A personal, voice-capable AI you run on your own machine, on the flat-rate Claude subscription you already pay for. No inbound port to attack. No per-token meter. And it can prove what it did.
Self-hosted AI agents were not compromised hypothetically in 2026. OpenClaw's ClawJacked flaw (CVE-2026-25253, a one-click RCE) leaked a gateway token over a WebSocket and drove the agent. Censys and Bitsight found 20,000 to 42,000 gateways exposed to the open internet; China's CNCERT issued a national warning. Around 20 percent of the skill registry was malicious: stealers, SSH-key and token exfiltration, typosquats. A single poisoned email exfiltrated a private key from a linked inbox. Urfael was built blast-radius-first against exactly these, and the difference is not an adjective. It is a command.
npm run security boots the real daemon and dashboard, attacks them the way the wild did, and prints a pass-or-fail table. You run it yourself.
| Attack class | Urfael |
|---|---|
| Network exposure | no TCP port |
| Auth-token leak → RCE | constant-time, never logged |
| Prompt-injection exfil | read-only, no egress |
| Poisoned skill / supply chain | scanned, never executed |
| Unauthenticated DoS | 401, not a crash |
| Secret theft by a runaway agent | no secrets mounted |
| Insecure defaults | fail-closed |
| Inbound trigger → escalation | loopback, per-hook secret |
| Correctness & craft regressions | guarded, can't drift |
faithful re-creation of real urfael output · read the test at app/test/security-benchmark.js
It was red-teamed by its own adversarial agents, which found real gaps (fixed before this shipped). The full scorecard: Security Benchmark · Threat Model, including the risks we don't cover.
Hard questions get a Council. Urfael decomposes the problem, dispatches read-only sandboxed workers to gather what each needs, then synthesizes one answer. You watch it happen instead of trusting a black box.
Council workers are read-only and sandboxed: read and report, no write, no shell, no network.
A flicker-free terminal cockpit with a runic oracle that shows its thinking, changing Elder Futhark glyphs and honest thinking-words, then streams a real Markdown answer and seals it to the ledger. Voice in, voice out, when you want it.
Six built-in stances, switchable by just asking. Same capability, a different approach to dialogue and advice. Want a different brain too? Say switch to opus.
All five personas plus the Urfael anchor are real in app/personas.js.
urfael why: Pickaxe the provenance of any belief it learned, back to the exact commit it came from.
urfael forget: A tombstone for provable, consented deletion. You can make it forget.
Ranked recall runs BM25 plus optional local vectors; your notes never leave the machine.
Claude is native through your subscription, the single path billed to you. Every other model flows in through a documented Anthropic-compatible proxy, the sandbox harness still enforcing the boundaries.
Models. Claude native; 30 named providers (OpenAI, Gemini, xAI Grok, Azure, GitHub Copilot, Mistral, DeepSeek, Groq, Cerebras, Fireworks, Together, Perplexity, NVIDIA NIM, Qwen, Kimi, GLM, MiniMax, Ollama, LM Studio, vLLM, Bedrock, Vertex and more) via a documented Anthropic-compatible proxy, and OpenRouter alone unlocks 300+ models on one key. urfael model route --for cost|speed|quality|privacy recommends the best provider, Pareto-aware and honest about the tradeoffs. Claude on Bedrock or Vertex is still Claude, just billed to AWS or GCP.
Channels. 19 chat channels. Eleven native bridges (Telegram, Discord, Slack, iMessage, Email, Matrix, Signal, WhatsApp, QQ, SimpleX, PSTN phone) plus eight native webhook channels on one loopback receiver (Mattermost, Google Chat, SMS, DingTalk, Home Assistant, BlueBubbles, Feishu, WeCom). Every inbound message is allowlisted to a known principal before the brain sees it, the same fail-closed gate for all of them. Plus a universal webhook relay for Zapier / n8n / any in-and-out webhook.
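The gate described above (loopback receiver, per-hook secret compared in constant time, sender allowlisted to a known principal, fail-closed) can be sketched as follows. This is an added example, not Urfael's code; the hook table, field names and `admit` function are assumptions made for illustration.

```javascript
// Added example: fail-closed admission gate for a loopback webhook receiver.
// Hook names, secrets and principals are constructed placeholders.
const nodeCrypto = require("node:crypto");

const HOOKS = new Map([
  ["mattermost", { secret: "constructed-secret-A", principals: new Set(["mm:alice"]) }],
  ["sms", { secret: "", principals: new Set(["+15550100"]) }], // misconfigured: empty secret
]);

// Hash both values first so timingSafeEqual always gets equal-length
// buffers and the comparison time does not depend on where they differ.
function sameSecret(presented, expected) {
  const h = (s) => nodeCrypto.createHash("sha256").update(s, "utf8").digest();
  return nodeCrypto.timingSafeEqual(h(presented), h(expected));
}

// Every branch that is not an explicit match denies. Reasons name the check
// that failed and never echo the presented or expected secret.
function admit(req) {
  const r = req && typeof req === "object" ? req : {};
  if (r.remoteAddress !== "127.0.0.1" && r.remoteAddress !== "::1") {
    return { status: 403, reason: "not loopback" };
  }
  const hook = HOOKS.get(r.hook);
  if (!hook || !hook.secret) {
    return { status: 401, reason: "unknown or unconfigured hook" };
  }
  if (typeof r.secret !== "string" || !sameSecret(r.secret, hook.secret)) {
    return { status: 401, reason: "bad secret" };
  }
  if (!hook.principals.has(r.sender)) {
    return { status: 403, reason: "sender not allowlisted" };
  }
  return { status: 200, reason: "admitted" };
}

// Constructed requests covering each denial path plus the one success.
function demo() {
  const base = { remoteAddress: "127.0.0.1", hook: "mattermost", secret: "constructed-secret-A", sender: "mm:alice" };
  return [
    base,
    { ...base, remoteAddress: "203.0.113.7" },
    { ...base, secret: "constructed-secret-B" },
    { ...base, secret: { length: 20 } },
    { ...base, sender: "mm:mallory" },
    { ...base, hook: "sms", secret: "", sender: "+15550100" },
    null,
  ].map((req) => admit(req).status);
}
```

A hook configured with an empty secret is rejected rather than treated as "no auth required", and a malformed request yields a denial status instead of an exception.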
Memory & data. Active recall retrieves the past turns and verified lessons that bear on each message and puts them in front of the brain automatically, hybrid keyword plus local semantic, no waiting for it to search. urfael dataset export turns your own runs and verified lessons into training data, provenance-stamped and secret-redacted. An OpenAI-compatible local API drives Open WebUI / LibreChat / the openai SDK.
Voice & reach. Local speech in and out (whisper.cpp + local TTS, nothing leaves the machine), now including Discord voice channels where only an enrolled speaker can command the agent. Runs on macOS, Linux, and Android via Termux. A2UI lets the brain emit interactive UI (cards, tables, buttons) sanitized to a safe, allowlisted schema, so a generative canvas can never execute code.
the security moat is the fixed inner ring, it never moves
Every win is real, and every gap is admitted in the same table.
| Capability | Urfael | Hermes | OpenClaw |
|---|---|---|---|
| No inbound network port | ✅ none | ⚠️ varies | ⚠️ gateway/DMs |
| Ships an attack benchmark | ✅ npm run security | ❌ | ❌ |
| Flat-rate cost (no per-token) | ✅ subscription | ❌ | ❌ |
| Can prove what it did (ledger + seal) | ✅ | ❌ | ❌ |
| Live, watchable multi-agent Council | ✅ | ⚠️ opaque | ⚠️ opaque |
| Skill hub that can't ship malware | ✅ scanned + sha-pinned + never run | ⚠️ | ❌ ~20% malware |
| Proactive memory recall (every turn) | ✅ retrieves per turn | ⚠️ frozen snapshot | ⚠️ agent must search |
| Generative UI that can't run code | ✅ sanitized canvas | ❌ | ⚠️ renders agent HTML |
| Chat-channel breadth | ✅ 19 (11 native + 8 webhook) | ✅ many | ✅ 20+ |
| Battle-tested at scale | ⚠️ small, & we say so | ✅ large | ✅ very large |
We win where it counts for a machine that lives on your desk and acts for you: blast radius, cost, provability, and not overstating maturity.
Honesty is a feature here, so this section exists on purpose.
```bash
git clone https://github.com/Grandillionaire/urfael.git && cd urfael
./install.sh            # checks deps, scaffolds your vault, no keys
cd app && npm start     # the Console opens
```
You need: a Claude Code subscription (Pro or Max), signed in. macOS on Apple Silicon or Intel is the best-tested target; Linux is supported but newer. No API key.
Or run it 100% on your own GPU. A local model (Ollama / NVIDIA NIM) plus local voice means nothing leaves the machine. Guide. Full setup is in docs/SETUP.md.
claude CLI you are already signed into. Urfael is everything around that brain a wrapper is not: a tamper-evident ledger of every action, an ed25519 seal over it, a read-only sandbox for untrusted messages, a credential-deny boundary, nineteen hardened chat channels, voice in and out, proactive active recall over your own notes, a multi-agent Council, and a security benchmark you can run in one command. The model is rented. The sovereignty, the memory, and the safety are yours, on your machine, under MIT.
npm run security. It boots the real daemon and dashboard and attacks them the way self-hosted agents were attacked in 2026, then prints a pass-or-fail table. The latest run resists 10 of 10 real-world attack classes across 95 of 95 checks. You do not take our word for it. You run it.
0600 unix socket only, never a TCP port. The topology is one-way: Urfael reaches out (to your Claude login, to chat APIs it polls); nothing reaches in. There is no gateway to expose, no token to leak over a socket, no DM endpoint to spray. The 20,000-plus exposed gateways that got owned in 2026 were owned because they were reachable. This one is not.
switch to opus.
urfael why pickaxes the provenance of any lesson it learned. And urfael forget writes a tombstone for provable, consented deletion.
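What "a tamper-evident ledger of every action, an ed25519 seal over it" buys a reviewer is shown below with a hash chain and a signature over its head. This is an added example, not Urfael's ledger code; the entry layout and the `append`, `seal` and `verify` functions are assumptions.

```javascript
// Added example: hash-chained action ledger with an Ed25519 seal.
// Entry layout and function names are assumptions, not Urfael's format.
const nodeCrypto = require("node:crypto");

const GENESIS = "0".repeat(64);
const sha256 = (s) => nodeCrypto.createHash("sha256").update(s).digest("hex");

// Each entry commits to the previous entry's hash, so editing or removing
// an earlier action breaks every link after it.
function append(ledger, action) {
  const prev = ledger.length ? ledger[ledger.length - 1].hash : GENESIS;
  const body = JSON.stringify({ seq: ledger.length, prev, action });
  ledger.push({ body, hash: sha256(body) });
  return ledger;
}

// The seal signs the entry count and head hash, so cutting entries off
// the tail invalidates it even though the remaining chain still links.
function seal(ledger, privateKey) {
  const head = ledger.length ? ledger[ledger.length - 1].hash : GENESIS;
  return nodeCrypto.sign(null, Buffer.from(`${ledger.length}:${head}`), privateKey).toString("base64");
}

// Recompute the chain from the stored bodies, then check the seal.
function verify(ledger, sealB64, publicKey) {
  let prev = GENESIS;
  for (let i = 0; i < ledger.length; i++) {
    const { body, hash } = ledger[i];
    if (sha256(body) !== hash) return { ok: false, reason: `entry ${i}: hash mismatch` };
    let p; try { p = JSON.parse(body); } catch { p = null; }
    if (!p || p.seq !== i || p.prev !== prev) return { ok: false, reason: `entry ${i}: broken link` };
    prev = hash;
  }
  const msg = Buffer.from(`${ledger.length}:${prev}`);
  const ok = nodeCrypto.verify(null, msg, publicKey, Buffer.from(sealB64, "base64"));
  return ok ? { ok: true, reason: "sealed chain intact" } : { ok: false, reason: "seal invalid" };
}

// Constructed sample run: one clean ledger and three tampered copies.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ed25519");
  const ledger = [];
  for (const a of ["read notes/todo.md", "reply on telegram", "council: 3 workers"]) append(ledger, a);
  const s = seal(ledger, privateKey);
  const swap = (e) => ({ ...e, body: e.body.replace("telegram", "email") });
  const edited = ledger.map((e, i) => (i === 1 ? swap(e) : e));
  const rehashed = edited.map((e, i) => (i === 1 ? { ...e, hash: sha256(e.body) } : e));
  const check = (l) => verify(l, s, publicKey);
  return { clean: check(ledger), edited: check(edited), rehashed: check(rehashed), truncated: check(ledger.slice(0, 2)) };
}
```

Only the public key is needed to verify, so the check can run on a machine that never held the signing key.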