HybridClaw — Enterprise AI Digital Coworker

Latest release: v0.12.5

Current release highlights

HybridClaw v0.12.5 adds versioned admin agent-file editing, a keyboard-driven TUI approval flow, safer config recovery, and channel reliability fixes for email, WhatsApp, and retry-aware transports.

📝

Versioned agent files

/admin/agents now edits allowlisted bootstrap markdown files such as AGENTS.md, keeps saved revisions, and restores earlier versions without leaving the browser.

⌨

TUI approval picker

Pending approvals in hybridclaw tui now open a keyboard-driven picker with arrow-key navigation, quick-select numbers, and a resumable exit summary.

🛟

Config recovery

If config.json becomes invalid, interactive onboarding can restore the last known-good saved snapshot or roll back to a tracked revision before setup continues.

📧

Email first-sync safety

The built-in email transport now seeds a missing mailbox cursor from the current head so old inbox mail is not replayed as new traffic on first startup.

📲

WhatsApp startup hardening

HybridClaw disables Baileys init queries that can trigger intermittent 400/bad-request failures during WhatsApp startup and pairing.

⏳

Retry-aware transports

Retry-capable channel transports now honor server-provided Retry-After delays and reject invalid retry values early instead of silently retrying with bad timing.

HybridAI Advantage

Enterprise platform advantage built in

HybridAI gives HybridClaw a strong enterprise foundation: security, compliance alignment, and document-grounded intelligence.

Select your bot. Unlock its knowledge.

Each bot can have its own focus, tone, and knowledge. Use one for deep research, one for support, and one for day-to-day team productivity.

🔒

Security

Built for teams that need trustworthy controls and secure operations by default.

🏢

Enterprise-Ready Stack

Designed for real business workflows, team governance, and operational reliability.

🇪🇺

EU Stack

Strong fit for organizations prioritizing EU-centric infrastructure and data posture.

🛡️

GDPR Alignment

Supports privacy-conscious deployment strategies and compliance-driven teams.

☁️

Cloud Deployment

Run HybridClaw in a managed, secured cloud container — no local setup, always-on, ready in seconds.

🔍

RAG Retrieval

Ground answers in your organization’s knowledge for higher relevance and confidence.

📄

Document Intelligence

Turn internal documents into practical, searchable context your digital coworker can use.

What it does

High-impact work, handled end-to-end

📚

Answer with context

Blend workspace memory, semantic recall, and typed knowledge-graph relations with HybridAI grounding to produce actionable answers.

🔒

Execute safely

Run useful actions behind trust acceptance, runtime guardrails, sandbox controls, and instruction integrity checks so automation stays controlled.

🔄

Stay consistent across channels

Share one assistant behavior across Discord, Slack, Telegram, Teams, iMessage, WhatsApp, email, web, and terminal without managing separate bot personalities.

🧠

Remember what matters

Persist and compact long-running conversations with canonical session keys, per-channel DM isolation by default, optional linked-identity continuity, and configurable token-budget controls.

⏰

Follow through automatically

Schedule recurring or one-shot tasks with cron/interval/at semantics, and deliver proactive output to channels or webhooks.

📊

Operate with visibility

Track status, sessions, usage/cost aggregates, tamper-evident audit history, approval decisions, and observability export health from one runtime surface.

☁️

Deploy locally or in the cloud

Run on your own machine with the CLI, or launch a fully managed cloud instance in a secured Docker container — no infrastructure to maintain.

Comparison

Comparison & USPs

Area	HybridClaw	OpenClaw	NanoClaw	PicoClaw
Onboarding	Explicit trust acceptance	Strong default flow	Quick startup flow	Minimal setup path
Security & Trust	Trust-first policy posture + encrypted runtime secrets + gateway-side auth injection	Solid baseline controls	Lean safeguards	Minimal guardrails
Secret Storage	Encrypted-at-rest named secret store with separate master key	Project-dependent	Lightweight local handling	Minimal local secret layer
Runtime Control	Live config updates + SecretRefs + URL auth routes	Setup-dependent tuning	Simple control surface	Minimal controls
Digital Coworker Feel	Memory + proactive follow-up	Strong continuity model	Lightweight continuity	Short-turn focus
Enterprise Readiness	Hash-chained audit plus local instruction integrity controls	Strong base, extended per team	Lean core + add-ons	Minimal footprint strategy
Deployment Options	Local CLI + managed cloud containers	Self-hosted only	Self-hosted only	Self-hosted only
Cross-Channel Consistency	One assistant brain across channels	Often one primary channel	Light multi-channel support	Mostly single-channel simplicity

