Carapace Review: Rust fail-closed OpenClaw alternative
Pure Machinery
Rust agent with opposite defaults to early-2026 OpenClaw disclosures — for security engineers PoCing fail-closed designs; small ecosystem, Control UI still preview.
Review updated: June 14, 2026 · Methodology version aligned with BestClaw rankings
BestClaw composite (28 dimensions)
#21 Unified ranking this cycle
Overview
Carapace (puremachinery/carapace, Apache-2.0) is Pure Machinery's Rust personal AI gateway after OpenClaw's early-2026 security wave: Matrix/Signal/Telegram/Discord/Slack/webhooks/console plus many model providers.
The wedge is opposite defaults: no token/password → deny all connections; bind 127.0.0.1 by default; secrets in OS keychains; Skills require Ed25519 signatures in WASM capability sandboxes; subprocesses use Seatbelt/Landlock/AppContainer — unsupported paths fail closed.
Authors call it a preview (Discord E2E works, ~5k tests pass; Control UI frontend and subprocess sandbox wiring incomplete). BestClaw scores Security 9.0, Ecosystem 4.5 — architecture is coherent, marketplace still early. Security-engineer shortlist, not an OpenClaw feature replacement.
Compare with IronClaw and NanoClaw on A/B comparison — all security-first, different plugin models and channel maturity.
At a glance
- Shape
- Rust binary gateway; localhost by default; Apache-2.0
- Auth
- Fail-closed without token/password; CSRF on control UI
- Plugins
- Ed25519-signed WASM with deny-by-default capabilities
- Secrets
- OS keychain/keyutils/credential manager + encrypted fallback
- Process sandbox
- macOS Seatbelt / Linux Landlock / Windows AppContainer+Job
- Channels/models
- Signal/Telegram/Discord/Slack/Matrix; many cloud + local models
- Best for
- Security researchers/engineers wanting explainable fail-closed defaults
- Risk focus
- Preview gaps; publisher trust lists are operational work; tiny vs OpenClaw ecosystem
Pros & cons
Pros
- Public security-comparison doc maps OpenClaw vulnerability classes — auditable.
- Fail-closed + localhost defaults remove accidental wide-open instances.
- Ed25519 + WASM capabilities directly answer Skill supply-chain crises.
- Multi-OS subprocess sandbox direction is correct (author notes wiring incomplete).
- Prompt guard + exec approval + SSRF/DNS stack is comparatively complete.
Cons
- Preview: Control UI and subprocess sandbox not fully wired — PoC current commits.
- Ecosystem 4.5 — stars/community/Skill catalog trail IronClaw/OpenClaw.
- Publisher trust lists need ops — not consumer install-and-forget.
- Feature/channel polish lags OpenClaw mainline.
- Not the fastest path to business features.
Capabilities (honest breakdown)
Fail-closed auth
No credentials → deny; avoids OpenClaw-class open defaults.
Signed WASM plugins
Ed25519 + capability sandbox; unsigned won't run — curate publishers.
OS subprocess sandbox
Seatbelt/Landlock/AppContainer; unsupported paths fail closed.
Multi-channel gateway
Signal/Telegram/Discord etc.; Discord E2E — verify others per release notes.
Multi-model routing
Anthropic/OpenAI/Ollama/Gemini/Vertex/Bedrock; local CLI hooks supported.
Security — read this before go-live
Even with safer defaults, preview go-live requires:
- Publisher lists — trust internal or official Ed25519 publishers only.
- Bind mode — stay localhost; LAN/tailnet needs mTLS + firewall.
- Sandbox coverage — verify subprocess probes pass on target OS.
- Exec approval — keep human gates on risky shell.
- Upgrades — read preview notes; pin commits before production PoC.
Bottom line
Carapace enters at 6.9 as a coherent security architecture, small ecosystem Rust sample (Security 9.0). Security-team PoCs; for breadth see OpenClaw, for WASM production see IronClaw — decide via A/B comparison and the leaderboard.
Scores and rankings follow the published BestClaw methodology; editorial and partnership placements, if any, are labeled separately and do not change numeric conclusions.
Reviews & ratings
Star ratings and review text on this page are independent of BestClaw methodology scores and leaderboard placement.
User ratings come from submissions reviewed on this page; they do not change the methodology score (6.9 / 10) or leaderboard logic.