A personal, voice-capable AI you run on your own machine. No inbound port to attack. It runs on the flat-rate Claude subscription you already pay for, or any of 30 providers, or a local model. And it can prove what it did.
In 2026 this was not hypothetical. Public reporting documented a one-click RCE in a widely used agent that leaked a gateway token over a WebSocket; scanners put exposed agent gateways in the tens of thousands; a popular skill registry was caught serving token-stealers; a single poisoned email pulled a private key from a linked inbox. Urfael was built blast-radius-first against exactly these. The difference is not an adjective. It is a command.
npm run security boots the real daemon and dashboard, attacks them the way the wild did, and prints a pass-or-fail table. You run it yourself.
| Attack class | Urfael |
|---|---|
| Network exposure | no TCP port |
| Auth-token leak → RCE | constant-time, never logged |
| Prompt-injection exfil | read-only, no egress |
| Poisoned skill / supply chain | scanned, never executed |
| Unauthenticated DoS | 401, not a crash |
| Secret theft by a runaway agent | no secrets mounted |
| Insecure defaults | fail-closed |
| Inbound trigger → escalation | loopback, per-hook secret |
| Correctness & craft regressions | guarded, can't drift |
faithful re-creation of real urfael output · read the test at app/test/security-benchmark.js
It was red-teamed by its own adversarial agents, which found real gaps (fixed before this shipped). The full scorecard: Security Benchmark · Threat Model, including the risks we don't cover.
Hard questions get a Council. Urfael decomposes the problem, dispatches read-only sandboxed workers to gather what each needs, then synthesizes one answer. You watch it happen instead of trusting a black box.
Council workers are read-only and sandboxed, read and report, no write, no shell, no network · faithful re-creation of real urfael output
A flicker-free terminal cockpit with a runic oracle that shows its thinking, changing Elder Futhark glyphs and honest thinking-words, then streams a real Markdown answer and seals it to the ledger. Voice in, voice out, when you want it.
faithful re-creation of real urfael output
The brain is the claude CLI, so urfael code runs Claude Code in your repo with a safety net the bare CLI lacks: it remembers each repo, snapshots your tracked and untracked files before it touches anything, and gives you a one-command undo that is itself reversible.
faithful re-creation of real urfael output
Per-repo memory (a CONVENTIONS.md and HISTORY.md keyed to the git remote, loaded every turn) keeps your conventions across sessions. Auto-checkpoint snapshots your tracked and untracked files to a private git shadow ref before the brain runs, gitignored files like .env stay out, and your branch and index are never touched. Rewind restores them, checkpoints the current state first so the undo is itself undoable, and keeps anything you made since. The bare CLI has none of this.
Six built-in stances, switchable by just asking. Same capability, a different approach to dialogue and advice. Want a different brain too? Say switch to opus.
all five personas plus the Urfael anchor are real in app/personas.js · faithful re-creation of real urfael output
urfael whyPickaxe the provenance of any belief it learned, back to the exact commit it came from.urfael forgetA tombstone for provable, consented deletion. You can make it forget.every turn, job, cron and learn-verdict is appended to a sha256 hash chain, then signed by your key, any edit is detectable · faithful re-creation of real urfael output
Claude is native through your subscription, the single path billed to you. Every other model flows in through a documented Anthropic-compatible proxy, the sandbox harness still enforcing the boundaries.
Models. Claude is native through your subscription; 30 providers (OpenAI, Gemini, Grok, Mistral, DeepSeek, Groq, Ollama, Bedrock, Vertex, and more) run through a documented Anthropic-compatible proxy, and OpenRouter unlocks 300+ models on one key. urfael model route picks the best one for cost, speed, quality, or privacy.
Channels. 19 chat channels on one fail-closed gate: eleven native bridges (Telegram, Discord, Slack, iMessage, Email, Matrix, Signal, WhatsApp, and more) plus eight native webhook channels, with a universal relay for Zapier and n8n. Every inbound message is allowlisted to a known principal before the brain sees it.
Memory & data. Active recall puts the past turns and verified lessons that bear on each message in front of the brain automatically (hybrid keyword plus local semantic). urfael dataset export turns your own runs into provenance-stamped, secret-redacted training data, and an OpenAI-compatible local API drives Open WebUI or LibreChat.
Voice & reach. Local speech in and out (whisper.cpp + local TTS, nothing leaves the machine), plus Discord voice where only an enrolled speaker can command it. Runs on macOS, Linux, and Android via Termux. A2UI lets the brain emit interactive UI sanitized to a safe, allowlisted schema, so a generative canvas can never execute code.
the security moat is the fixed inner ring, it never moves
Against Hermes Agent and OpenClaw, Urfael wins where it counts for a machine that lives on your desk: no inbound port, a flat bill, an attack benchmark you run yourself, and a ledger that proves what it did. It loses on raw scale and channel count, and we put that in the same table.
The security posture is verified by a command and frozen by 533 tests. The newer bridges, Discord voice, and the Android host are code-complete but not yet certified against live accounts, and we label them that way.
Free and open source under the MIT license. Download the app, or run two lines in a terminal. You bring a Claude subscription (or any of 30 providers, or a local model); there is no API key and no Urfael account.
macOS (Apple Silicon) and Linux ship native installers, not yet notarized. To open on macOS the first time: drag Urfael to Applications, then open System Settings, go to Privacy and Security, and click Open Anyway (or run xattr -dr com.apple.quarantine /Applications/Urfael.app in Terminal). Intel Macs run from source; Windows runs through WSL. Or use the two-line source install below.
git clone https://github.com/Grandillionaire/urfael.git && cd urfael ./install.sh # checks deps, scaffolds your vault, no keys cd app && npm start # the Console opens
You need: a Claude Code subscription (Pro or Max) signed in, or any provider, or a local model. macOS on Apple Silicon or Intel is the best-tested target; Linux is supported but newer. Full setup is in the install guide.
Or run it 100% on your own GPU. A local model (Ollama / NVIDIA NIM) plus local voice means nothing leaves the machine. Guide.
The full single-user agent is free and MIT, forever. Paid editions add what teams and regulated work need: governance, a signed attestation an auditor accepts, and managed operation. None of them ever meter your tokens.
Paid editions never meter tokens. You always bring your own subscription, provider, or local model.
Coming later: a fully managed Cloud edition with simple monthly plans, for people who want the convenience without running anything themselves. Tell us if you want it sooner.
Get the launch, the benchmark results, and release notes.
npm run security. It boots the real daemon and dashboard and attacks them the way self-hosted agents were attacked in 2026, then prints a pass-or-fail table. The latest run resists 10 of 10 real-world attack classes across 95 of 95 checks. You do not take our word for it. You run it.