Learning & Memory

Feature	Hermes Agent	OpenClaw	HybridClaw
Memory & Continuity
Memory system	Markdown files	Markdown files + vector search	Markdown files + SQLite semantic vectors
Memory size	Bounded (2.2k + 1.4k chars)	Growing files + vector index	Bounded prompt + SQLite
Memory nudges	Every 10 user turns	None	Heartbeat + flush nudges
Memory flush	Dedicated flush turn	Pre-compaction flush	Flush before compaction
Daily memory layer	No daily digest	Daily logs + tool recall	Daily digest to MEMORY.md
Knowledge graph memory	No graph memory	No graph memory	Entity/relation graph
Session history search	FTS5 + summaries	Experimental	Summaries + optional QMD retrieval
Cross-session user modeling	Honcho model	File-based only	Linked identities + memory backends
Session key continuity	Cross-platform mapping	Channel/topic keys	Canonical keys + linked IDs
Cache-stable memory	Frozen snapshots	Per-turn file injection	Injected memory + saved summaries
Memory injection security	Prompt-injection scanner	None	Prompt sanitization + cited recall
Skills & Learning
Skill system	54 bundled + Skills Hub	53 bundled + ClawHub	33 bundled + 7 import sources
Skill standard	agentskills.io	OpenClaw-only	OpenClaw/CLAUDE SKILL.md
Agent package format	None	None	Portable `.claw` bundles
Skill prompt loading	Slash skills as user messages	Auto-load; hidden off lists	Always-on, summary, hidden
Skill security scanning	Scanner + quarantine	Code scanner on install	Trust-aware skill scan
Autonomous skill creation	Nudged every 15 iterations	User-triggered only	Guarded skill proposals
Skill self-improvement	Live patching	Static	Observe, review, apply/reject
Adaptive skill governance	Learning loop, no staged rollback	None found	Metrics + staged rollback

Architecture

Built for reliability at scale

HybridClaw keeps one shared assistant brain across channels while running actions with safety guardrails.

Where people work

Slack / Discord / Teams
Telegram / iMessage / WhatsApp / Email
Web / Terminal

One shared user experience

→

HybridClaw Core

Shared Assistant Brain

Context, memory, and orchestration

→

Action Layer

Safe Execution

Useful actions with guardrails

→

Result

Back to your team

Fast, consistent responses

Fast by Design

HybridClaw is optimized for quick responses, even when your team uses it all day.

Reliable Operations

Clear runtime surfaces make it easier to monitor, maintain, and trust in production.

Safety by Default

Guardrails are built in so teams can unlock automation without sacrificing control.

Consistent Assistant Quality

Structured prompting keeps behavior stable, reliable, and aligned with your standards.

Technical Details

Engineering view

For technical teams who want to understand how HybridClaw is built and operated.

Core Runtime

Node.js gateway with persistent session state, scheduler metadata (`name`, `description`, `nextRunAt`), and HTTP endpoints for status, chat, and commands.

Audit Trail

Append-only wire logs are SHA-256 hash-chained for tamper-evident immutability, with searchable events, verification, and approval history.

Request Debugging

Gateway start/restart accepts --log-requests to persist best-effort redacted prompts, responses, and tool payloads in SQLite request_log for operator debugging. Typed browser input is always redacted.

Local Eval Workflows

hybridclaw eval and local /eval can point benchmark harnesses at the loopback OpenAI-compatible gateway, with managed locomo, tau2, and native terminal-bench-2.0 runs, detached logs, retrieval sweeps, and progress summaries under ~/.hybridclaw/data/evals/.

Safety Model

Trust-model acceptance is required during onboarding, execution uses container or host sandbox modes with runtime guardrails, user-directed browser auth-flow testing is supported, and TUI blocks when runtime instruction copies drift from installed defaults.

Prompt Orchestration

Structured hook pipeline: bootstrap, memory, safety, and proactivity, plus history/token budgets, current-turn media uploads, and inline @file/@folder/@diff/@staged/@git/@url context references for predictable grounded prompts.

Configuration

Typed config.json with defaults, validation, hot reload, SecretRef-backed credential surfaces, and isolation controls. Runtime secrets live in an encrypted ~/.hybridclaw/credentials.json store with a separate master-key source.

