SmallClaw vs OpenClaw Security Comparison
This article compares SmallClaw and OpenClaw across six areas: platform attack surface, macOS system security, iCloud sync, external skills, LLM context constraints, and permission and execution boundaries. Both systems bring LLMs into real work, but they handle risk differently.
Copyright © 2026 Smallsoft Pty Ltd. All rights reserved.
Overview
SmallClaw and OpenClaw both try to bring LLMs into real work, but their security priorities differ. SmallClaw leans toward security governance for a native macOS desktop app, while OpenClaw leans toward isolation and runtime boundaries in a more general agent platform.
If we break security into a few major dimensions, the difference becomes clear: SmallClaw emphasizes tighter entry points, tighter context, and tighter skill scope, while OpenClaw emphasizes runtime isolation, installation governance, and execution boundaries. This is not about one being absolutely safer; it is about different ways of handling risk.
1. Platform and Attack Surface
SmallClaw is a native macOS desktop app, so its security design naturally builds on Apple's system capabilities. It relies on the macOS App Sandbox and entitlements, plus system services such as Apple Events, TCC, Keychain, and iCloud. Users do not need to set up Node, CLI tools, package managers, or extra runtimes first, which noticeably reduces environmental complexity and supply-chain exposure.
OpenClaw looks more like a cross-scenario agent toolchain with broader capabilities and a wider runtime surface. It emphasizes a sandboxed runtime, installation, updates, plugin scanning, and load-time filtering, and it fits multi-environment, multi-runtime, multi-agent structures better. From a pure attack-surface-reduction perspective, SmallClaw is usually easier to control because the platform is more focused.
2. Integration with macOS Security Mechanisms
SmallClaw does not build a separate, isolated security system; it connects directly to the macOS system-level security model. This includes the App Sandbox and entitlements, Apple Events / Automation / TCC, Keychain-based storage of sensitive credentials, user-selected file access, and audit logs with local execution traces.
That means many of SmallClaw's security boundaries are not decided by the app alone; macOS itself provides the underlying constraints. OpenClaw also uses operating-system and container / sandbox capabilities, but its security story is more platform-oriented and runtime-oriented rather than relying on the system-level integration of a single desktop app.
3. iCloud and Data Sync
SmallClaw's sync strategy is likewise built on Apple's system services rather than a custom sync backend. It uses Apple-provided capabilities such as iCloud / ubiquity containers to sync selected data, including Sessions, LLM Usage, and Runtime Events.
At the same time, sensitive information does not sync: API keys and channel tokens remain local and are managed through Keychain. This has two direct benefits: it reduces the complexity of building a sync system from scratch, and it hands migration, sync, and cross-device availability to Apple's system services.
4. Skills and External Content
SmallClaw takes a "review first, then use" approach to external skills. The core rules are: external skills enter pendingReview by default; only skills that are approved + enabled can enter the injection path; and if an approved external skill's file content changes, it returns to pendingReview. In other words, SmallClaw does not treat skills as "trusted on load"; it treats them as inputs that need ongoing governance.
OpenClaw also treats third-party skills / plugins as untrusted content and provides install scanning, load filtering, and sandbox constraints, but that is more a set of defenses on a general platform. SmallClaw's defining trait is that it keeps the skill entry point tighter.
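The review lifecycle described above, written out as an added Python model (this is illustrative code, not SmallClaw's own implementation; the state names pendingReview and approved come from the text, while the SHA-256 digest check and the `observe_file` watcher hook are assumptions about how "file content changed" would be detected):

```python
import hashlib
from dataclasses import dataclass

# Hypothetical model of the "review first, then use" lifecycle; not SmallClaw's code.
PENDING_REVIEW = "pendingReview"
APPROVED = "approved"

@dataclass
class ExternalSkill:
    name: str
    content: str                 # body of the skill file (instructions for the model)
    state: str = PENDING_REVIEW  # every external skill starts here
    enabled: bool = False
    approved_digest: str = ""    # digest of the exact content a reviewer approved

def digest(content: str) -> str:
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

class SkillRegistry:
    def __init__(self) -> None:
        self.skills: dict[str, ExternalSkill] = {}

    def register(self, name: str, content: str) -> ExternalSkill:
        # Loading a skill never grants trust: it lands in pendingReview.
        skill = ExternalSkill(name=name, content=content)
        self.skills[name] = skill
        return skill

    def approve(self, name: str) -> None:
        skill = self.skills[name]
        skill.state = APPROVED
        skill.approved_digest = digest(skill.content)

    def enable(self, name: str, on: bool = True) -> None:
        self.skills[name].enabled = on

    def observe_file(self, name: str, new_content: str) -> None:
        # Stand-in for a file watcher: any change to an approved skill's bytes
        # sends it back to pendingReview until a human reviews it again.
        skill = self.skills[name]
        skill.content = new_content
        if skill.state == APPROVED and digest(new_content) != skill.approved_digest:
            skill.state = PENDING_REVIEW
            skill.approved_digest = ""

    def injectable(self) -> list[str]:
        # Only approved + enabled skills may enter the injection path; re-hashing
        # here also catches edits made while no watcher was running.
        return sorted(s.name for s in self.skills.values()
                      if s.state == APPROVED and s.enabled
                      and digest(s.content) == s.approved_digest)
```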
5. LLM Context Constraints
SmallClaw does not send all history and all materials to the model verbatim. It first constructs a tightly constrained context and only then makes the request. In practice, it selects context based on the prompt, workspace, skills, permissions, and rules; injects the matched skills as Local Skill Context; and then replaces the last raw user message with that controlled context.
This has two direct benefits: it improves response quality because the model sees a more relevant and cleaner context, and it reduces token consumption because irrelevant content does not flood the prompt. At the same time, tighter context reduces interference from misleading information and makes the model less likely to drift because of unrelated history.
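An added Python sketch of the three steps above (select context, inject Local Skill Context, replace the last user message). It is not SmallClaw's code: the `Message` shape, the keyword-trigger matching, the character budget standing in for a token budget, and the sample skills and history are all constructed for the example, and `SAMPLE_SKILLS` is assumed to contain only skills that already passed review.

```python
from dataclasses import dataclass

# Hypothetical request builder modelled on the steps described; not SmallClaw's code.
@dataclass
class Message:
    role: str
    content: str
    workspace: str = ""

# Constructed sample data. SAMPLE_SKILLS stands for skills that are already
# approved + enabled; each entry maps to (trigger words, instructions).
SAMPLE_SKILLS = {
    "summarize": (["summarize", "summary"], "Summarize the selected file in five bullets."),
    "calendar": (["schedule", "meeting"], "Create events through the local Calendar app."),
}
SAMPLE_HISTORY = [
    Message("user", "Draft the Q3 invoice email.", "billing"),
    Message("assistant", "Here is a draft of the invoice email.", "billing"),
    Message("user", "Open the meeting notes from Monday.", "notes"),
    Message("assistant", "Opened notes/monday.md.", "notes"),
    Message("user", "Please summarize this file for me.", "notes"),
]

def select_history(history, workspace, budget_chars):
    """Keep only turns from the active workspace, newest first, until the
    budget (characters here; tokens in a real client) is spent."""
    chosen, used = [], 0
    for m in reversed(history):
        if m.workspace != workspace:
            continue                      # other workspaces never reach the model
        if used + len(m.content) > budget_chars:
            break
        chosen.append(m)
        used += len(m.content)
    return chosen[::-1]

def match_skills(prompt, skills):
    # Only the current prompt decides which skills are injected, not old history.
    words = {w.strip(".,!?") for w in prompt.lower().split()}
    return [name for name, (triggers, _) in skills.items() if words & set(triggers)]

def build_request(history, workspace, skills=SAMPLE_SKILLS, budget_chars=400):
    last = history[-1]
    matched = match_skills(last.content, skills)
    skill_block = "\n".join(f"[{n}] {skills[n][1]}" for n in matched) or "(none)"
    controlled = (f"Local Skill Context:\n{skill_block}\n\n"
                  f"Workspace: {workspace}\n\nUser request:\n{last.content}")
    messages = select_history(history[:-1], workspace, budget_chars)
    # The last raw user message is replaced by the controlled context.
    messages.append(Message("user", controlled, workspace))
    return messages, matched
```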
6. Permissions and Execution Boundaries
SmallClaw's risky actions are not decided by the model alone; they pass through multiple layers of permission control, including file-system permissions, shell execution permissions, network permissions, browser automation permissions, scheduled execution permissions, and notifications plus other local capabilities. In other words, the LLM's suggestion is only a suggestion; actual execution still has to pass app-level permissions and macOS system permissions.
OpenClaw focuses more on runtime sandboxing, agent boundaries, and installation governance, which suits more complex isolation models. SmallClaw is more about keeping local entry points and execution boundaries tightly constrained.
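An added example of the app-level gate described above: a deny-by-default policy that every model-proposed action has to pass before anything runs, with an audit trail. This is illustrative Python, not SmallClaw's code; the action dictionary shape, the `Permissions` fields, and the host allowlist are assumptions, and an "allow" here is only the first layer, since macOS TCC and the App Sandbox still apply afterwards.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Hypothetical policy layer between the model's proposal and real execution.
@dataclass
class Permissions:
    filesystem: set                         # user-selected folders the app may touch
    shell: bool = False
    network_hosts: set = field(default_factory=set)
    browser: bool = False
    scheduler: bool = False

@dataclass
class Decision:
    allowed: bool
    reason: str

AUDIT_LOG: list[str] = []                   # local execution trace

def _inside(path: str, roots) -> bool:
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False                        # relative or traversal paths are never selected folders
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)

def authorize(action: dict, perms: Permissions) -> Decision:
    """Deny by default; every capability needs an explicit grant."""
    kind = action.get("type")
    if kind in ("read_file", "write_file"):
        ok = _inside(action.get("path", ""), perms.filesystem)
        d = Decision(ok, "path inside user-selected folders" if ok else "path not user-selected")
    elif kind == "shell":
        d = Decision(perms.shell, "shell permission granted" if perms.shell else "shell permission not granted")
    elif kind == "http":
        host = action.get("host", "")
        ok = host in perms.network_hosts
        d = Decision(ok, f"host {host!r} on allowlist" if ok else f"host {host!r} not on allowlist")
    elif kind == "browser":
        d = Decision(perms.browser, "browser automation granted" if perms.browser else "browser automation not granted")
    elif kind == "schedule":
        d = Decision(perms.scheduler, "scheduled execution granted" if perms.scheduler else "scheduled execution not granted")
    else:
        d = Decision(False, f"unknown action type {kind!r}")
    # Every decision, allowed or not, is recorded so the local trace is complete.
    AUDIT_LOG.append(f"{'ALLOW' if d.allowed else 'DENY'} {kind}: {d.reason}")
    return d
```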
7. Which One Is Safer
If you look at only one dimension, the answer changes. SmallClaw is stronger in fewer environment dependencies, less supply-chain complexity, tighter skill-entry governance, more controlled context input, and deeper macOS local integration. OpenClaw is stronger in a more complete runtime isolation model, more systematic install and update governance, clearer platform security documentation, and support for multi-runtime, multi-agent scenarios.
Overall, if the threat model is mainly about unfamiliar skills slipping in, context contamination, or uncontrollable complexity from the environment, SmallClaw's design is more conservative. If the threat model is mainly about runtime environments, plugin ecosystems, isolation boundaries, and general platform governance, OpenClaw's security system is more complete. So the more accurate statement is: SmallClaw is better at guarding local entry points and context boundaries, while OpenClaw is better at building a more complete runtime and isolation system.
Conclusion
SmallClaw's security route is clear: it does not try to fold every platform problem into a general framework; instead, it focuses on the well-defined macOS environment and keeps permissions, sync, skills, context, and execution boundaries tighter. OpenClaw's route is more platform-oriented and better suited to broader runtime and isolation needs.
If security means fewer exposure points, fewer dependencies, fewer misuse opportunities, and less context noise, SmallClaw has a strong advantage. If security means more complete runtime isolation and ecosystem governance, OpenClaw is more mature.