Runs locally on your Mac, Windows, or Linux,
with no separate sandbox machine and no cloud-hosted agent.
Wraps the agent in a five-container sandbox,
so the bot, its tools, and its skills stay isolated from your files.
Checks every skill against 87 attack patterns, including 16 for prompt injection,
before it is allowed into the sandbox.
Autonomous agents pull skills from public registries.
An independent audit of one of those registries found that a large share were malicious.
An autonomous CLI agent is a powerful tool.
These are the layers we put around it.
None of them is bulletproof on its own; together they raise the cost of a successful attack.
The agent runs inside a sandbox on your computer that's designed to prevent it from reading your personal files, accessing your passwords, or installing anything outside the sandbox. Your API keys are held by a separate proxy container, so the agent itself never sees them.
Skills come from ClawHub, a third-party registry. Before any skill is installed into the sandbox, it goes through a vetting pipeline: lint, pattern scan, structural verification, and a test run. The scan checks 87 attack patterns, including 16 for prompt injection, all mapped to MITRE ATT&CK and run against every file in the skill bundle. Skills that fail are blocked from installation. The pipeline is not automatic and must be run explicitly, and patterns the scanner does not recognize yet can still slip through.
Every website the agent tries to reach is checked against an allowlist. Unapproved requests are blocked and logged. You can review what the agent did on the network from inside the app.
OpenTrApp bundles two of the three modules we originally planned.
The third, an agent-social shield, is optional and its full build-out is deferred;
see "What's not in this release" further down.
An autonomous CLI agent runs inside a sandbox container that's designed to limit what it can do. Your API keys are held by a separate proxy container, so the agent itself never sees them. OpenTrApp ships pre-wired for OpenClaw today, and the perimeter is designed to extend to other CLI agents over time.
Learn about OpenClawSkills come from ClawHub, a third-party registry. Before installation into the sandbox, each skill goes through an explicit vetting pipeline that checks 87 attack patterns, including 16 for prompt injection, all mapped to MITRE ATT&CK and checked against every file in the skill bundle. The pipeline has to be run, and it is not automatic. Patterns the scanner does not know yet can still slip through.
Visit ClawHubHow the vetting pipeline works
Compatible CLI agents
OpenTrApp's perimeter is agent-agnostic: any autonomous CLI agent that runs as a long-lived process with a configurable HTTP proxy and an allowlist-able outbound surface can plug in. We ship pre-wired for one today; here are agents we know of that are candidates for future integration.
If you'd like to see your agent listed, open an issue on the repo with a pointer to the runtime's documentation. Adding the integration would be in scope for a contributor's first pull request.
No terminal required.
The setup wizard checks everything for you.
Grab the installer for your OS. The setup wizard checks your computer and walks you through anything that's missing.
Enter your API key and Telegram bot token. The setup wizard walks you through creating both, which takes about two minutes. Your keys stay on your machine.
Start, stop, and monitor the agent from the app. The 24 sandbox checks run automatically on startup. Every outbound request is logged so you can review what the agent did on the network.
These are the principles every design and product decision in this project is evaluated against.
Written down because the alternative, leaving them implicit, is how projects drift.
The perimeter exists because autonomous agents are powerful and powerful tools fail in expensive ways. Every architectural choice is evaluated against its containment effect first, convenience second. Defaults err on the restrictive side and are documented when they do.
We can't make running an autonomous agent absolutely safe. We can raise the cost of compromise via defense-in-depth and be open about the gaps that remain. The threat model names them; the whitepaper explains them. We never claim more.
The perimeter isn't coupled to any single CLI agent. The reference deployment is OpenClaw because OpenClaw exists today; the architecture is designed to extend to others. Contributions that broaden compatibility are welcomed.
No tracking, no telemetry, no proprietary blobs. Every dependency, every container layer, every external request is documentable from the source tree. The build is reproducible from a single recipe.
MIT-licensed and developed in the open. Security research findings, hardening recipes, and threat-model deltas land in the repo where everyone running an autonomous CLI agent can benefit, not in private channels.
Built from source in GitHub Actions on every release.
The Tauri auto-updater signs each build with our updater key, but we do not have OS-level code-signing certificates yet,
so macOS Gatekeeper and Windows SmartScreen will warn you on first launch.
That's expected, not a sign of tampering.
When the installer opens, click "More info" in the lower-left of the dialog, then click "Run anyway". You will only see this once.
After opening the .dmg, right-click (or Control-click) the app icon and choose Open. Click Open again in the confirmation dialog. You will only see this once.
Requires Podman or Docker (free). The setup wizard will check this for you.
Free Windows code signing for OpenTrApp is provided by the SignPath Foundation's program for open-source projects (rollout in progress; see our code-signing policy).
What this is. OpenTrApp is the desktop wrapper one open-source contributor built so that running an autonomous CLI agent on a personal computer doesn't require the user to wire up five containers, a proxy, an egress filter, a skill scanner, and a Telegram bridge by hand. There's no team behind it, no company, no funding, no business model. It's a side project shared because we hope it's useful to people who want to explore autonomous CLI agents more safely than running them raw on their main machine.
What this isn't. It isn't a finished, audited security product. It isn't a guarantee. It isn't a replacement for thinking before you give an autonomous agent access to your machine. The agent is genuinely powerful and genuinely hard to fully control. That is an open research problem the whole AI-safety community is working on. What we did is build the smallest cell we could think of around it, and document honestly what that cell does and doesn't catch.
This is experimental software. OpenTrApp is a young project that wraps an autonomous AI agent in a security perimeter on your personal computer. It is provided as is, without warranty of any kind. The authors take no responsibility for any damage to your computer, your data, or anything else that may result from running it.
No one can fully control an autonomous AI agent. That is the open research problem the whole industry is working on. What OpenTrApp does is give it the smallest cell we could build: a five-container sandbox, an allowlist gateway, no host filesystem access, and no host network access. We're doing the best we honestly can with today's tools, and we're transparent about the limits. If absolute security matters for your situation, this isn't the tool for you.
Recommended setup path: we strongly suggest using an AI coding assistant (such as Claude Code) to walk you through the install. The setup wizard is friendly, but if anything goes wrong on your specific machine, having an AI pair programmer next to you while you read the logs is the smoothest path. The product is built by someone who codes alongside AI every day; it's the same workflow we'd recommend for setting it up.
What's not in this release. OpenTrApp was originally
designed around three modules. The third, an agent-social shield, treats an
agent's social feed as untrusted input and vets it before the agent reads it.
Its original target, the Moltbook network, was retired after Meta acquired
Moltbook in March 2026, and a read-only Bluesky (AT Protocol) adapter has
since shipped. The shield is optional and off by default, and its full
build-out is deferred until the other modules are complete. The code lives at
workloads/social/. We're independent open-source researchers
documenting what we observed; we can't control what corporations buy.
Open source, MIT-licensed. OpenTrApp is a gift to the community. There is no paid tier, no telemetry, no upsell. The MIT License lets you use, modify, redistribute, and even sell derivative works of this code, and all we ask in return is the attribution the license already requires (keep the copyright notice). If this is useful to you, a star on GitHub or a mention when you talk about it is the only thanks we're looking for.
For the technical detail on what this protects against (and what it doesn't), see docs/trifecta.md in the repo.