Memory Continuity

Persistent workspace memory, nightly dream consolidation with startup catch-up, semantic memory, typed entity/relation knowledge graph, canonical transport session keys, linked-identity continuity scopes, and long-session compaction keep context coherent across Discord, Slack, Telegram, Teams, iMessage, WhatsApp, email, web, and terminal channels.

SQLite Reliability

Schema evolution uses lightweight PRAGMA user_version migrations with forward-version guards, and runtime enables journal_mode=WAL + busy_timeout=5000 for safer concurrent reads.

Usage Analytics & Export

Per-turn usage events are aggregated by day/month, model, and agent via usage commands, and sessions can be exported as JSONL snapshots (export session [sessionId]) for debugging.

Discord Conversational UX

Edit-in-place streaming, chunk-safe long messages, phase-aware typing/reactions, dynamic self-presence, adaptive debounce/rate limits, and humanized pacing (night/weekend slowdown, exchange cooldown scaling, selective silence, read-without-reply reactions, reconnect staggering).

Proactive Scheduler Jobs

scheduler.jobs[] supports cron/every/at schedules plus immediate one_shot jobs, with agent_turn or system_event actions and delivery to fixed channels, last-active channels, or webhooks. Metadata persists atomically, one-shot runs keep review state, and jobs auto-disable after repeated failures.

Skills Engine

HybridClaw ships with 35 bundled skills, including the gog Google Workspace CLI workflow, the manim-video animation workflow, and the excalidraw diagramming workflow, category-aware catalog and admin authoring flows, and OpenClaw/CLAUDE-compatible SKILL.md discovery with prompt embedding modes (always/summary/hidden), eligibility checks, and trust-aware security scanning. Community imports support packaged official/<skill> skills, skills-sh, clawhub, lobehub, claude-marketplace, well-known, and explicit GitHub repo/path sources via hybridclaw skill import or /skill import.

Agent Packaging

hybridclaw agent export|inspect|install manages portable .claw archives that can bundle an agent workspace plus selected workspace skills and home plugins for backup, transfer, or bootstrap workflows. Legacy pack|unpack aliases still work.

Authenticated Browser Sessions

hybridclaw browser login|status|reset manages a persistent Chromium profile under the runtime data directory so browser automation can reuse cookies and local storage for approved authenticated flows.

Personality Switcher

Command-driven persona switching via /personality updates a managed block in SOUL.md (Name, Definition, Rules) so style remains persistent across sessions without always-on prompt bloat.

Ralph Autonomous Loop

Autonomous iteration can run beyond a single turn via proactive.ralph.maxIterations, and operators can control it live with ralph on|off|set <n>|info without waiting for idle recycle.

Discord Context Enrichment

Discord replies can include pending guild-history context, participant alias memory, @name mention-to-ID rewrites, and optional per-channel presence snapshots for better grounded responses.

Runtime Self-Awareness

Prompt assembly now injects runtime metadata (version, UTC date, model/default model, chatbot/channel/guild IDs, node/OS/host/workspace) so answers stay aligned to the active runtime state.

Web Routing Intelligence

Read-first routing prefers web_fetch for static retrieval, emits escalation hints on JS/app-shell/bot-blocked pages, and guides browser extraction with full snapshots for dynamic content.

Plugin Extensibility

HybridClaw supports local plugins with typed manifests, plugin tools, memory layers, prompt hooks, lifecycle hooks, and exported SDK types. Operators can auto-discover plugins from home or project directories, manage them with hybridclaw plugin list|config|install|reinstall|uninstall, hot-reload them with /plugin reload, and install repo-shipped plugins such as gbrain, honcho-memory, mempalace-memory, qmd-memory, and brevo-email for external retrieval, memory recall, and per-agent email routing.

Interfaces & Integrations

Shared assistant behavior across Discord, Slack, Telegram, Teams, iMessage, WhatsApp, email, web, and terminal, plus bundled skills for office docs, GitHub, Notion, Stripe, WordPress, Google Workspace, Discord, email, and Apple workflows.

Observability Export

Structured audit events are pushed to HybridAI observability ingest with cursor-based delivery, auto-managed bot-scoped ingest tokens, and per-turn token usage metrics.

Gateway Lifecycle

Runtime supports start, stop, and restart flows with graceful shutdown handling, explicit sandbox overrides (--sandbox=container|host), status reporting for both managed and unmanaged gateway processes, and safer startup fallback when Discord token configuration is invalid.

