FIELD NOTE · COVER · APR 27, 2026 · ISSUE LEAD

HiClaw Locks Agent Credentials at the Gateway

v1.1.0 ships Kubernetes-native with 1.7 GB off the image, but the real story is that Workers never touch your actual API keys.

Tom Reilly

Worker Agents operate with consumer tokens only. Real credentials (API keys, GitHub PATs) stay in the gateway — Workers can't see them, and neither can attackers.

agentscope-ai/HiClaw README

What AutoKaam Thinks
  • Workers get consumer tokens only; your real API keys and GitHub PATs never leave the Higress gateway. Cleanest credential isolation in self-hosted multi-agent right now.
  • Matrix rooms put you inside every agent conversation by default; human-in-the-loop is the architecture, not a toggle you set and forget.
  • v1.1.0 cut 1.7 GB from the Docker image and replaced shell scripts with the hiclaw CLI; both of those are signals the maintainers are building for operational longevity.
  • Helm chart ready for Kubernetes 1.24+; production deploys no longer need to go through a local Docker Desktop dependency.

If you're managing agent infrastructure at a small team and your current credential model is injecting API keys into every container, HiClaw is a direct challenge to that approach. The repo is trending today on GitHub with 22 stars. Here is the engineering lead's read on what it is, what v1.1.0 changed, and whether it's worth an evaluation session this week.

What Shipped

The changelog for v1.1.0, dated 2026-04-24, covers four areas that matter for anyone evaluating the project.

A Kubernetes-native control plane. HiClaw now deploys as a proper Kubernetes service via Helm chart rather than a Docker Compose stack on a developer's local machine. The default Helm profile bundles the Higress AI gateway, Tuwunel as the Matrix server, MinIO for shared file storage, and the HiClaw controller. No external dependencies required for the full stack.

Hermes, an autonomous coding agent runtime. HiClaw's architecture distinguishes between deterministic agents and autonomous execution agents. OpenClaw and QwenPaw function as task leaders in orchestration roles. Hermes is the new runtime for autonomous code execution. The design principle is explicit: deterministic agents orchestrate, Hermes executes.

1.7 GB off the Docker image. That reduction has direct operational consequences. Faster pulls in CI, lower registry storage costs, faster Worker spin-up when the Manager spawns new containers for a task. For a project open sourced on 2026-03-04, eight weeks of active development producing that kind of image-size work signals the maintainers are thinking about production constraints alongside feature velocity.

The hiclaw CLI replaces shell scripts. Prior versions managed setup and operations through shell scripts. The CLI surfaces those same operations as proper named commands. Runbooks get cleaner. Scriptable automation becomes less fragile when you're wrapping a CLI rather than sourcing shell scripts.

Why It Matters

The credential architecture is what separates HiClaw from most multi-agent frameworks available today, and it is worth spending time on because it is the design decision that actually changes your security posture.

In the standard multi-agent setup, every agent that calls an LLM, accesses GitHub, or hits an internal API needs credentials. The obvious implementation is environment variables injected into the agent's container at runtime. It functions. It also means every agent in your system holds a live copy of those credentials. If the agent's context window is exfiltrated, if the container is compromised, or if a prompt injection attack succeeds, the attacker has your keys.

HiClaw's approach: Workers operate with consumer tokens only. Real credentials stay in the Higress AI Gateway, which centrally manages all outbound traffic from the multi-agent system. Workers request capabilities through the gateway; they never receive the underlying keys. The README states this plainly. API keys and GitHub PATs live in the gateway. Workers can't see them.

For a small team running agents that touch production APIs or code repositories, this is a meaningful security posture improvement over the default pattern most frameworks use.
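The token-for-credential swap described above, modeled as an added example; this is not HiClaw or Higress code. The `Gateway` class, the `ct_` token prefix, the per-route grants and the revocation call are assumptions made for illustration, and the keys are constructed values.

```python
import hmac
import secrets

class Gateway:
    """Toy model of a credential-holding gateway (not Higress or HiClaw code)."""
    def __init__(self, upstream_keys):
        self._upstream_keys = dict(upstream_keys)  # route -> real credential
        self._grants = {}  # consumer token -> (worker name, allowed routes)

    def issue_consumer_token(self, worker, routes):
        token = "ct_" + secrets.token_urlsafe(24)  # hypothetical token format
        self._grants[token] = (worker, frozenset(routes))
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def forward(self, route, headers, upstream):
        presented = headers.get("Authorization", "").removeprefix("Bearer ").encode()
        # Constant-time comparison against every issued token.
        grant = next((g for t, g in self._grants.items()
                      if hmac.compare_digest(t.encode(), presented)), None)
        if grant is None:
            return 401, "unknown or revoked consumer token"
        worker, routes = grant
        if route not in routes:
            return 403, f"{worker} is not granted route {route}"
        # Drop the Worker's header and attach the real key on the outbound leg only.
        outbound = {k: v for k, v in headers.items() if k.lower() != "authorization"}
        outbound["Authorization"] = "Bearer " + self._upstream_keys[route]
        return 200, upstream(route, outbound)

def demo():
    seen = []  # what the upstream provider receives

    def upstream(route, headers):
        seen.append(headers["Authorization"])
        return "ok"

    # Constructed sample credentials, not real keys.
    gw = Gateway({"llm": "sk-REAL-constructed", "github": "ghp_REAL-constructed"})
    token = gw.issue_consumer_token("worker-a", ["llm"])
    auth = {"Authorization": f"Bearer {token}"}
    results = {"allowed": gw.forward("llm", auth, upstream),
               "other_route": gw.forward("github", auth, upstream)}
    gw.revoke(token)
    results["revoked"] = gw.forward("llm", auth, upstream)
    return token, seen, results
```

In this model the Worker's token reaches only the routes it was granted and stops working once revoked, while the real key appears only in the request the gateway sends upstream.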

The Matrix protocol layer is the second differentiator. HiClaw builds the entire collaboration interface on Matrix, using Tuwunel as a self-hosted server and Element as the client. Every Matrix room includes the operator, the Manager, and the relevant Workers. You watch every step of every task as it runs. You intervene by typing in the room. No log aggregation dashboards, no webhook-to-Slack pipelines for visibility, no separate observability stack. The room is the interface.

The explicit design goal of eliminating DingTalk and Lark dependencies matters most for teams in environments where those platforms are common but their bot-registration and API approval workflows introduce friction. Matrix is an open protocol, fully self-hostable, and federates if you need it to. There is no vendor to lock you in.

The MinIO shared file system completes the picture. In multi-agent workflows where one agent produces an artifact that another consumes, the naive pattern is to pass that artifact through the context window. That burns tokens at scale. MinIO gives agents a shared file system for inter-agent exchange, removing the token cost from artifact passing. The README describes this as significantly reducing token consumption in multi-agent collaboration scenarios; no specific percentage is provided.

What to Try

HiClaw is worth a local evaluation session if you are running or planning to run multi-agent workflows and the credential exposure model of your current setup concerns you. The installation bar is low.

On macOS or Linux:

bash <(curl -sSL https://higress.ai/hiclaw/install.sh)

Windows is supported via PowerShell 7+. The installer walks through LLM provider selection (OpenAI-compatible APIs are supported), API key entry, and network mode. After setup, Element Web runs at http://127.0.0.1:18088. The Manager greets you in the first room and walks through Worker creation.

Hardware requirements: 2 CPU cores and 4 GB RAM to run the Manager. For multiple Workers running simultaneously, plan for 4 cores and 8 GB. Docker is required on all platforms: Docker Desktop on Windows and macOS, Docker Engine on Linux. This is not a lightweight tool. A shared dev box with 2 GB available will not work.

For production or team-shared deployments, the Helm path is the right one. Prerequisites are Kubernetes 1.24+, Helm 3.7+, and a default StorageClass for the Tuwunel and MinIO persistent volume claims.

helm repo add higress.io https://higress.io/helm-charts
helm repo update

Running on managed Kubernetes clusters removes the Docker Desktop licensing dependency entirely. That matters for teams whose production environments restrict Docker Desktop.

The skills ecosystem is worth testing early in your evaluation. Workers pull from skills.sh, which the README cites at 80,000+ community skills. Because Workers operate with consumer tokens through the gateway rather than real credentials, pulling from a community skill library carries substantially less risk than it would in a credential-exposed runtime. The Workers simply cannot exfiltrate keys they never received.

Breaking change checklist for teams upgrading from v1.0.x: the hiclaw CLI replaces the shell scripts used in prior versions. Update any automation or runbooks that called those scripts directly. The Kubernetes-native control plane in v1.1.0 is additive; it does not replace the local Docker setup. The Hermes runtime is new in v1.1.0; existing Worker configurations using OpenClaw or QwenPaw are unaffected. For net-new installs, the curl-based installer handles everything. For teams moving from a Docker-based setup to Kubernetes, the Helm chart is a fresh deploy path rather than an in-place migration.

Workers get consumer tokens only. Real credentials stay in the gateway. That is not a configuration option; it is the architecture.

Looking Ahead

Open sourced eight weeks ago and already at v1.1.0, with a Kubernetes-native control plane, a new CLI, a dedicated autonomous coding runtime, and 1.7 GB off the image. That pace is fast for a project of this architectural depth.

The two signals worth watching: whether the Hermes autonomous coding agent runtime develops into a serious alternative for teams currently using hosted code-execution agents, and whether the Worker Template Marketplace introduced in v1.0.9 builds enough community content to make HiClaw the default framework for teams who want to compose agents rather than build runtimes from scratch.

Pin v1.1.0. Run the local install against a non-production LLM endpoint first. Then run the Helm path against a staging cluster. If the credential isolation claim holds under your threat model and the Matrix-room observability replaces your current agent debugging workflow, you have your answer before the end of the week.
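One way to check the isolation claim during that evaluation, as an added example that is not part of HiClaw's tooling: scan `docker inspect` output for Worker containers and flag environment values shaped like real credentials. The container names, variable names and sample values are constructed, and the regex shapes are assumptions about key formats.

```python
import json
import re

# Assumed shapes for the credential types the article names; extend for your providers.
SECRET_SHAPES = {
    "github_pat": re.compile(r"\b(?:ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})"),
    "provider_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
}

def find_exposed_credentials(inspect_json):
    """Return (container, variable, kind) for env values shaped like real credentials."""
    findings = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "").lstrip("/")
        # Env can be null in inspect output, so fall back to an empty list.
        for entry in container.get("Config", {}).get("Env") or []:
            var, _, value = entry.partition("=")
            for kind, pattern in SECRET_SHAPES.items():
                if pattern.search(value):
                    findings.append((name, var, kind))
    return findings

# Constructed `docker inspect` output: names, variables and values are all made up.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/worker-a",
     "Config": {"Env": ["CONSUMER_TOKEN=ct_constructed_0001", "PATH=/usr/bin"]}},
    {"Name": "/worker-b", "Config": {"Env": ["GITHUB_TOKEN=ghp_" + "A" * 36]}},
    {"Name": "/worker-c", "Config": {"Env": None}},
])

if __name__ == "__main__":
    for name, var, kind in find_exposed_credentials(SAMPLE_INSPECT):
        print(f"{name}: {var} looks like a {kind}")
```

The check covers environment variables only; credentials placed in mounted files or fetched at runtime need a separate inspection.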