ClawHQ

May 16, 2026 · View on GitHub

The unified AI agent control plane. OpenClaw + OpenFang + Paperclip + Hermes, under one roof.

ClawHQ Demo

ClawHQ — The Open-Source AI Agent Control Platform

License: MIT Live Demo Docs

What's inside

ServiceWhat it does
OpenClawAgent gateway — 20+ messaging channels, skills, WebSocket, exploration mode
OpenFangAgent OS — autonomous hands, security, 27 LLM providers
PaperclipOrchestration — agent teams, org charts, cost control
HermesConversational AI — persistent memory, skills, and long-term context
DashboardClawHQ UI — unified control plane for all services

Self-host in one command

Requirements: Docker 24+, Docker Compose v2, 4 GB RAM

git clone https://github.com/ModologyStudiosLLC/clawhq-platform
cd clawhq-platform
./install.sh

Opens at http://localhost:3500.

First run: pulls pre-built images and builds the dashboard (~2–3 min). Restarts are instant.

Full setup guide: clawhqplatform.com/docs/quickstart

Manual setup

cp .env.example .env
# fill in .env
docker compose up -d

Updating

git pull
docker compose build --build-arg CLAWHQ_GIT_SHA=$(git rev-parse HEAD) dashboard
docker compose up -d

The dashboard shows a badge in the top-right corner when your running instance is behind main. See Updating ClawHQ for the full runbook.

Dashboard

14 pages covering every aspect of your agent fleet:

PageWhat it does
HomeLive agent status, metrics digest, recommendations
ChatGeneral chat shell — pick any agent from a dropdown and message it directly
TeamPer-agent chat, settings, and tool configuration
CapabilitiesWhat your agents can do
ChannelsDiscord, Slack, Telegram, WhatsApp setup
ActivityLive WebSocket event feed of agent activity
AnalyticsPer-agent token spend and cost over time
BudgetMonthly budget, provider caps, spend by agent
HealthReal-time service health with sparklines and uptime
ServicesDocker service management with SSE log streaming
OrchestrationDAG-based multi-agent workflow coordination
RoutingModel router configuration and self-learning stats
SecuritySentinel — prompt injection, PII, toxicity, rate limits
TunnelsTailscale VPN + Cloudflare Tunnel profiles
SSOWorkOS directory sync and SAML/OIDC
SettingsGeneral, agents, budget, integrations, model router, packs, notifications, API keys
DeployOne-click deploy to Railway, Render, or DigitalOcean

Key Features

Model Router — routes tasks to the right model automatically based on task type, budget, and self-learned success rates. Supports Anthropic, OpenAI, Groq, Gemini, DeepSeek, Ollama, and 20+ more providers. Falls back to cheaper models when budget threshold is reached.

Sentinel — 6-layer built-in security:

  • Prompt injection detection — blocks jailbreak attempts before they reach agents
  • PII filtering — strips emails, phone numbers, SSNs, API keys, and card numbers from inbound messages, tool outputs, and outbound channel posts. Modes: redact (default), block, log_only. High-risk types (SSN, CC, API keys) always force-block.
  • Toxicity guardrails — configurable content policy enforcement
  • Rate limiting — per-agent request and token limits
  • Seccomp sandboxing — blocks dangerous syscalls at the OS level
  • Audit logging — immutable append-only log of all configuration changes
  • Pack vetting — every pack upload is checked for hardcoded secrets, dangerous tools without hitl, and schema compliance before it is stored; third-party packs face stricter rules (publisher identity, contact required, external URLs are a hard fail)

Platform Security — defence-in-depth across the full stack:

  • Authentication middleware — all API routes require a valid WorkOS session; returns 401 JSON (no browser redirect)
  • Credentials encrypted at rest — integration tokens stored with AES-256-GCM, keyed from BETTER_AUTH_SECRET
  • Rate limiting — 200 req/min standard, 20 req/min on sensitive routes (keys, bridge, packs)
  • Bridge HMAC — Paperclip → dashboard bridge verified with SHA-256 HMAC (CLAWHQ_BRIDGE_SECRET)
  • Body size cap — 1 MB enforced at both Caddy and middleware layers
  • CORS lockdown — Access-Control-Allow-Origin locked to CLAWHQ_DOMAIN

MCP Integrations — connect agents to external tools in one click:

  • Tier 1: Filesystem, Memory, PostgreSQL, Brave Search
  • Tier 2: GitHub, Slack, Notion, Linear, Google Drive

Exploration Mode — per-session read-only mode for OpenClaw agents. /explore on filters all mutating tools (write, exec, bash, message, etc.) from the agent's available tool list without changing any config.

Cost Controls — per-agent token budgets, monthly spending caps, provider-level caps, budget threshold alerts via Slack webhook.

Per-tool analytics — every tool call is timed and recorded (success/failure, duration). GET /api/tool-stats returns the last 24h of per-tool success rates sorted by error count. Surfaced in the analytics dashboard alongside token spend.