Admin Console

Embedded browser-based admin at /admin with Dashboard, Terminal, Gateway, Sessions, Jobs, Bindings, Models, Scheduler, MCP, Audit, Skills, Plugins, Tools, and Config pages. Use /admin/terminal for a live PTY session, pair /chat with web conversations, and keep /agents open for workspace dashboards. When WEB_API_TOKEN is set, the auth callback can store it in browser storage and redirect to a safe relative destination without leaving the token in the URL.

Commands

Commands across CLI, TUI, Discord, and gateway surfaces for config, auth, plugins, skills, diagnostics, and debugging.

Toolbox

17 built-in capabilities

From reading content to taking action, HybridClaw can complete real workflows end-to-end.

📄

read

Read file contents

✏️

write

Create or overwrite files

🔧

edit

Surgical string replace

🗑️

delete

Remove files safely

🔍

glob

Pattern-match file paths

🔎

grep

Fixed-string search with opt-in regex mode

💻

bash

Shell commands (guarded)

🧠

memory

Durable workspace memory

🔍

session_search

Search past sessions

🌐

web_fetch

Static/read-only URL fetch & extraction

📦

web_extract

Extract structured data from pages

🔍

web_search

Search the web

🖥️

browser_*

JS-rendered + interactive automation with cursor-aware click targets (auth, click, type, screenshot, PDF)

👁️

vision_analyze

Analyze images with vision and auto-route to a capable fallback model when needed

📨

message

Send across Slack, Discord, Teams, Telegram, WhatsApp, email

🧰

delegate

Push-based subagent orchestration (single/parallel/chain)

🕑

cron

Schedule recurring tasks

Personality

A workspace that shapes your agent

Bootstrap files give your agent identity, memory, and purpose. Each agent gets its own persistent workspace, and sessions can bind or switch independently.

File	Purpose
SOUL.md	Personality and behavior
IDENTITY.md	Name, avatar, style
USER.md	Info about the user
MEMORY.md	Persistent memory across sessions
TOOLS.md	Tool usage notes and tips
HEARTBEAT.md	Tasks to check during heartbeat
BOOT.md	Startup instructions
BOOTSTRAP.md	One-time onboarding (removed after first run)
OPENING.md	First proactive message for a fresh session
AGENTS.md	Conventions and guidelines

Get Started

Get started in 60 seconds

Choose your deployment: run locally on your machine or spin up a managed cloud instance.

1. Install CLI

npm install -g @hybridaione/hybridclaw

2. Initialize workspace

hybridclaw onboarding to accept trust model and generate config.json.

3. Start runtime

hybridclaw gateway to launch the core service with your configured bot/model. Use hybridclaw gateway start --sandbox=host when HybridClaw itself already runs inside a container.

4. Connect interface

Use Discord, the built-in web chat, or run hybridclaw tui for a terminal-native chat experience with a startup banner, an interactive approval picker, and an exit summary with a ready-to-run resume command. Web chat accepts uploads and pasted files, and TUI can queue a copied file or clipboard image with /paste or Ctrl-V.

5. Diagnose issues fast

Run hybridclaw doctor to check runtime, auth, providers, Docker, channels, and disk state. Add --fix when a safe remediation is available.

# 60-second flow
npm install -g @hybridaione/hybridclaw
hybridclaw onboarding
hybridclaw gateway
hybridclaw tui

1. Register free account

2. Upgrade account

Choose a paid plan or contact us via Discord or support@hybridai.one for a voucher code.

3. Launch cloud instance

Start your personal HybridClaw in the cloud — running in a secured Docker container, fully managed and always-on.

4. Start using it

Connect via Discord, the web chat, or any supported interface. Your cloud instance is ready to go — no local setup needed.

FAQ

Common questions

How do I diagnose setup problems quickly?

Run hybridclaw doctor. It checks runtime, gateway, config, credentials, database, providers, Docker, channels, skills, security, and disk state in parallel. Use hybridclaw doctor --fix to apply safe remediations where supported, or --json for CI-friendly output. When the environment checks pass but a specific turn still needs inspection, start or restart the gateway with --log-requests to persist best-effort redacted prompts, responses, and tool payloads in SQLite request_log.

Why does onboarding ask me to accept TRUST_MODEL.md?

HybridClaw enforces explicit trust-model acceptance before runtime starts. Acceptance is recorded in config.json with policy version and timestamp so operators can prove security acknowledgement. For CI or other headless shells, HYBRIDCLAW_ACCEPT_TRUST=true can persist that acceptance automatically before credential checks. Technical runtime controls are documented separately in SECURITY.md.

