Starfish vs OpenClaw
OpenClaw did the hardest thing in software: it made agentic AI real and accessible to millions and lit up a generation of builders. This isn't a takedown. It's the case that the movement OpenClaw started can only scale if the agent is governed — and that governing it shouldn't cost you the capability that made it worth running.
What they share
Both run locally and connect a model to your machine. Both can touch files, shell, network, and apps; both keep persistent memory across sessions; both work tasks in the background; both are model-agnostic and extend through skills. That capability surface is the bar, and Starfish meets it — each action just runs gated and audited.
The difference: governance loads first
OpenClaw's design gives the agent authority and trusts it to behave. Starfish inverts that — the agent is a guest inside a governance layer that mediates every action:
- Deny-by-default. No tool runs unless it's registered, allowed for that agent, tied to a task, inside the agent's boundary, and passes risk and policy.
- Vetting is the only door. Skills are provenance-checked, risk-scored, and prompt-injection-screened before they can run; medium-risk and above are quarantined pending your consent. There is no "just install this."
- Hash-chained audit, audit-before-act. Every meaningful action is recorded to an append-only log; if the log can't be written, nothing runs.
- Hard floors a setting can't lift. Filesystem boundary, secrets, catastrophic shell, and network exfiltration are enforced independently of any policy or tolerance.
- Fail-closed. Missing or tampered governance halts startup or enters safe mode.
The security delta, mapped to real incidents
OpenClaw's rapid rise surfaced exactly the failure modes governance is built to prevent. Each maps to a control Starfish ships:
- A clicked link becoming remote code execution → no ungoverned exec path; shell runs only through vetted command-templates, and page or message content is treated as data, never instructions.
- Malicious marketplace skills → vetting-is-the-only-door: provenance, static analysis, an injection screen, and hash-on-vet before a skill can run, plus a curated, signed built-in set.
- Agent endpoints exposed to the internet → external sources are deny-by-default and tainted; the egress guard blocks internal and foreign destinations.
- Shadow installs with no review or audit → governed install and a hash-chained audit; nothing runs ungoverned or unseen.
Honest tradeoffs
Starfish asks you sometimes — deny-by-default means genuinely risky actions pause for a human. A Risk Tolerance setting and earned auto-approval tune that so routine, reversible work stays quiet, while the hard floors never yield. Starfish is also younger, with a smaller integration and community footprint; its bet is that governance, not integration count, decides whether you can trust an agent with real authority. A chat-first and messaging-app surface is on the roadmap.
Who should choose which
Choose OpenClaw if you want maximum integrations today on a machine where a mistake is cheap and you'll own the risk yourself. Choose Starfish if the agent will touch anything you can't afford to lose — real files, credentials, money, customers — and you want proof, not hope, that it stayed in bounds.