Security
Last updated: March 3, 2026
Security-First by Design
OpenPawz is architected with security as a foundational requirement, not an afterthought. As a local-first application with a pure Rust backend, the attack surface is minimal by design.
Credential Encryption
All API keys, tokens, and credentials are encrypted using AES-256-GCM and stored in your operating system's native keychain:
- macOS — Keychain Services
- Windows — Windows Credential Manager
- Linux — Secret Service (GNOME Keyring / KWallet)
Credentials never leave your machine and are never transmitted to OpenPawz or any third party.
No Open Ports
OpenPawz does not open network listeners or expose any services to your local network. The embedded MCP bridge and n8n instance communicate internally only. There are no open ports, no HTTP servers, and no remote access vectors.
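One way to check this claim on Linux, as an added example that is not part of the OpenPawz code base: the script below reads `ss -H -tlnp` output and reports every listening TCP socket owned by a chosen set of process names, classified by how widely the bind address is reachable. The sample rows and the process names `exampleapp` and `node` are constructed placeholders, not observations of OpenPawz; substitute the names you see on your own system.

```python
import ipaddress
import re

# Constructed sample of `ss -H -tlnp` output (Linux); not captured from OpenPawz.
SAMPLE = """\
LISTEN 0 4096 127.0.0.1:5678 0.0.0.0:* users:(("node",pid=4312,fd=21))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 [::]:8080 [::]:* users:(("exampleapp",pid=4301,fd=14))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=640,fd=17))
LISTEN 0 128 [::1]:9000 [::]:* users:(("exampleapp",pid=4301,fd=15))
"""

def scope(addr):
    """Classify a bind address by who can reach it."""
    host = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface suffix
    if host == "*":                         # ss prints * for a dual-stack wildcard
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "all-interfaces" if ip.is_unspecified else "specific-interface"

def listeners(ss_output):
    """Yield (process, address, port, scope) for each LISTEN row."""
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, _, port = cols[3].rpartition(":")
        # The owner column is empty when ss lacks privileges; report "?" then.
        procs = re.findall(r'\("([^"]+)",pid=\d+', line) or ["?"]
        for proc in procs:
            yield proc, addr, int(port), scope(addr)

def audit(ss_output, names):
    """Listeners owned by any process in `names`, network-reachable ones first."""
    hits = [row for row in listeners(ss_output) if row[0] in names]
    return sorted(hits, key=lambda row: row[3] == "loopback")

if __name__ == "__main__":
    for proc, addr, port, where in audit(SAMPLE, {"exampleapp", "node"}):
        print(f"{where:18} {addr}:{port}  ({proc})")
```

Run `ss -H -tlnp` with root privileges so the owner column is populated, and pass its output in place of `SAMPLE`. An empty result for the application's processes is what the claim above predicts; a loopback entry is still a listener that other local processes can reach.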
Zero Telemetry
OpenPawz sends absolutely no data home. No analytics, no crash reports, no heartbeat pings, no update checks beyond what you explicitly initiate. You can verify this by inspecting network traffic or auditing the source code.
Rust Backend
The core engine is written in Rust, which provides memory safety guarantees without a garbage collector. This eliminates entire classes of vulnerabilities — buffer overflows, use-after-free, null pointer dereferences — at compile time.
Sandboxed Execution
OpenPawz is built on Tauri v2, which uses your OS's native webview with strict Content Security Policies. IPC between the frontend and Rust backend is whitelisted per-command, limiting what the UI layer can access.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
- Open a private security advisory through GitHub Security Advisories
- Or reach out privately via Discord (DM a maintainer)
Please do not file public issues for security vulnerabilities. We aim to acknowledge reports within 48 hours and provide a fix or mitigation plan within 7 days.
Audit the Code
OpenPawz is fully open source under the MIT License. Every security claim on this page can be verified by inspecting the source at github.com/OpenPawz/openpawz.