An AI agent that
works while you're working

ArmorClaw handles your inbox, drafts replies, manages files, and automates tasks while your Mac is running. Message it from Telegram and it reports back. Files the agent reads or writes are scoped to one folder you choose. Browser actions and email access have their own boundaries.

Download for macOS Free for 30 days. No credit card required.

We wanted an agent that actually did things

Most AI tools are chat windows. You open them when you have time, ask a question, get an answer. That's useful, but it's not leverage. Leverage is an agent that works through your backlog on a schedule. That sends you a summary before you get back to your desk. That handles the repetitive stuff without you having to remember to ask.

ArmorClaw runs on your own machine, so your client conversations and business data don't live on someone else's server. The file skill is confined to a single folder you pick during setup. It can't reach your Desktop, your other apps, or anything outside that boundary. Other parts of the agent (browser automation, email access) have separate boundaries we describe at /security. You get the automation without handing over full keys to your computer.

We built it for the professional who doesn't have an engineering team. Real estate agents who need to stay on top of a pipeline. Financial advisors who can't afford to let anything slip. Freelancers who bill by the hour and need to spend it on the right things.

How it works for you

Works from your phone

Text ArmorClaw on Telegram and it gets to work. Triage your inbox, draft a follow-up, look something up. Every morning it sends you a briefing without being asked — what came in, what's ahead, what needs a decision.

Token transparency

Every task shows the exact AI cost in dollars. Set a monthly cap and ArmorClaw stops before you hit it. No surprise bills. If you run Ollama locally, your cost is zero — ArmorClaw tracks that too.

You approve the irreversible stuff

ArmorClaw drafts emails and queues up actions — it doesn't send until you say so. A plain-English dashboard shows every task it ran and every permission it used. If something doesn't look right, you have 60 seconds to undo it.

Running in 15 minutes

A step-by-step setup wizard. No terminal, no config files, no engineering team required. Connect your email account, choose your files folder, and link Telegram. It's running before you finish your coffee.

Hardened on top of OpenClaw

ArmorClaw is built on OpenClaw, the open-source agent runtime. OpenClaw is powerful and flexible — designed for engineers building their own agents. ArmorClaw is what you get when you wrap it in the security layer, approval flow, and setup wizard that make it deployable by someone who's never opened a terminal.

Two-layer injection filter

An outbound filter screens every tool call the agent tries to make — instruction-override patterns, system-prompt references, and encoded payloads are blocked, logged, and rejected. A separate LLM-driven classifier scores every piece of content the agent reads (web pages, email, files, bash output) for injection risk; the model sees both the framed content and a system-level warning. Neither layer is perfect — don't point the agent at content you wouldn't trust with your account credentials. Full threat model at /security.

Permission manifests

Every skill declares what it can access — read email, write files, control the browser — and is blocked at load time if it tries to exceed that. No runtime privilege escalation.

The agent stays in one folder

The file skill is scoped to one folder you choose during setup. It cannot read or write outside that folder. Path traversal attempts are rejected and logged. Browser, email, and network access have separate boundaries documented at /security.

Plain-English audit log

Every action the agent has taken, with timestamp, skill name, outcome, and duration — in a searchable dashboard. Export to CSV anytime. Every entry is signed with HMAC-SHA256 and chained by hash of the previous entry — tampering produces a verification failure you can see in the dashboard. No telemetry leaves your machine.

You choose where your conversations go

ArmorClaw doesn't lock you into one AI provider. During setup, you pick the one that fits your priorities.

Local

Ollama

Runs a model on your own hardware. Nothing leaves your computer. No API key. No cost. The most private option available.

Cloud

Anthropic (Claude)

Powerful cloud AI. Conversations go directly from your computer to Anthropic's servers. You bring your own API key and pay Anthropic directly.

Cloud

OpenAI (GPT)

Powerful cloud AI. Conversations go directly from your computer to OpenAI's servers. You bring your own API key and pay OpenAI directly.

A few things to know before you delegate

AI agents are capable and occasionally wrong. Here's what you should keep in mind going in.

Your Mac has to be running

ArmorClaw runs on your computer. Scheduled tasks, morning briefings, and Telegram messages all require the Mac to be on and the app to be open. If the machine sleeps, the agent stops.

Cloud providers still see your prompts

If you pick Anthropic or OpenAI, the text of your conversations goes to their servers. That's inherent to using cloud AI. For total privacy, run Ollama locally — then nothing leaves your machine.

Start with low-stakes work

Give the agent simple tasks first — inbox triage, research, drafts — before delegating anything with real consequences. Build trust by reviewing what it did, not by assuming it was right.

Approvals only work if you read

ArmorClaw drafts emails and queues up actions, asking before sending or committing. That safety net only works if you actually read what's in front of you — not reflexively tap approve.

Don't point it at untrusted content

The injection filter catches common attacks, but no filter is perfect. Don't let the agent process emails, files, or web pages from sources you wouldn't trust with your account credentials.

Set a token budget

Autonomous agents can get expensive fast if something loops. ArmorClaw's budget cap hard-stops the AI provider when you hit your limit — use it. $20/month is the default; tune it to what you're comfortable with.

What 0.3.0 delivers

A four-month internal security overhaul closes the gaps we flagged earlier this year. The 0.3.0 release ships the full set: real protection against indirect prompt injection, a tamper-evident audit log, literal approval prompts, and a hard-blocking browser allowlist. The full threat model — what we protect against, what's partial, and what's out of scope — lives at /security.

Source-tagged inputs

Every input the agent reads carries a permanent provenance tag (typed by you, read from a file, fetched from the web, output from a shell command). Untrusted content is wrapped in <external-content> framing before it reaches the model.

Indirect-injection classifier

An LLM-driven classifier scores untrusted content for prompt-injection risk on every turn. High-scoring content triggers a system-level warning to the model so it treats the content as data, not instruction.

Signed, tamper-evident audit log

Each audit log entry is signed with HMAC-SHA256 and chained by SHA-256 of the previous serialised line. Tampering produces a verification failure visible in the dashboard and via the export tool.

Literal approval prompts

Approval prompts render the tool name and parameters as JSON. The agent cannot describe an action one way and execute another — what you approve is what runs.

Browser domain allowlist

Browser navigation is gated by a user-managed allowlist. Non-allowlisted domains are hard-blocked and logged. Loopback and private-network addresses are always blocked even if explicitly listed — DNS-rebinding defence.

Threat model at /security

A full threat model and "what we protect against" table at /security — listing what 0.3.0 addresses, what's partial, and what's explicitly out of scope. Security disclosures including our audit status live there too.

Simple pricing

One plan. Everything included. Cancel anytime.

$19.99 / month
Reopening with our 0.3.0 release
Includes: email triage and drafting, file management, browser automation, daily briefings, scheduled recipes, one-tap undo, full audit trail, token transparency dashboard, Telegram integration, and every update we ship. You bring your own API key or run a free local model.

FREE TRIAL + AUTO-RENEWAL NOTICE: Your free trial ends 30 days after signup. Unless you cancel before then, you authorize ArmorClaw to charge $19.99 plus applicable taxes on that date and every month thereafter until canceled. Cancel anytime in Settings. Terms of Service