Do I still configure everything through .env?

No. Runtime behavior lives in typed config.json and runtime secrets live in an encrypted ~/.hybridclaw/credentials.json store. HybridClaw reads the master key from HYBRIDCLAW_MASTER_KEY, /run/secrets/hybridclaw_master_key, or a local owner-only credentials.master.key. If .env exists in the current working directory, supported secrets are imported once for compatibility. If you need the whole runtime state elsewhere, set HYBRIDCLAW_DATA_DIR to an absolute path.

Can HybridClaw call an API without exposing the real key to the model?

Yes. Store the key with /secret set <NAME> <VALUE>, then either reference it in a prompt with <secret:NAME> or bind it to a URL prefix with /secret route add. HybridClaw injects the real header in the gateway-side http_request path and persists redacted tool-call arguments instead of the plaintext secret.

Is it safe to let the agent run shell commands?

By default, tools execute inside ephemeral Docker containers with read-only filesystems, memory caps, dropped capabilities, no-new-privileges, PID limits, and a deny-list of dangerous command patterns. When HybridClaw itself already runs inside a container, operators can switch to host sandbox mode to avoid Docker-in-Docker, trading container isolation for workspace fencing and command guardrails.

Can browser tools test real login flows?

Yes, when explicitly requested by the user for the intended site. Runtime guidance allows authenticated browser-flow testing, while sensitive credential values are redacted from structured audit tool-argument logs.

How do I reuse real browser logins?

Run hybridclaw browser login to open a headed Chromium profile, sign in manually, then close the browser. HybridClaw stores that profile under the runtime data directory and reuses it for later browser automation, including cookie and local-storage based sessions.

How does HybridClaw choose web_fetch vs browser tools?

Default is web_fetch for static/read-only retrieval. HybridClaw escalates to browser automation for JavaScript-heavy apps, auth-gated flows, interaction steps, or when web_fetch reports hints like javascript_required, spa_shell_only, empty_extraction, boilerplate_only, or bot_blocked. Browser snapshots also mark pointer- and click-handler-driven custom controls more reliably, which helps the agent interact with modern app-style UIs.

Can I attach files or point a prompt at repo context?

Yes. The built-in web chat accepts uploads and pasted clipboard files or images before send, and TUI can queue a copied local file or clipboard image with /paste or Ctrl-V. You can also add inline context references such as @file:path[:start-end], @folder:path, @diff, @staged, @git:<count>, and @url:https://example.com/spec so HybridClaw can attach the relevant context directly to the prompt.

Can I extend HybridClaw with plugins?

Yes. HybridClaw supports local plugins with typed manifests, plugin tools, memory layers, prompt hooks, and lifecycle hooks. Valid plugins auto-discover from ~/.hybridclaw/plugins/ and project-local .hybridclaw/plugins/ directories, and you can manage them with hybridclaw plugin list, config, install, reinstall, uninstall, and /plugin reload.

Can I back up or transfer an agent?

Yes. hybridclaw agent export creates a portable .claw archive, inspect validates it without extracting, and install restores the agent on another machine. Archives can also bundle selected workspace skills and home plugins. Legacy pack and unpack aliases still work.

Is the audit trail immutable?

Audit logs are append-only and hash-chained per session, so modifications are tamper-evident. Use hybridclaw audit verify <sessionId> to validate integrity, and hybridclaw audit approvals --denied to review denied actions.

What happens if instruction files are changed?

HybridClaw keeps runtime copies of SECURITY.md and TRUST_MODEL.md under ~/.hybridclaw/instructions/. TUI checks them before startup. Use hybridclaw audit instructions to review drift and hybridclaw audit instructions --sync to restore them from installed sources. Sync actions are audit logged.

What is HybridClaw Cloud?

HybridClaw Cloud lets you run your agent in a fully managed, secured Docker container — no local installation, no infrastructure to maintain. Sign up at hybridai.one, choose a paid plan or redeem a voucher code, and launch your cloud instance in seconds. It supports the same features, channels, and integrations as the local version.

Can I use it without Discord?

Absolutely. Run hybridclaw tui, use the built-in web chat, or connect Slack, Telegram, Microsoft Teams, iMessage, WhatsApp, or email. The same assistant behavior and context model is shared across supported interfaces, and gateway startup stays available even if one transport is temporarily misconfigured.

