Run high-trust agents on hardware you own.

skiff gives operators a control plane around agent frameworks when workloads involve credentials, network access, money, medical or legal documents, cloud admin, local files, or desktop workflows.

payload: Claude/OpenClaw
route: proxy path
secrets: broker handles
audit: local rows
isolate: cove when needed

launch surface: public claims stay bounded
payload-agnostic: frameworks stay swappable
local audit: operator-owned records
no model lock-in: control plane, not intelligence

When the control plane matters.

Agent frameworks decide what the agent tries to do. skiff is for operators who also need a stable place to define what the agent can reach, which credentials it can use, what gets redacted, what gets reviewed, and what evidence remains after the run.

Frameworks fit when

  • The agent is a low-risk assistant or demo.
  • Credentials, network paths, and audit trails are not material.
  • The framework's own logs are enough.

Use skiff when

  • The agent touches money, health, legal, cloud, desktop, or private work data.
  • Policy, credentials, network control, and audit must live outside the prompt.
  • You want OpenClaw, Claude Code, Gemini CLI, or a custom harness under one operator-owned control plane.

Cloud sandboxes fit when

  • The data can live in the sandbox provider's control plane.
  • Elastic capacity matters more than local ownership.
  • Browser or code isolation is the whole problem.

Agent payload, local control plane

payload

Bring the agent framework your team already uses.

route

Force traffic through a proxy path where wired.

broker

Keep credentials as handles outside the agent process.

audit

Record requests and decisions under operator control.

$ skiff serve --mitm
payload: agent framework selected by operator
network: routed through skiff proxy where forced mode is wired
records: local proxy rows, redaction, dashboard

Launch surface. Proxy audit rows, redaction, self-hosted dashboard, and the skiff serve --mitm forced-routing path are the public claims. Broader product surfaces and judge-gated decisions are preview claims under release verification; native iOS/macOS credential backends and production rollback evidence are still closing.

First proof should be runnable.

The preview path is for developers and security evaluators who want to inspect the source, start the local dashboard, and review the wired proxy/audit code paths before a sales conversation. Treat it as preview: useful for evaluation, not a GA production promise.

$ git clone https://github.com/tmc/skiff
$ cd skiff
$ ./scripts/demo-oob.sh --keep-running
# open http://localhost:8090/app

The model is not the trust boundary.

Agent frameworks are moving fast. One week the payload is Claude Code, the next it is OpenClaw, NemoClaw, NanoClaw, OpenShell, Gemini CLI, or something new. skiff assumes the payload will change. The durable layer is what the operator must still own: policy, credentials, network control, audit, lifecycle, and isolation.

skiff sits around agent frameworks.

Model vendors, browser-agent infrastructure, and computer-use platforms will keep improving. skiff gives regulated teams and privacy-sensitive operators one local control plane around whichever payload wins, without making a hosted sandbox the trust boundary.

Model vendors

Claude, OpenAI, Gemini, and future model runtimes own intelligence and developer experience.

skiff does not compete on model quality. If a model-vendor agent wins, skiff still supplies local execution posture, routed egress, brokered secrets, and operator-owned records.

Browser infrastructure

Browserbase and Steel make web sessions observable, scalable, proxy-aware, and production-friendly.

Browser automation can be one payload. Desktop apps, terminals, native tools, and cove-backed Mac runs need the same policy model as support lands.

Computer sandboxes

Cua, Lume, E2B, and Daytona validate isolated execution for agents and code.

skiff focuses on the controls around execution: credential handles, network paths, audit rows, redaction, escalation, and customer-controlled Macs, Linux hosts, or tenant hardware when hosted sandboxes are the wrong trust boundary.

Security teams adopting agents

Give developers agent freedom without letting prompts decide egress, credentials, or audit posture.

DevOps and admin workflows

Run agents against GitHub, CI, cloud consoles, terminals, and incidents with routing, logs, and secret handling.

Privacy-sensitive automation

Put money, medical, legal, and family/work data workflows on customer-controlled hardware instead of a model vendor's cloud.

Agent framework authors

Keep building the payload. skiff supplies policy, network, credentials, audit, lifecycle, and isolation around it.

devops

An agent diagnoses a production incident.

