Story

Carapace is an open-source personal AI assistant gateway written in Rust. It connects to Anthropic, OpenAI, Ollama, Gemini, and Bedrock, and works through Discord, Telegram, Signal, Slack, and webhooks. Apache-2.0 licensed.

I started building it after the January 2026 OpenClaw security disclosures — 42K exposed instances on Shodan (78% still unpatched), 3 CVEs with public exploits, 341+ malicious skills on ClawHub (Snyk found 36% of all skills have security flaws), 1-click RCE via the Control UI, plaintext credentials harvestable by commodity infostealers. The problems weren't bugs; they were architecture decisions — open by default, no signing, full host privileges, secrets in JSON files. The February wave from Kaspersky, Palo Alto, Snyk, and SecurityScorecard made it worse, not better.

Carapace takes the opposite defaults: localhost-only binding, fail-closed auth, OS keychain credential storage, Ed25519-signed WASM plugins with capability sandboxing, prompt guard with exec approval, SSRF/DNS-rebinding defense. The security comparison doc walks through each OpenClaw vulnerability and how Carapace handles it: https://github.com/puremachinery/carapace/blob/master/docs/s...

This is a preview release — Discord works end-to-end, ~5,000 tests pass, but the Control UI frontend isn't built yet and subprocess sandboxing isn't fully wired. The security architecture is real; the polish isn't.