
Carapace

puremachinery/carapace

healthy GitHub

A security-hardened personal AI assistant written in Rust that directly addresses the January 2026 OpenClaw vulnerability disclosures. It trades broader feature coverage for defense-in-depth: Ed25519-signed WASM plugins, OS-level subprocess sandboxing, and encrypted secret storage via OS credential stores.

Decision Block

Why choose Carapace over OpenClaw?

Quick recommendation layer first, deeper analysis second. Use this before diving into metrics and architecture details.

Recommendation Layer
Why choose this
  • Safer default posture than OpenClaw for security-conscious deployments.
  • Runs far leaner than OpenClaw on constrained hardware and low-cost hosts.
  • Keeps more of the workflow local, reducing cloud dependency and data exposure.
Tradeoffs
  • Still less proven than OpenClaw in maturity, docs depth, or production mileage.
  • Efficiency usually comes with narrower scope, fewer integrations, or rougher ergonomics.
Best fit
  • Security-sensitive self-hosters
  • Builders who want local-first AI workflows
  • Teams needing shared agent workflows
Avoid if
  • You only want battle-tested projects with a long public track record
  • You care more about broad integrations than minimal footprint
Confidence / Evidence
Mixed Evidence 35%
Freshly Reviewed
Quick Refresh

Limited evidence available. Use the primary sources before making a production decision.

AI decision layer last reviewed Apr 20, 2026. Helpful, but still inference-heavy enough to double-check primary sources.

Last generated Mar 13, 2026
Last reviewed Apr 20, 2026
Refresh mode Quick Refresh

Source window: GitHub metadata, README, recent commits, latest release, Reddit, Brave search

Measured Security: 94
Measured Memory: 18 MB
GitHub Stars: 43
Boot Time: 35 ms
Memory: 18 MB
Language: Rust

Community Pulse

25% Positive
21 Reddit Mentions

Security Radar

Security radar summary for Carapace.

  • Carapace: Sandboxing 9 of 10, API Security 9 of 10, Network Isolation 9 of 10, Telemetry Safety 8 of 10, Shell Protection 8 of 10.

Evaluation Scale: 10 = Maximum Safety / 1 = High Risk

Star Growth (2026)

Star history summary.

  • carapace: 104 recorded points. From 2 stars on 2026-01-01 to 43 on 2026-04-21.

Last Scan: 4/21/2026, 12:16:13 PM
#security-hardened #wasm-plugins #multi-provider #rust #local-first

Carapace is a security-focused, open-source personal AI assistant written in Rust, explicitly positioned as a hardened alternative to OpenClaw/ClawDBot. It runs locally on your machine and supports multiple messaging channels including Signal, Telegram, Discord, Slack, webhooks, and console. The project directly addresses the major vulnerability classes disclosed in the January 2026 OpenClaw security report, implementing defenses like localhost-only binding by default, CSRF-protected control endpoints, OS credential store integration (Keychain/Keyutils/Credential Manager) with AES-256-GCM fallback, and Ed25519 signature verification for its WASM plugin runtime.

The architecture prioritizes security over feature parity. While OpenClaw offers broader channel coverage (WhatsApp, iMessage, Matrix), companion apps, browser control, and multi-agent routing, Carapace focuses on a hardened core with strict capability sandboxing, resource limits for plugins, prompt injection guards with inbound classifiers, and OS-level subprocess sandboxing on macOS/Linux/Windows. Multi-node clustering is partially implemented. The project supports Anthropic, OpenAI, Ollama, Google Gemini, AWS Bedrock, and Venice AI as LLM providers, with streaming, tool dispatch, and cancellation support.

Recent commit activity shows active development with documentation refreshes, CI workflow hardening, dependency updates (including security-patched aws-lc-rs), and test infrastructure improvements. The maintainers emphasize verified stable paths with explicit documentation of partial and in-progress features. The v0.1.0 stable release is marked as ready for real use on verified paths, making it suitable for security-conscious users who need a local AI assistant with strong isolation guarantees.
