Pre‑Alpha — Do not install in production yet
The AI Firewall for Secure Autonomous Agents
Sheriff Claw lets you use powerful AI agents without giving them access to your secrets or your system.
It is a safe, controlled alternative to Open Claw, built for people who want real AI power without losing control, privacy, or security.
Sheriff Claw is built around three non‑negotiable guarantees:
Your system is never exposed to the public internet.
- No open ports
- No inbound access
- No random scanning or drive‑by attacks
If someone doesn’t already have access to your Telegram account or your device, they cannot even see you exist.
Your AI agent can never read your passwords, API keys, or tokens.
- No secrets in environment variables
- No plaintext config files
- No prompt injection attacks
Even if the AI is manipulated, jailbroken, or hallucinating — it has nothing to steal.
The AI cannot run arbitrary commands.
- It can only access services you explicitly approve
- It cannot execute random system actions
- It cannot “hallucinate” permissions
You are always in control. The AI works for you, not instead of you.
Sheriff Claw is the first true AI firewall.
It sits between:
- Your AI agent (smart, powerful, untrusted)
- Your system and secrets (trusted, protected)
The AI never touches raw secrets or devices directly. Everything goes through the Sheriff.
Think of it like this:
- The AI is the worker
- The Sheriff is the security guard
- You are the boss
Sheriff Claw uses two separate communication channels:
- A private Telegram channel
- Talks only to the Sheriff program running on your device
- Handles passwords, approvals, and permissions
The Sheriff is not an AI. It is a strict, deterministic security program.
- A separate Telegram channel
- Where you talk to your AI agent
- Used for tasks like:
  - Research
  - Writing code
  - Automation
  - Planning
The AI cannot access the Sheriff channel.
Goal: Post a daily tweet about trending news.
- You tell the AI: "Check the news and post the top story every morning."
- The AI realizes it needs an X (Twitter) token.
- The Sheriff messages you privately: "The AI needs an X token. Please provide it."
- You enter the token securely.
- The Sheriff encrypts and stores it.
- The AI sends tweet text to the Sheriff.
- The Sheriff signs and posts the tweet.
✅ Result:
- The tweet is posted
- The AI never saw the token
- Nothing sensitive was exposed
- No social engineering: The Sheriff cannot be tricked — it is not an AI
- No prompt injection: The AI has zero access to secrets
- No persistence risk: Secrets disappear after reboot until you unlock
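
The brokered flow from the tweet example above, as a minimal sketch. This is an added illustration, not Sheriff Claw's own code: the `Sheriff` class, its method names, the `fake_x_post` connector and the token value are all hypothetical, and storage encryption is left out.

```python
# Added illustration, not Sheriff Claw's code; all names here are hypothetical.
class Sheriff:
    """Deterministic broker: keeps secrets in RAM and acts on the agent's behalf."""

    def __init__(self, connectors):
        self._connectors = connectors  # service -> callable(secret, payload)
        self._approved = set()         # services the owner explicitly approved
        self._secrets = {}             # never returned to the agent
        self.owner_outbox = []         # prompts for the private Sheriff channel

    # Owner side: reachable only from the private Sheriff channel.
    def approve(self, service):
        self._approved.add(service)

    def provide_secret(self, service, secret):
        self._secrets[service] = secret

    # Agent side: the only entry point the AI gets.
    def request(self, service, payload):
        if service not in self._approved or service not in self._connectors:
            return {"status": "denied"}
        secret = self._secrets.get(service)
        if not secret:
            self.owner_outbox.append(f"The AI needs a token for {service}. Please provide it.")
            return {"status": "pending"}
        result = str(self._connectors[service](secret, payload))
        # Scrub the reply in case a connector echoes the credential back.
        return {"status": "ok", "result": result.replace(secret, "[redacted]")}


def fake_x_post(token, text):
    """Constructed stand-in for an X client; echoes the token like a leaky API."""
    return f"posted {text!r} (auth={token})"


def demo():
    sheriff = Sheriff({"x": fake_x_post, "shell": lambda s, p: "ran " + p})
    sheriff.approve("x")
    first = sheriff.request("x", "Top story: ...")        # no token yet
    sheriff.provide_secret("x", "constructed-token-123")  # owner answers privately
    second = sheriff.request("x", "Top story: ...")
    blocked = sheriff.request("shell", "uname -a")        # never approved
    return first, second, blocked, sheriff.owner_outbox
```

The agent only ever receives the status dictionaries returned by `request()`; the token stays inside the broker even when the connector's reply contains it.
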
- Written entirely in Python
- Each component runs as an isolated service
- Clear boundaries between responsibilities
- Every service has a debug implementation
- Used for:
  - Unit tests
  - Integration tests
  - Deterministic simulations
Production code never mixes with test logic.
- Encrypted SQLite database
- Stores:
  - Secrets
  - Configs
  - Permissions
Critical security property:
- The master password is never stored
- It exists only in RAM
- After reboot, the system is locked
Even with root access, an attacker gets nothing.
Sheriff Claw only communicates via:
- Telegram channels
- Local device communication
Telegram supports inline HTML apps. Sheriff Claw uses them for secure secret entry:
- Sheriff sends an HTML password form
- You enter a secret
- JavaScript encrypts it using the agent’s public key
- Encrypted data is sent back via Telegram
No third‑party services. No plaintext transmission. True end‑to‑end encryption.
```
curl -fsSL https://raw.githubusercontent.com/Gazman-Dev/sheriffclaw/main/install.sh | bash
```

The installer:
- Downloads Sheriff Claw
- Guides initial setup
- Connects Telegram channels
Start an interactive session:
```
sheriff-ctl chat
```

Routing rules:
- Messages starting with `/` → Sheriff
- Everything else → AI agent

Examples:

```
/status
/ yes I agree
what should I automate next?
```
Sheriff Claw gives you real AI power — on your terms. 🤠