MonoClaw

Trust & Safety

Security means clear boundaries.

MonoClaw does not sell magic safety. It gives you a managed local runtime with verified provisioning, scoped subprocesses, explicit access control, and approval points where risky host actions are involved.

Managed Mac boundary

A local runtime you can reason about.

MonoClaw is installed on the customer Mac as a local runtime with its own profile, session state, memory files, bundled assets, and optional sidecar tools. Anything beyond that boundary, from hosted models to MCP servers, is a setup choice instead of a hidden dependency.

Diagram: the customer Mac boundary, containing the MonoClaw runtime, its local profile, and the configured tools, all running locally.

Credential boundaries

Secrets are scoped, filtered, and redacted.

Runtime secrets live in the profile environment while non-secret settings stay in config. Terminal subprocesses and MCP servers receive filtered environments by default, MCP error text is sanitized, and secret redaction is on unless an operator explicitly disables it.

Diagram: config and .env (non-secret settings alongside profile secrets), default redaction, filtered env for subprocesses, and explicit MCP env only when configured.

Command and workflow review

Host actions meet approval boundaries.

On host-capable backends, catastrophic commands hit a hardline floor before approval mode or YOLO can bypass them. Recoverable but risky commands can trigger review in normal modes. Container and cloud backends use different assumptions, so this page calls that boundary out.

Diagram: the host floor (hardline blocklist runs first), then normal mode (risky commands can ask for approval), with three possible outcomes: Allow, Review, Block.

Access controls are explicit.

Gateway and dashboard access are configured surfaces, not public endpoints.

Controls in the runtime

  • Gateway platform allowlists and pairing decide who can talk to Mona.
  • Telegram approval callbacks check that the acting user is authorized.
  • The local dashboard uses a fresh session token for sensitive API calls.
  • Dashboard CORS and Host-header checks are limited to localhost-style access.

Boundaries to understand

  • Allow-all flags are operator choices, not the default customer promise.
  • Webhook and Home Assistant events rely on their own authentication paths.
  • MCP servers can receive explicit environment variables when configured.
  • Connected providers and channels keep their own security terms.

Safety floor and caveats.

Honest boundaries beat absolute slogans

MonoClaw combines default safeguards with operator-controlled modes. That is useful, but it should be described precisely.

  1. Hardline host safeguards block destructive filesystem roots, raw device writes, fork bombs, and shutdown-style commands.
  2. Dangerous but recoverable commands can require approval in CLI, gateway, or ask flows.
  3. YOLO and approvals-off intentionally reduce prompts; they do not remove the host hardline floor.
  4. Container and cloud terminal backends bypass host command guards because they run outside the host filesystem boundary.
  5. Secret redaction is pattern-based. It reduces accidental exposure but should not be treated as a formal data-loss-prevention guarantee.
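The ordering described above and in the command review section (hardline floor first, then mode-aware approval, with non-host backends outside the guard) is shown below as an added illustration. This is not MonoClaw's code; the rule patterns, root targets, mode names, and the `review_command` function are constructed placeholders for the example.

```python
import re
import shlex
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    REVIEW = "review"
    BLOCK = "block"

# Constructed placeholder rules, not MonoClaw's actual blocklist.
ROOT_TARGETS = {"/", "/*", "~", "$HOME", "/System", "/Users"}
HARDLINE_PATTERNS = [
    ("raw device write", re.compile(r"(\bdd\b.*\bof=/dev/|\bmkfs\b|>\s*/dev/(disk|sd|nvme))")),
    ("shutdown-style command", re.compile(r"^(sudo\s+)?(shutdown|reboot|halt|poweroff)\b")),
]
RISKY_PATTERNS = [
    ("recursive delete", re.compile(r"\brm\b\s+-(\w*r|-recursive)")),
    ("force push", re.compile(r"\bgit\s+push\b.*\s--force\b")),
]

def _destructive_root_delete(tokens):
    """rm with a recursive flag aimed at a filesystem root or the home directory."""
    tokens = tokens[1:] if tokens[:1] == ["sudo"] else tokens
    if not tokens or tokens[0] != "rm":
        return False
    flags = [t for t in tokens[1:] if t.startswith("-")]
    targets = [t.rstrip("/") or "/" for t in tokens[1:] if not t.startswith("-")]
    recursive = any(f == "--recursive" or (f[1:2] != "-" and "r" in f.lower()) for f in flags)
    return recursive and any(t in ROOT_TARGETS for t in targets)

def review_command(cmd, mode="normal", backend="host"):
    """Return (Decision, reason). The hardline floor runs before any mode check."""
    if backend != "host":
        # Container/cloud backends run outside the host filesystem boundary; host guards do not apply.
        return Decision.ALLOW, f"{backend} backend: host guards not applied"
    try:
        tokens = shlex.split(cmd)
    except ValueError:
        return Decision.BLOCK, "unparseable command fails closed at the floor"
    if _destructive_root_delete(tokens):
        return Decision.BLOCK, "hardline: destructive filesystem root"
    for name, pattern in HARDLINE_PATTERNS:
        if pattern.search(cmd):
            return Decision.BLOCK, f"hardline: {name}"
    if mode in ("yolo", "approvals_off"):
        return Decision.ALLOW, f"{mode}: prompts disabled, floor already passed"
    for name, pattern in RISKY_PATTERNS:
        if pattern.search(cmd):
            return Decision.REVIEW, f"risky: {name}"
    return Decision.ALLOW, "no rule matched"
```

The point to check is that a floor match returns Block even in `yolo` or `approvals_off`, while the same recursive delete aimed at a project directory only reaches Review in normal mode and Allow once prompts are disabled.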

Model and data flow

Your data does not need to leave the Mac for routine use. Cloud inference only happens when you configure a hosted provider such as OpenRouter.

Stays with the installed runtime

  • Session history and searchable runtime state
  • File-backed memory, profile configuration, and local secrets
  • Bundled runtime assets and skills payload on disk
  • Gemma model sidecar files when installed on the provisioning medium

Leaves only when you opt in

  • If you configure OpenRouter or another hosted provider, Mona sends the prompt needed for inference and receives the model response back on your Mac.
  • Your local memory store, channel settings, files, and secrets are not sent wholesale; only context included in the prompt leaves the device.

OpenRouter states that it disassociates sampled inputs from user IDs for analytics and does not sell personal data. Each underlying model provider still has its own data handling terms, so choose providers that match your risk tolerance.

MonoClaw's additional layer

  • Routine memory and summaries should avoid passwords, card numbers, government IDs, and medical data unless you explicitly place that context in the conversation.
  • Secret redaction and filtered subprocess environments reduce accidental leakage before tool output or connected services re-enter the conversation.
  • Conversation content is summarized for continuity instead of relying on a cloud account as the system of record.

The biggest security risks are still usually phishing emails, weak passwords, and unpatched software. MonoClaw is built for that real-world threat surface with host command boundaries, filtered subprocess environments, default secret redaction, approval points, and a locally installed runtime you control.