Escalation on failure — when all LLM fallbacks are exhausted or an agent hits the max iterations limit, OpenFang fires a Slack and/or Discord webhook immediately. Set CLAWHQ_SLACK_WEBHOOK / CLAWHQ_DISCORD_WEBHOOK in your .env to enable.

API Keys — generate scoped chq_* API keys for embedding ClawHQ agents in your own products. Keys are stored as SHA-256 hashes; plaintext shown only once on creation.

Update Checker — the dashboard header compares your deployed commit SHA against main via GitHub API and shows what's changed.

Agent Packs

Pre-configured agent bundles. Install in one command, ready to work.

Free packs

PackWhat it does
Data AnalystCSV, JSON, and database → charts, tables, and statistical summaries
Weekly BriefingFriday morning digest of Slack, GitHub, Linear, and email
Content EngineDraft LinkedIn, Twitter, newsletters, and blog outlines from raw notes
Reddit IntelWeekly Reddit monitoring — sentiment analysis, competitor mentions, Discord reports
Code ReviewPaste code or name a file — severity-rated review (Critical/Warning/Suggestion) in any channel
Paid Ads ManagerGoogle, Meta, LinkedIn, Twitter/X campaigns — copy, targeting, creative briefs, ROAS/CPA
Support BuilderRough notes and tickets → polished FAQ pages and help articles, gap analysis
Pro packs ($9/mo)clawhqplatform.com/packs
PackWhat it does
Creator Suite12-agent content system — scripting, scheduling, repurposing, analytics
Proposal GeneratorClient proposals and SOWs with scope, pricing tables, T&Cs, kill fee, change orders
Competitor IntelHelmer's 7 Powers teardowns — vulnerability map, attack brief, quarterly re-audit diffs
ReskillingWorkforce augmentation and AI reskilling programs — 6 agents, 5 packs, 4 workflows
Trades LibraryField service and skilled trades — estimates, scheduling, job completion
Landing Foundry9-agent landing page pipeline — copy, design brief, A/B variants, SEO
Coding AgentsCode review, incident response, sprint planning, PR triage
Executive AssistantCalendar, inbox triage, travel, meeting prep, and expense tracking
Deal RoomProspect research, personalized outreach, pre-call briefings, CRM logging

MSP & Enterprise packsclawhqplatform.com/packs

PackWhat it doesPrice
MSP ManagementMulti-tenant client monitoring, white-label reporting, SLA tracking, onboarding automation$49/mo
GRC Assessment PackSOC 2, ISO 27001, NIST CSF, HIPAA, PCI-DSS gap analysis, evidence collection, policy drafting$149/mo
Federal Compliance PackFedRAMP SSP drafting, CMMC Level 2 assessment, POA&M management, ATO tracking, StateRAMP$199/mo

Install from the dashboard: Settings → Packs, or copy a YAML file to ~/.clawhq/packs/ and restart Paperclip.

Architecture

clawhq-platform/
├── apps/
│   └── dashboard/      Next.js 15 control plane
├── services/
│   ├── openclaw/       Agent gateway (TypeScript)
│   ├── openfang/       Agent OS (Rust)
│   ├── paperclip/      Orchestration (TypeScript)
│   └── hermes/         Conversational AI + memory (Python)
├── packs/              Agent pack YAML definitions
├── guides/             Mintlify documentation source
├── templates/          Community agent templates
├── docker-compose.yml
├── install.sh
└── .env.example

Roadmap

StatusItem
ShippedUsage/cost analytics, audit log, budget alerts, API key management, update checker
ShippedMCP Tier 1 + Tier 2 integrations (Filesystem, Postgres, GitHub, Slack, Notion, Linear, Drive)
ShippedModel router with task-type detection, budget fallback, and self-learning
ShippedAgent health notifications, Tailscale + Cloudflare Tunnel profiles
ShippedAuth middleware, AES-256-GCM credential encryption, rate limiting, HMAC bridge, CORS
ShippedPII filter — redacts/blocks PII across inbound messages, tool outputs, and channel posts
ShippedPer-tool error tracking — success rate, avg duration, error count per tool via /api/tool-stats
ShippedEscalation-on-failure — Slack/Discord webhook when all LLM fallbacks exhausted
ShippedTeam management / RBAC — admin/member/viewer roles, invite by email, seat limits, license tiers
PlannedPWA — installable dashboard on iOS/Android, responsive sidebar, offline fallback

Enterprise

Pro and Enterprise features — RBAC, member management, SSO (WorkOS), and audit log export — are provided by the clawhq-enterprise private overlay. The overlay replaces the open-source stubs in this repo with the full implementations.

PlanFeaturesPrice
Free (this repo)3 agents, 1 user, all OSS featuresFree forever
Pro25 agents, 5 members, audit logContact us
EnterpriseUnlimited agents + members, RBAC, SSO, white-labelContact us

Contact hello@clawhqplatform.com for Pro and Enterprise access.

Community

  • Docs — guides, reference, agent templates
  • Discussions — ideas, Q&A, show and tell
  • Contributing — submit templates, report bugs, open PRs

License

MIT — see LICENSE