Security Model
ClawDroid is designed around visible agent activity, sandboxed execution, user-controlled configuration, and explicit connected-service permissions. These controls help users understand what the agent is doing, but they do not guarantee safety.
Sandbox Limits
A sandbox reduces blast radius, but a sandboxed agent can still damage files it can access, leak information to configured providers, consume API credits, trigger connected-service actions, or produce unsafe output if misused or compromised.
Credential Handling
Only add API keys, OAuth tokens, and account credentials you are willing to use with beta software. Revoke credentials immediately if you suspect exposure. Prefer limited-scope keys and accounts where possible.
Downloads And Releases
Only download ClawDroid from the official repository or release channels you trust. Verify that a download matches the expected project source before installing it on a personal device.
Model Provider And Service Risk
Prompts, files, terminal output, screenshots, app content, and connected-service data may be sent to model providers or services you configure. Review provider settings, retention controls, account permissions, and billing limits.
Safe Use Recommendations
- Start with non-sensitive test projects before using real data.
- Back up important files before asking the agent to edit, delete, or transform them.
- Use least-privilege API keys and service permissions.
- Keep Android, WebView, dependencies, and the app updated.
- Review activity logs before trusting high-impact actions.
- Do not use the beta app for regulated, emergency, or safety-critical workflows.
Vulnerability Reports
If you find a security issue, report it through the official GitHub repository: github.com/Wraient/ClawDroid. Avoid posting exploitable secrets or private user data in public issues.
No Security Warranty
ClawDroid is provided without any warranty that it is secure, free of vulnerabilities, resistant to misuse, or suitable for your threat model. Use it at your own risk.