Zero Trust File Access

Secure Files for AI Agents

Give your AI agent scoped, time-limited, audited access - without exposing your filesystem.
Assume the agent machine is compromised.
End-to-end encrypted. Capability-based. No full filesystem access.

Install in seconds

curl -sSL https://clawgate.io/install.sh | sh
E2E encrypted
Signed tokens
No full FS
Audit log

AI Agents Need Your Files

You're running OpenClaw, Claude Code, or any AI on an isolated machine. Smart. But now it needs to read your code...

NFS / SMB Mount

Full filesystem access. Agent gets pwned → you get pwned.

SSH + rsync

Credentials stored on agent machine. Same problem.

Manual Copy

Tedious. Breaks flow. Doesn't scale.

Cloud Sync

Your code on someone else's servers.

None of these assume the agent might be compromised. But it might be — prompt injection is real.

Capability-Based Access

Grant specific paths, specific operations, for specific time. Nothing more.

Zero Trust

Assumes the agent machine is compromised. Because it might be.

Least Privilege

Grant ~/projects/app/** not "everything". Scoped access.

Time-Bounded

Tokens expire. 1 hour, 24 hours, 7 days — you choose.

Full Audit

Every operation logged with path, timestamp, and result.

ClawGate Architecture

Up and Running in 60 Seconds

1. Install & Generate Keys

On your primary machine (laptop/workstation)

curl -sSL https://clawgate.io/install.sh | sh
clawgate keygen

2. Grant Access

Create a time-limited token for specific paths

clawgate grant --read "~/projects/**" --ttl 24h > token.txt
# Copy token.txt and public.key to agent machine

3. Start Agent

On the isolated machine (Mac Mini, VPS, container)

clawgate token add "$(cat token.txt)"
clawgate --mode agent

4. Connect

Back on your primary machine

clawgate --mode resource --connect <agent-ip>:4223

Works With Any Agent

Skill files for CLI-based agents. MCP server for tool-based agents.

OpenClaw

Skill file (CLI)

Claude Code

Skill file + MCP

Cursor

MCP server

OpenCode

Skill file + MCP

Codex

Skill file + MCP

Security Model

Multiple layers of protection. Assume breach at every layer.

Layer              Protection
Transport          X25519 + XChaCha20-Poly1305 end-to-end encryption
Forward Secrecy    Fresh ephemeral keys per session
Authentication     Ed25519 signed JWT capability tokens
Authorization      Per-request path scope validation
Path Safety        Canonicalization, symlink rejection, traversal protection
Forbidden Paths    ~/.ssh, ~/.aws, ~/.gnupg — hardcoded, ungrantable
Time Limits        Tokens expire, limiting blast radius
Audit Trail        Every operation logged locally
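As an added example, not ClawGate's own code, here are the Authorization, Path Safety, Forbidden Paths, Time Limits and Audit Trail layers from the table above modelled in Python against a constructed token and a constructed directory layout. It assumes the Ed25519 signature has already been verified by the Authentication layer and works only on the decoded claims; the `dir/**` scope syntax, the function names and the verdict strings are assumptions.

```python
import os, tempfile

FORBIDDEN = ("~/.ssh", "~/.aws", "~/.gnupg")  # hardcoded, ungrantable (from the table above)
# Constructed claims of an already-verified token: read-only on ~/projects/**, 1 hour TTL.
DEMO_TOKEN = {"paths": ["~/projects/**"], "ops": {"read"}, "exp": 1_700_003_600}

def expand(p, home):
    """Expand a leading '~' against the resource machine's home, then normalise lexically."""
    p = home + p[1:] if p.startswith("~") else os.path.join(home, p)
    return os.path.normpath(p)  # collapses '..', so traversal is judged on the final path

def under(path, base):
    return path == base or path.startswith(base + os.sep)

def in_scope(path, scope, home):
    """'dir/**' grants the whole subtree (assumed syntax); anything else is an exact path."""
    if scope.endswith("/**"):
        return under(path, expand(scope[:-3], home))
    return path == expand(scope, home)

def has_symlink(path):
    """Reject if any existing component of the canonical path is a symlink."""
    parts = path.split(os.sep)
    return any(os.path.islink(os.sep.join(parts[:i])) for i in range(2, len(parts) + 1))

def authorize(token, op, requested, home, now, audit):
    """Per-request check: expiry, operation, forbidden list, symlinks, then scope."""
    path = expand(requested, home)
    if now >= token["exp"]:
        verdict = "token expired"
    elif op not in token["ops"]:
        verdict = "operation not granted"
    elif any(under(path, expand(f, home)) for f in FORBIDDEN):
        verdict = "forbidden path"
    elif has_symlink(path):
        verdict = "symlink in path"
    elif not any(in_scope(path, s, home) for s in token["paths"]):
        verdict = "out of scope"
    else:
        verdict = "ok"
    audit.append({"ts": now, "op": op, "path": path, "result": verdict})  # audit trail row
    return verdict == "ok", verdict

def make_demo_home():
    """Constructed layout: projects/app, a .ssh dir, and a symlink escaping the granted scope."""
    home = os.path.realpath(tempfile.mkdtemp())
    os.makedirs(os.path.join(home, "projects", "app"))
    os.makedirs(os.path.join(home, ".ssh"))
    os.symlink(os.path.join(home, ".ssh"), os.path.join(home, "projects", "escape"))
    return home
```

The symlink case is the one a purely lexical check misses: `~/projects/escape/...` is inside the granted scope on paper but resolves into `~/.ssh`, so the component walk has to run after canonicalization and before the scope match.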

Features

E2E Encryption

X25519 key exchange + XChaCha20-Poly1305. Forward secrecy per session.

Ed25519 Signed Tokens

Unforgeable capability tokens. Self-contained, no database needed.

Forbidden Paths

~/.ssh, ~/.aws, ~/.gnupg — hardcoded blocked. Always.

Hot Token Reload

Add tokens while running. No restarts. No reconnects.

Auto Reconnect

Connection drops? Reconnects automatically. Seamless.

Pure Zig, Zero Deps

Single binary. No runtime. No supply chain risk.

Watch the Demo

Demo video coming soon

Ready to Secure Your AI Agent?

Stop exposing your entire filesystem. Start using capability-based access.