It opens GitHub, CI, cloud consoles, terminals, and logs. skiff's job is to keep the network path, credential handles, and action records outside the prompt.

egress + audit first

finance/admin

An agent reconciles money workflows.

Bank, Stripe, QuickBooks, invoices, payouts, and statements are obvious automation targets. They are also where browser state and credentials need local control.

secrets stay brokered

local desktop

An agent needs a real Mac.

When the payload leaves browser automation and touches desktop apps, files, or screenshots, skiff can pair with cove for a disposable macOS run.

policy plus rollback

healthcare

An agent navigates benefits and medical paperwork.

Insurance portals, lab PDFs, claims, scheduling, and provider messages are useful automation targets precisely because they are messy and sensitive.

local records + redaction

legal

An agent reviews diligence folders.

Contracts, NDAs, cap tables, email attachments, and shared-drive exports need a clear action trail and a boundary between prompt context and source material.

audit before autonomy

personal ops

An agent handles family admin.

Taxes, medical bills, school forms, subscriptions, travel, and home services are where consumers want help but do not want a cloud agent holding every secret.

consumer-grade privacy

  1. Choose the payload.

    The runtime model targets OpenClaw, NemoClaw, NanoClaw, OpenShell, Claude Code, Gemini CLI, and future frameworks as swappable payloads as support is added.

  2. Place the control plane around it.

    skiff manages lifecycle, network routing, proxy audit rows, redaction, and local dashboard state outside the agent's prompt context.

  3. Broker secrets by handle.

    The device credential backend shape keeps sensitive material out of the agent container; polished iOS Secure Enclave and macOS Keychain paths are Phase B1.

  4. Escalate isolation when needed.

    When the payload needs a real Mac, cove can provide a disposable macOS environment with rollback and control surfaces.

The control plane is the product.

For high-risk automations, the valuable layer is not another prompt wrapper. It is the machinery that decides what the payload can reach, how credentials are presented, what gets redacted, and what the operator can review after the run.

Routed egress

Proxy rows, redaction, and forced routing give the operator a path to see and constrain network activity before the agent becomes a production actor.

Mobile-held secrets

The planned iOS companion app turns the phone into a consent and secret-management surface: approve, proxy, or deny sensitive steps without handing raw credentials to the payload.

Escalation into cove

When a task needs a real Mac, skiff can move the payload into a cove-backed disposable environment so policy and rollback share one run record.

Judge-gated decisions

Policy review belongs at substrate decision points: tool calls, memory writes, chat sends, scheduler actions, and state transitions, not inside the payload prompt.

Without skiff

  • Each agent runtime invents its own safety story.
  • Credentials often enter the same context as the prompt.
  • Network activity is discovered in upstream logs after the fact.
  • Switching frameworks means relearning the control surface.

With skiff

  • The agent is a payload inside one operator-owned control plane.
  • Secrets are brokered by handle where the path is wired.
  • Proxy rows and local audit records become the first place to look.
  • OpenClaw, Claude Code, Gemini CLI, and future runtimes can be swapped underneath the same policy model as support is added.

Capabilities

Where does skiff fit?

skiff fits when the useful agent workflow also needs controls outside the agent framework: network paths, credential handles, policy checks, lifecycle, and local audit around the payload.

Do people actually care?

They may not ask for local agent runtime infrastructure by name. They do ask for agents that can handle money, medical paperwork, legal documents, cloud admin, and private desktop workflows. Those are exactly the workflows where credentials, screenshots, files, and audit trails matter.

Won't OpenAI, Anthropic, or Google build this?

They may build parts. skiff assumes their agents may win and treats them as payloads. The durable product is customer-controlled execution around the model: policy, credentials, network control, audit, lifecycle, and isolation on hardware the operator controls.

Is this another agent framework?

No. OpenClaw, NemoClaw, NanoClaw, OpenShell, Claude Code, Gemini CLI, and future runtimes are the payload layer. skiff is the local control plane around them when the operator needs a stable safety, network, and audit model.

skiff does not try to be the smartest agent. It is the control plane that still matters when the smartest agent changes.

skiff exists because agent frameworks change quickly. The durable layer is what they all need around them: policy, credentials, network control, audit, lifecycle, and isolation on hardware the operator controls.