Powerful AI โ built for you, built with you, built securely. Local-first personal AI assistant.
Project description
๐ฆ๐ค DuckClaw
Powerful AI โ built for you, built with you, built securely. Local-first personal AI assistant with a 4-tier permission engine.
The Problem
Local AI assistants are powerful โ but most of them are built to be capable first and safe second.
- ๐ Broad permissions by default โ agents act before asking
- ๐ฆ No skill verification โ third-party extensions run with full process privileges
- ๐ธ $30โ150/month in API costs with no controls
- ๐งฉ Complex setup โ Node.js, build tools, platform-specific dependencies
- ๐ต๏ธ No audit trail โ you can't see what it did or why
- ๐ Prompt injection โ web pages and emails can manipulate your assistant
The Solution
pip install duckclaw
duckclaw setup # 2-minute guided wizard
duckclaw start # opens localhost:8741
That's it. No Node.js. No WSL2. No build tools.
What's Different
| Common Problem | DuckClaw Solution |
|---|---|
| Agents act without asking | 4-tier Permission Engine (SAFE / NOTIFY / ASK / BLOCK) |
| No preview before actions | Action Preview Mode โ see exactly what happens before it happens |
| No audit trail | Full audit log โ every action logged, searchable, exportable |
| Unverified third-party skills | Sandboxed skill execution + SHA-256 integrity verification |
| Prompt injection vulnerable | Context isolation โ trusted instructions vs untrusted data |
| Complex multi-tool setup | Pure Python โ pip install and done |
| No cost controls | Cost tracking per conversation, budget alerts |
Feature Coverage
14 fully implemented ยท 6 partial ยท 6 post-MVP
๐๏ธ Vision & Screen
| Feature | Status | Notes | File |
|---|---|---|---|
| Screenshot Capture | โ | ASK-tier approval + LLM vision analysis | skills/screen_capture.py |
| Camera Capture | โ ๏ธ | Photo only โ video capture not yet supported | skills/camera.py |
| Media Understanding (Vision) | โ ๏ธ | Images sent to cloud LLM โ no local PII scan or LLaVA yet | skills/screen_capture.py |
๐ Browser & Web
| Feature | Status | Notes | File |
|---|---|---|---|
| Browser Automation | โ | Playwright: navigate, click, fill forms, extract text, screenshot | skills/web_browser.py |
| Web Search | โ ๏ธ | DuckDuckGo (free) โ Brave Search / SearXNG not yet added | skills/web_search.py |
๐ฌ Messaging
| Feature | Status | Notes | File |
|---|---|---|---|
| Telegram | โ | Full + inline approve/deny buttons | bridges/telegram_bridge.py |
| Discord | โ | Slash commands + button components for approvals | bridges/discord_bridge.py |
| โ | Post-MVP (Month 2) | โ | |
| Slack / Signal / iMessage / Teams | โ | Post-MVP | โ |
๐ง Intelligence & Memory
| Feature | Status | Notes | File |
|---|---|---|---|
| Persistent Memory | โ | SQLite facts + ChromaDB semantic search, viewable/deletable in dashboard | memory/store.py |
| Multi-Model Support | โ ๏ธ | 100+ models via LiteLLM, cost tracking โ smart routing by task complexity not yet added | llm/router.py |
| Context Engine (Plugin Interface) | โ | Lifecycle hooks (bootstrap, ingest, compact) โ Post-MVP (Month 2) | โ |
โ๏ธ Automation & Skills
| Feature | Status | Notes | File |
|---|---|---|---|
| Shell Execution | โ | Blocklist for dangerous commands + NOTIFY/ASK tiers | skills/shell_runner.py |
| File System Access | โ | Scoped allowlist + hardcoded credential blocklist | skills/file_manager.py |
| Proactive Background Tasks | โ | APScheduler: cron, reminders, morning briefs โ defaults to NOTIFY | skills/scheduler.py |
| Skill & Plugin System | โ ๏ธ | SHA-256 verify + permission declarations โ no external marketplace yet | skills/registry.py |
| Code Sandbox (Python/JS exec) | โ | Sprint 4 candidate | โ |
| Self-Improving / Skill Creation | โ | Post-MVP (Month 2) โ draft-state review flow planned | โ |
