IronClaw vs OpenClaw — Which Should You Run?
IronClaw and OpenClaw share the same gateway architecture, the same model providers, and the same 53 official skills. Everything that differs between them is about security posture: how much you trust installed skills by default, how much the sandbox enforces at the OS level, and how strictly channels filter who can reach your agent. This guide helps you decide which is right for you — and how to move between them.
The Decision in One Sentence
Run OpenClaw if you're a developer or home user who values flexibility and a fast setup. Run IronClaw if your agent will handle credentials, production infrastructure, financial data, or anything where a compromised agent causes real harm.
Full Comparison Table
| Feature | OpenClaw | IronClaw |
|---|---|---|
| Install time | Under 10 minutes | 15–20 minutes |
| Config complexity | Low — most things work by default | Medium — must configure allowlist before using skills |
| Sandbox default | Permissive — skills can call any URL, access any path | Strict — deny-by-default at syscall level |
| Skill allowlist | Optional — all installed skills run | Mandatory — skills inert until allowlisted |
| Network control | No enforcement — skills can reach any host | Per-skill host:port allowlist, block at kernel |
| Filesystem control | Workspace + any path the agent is given | Per-skill scoped subdirectories; other paths blocked |
| Shell access | Allowed if skill requests it | Blocked by default; requires explicit grant + confirmation |
| Env var access | All env vars accessible to all skills | Per-skill named var grants; wildcards rejected |
| Channel policy | open is a valid dmPolicy option | open rejected at validation; allowlist required |
| Audit logging | Optional | Mandatory — gateway won't start without it |
| Injection defense | Model-level only (prompt) | Built-in pattern scanner + content tagging layer |
| Rate limiting | Not built in | Built in, on by default (30 msg/hr per user) |
| Skill ecosystem | 53 official + 13,700+ community | 53 official (community skills work but need extra care) |
| Skills crosslink | Full access to OpenClaw skill registry | Same registry — same install commands |
| Auto-suspend on violations | Not built in | Built in, configurable |
| API cost | Same as IronClaw | Same as OpenClaw |
| License | MIT (fully free) | MIT core; advanced audit tooling commercial |
| Port | 18789 | 18790 (can run alongside OpenClaw) |
When to Choose OpenClaw
- You're building a home assistant for everyday tasks: reminders, weather, notes, light automation
- You want to experiment quickly with community skills and don't want allowlisting friction
- Your agent doesn't touch credentials, financial accounts, or production systems
- You're the only person who can reach the agent (no shared channels or group chats)
- You're learning how agent frameworks work and want the simplest path
OpenClaw with the Security Hardening guide applied gets you 80% of IronClaw's protection with none of the mandatory friction. For most home users, that's the right balance.
When to Choose IronClaw
- Your agent has access to SSH keys, API tokens, or cloud credentials
- Your agent manages production infrastructure (servers, databases, CI/CD)
- You run the agent in a group chat or give access to people other than yourself
- You're in a regulated industry where you need an audit trail of agent actions
- You want supply-chain attack protection — a compromised skill update can't run without your re-approval
- You want OS-level enforcement rather than depending solely on the model's judgment
The Friction That IronClaw Adds — Honestly
IronClaw is not harder to use day-to-day once it's set up. The friction is front-loaded:
- Initial setup: 15–20 minutes instead of under 10
- Each new skill: requires two commands instead of one (
install+allowlist add) plus thinking about what network grants to give - Debugging: when a skill breaks, check the audit log for violations before debugging the skill itself — adds one step
- Channel setup: you must find and specify your numeric user ID; there's no "allow anyone" shortcut
After initial setup, a typical day of use is identical. The allowlist overhead is felt once per skill, not per session.
Can They Run Side by Side?
Yes. IronClaw uses port 18790, OpenClaw uses 18789. They have separate config directories, separate workspaces, and separate audit logs. A common setup: run OpenClaw for experimentation and skill development, run IronClaw for production use with your live credentials and channels.
# OpenClaw — development/experimentation
openclaw gateway # port 18789
# IronClaw — production with real credentials
ironclaw gateway # port 18790
# They're independent and don't interfereMigrating from OpenClaw to IronClaw
Moving from OpenClaw to IronClaw is a one-way migration in practice — the configs aren't compatible. Use this checklist:
Step 1 — Install IronClaw alongside OpenClaw
npm install -g ironclaw
ironclaw onboard # creates fresh config at ~/.ironclaw/Step 2 — Inventory your OpenClaw skills
openclaw skill list
# Write down which skills you actually use day-to-dayStep 3 — Use audit-only mode to discover required grants
# Set IronClaw to audit-only temporarily (logs everything, blocks nothing)
ironclaw config set security.sandbox.mode "audit-only"
ironclaw gateway
# Install your skills
ironclaw skill install github himalaya weather
# Use each skill normally for a few days
# Check what the audit log shows each skill actually needs
ironclaw audit show --filter NETWORK_BLOCK,FILESYSTEM_BLOCKStep 4 — Write the allowlist entries
# For each skill, add the grants you discovered from the audit log
ironclaw allowlist add github \
--network "api.github.com:443,github.com:443,raw.githubusercontent.com:443" \
--env "GITHUB_TOKEN"
ironclaw allowlist add himalaya \
--network "imap.gmail.com:993,smtp.gmail.com:587"
ironclaw allowlist add weather \
--network "api.open-meteo.com:443,geocoding-api.open-meteo.com:443"Step 5 — Switch sandbox to strict and verify
ironclaw config set security.sandbox.mode "strict"
ironclaw gateway restart
# Test each skill — anything that breaks shows up in:
ironclaw audit tail --filter ALLOWLIST_VIOLATION,NETWORK_BLOCKStep 6 — Update channels and copy SOUL.md workspace
# Copy workspace files to IronClaw's workspace
cp ~/.openclaw/workspace/SOUL.md ~/.ironclaw/workspace/SOUL.md
cp ~/.openclaw/workspace/MEMORY.md ~/.ironclaw/workspace/MEMORY.md
# etc.
# Configure channels in ironclaw.json (must use allowlist dmPolicy)
ironclaw config set channels.telegram.enabled true
ironclaw config set channels.telegram.botToken '"${TELEGRAM_BOT_TOKEN}"'
ironclaw config set channels.telegram.dmPolicy '"allowlist"'
ironclaw config set channels.telegram.allowFrom '["YOUR_USER_ID"]'Step 7 — Stop OpenClaw and run IronClaw
openclaw gateway stop
ironclaw gateway
# Verify health
curl http://127.0.0.1:18790/healthDon't uninstall OpenClaw immediately. If you discover a skill that's awkward to get working in IronClaw's sandbox, you can test it in OpenClaw and use the audit log to understand exactly what it needs before writing the allowlist entry. The two installations don't interfere.
Migrating Back to OpenClaw
Your IronClaw workspace files (SOUL.md, MEMORY.md, AGENTS.md etc.) copy directly to OpenClaw's workspace — the format is identical. Skills installed by IronClaw are compatible with OpenClaw and vice versa. The only thing that doesn't transfer is the allowlist itself (OpenClaw doesn't use one) and the audit log.
← Back to IronClaw hub · See also: IronClaw Quick Start · OpenClaw Security Hardening · OpenClaw Quick Start