Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/openagen/zeroclaw/llms.txt

Use this file to discover all available pages before exploring further.

ZeroClaw enforces security at every layer — not just the sandbox. It passes all items from the community security checklist, covering network exposure, authentication, filesystem access, and inbound message control.

Security checklist

#ItemStatusHow
1Gateway not publicly exposedBinds 127.0.0.1 by default. Refuses 0.0.0.0 without a tunnel or explicit allow_public_bind = true.
2Pairing required6-digit one-time code on startup. Exchange via POST /pair for a bearer token. All /webhook requests require Authorization: Bearer <token>.
3Filesystem scoped (no /)workspace_only = true by default. 14 system dirs + 4 sensitive dotfiles blocked. Null byte injection blocked. Symlink escape detection via canonicalization and resolved-path workspace checks in file read/write tools.
4Access via tunnel onlyGateway refuses public bind without an active tunnel. Supports Tailscale, Cloudflare, ngrok, or any custom tunnel.
Run your own scan to verify: nmap -p 1-65535 <your-host> — ZeroClaw binds to localhost only, so nothing is exposed unless you explicitly configure a tunnel.

Channel allowlists

Inbound sender policy is deny-by-default across all channels:
  • Empty allowlist — deny all inbound messages
  • "*" — allow all (explicit opt-in)
  • Any other value — exact-match allowlist
This keeps accidental exposure low. Recommended low-friction setup for each channel:
ChannelAllowlist value
TelegramYour @username (without @) or your numeric user ID
DiscordYour Discord user ID
SlackYour Slack member ID (starts with U)
MattermostYour Mattermost user ID
NostrYour sender public key (hex or npub)
Use "*" only for temporary open testing. It disables inbound filtering entirely.

Telegram operator-approval flow

When allowed_users is empty, unauthorized senders receive a hint with a copyable operator command. The operator runs the command locally, then the user retries.
1

Start with deny-by-default

Set [channels_config.telegram].allowed_users = [] before starting the agent.
2

Receive the approval hint

An unauthorized user gets a message with the exact command to run:
zeroclaw channel bind-telegram <IDENTITY>
3

Operator approves

Run the command locally to add the identity to the allowlist.
4

User retries

The user sends their message again and is now authorized.
If you need a one-shot manual approval: 
zeroclaw channel bind-telegram 123456789
If you are unsure which identity to add, send one message to your bot, read the warning log to see the exact sender identity, then add that value to the allowlist. If you see ignoring message from unauthorized user in logs, rerun channel setup only: 
zeroclaw onboard --channels-only

Encrypted secrets

API keys and credentials are encrypted at rest using a local key file when [secrets].encrypt = true (the default): 
[secrets]
encrypt = true
When enabled, any api_key value stored in config is encrypted before being written to disk. The key file never leaves the local machine.

Build docs developers (and LLMs) love

Get started for freeTalk to us