๐๏ธ Voice
| Feature | Status | Notes | File |
|---|---|---|---|
| Voice Mode | โ | Post-MVP (Month 3) โ Whisper STT + Piper TTS planned | โ |
๐ก๏ธ Security & Trust
| Feature | Status | Notes | File |
|---|---|---|---|
| Permission Engine (4-tier) | โ | SAFE/NOTIFY/ASK/BLOCK โ per-skill, configurable, conservative defaults | permissions/engine.py |
| Audit Preview Mode | โ | ActionPreview before every ASK action โ approve/deny on all platforms | permissions/engine.py |
| Full Audit Log | โ | Every action logged, searchable, filterable, exportable JSON/CSV | permissions/engine.py |
| Prompt Injection Defense | โ | Context isolation + dual-pass output scanning + audit logging of signals | security/context_isolation.py |
| Sandboxed Skill Execution | โ ๏ธ | SHA-256 + permissions declared โ OS-level subprocess isolation not yet enforced | skills/base.py |
| Web Dashboard | โ | Chat, memory, audit log, settings @ localhost:8741 | dashboard/ |
| One Command Install | โ | pip install duckclaw && duckclaw start โ pure Python, no Node.js |
pyproject.toml |
Coming in Sprint 4
- ๐ฆ PyPI publish (
pip install duckclaw) - ๐งช Test suite (pytest โ permissions, memory, skills)
- ๐ Full documentation
- ๐ฌ Demo video
- ๐ OS-level subprocess sandboxing (enforced CPU/memory limits)
Permission System
Every action DuckClaw takes is classified into one of four tiers:
| Tier | Color | Examples | Behavior |
|---|---|---|---|
| SAFE | ๐ข | Answer questions, read memory | Auto-approved, silent |
| NOTIFY | ๐ต | Browse web, read files | Auto-approved, user informed |
| ASK | ๐ก | Screenshots, send messages, run commands | Requires explicit approval |
| BLOCK | ๐ด | Delete system files, access credentials | Never allowed |
You: "Take a screenshot and analyze it"
DuckClaw: โ ๏ธ Permission Required
Action: Take a screenshot of your screen
Risk: ๐ข Low | โ Reversible
[โ Deny] [โ Approve]
Quick Start
# Install
pip install duckclaw
# Configure (guided wizard)
duckclaw setup
# Start
duckclaw start
# Or just chat in terminal
duckclaw chat
Requirements: Python 3.11+. That's it.
Architecture
Message โ Orchestrator โ Permission Engine โ Action
โ โ
LLM Router Audit Log
โ
Memory Store
(SQLite + ChromaDB)
Dashboard at localhost:8741 โ Chat, Memory, Audit Log, Settings.
Config
DuckClaw uses ~/.duckclaw/duckclaw.yaml. See duckclaw.yaml.example for all options.
Default model: Claude Haiku (fast, cheap).
Free alternative: Gemini 2.0 Flash (set during duckclaw setup).
Roadmap
See ROADMAP.md for the full 30-day plan.
30 days โ 27 features โ GitHub launch.
Contributing
DuckClaw is MIT licensed and built in public. Issues, PRs, and ideas welcome.
AI assistance you can actually trust โ because it works with you, not around you.
โญ Star this repo if you believe AI assistants should ask before they act.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
duckclaw-0.1.2.tar.gz
(77.9 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
duckclaw-0.1.2-py3-none-any.whl
(73.7 kB
view details)
File details
Details for the file duckclaw-0.1.2.tar.gz.
File metadata
- Download URL: duckclaw-0.1.2.tar.gz
- Upload date:
- Size: 77.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
705e1fe3ec25eea7922b82119425bf559f9382c359c42545c7795b3cf535f9a4
|
|
| MD5 |
1e2c2b312453b361131e155e075c053c
|
|
| BLAKE2b-256 |
ca6e864da9f7171524097236365de6109b0cf23ef37a418a96951af70f0ae6d3
|
File details
Details for the file duckclaw-0.1.2-py3-none-any.whl.
File metadata
- Download URL: duckclaw-0.1.2-py3-none-any.whl
- Upload date:
- Size: 73.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5619e0c3f5dc90295c6268d812474c914de66f50800f2f9a29ba18140c4ab743
|
|
| MD5 |
df5748bb37af5f1f1df2278d1dc6d889
|
|
| BLAKE2b-256 |
cf05bea102e86115eac41bffa8a5955ecfc20bed0cb6f4642f69c2e625cdc2ec
|