How are screenshots returned in Discord?

HybridClaw attaches generated screenshots directly to the reply and keeps the text concise (for example: "Here it is.") instead of exposing internal workspace file paths.

What is the heartbeat system?

A configurable periodic poll (default every 30 minutes) where the agent wakes up, checks its HEARTBEAT.md file for tasks, and proactively reaches out if something needs attention. Silent acknowledgments are discarded to avoid noise.

Can different Discord channels use different bots?

Yes. Each channel is its own session, so it can use different chatbot/model/RAG settings and can also bind to a different agent workspace with /agent switch. You can control reply activation per channel with /channel-mode and guild policy via /channel-policy.

How do I allow free-response in only one Discord channel?

Set guild policy to allowlist using /channel-policy policy:allowlist, then run /channel-mode mode:free in the one channel you want active. Leave other channels unlisted (or set them to off).

How does HybridClaw avoid over-replying in busy channels?

In free-response channels, HybridClaw can selectively stay silent when a peer likely already answered, react instead of replying to short acknowledgments (for example "thanks"), and slow pacing during nights/weekends or long back-and-forth exchanges.

How does scheduling work?

Two layers: chat-created tasks (schedule add) and config-backed scheduler.jobs[]. Both support cron, one-shot at, and interval semantics, and config jobs also support immediate one_shot runs. Config jobs can use agent_turn/system_event actions plus channel/last-channel/webhook delivery, with persisted metadata, review-state tracking for one-shot jobs, and auto-disable after repeated failures.

What is HybridAI?

HybridAI is the bot platform that powers HybridClaw. It provides managed chatbots with document knowledge bases, retrieval-augmented generation (RAG), and multi-model support through an OpenAI-compatible API. You create and configure bots on the HybridAI platform, then connect them to HybridClaw.

What AI models does it support?

HybridClaw supports HybridAI models, OpenAI Codex models (via openai-codex/ prefix), OpenRouter models (via openrouter/ prefix), Hugging Face router models (via huggingface/ prefix), and local backends including Ollama, LM Studio, llama.cpp, and vLLM. Use model list to browse available models and switch per channel or session at any time.

Can I migrate an existing OpenClaw or Hermes Agent home?

Yes. Run hybridclaw migrate openclaw --dry-run or hybridclaw migrate hermes --dry-run to preview the compatible workspace files, config values, model settings, and optional secrets that can be imported into a HybridClaw agent. Add --agent <id> to target a different agent and --migrate-secrets when you want compatible secrets moved into the encrypted runtime store.

Does the agent remember things between conversations?

Yes. The active agent writes daily memory files (memory/YYYY-MM-DD.md) and curates long-term insights into MEMORY.md. By default, direct-message continuity is isolated per channel kind and peer. Operators can opt into linked-identity continuity when verified aliases should share one main session scope. Before session compaction, a dedicated flush turn ensures durable notes are persisted. These files plus SOUL.md are injected into every request.

Can I switch the assistant personality at runtime?

Yes. Use /personality (or /personality list) to view profiles, /personality <name> to activate one, and /personality reset to go back to default. HybridClaw persists the active persona in SOUL.md as a managed block with Name, Definition, and Rules.

Is there a web-based admin interface?

Yes. The gateway serves an embedded admin console at /admin with pages for Dashboard, Terminal, Gateway, Sessions, Jobs, Bindings, Models, Scheduler, MCP, Audit, Skills, Plugins, Tools, and Config. The Skills page can create local skills from a form or ZIP upload and review adaptive-skill amendments. There is also a live browser terminal at /admin/terminal, a web chat at /chat, and an agent/session dashboard at /agents. When WEB_API_TOKEN is unset, localhost access opens without a login prompt. When it is set, the auth callback can store the token in browser storage and redirect to a safe relative path after login.

Can I use skills from CLAUDE.md or OpenClaw?

Yes. HybridClaw supports OpenClaw/CLAUDE-compatible SKILL.md frontmatter, including always, requires, and metadata fields. Skills can be loaded from workspace, project .agents/skills, personal (~/.codex/~/.claude/~/.agents), bundled, or enterprise extra directories; higher-priority tiers override lower ones. Community skills can also be imported from packaged official/<skill> sources, skills-sh, clawhub, lobehub, claude-marketplace, well-known, and explicit GitHub repo/path refs. Trust-aware scanning blocks risky personal/community skills while allowing vetted bundled skills.