Your agent's claw on every machine.
Give any AI agent bash, read, write, edit, grep, and glob
on any machine you can SSH into.
Quickstart Β· How it works Β· Tools Β· Configuration Β· CLI
AI agents can write code, but they're stuck on one machine. They can't check logs on prod, grep for errors across services, or edit a config on staging.
Claw is an MCP server that extends your agent's tools to any remote machine. 8 tools. Any host you can SSH into. Zero config on the remote.
You: "Check why the API is returning 500s on prod, look at the logs, and fix the nginx config"
Agent: connects to prod-api via SSH
greps /var/log/nginx/error.log for errors
reads the nginx config
edits the misconfigured upstream block
runs nginx -t && systemctl reload nginx
Done. Across machines. Autonomously.
No ports to open. No daemons. No root required. Claw uses your SSH keys, deploys a tiny binary on first connect, and cleans up after itself.
npx -y @opsyhq/claw serve
# or install globally
npm install -g @opsyhq/clawClaude Code
claude mcp add claw -- npx -y @opsyhq/claw serveOr run the installer:
npx -y @opsyhq/claw install claude-codeCursor
Add to .cursor/mcp.json:
{
"mcpServers": {
"claw": {
"command": "npx",
"args": ["-y", "@opsyhq/claw", "serve"]
}
}
}Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"claw": {
"command": "npx",
"args": ["-y", "@opsyhq/claw", "serve"]
}
}
}Any MCP client
npx -y @opsyhq/claw serve
# Speaks MCP over stdioThe agent can add machines itself via the claw_machines tool, or you can set them up ahead of time:
# Import from your SSH config
claw init --from-ssh
# Or add manually
claw add prod-api --ssh deploy@prod-api.example.com
claw add staging --ssh deploy@staging.example.comTalk to your agent. It now has claws on every machine you configured.
"Show me running containers on prod-api"
"Grep for 'connection refused' in the logs on staging"
"Find all .env files across prod-api and staging"
"Edit the upstream block in nginx.conf on prod-api"
βββββββββββββββββββββββββββββββββββββββ
β AI Agent (Claude, Cursor, etc.) β
β β MCP tool calls β
βββββββββββββββββββββββββββββββββββββββ€
β Claw (runs locally) β
β β
β βββββββββββββββ βββββββββββββββββ β
β β Tool Router β β Conn Pool β β
β ββββββββ¬βββββββ ββββββββ¬βββββββββ β
β βββββββββ¬ββββββββ β
β ββββββββ΄ββββββββ β
β β SSH β Local β β
β ββββ¬ββββββββ¬ββββ β
βββββββββββββββΌββββββββΌβββββββββββββββ
βΌ βΌ
ββββββββ ββββββββ
β prod β β your β
β api β β mac β
ββββββββ ββββββββ
On first connect, Claw auto-deploys a small static binary (pincer) to ~/.claw/pincer on the remote host. Pincer speaks JSON-RPC over stdin/stdout and handles all tool execution β structured file editing, safe command handling, grep with regex support.
Connections are persistent and pooled. No reconnecting per command.
Claw exposes 8 MCP tools. These match the tools agents already know from local development (Claude Code's Read/Write/Edit/Bash/Grep/Glob/LS) β just extended to remote machines.
| Tool | Description |
|---|---|
| claw_machines | List, add, remove, and update machines |
| claw_bash | Run a shell command |
| claw_read | Read a file with optional line range |
| claw_write | Create or overwrite a file |
| claw_edit | Find-and-replace in a file |
| claw_grep | Search file contents with regex |
| claw_glob | Find files by pattern |
| claw_ls | List directory contents |
Every tool takes a host parameter β the machine name to target.
claw_bash(host: "prod-api", command: "docker ps")
claw_grep(host: "prod-api", pattern: "error|timeout", path: "/var/log", include: "*.log")
claw_edit(host: "staging", path: "/app/config.yaml", old_string: "port: 80", new_string: "port: 8080")
machines:
prod-api:
transport: ssh
host: prod-api.example.com
user: deploy
staging:
transport: ssh
host: staging.example.com
user: deploy
local:
transport: localSSH transport uses your existing ~/.ssh/config automatically β keys, ports, jump hosts all just work.
Drop a claw.yaml in your project root:
machines:
dev:
transport: local
staging:
transport: ssh
host: staging.myapp.com
user: deployCommit this to your repo. Your whole team gets the same machine setup, each using their own SSH keys.
- Your existing access β Claw uses your SSH keys. It can only reach what you already can.
- No open ports β All connections are outbound SSH from your machine.
- No persistence β The remote binary only runs during your session.
- Audit log β Every tool call is logged to
~/.config/claw/logs/. - Want guardrails? β For approval workflows and policy enforcement on remote operations, check out Opsy.
claw serve # Start MCP server (stdio)
claw init --from-ssh # Import machines from ~/.ssh/config
claw add <name> --ssh user@host # Add a remote machine
claw add <name> --local # Add local machine
claw install claude-code # Write MCP config for Claude Code
claw install cursor # Write MCP config for Cursor- SSH transport
- Local transport
- Runtime binary download from GitHub Releases
- npm trusted publishing (OIDC)
- Docker transport
- Kubernetes transport
- AWS SSM transport
PRs welcome. See the development guide to get started.
Development
npm install # Install dependencies
npm run build # Build TypeScript
npm run typecheck # Type-check without emitting
npm run build-pincer # Cross-compile pincer (requires Go)
npm run dev # Watch modeProject structure:
claw/
βββ bin/claw.ts # CLI entrypoint
βββ src/
β βββ cli/ # CLI commands (serve, init, add, install)
β βββ config/ # YAML config loading + SSH config parser
β βββ server/ # MCP server, tool schemas, router
β βββ tools/ # Local tool implementations
β βββ transports/ # Transport layer (local, SSH, pool, deployer)
β βββ logging/ # Audit log
βββ pincer/ # Go binary deployed to remote hosts
β βββ main.go # JSON-RPC stdin/stdout server
β βββ rpc/ # Request dispatcher
β βββ tools/ # Tool implementations in Go
βββ scripts/build-pincer.sh # Cross-compile for linux/amd64+arm64
Built by OpsyHQ Β· MIT License
Claw icon by Lorc / Game Icons (CC BY 3.0)
