zeroclaw/auth-profiles.json (encrypted)

Network Isolation

  • No network by default
  • Tunnel integration: Cloudflare, Tailscale, ngrok, custom
  • Gateway refuses public bind without active tunnel
  • Docker network modes: none (isolated), bridge, host (dangerous)

Channels (23 Total)

High Maturity

  • Telegram: Full-featured, mention-only mode, file attachments, vision, allowlist binding
  • Discord: Rich embeds, member ID allowlisting, webhook integration
  • Slack: Thread support (known bug: re-replies to old messages)
  • CLI: Interactive and single-message modes
  • Webhook: Gateway API with pairing, bearer tokens

Medium Maturity

  • WhatsApp: Dual mode (Web QR + Meta Business API), media in progress
  • Matrix: E2EE support (feature flag)
  • Lark/Feishu: Rich-text, draft throttling, mention-only groups
  • Signal: Basic (PIN verification gate requested)
  • iMessage: macOS-only, experimental

Available but Less Documented

  • Email, DingTalk, QQ, Nostr, IRC, Mattermost, Nextcloud Talk, ClawdTalk, Linq

Providers (30+)

Cloud

OpenAI, Anthropic, Google Gemini, Mistral, xAI/Grok, Groq, Together.ai, Replicate, Hugging Face, OpenRouter, AWS Bedrock, Azure OpenAI, SambaNova, Zhipu (GLM), Minimax, Telnyx

Local/Self-Hosted

Ollama (buggy: ignores api_url), llama-server, vLLM, Osaurus (macOS MLX)

Custom

  • OpenAI-compatible: custom:https://your-api.com
  • Anthropic-compatible: anthropic-custom:https://your-api.com

Features

  • Reliable wrapper: automatic retries, exponential backoff, fallback providers, circuit breaker
  • Model routing: capability-based, load balancing, cost optimization
  • Vision support: OpenAI, Anthropic, Gemini
  • Thinking models: Gemini 2.0 Thinking, DeepSeek R1 (reasoning suppression)

Memory System (6 Backends)

BackendTypeUse Case
sqlite (default)Hybrid vector + FTS5Zero-config, local
postgresRemote DBMulti-instance, production
markdownFile-basedHuman-readable, git-versioned
lucidExternal serviceEnterprise RAG
noneNo-opStateless agents
customExtensibleImplement Memory trait
  • Vector: cosine similarity via embeddings (OpenAI or custom)
  • Keyword: FTS5 with BM25 scoring
  • Merge: weighted (0.7 vector + 0.3 keyword), re-ranked
  • Embeddings: OpenAI text-embedding-3-small/large or custom endpoint

Features

  • Memory hygiene: duplicate detection, stale cleanup, PII scrubbing
  • Response cache: configurable TTL
  • Chunking: 512 tokens default, 50 token overlap, sentence boundary preservation
  • Snapshot/export system

Migration from OpenClaw

zeroclaw migrate openclaw [--source <path>] [--dry-run]

Carries Over

  • Identity files (IDENTITY.md, SOUL.md, USER.md)
  • Memory (converted to SQLite hybrid search, embeddings regenerated)
  • API keys (re-encrypted with ChaCha20-Poly1305)
  • Provider and model preferences

Does Not Carry Over

  • Node.js dependencies, custom JavaScript tools
  • OpenClaw's internal state database
  • Multi-agent orchestration config
  • Custom plugins, webhook formats

Performance

MetricZeroClawOpenClaw
Startup (0.8GHz)<10ms>500s
RAM (idle)~7MB~394MB
RAM (active)~8MB~1.52GB
Binary8.8MB~28MB
Min hardware cost$10 (Pi Zero)$599 (Mac Mini)

Verified on: Raspberry Pi 3B+ (~15ms startup, ~6MB RAM), Pi Zero W (~25ms, ~8MB), $10 Orange Pi Zero LTS.

Multi-Agent: NOT SUPPORTED

ZeroClaw is a single-agent runtime. No native support for:

  • Subagent spawning
  • Agent-to-agent communication
  • Task queuing for multiple agents
  • Team orchestration
  • Delegation or handoff patterns

Available Workarounds

  • Cron system for autonomous task execution
  • Daemon mode for long-running service
  • Multiple instances sharing same PostgreSQL/SQLite backend (no coordination primitives)
  • External orchestrator sending tasks via webhook

Known Issues

Critical Bugs

  • Issue #1343: Slack keeps replying to old messages
  • Issue #1327: Kimi 2.5 incompatible
  • Issue #1304: Ollama ignores api_url, always uses localhost
  • Issue #1302: autonomy.allowed_commands = ["*"] doesn't work as documented
  • Issue #1298: Shell commands blocked despite level=full

Code Quality

  • 261 .unwrap() calls across 80 files (Issue #440) -- any unexpected error crashes runtime
  • Config file permissions not set to 0600 on Unix (Issue #1345)
  • No OpenAPI spec for gateway
  • No criterion benchmarks for regression detection

Security Warnings

  • Impersonation scams: zeroclaw.org, zeroclaw.net are FAKE
  • Only official: github.com/zeroclaw-labs/zeroclaw and zeroclawlabs.ai

What's Missing vs OpenClaw

  • Multi-agent orchestration
  • Web dashboard
  • WebFetch tool (proposed in Issue #1262)
  • Some Composio integrations broken (Issue #1153)
  • No OpenAPI/Swagger spec
  • No criterion benchmarks

Community

  • 700+ commits in 9 days (~77/day)
  • 7 releases: v0.1.0 through v0.1.6
  • 61 open issues, 30+ open PRs
  • Telegram groups: @zeroclawlabs, @zeroclawlabs_cn, @zeroclawlabs_ru
  • Reddit: r/zeroclawlabs
  • Contributor Covenant 2.1 Code of Conduct
  • CLA: automatic dual-license grant (MIT + Apache 2.0)