Desktop app security
Last updated Mar 30, 2026
The MultiClaw desktop app is built on Tauri v2, a Rust-based framework designed to minimize the attack surface. Every security layer described below is enabled by default — you don't need to configure anything.
Tauri capability model
The UI runs inside a WebView that is designed to have no direct access to the filesystem, processes, or system calls. To perform a privileged operation, the frontend must invoke a declared IPC command in the Rust core. Commands not listed in the capability configuration are blocked by the framework.
This boundary is designed to prevent a compromised script in the UI from escalating to the system layer through undeclared paths. The separation is enforced by Tauri's capability model at the framework level, not by application-layer runtime checks.
What the capability model covers
- UI-to-system isolation: the WebView is designed to be unable to reach the filesystem, execute shell commands, or access system APIs unless a specific IPC command is declared and exposed by the Rust core.
- Least privilege by default: only the commands the app explicitly declares in its capability configuration are available. Everything else is blocked at the framework level.
What the capability model does not cover
The capability model isolates the WebView from the system. It does not protect against threats that originate outside the app, such as malware running at the OS level or a compromised system process. OS-level security (disk encryption, user account controls, endpoint protection) remains your responsibility.
Content Security Policy
The WebView enforces a strict Content Security Policy (CSP) that blocks inline scripts, eval(), and external script loading. This substantially limits what an attacker can do with a cross-site scripting (XSS) vector in the UI layer.
The CSP is set at the framework level and applies to every page rendered inside the app. Combined with the Tauri capability model, CSP acts as a second barrier: even if a script bypasses one layer, the other limits what that script can reach.
CSP reduces the impact of XSS but does not eliminate all injection risks. It is one layer in a defense-in-depth approach.
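To make the three blocked behaviours concrete, the following added example (not MultiClaw's or Tauri's own code) audits a CSP string for inline scripts, eval(), and script sources beyond 'self'. The function name `audit_script_policy` is hypothetical, and both sample policies are constructed because the page does not publish the app's actual policy.

```rust
/// Audits the script-loading part of a CSP string for the three behaviours the
/// page says are blocked: inline scripts, eval(), and external script loading.
/// Returns one finding per weakness; an empty list means none were found.
fn audit_script_policy(csp: &str) -> Vec<String> {
    let (mut script_src, mut default_src) = (None, None);
    for directive in csp.split(';') {
        let mut tokens = directive.split_whitespace().map(|t| t.to_ascii_lowercase());
        let name = match tokens.next() {
            Some(n) => n,
            None => continue, // empty directive, e.g. after a trailing ';'
        };
        let sources: Vec<String> = tokens.collect();
        // A repeated directive is ignored by browsers, so keep the first one.
        match name.as_str() {
            "script-src" if script_src.is_none() => script_src = Some(sources),
            "default-src" if default_src.is_none() => default_src = Some(sources),
            _ => {}
        }
    }
    // script-src falls back to default-src; with neither, nothing restricts scripts.
    let sources = match script_src.or(default_src) {
        Some(s) => s,
        None => return vec!["no script-src or default-src: scripts are unrestricted".to_string()],
    };
    // Browsers ignore 'unsafe-inline' when a nonce or hash source is present.
    let nonce_or_hash = sources.iter().any(|s| s.starts_with("'nonce-") || s.starts_with("'sha"));
    let mut findings = Vec::new();
    for source in &sources {
        match source.as_str() {
            "'unsafe-inline'" if !nonce_or_hash => findings.push("inline scripts allowed".to_string()),
            "'unsafe-eval'" => findings.push("eval() allowed".to_string()),
            // Unquoted tokens are hosts, schemes or '*': scripts from beyond 'self'.
            s if !s.starts_with('\'') => findings.push(format!("non-self script source: {}", s)),
            _ => {} // 'self', 'none', nonces, hashes and other keywords
        }
    }
    findings
}

// Constructed policies for illustration; the page does not publish the app's CSP.
const STRICT: &str = "default-src 'self'; script-src 'self'; object-src 'none'";
const WEAK: &str = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example";

fn main() {
    for policy in [STRICT, WEAK] {
        println!("{}\n  findings: {:?}", policy, audit_script_policy(policy));
    }
}
```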
WebView rendering engine
Tauri v2 uses the operating system's built-in WebView rather than bundling a separate browser engine:
| Platform | WebView engine |
|---|---|
| macOS | WebKit (provided by Safari) |
| Windows | WebView2 (provided by Microsoft Edge) |
| Linux | WebKitGTK |
Because the WebView is provided by the OS, it receives security patches through your regular OS updates. Keeping your operating system current is one of the most effective ways to maintain desktop app security.
Update integrity
App updates are signed with minisign (Ed25519 public-key cryptography). Before installing an update, the updater verifies the signature against the embedded public key.
If verification fails, the update is rejected, and your current version stays unchanged. The app does not apply partially downloaded or unsigned updates.
How updates work
- The app checks for available updates.
- If a new version is found, the app downloads the update package and its signature file.
- The updater verifies the signature against the public key embedded in your current installation.
- If the signature is valid, the update is applied. If not, the update is discarded.
You can continue using the app while updates download. The update takes effect the next time you restart the app.
Code signing
Every release is signed to protect against tampering.
| Platform | Signing method |
|---|---|
| macOS | Apple Developer ID certificate, notarized by Apple |
| Windows | Updater artifacts signed with minisign (Ed25519) |
| Linux | Updater artifacts signed with minisign (Ed25519) |
On macOS, the operating system verifies the Developer ID certificate when you first open the app and blocks unsigned or tampered binaries. On Windows and Linux, the OS does not perform native binary verification, but the Tauri updater independently verifies the minisign signature before applying any update.
Verify your installation on macOS
You can confirm the app's code signature by running this command in Terminal:
codesign --verify --deep --strict /Applications/MultiClaw.app
If the signature is valid, the command produces no output. If the binary has been tampered with, you'll see an error message.
Filesystem access scope
The Rust core limits file access to known data directories:
- ~/.openclaw/: agent data, sessions, configuration, and logs managed by OpenClaw
- ~/.multiclaw/: app preferences, workflow recordings, drafts, and MultiClaw-specific logs
- The OS temp directory: transient working files
Requests that target paths outside these directories are not served by the Rust core's file access commands.
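One way a scope check of this kind can be written, as an added example that is not MultiClaw's own code: the request is resolved to its real location first, so `..` segments, symlinks, and look-alike sibling directories cannot slip past a string comparison. The names `allowed_roots`, `resolve_in_scope` and `demo` are hypothetical, and the scratch directory tree is constructed for the demonstration.

```rust
use std::path::{Path, PathBuf};
use std::{env, fs, io};

/// Roots named on this page. `home` and `temp` are parameters (an assumption
/// of this sketch) so the check can be run against a scratch directory.
fn allowed_roots(home: &Path, temp: &Path) -> Vec<PathBuf> {
    vec![home.join(".openclaw"), home.join(".multiclaw"), temp.to_path_buf()]
}

/// Returns the canonical path only if `requested` resolves inside a root.
/// canonicalize() resolves `..` and symlinks, so the decision is made on the
/// real location, not on the string the caller supplied. It needs the path to
/// exist; for a file about to be created, canonicalize its parent instead.
fn resolve_in_scope(requested: &Path, roots: &[PathBuf]) -> io::Result<PathBuf> {
    let real = fs::canonicalize(requested)?;
    for root in roots {
        // A root that does not exist yet cannot contain anything.
        if let Ok(real_root) = fs::canonicalize(root) {
            // starts_with compares whole components, so a sibling such as
            // ~/.multiclaw-evil/ does not match ~/.multiclaw/.
            if real.starts_with(&real_root) {
                return Ok(real);
            }
        }
    }
    Err(io::Error::new(io::ErrorKind::PermissionDenied, "resolves outside the allowed roots"))
}

/// Builds a constructed scratch tree and returns (request, served?) pairs.
fn demo(scratch: &Path) -> io::Result<Vec<(String, bool)>> {
    let home = scratch.join("home");
    fs::create_dir_all(home.join(".multiclaw/drafts"))?;
    fs::create_dir_all(home.join(".multiclaw-evil"))?;
    fs::create_dir_all(scratch.join("tmp"))?;
    fs::write(home.join(".multiclaw/drafts/note.txt"), "draft")?;
    fs::write(home.join(".multiclaw-evil/x.txt"), "sibling directory")?;
    fs::write(home.join("secret.txt"), "outside every root")?;
    let roots = allowed_roots(&home, &scratch.join("tmp"));
    let requests = [".multiclaw/drafts/note.txt", ".multiclaw/drafts/../../secret.txt", ".multiclaw-evil/x.txt"];
    Ok(requests.iter().map(|r| (r.to_string(), resolve_in_scope(&home.join(r), &roots).is_ok())).collect())
}

fn main() -> io::Result<()> {
    let scratch = env::temp_dir().join(format!("scope-demo-{}", std::process::id()));
    for (request, served) in demo(&scratch)? {
        println!("{:<40} {}", request, if served { "served" } else { "refused" });
    }
    fs::remove_dir_all(&scratch)
}
```

Because the check and the later open are separate steps, code built this way should open the canonical path that `resolve_in_scope` returns rather than the original request string.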
When you attach a file to a chat message or export data, the app uses your operating system's file picker. Access is scoped to the file or location you select — the app does not request broader directory access through this flow.
Local data storage
Configuration files and session data are stored in the directories listed above. Authentication tokens are stored locally on your machine.
If you share your computer, use a separate OS user account. Each OS account has its own ~/.multiclaw/ and ~/.openclaw/ directories, keeping agent data and credentials isolated between users.
Your responsibilities
The desktop app handles isolation, signing, and access scoping automatically. These protections work alongside your own security practices, not instead of them:
- Keep your OS updated. WebView security patches arrive through OS updates. Delaying updates delays security fixes.
- Don't bypass code signing checks. On macOS, don't disable Gatekeeper to run unsigned copies of the app. On Windows, install from official channels only.
- Use a strong account password. The app authenticates against MultiClaw Cloud. A weak password on your cloud account undermines the security of your local session.
- Lock your computer. Desktop app sessions persist while the app is open. Lock your screen when you step away to prevent unauthorized access.