Your agent's claw on every machine.
Give any AI agent bash, read, write, edit, grep, and glob
on any machine you can SSH into.
Quickstart · How it works · Tools · Configuration · CLI
AI agents can write code, but they're stuck on one machine. They can't check logs on prod, grep for errors across services, or edit a config on staging.
Claw is an MCP server that extends your agent's tools to any remote machine. 8 tools. Any host you can SSH into. Zero config on the remote.
You: "Check why the API is returning 500s on prod, look at the logs, and fix the nginx config"
Agent: connects to prod-api via SSH
greps /var/log/nginx/error.log for errors
reads the nginx config
edits the misconfigured upstream block
runs nginx -t && systemctl reload nginx
Done. Across machines. Autonomously.
No ports to open. No daemons. No root required. Claw uses your SSH keys, deploys a tiny binary on first connect, and cleans up after itself.
npx -y @opsyhq/claw serve
# or install globally
npm install -g @opsyhq/clawClaude Code
claude mcp add claw -- npx -y @opsyhq/claw serveOr run the installer:
npx -y @opsyhq/claw install claude-codeCursor
Add to .cursor/mcp.json:
{
"mcpServers": {
"claw": {
"command": "npx",
"args": ["-y", "@opsyhq/claw", "serve"]
}
}
}Claude Desktop
Add to claude_desktop_config.json:
{
"mcpServers": {
"claw": {
"command": "npx",
"args": ["-y", "@opsyhq/claw", "serve"]
}
}
}Any MCP client
npx -y @opsyhq/claw serve
# Speaks MCP over stdioThe agent can add machines itself via the claw_machines tool, or you can set them up ahead of time:
# Import from your SSH config
claw init --from-ssh
# Or add manually
claw add prod-api --ssh deploy@prod-api.example.com
claw add staging --ssh deploy@staging.example.comTalk to your agent. It now has claws on every machine you configured.
"Show me running containers on prod-api"
"Grep for 'connection refused' in the logs on staging"
"Find all .env files across prod-api and staging"
"Edit the upstream block in nginx.conf on prod-api"
┌─────────────────────────────────────┐
│ AI Agent (Claude, Cursor, etc.) │
│ ↓ MCP tool calls │
├─────────────────────────────────────┤
│ Claw (runs locally) │
│ │
│ ┌─────────────┐ ┌───────────────┐ │
│ │ Tool Router │ │ Conn Pool │ │
│ └──────┬──────┘ └──────┬────────┘ │
│ └───────┬───────┘ │
│ ┌──────┴───────┐ │
│ │ SSH │ Local │ │
│ └──┬───┘───┬───┘ │
└─────────────┼───────┼──────────────┘
▼ ▼
┌──────┐ ┌──────┐
│ prod │ │ your │
│ api │ │ mac │
└──────┘ └──────┘
On first connect, Claw auto-deploys a small static binary (pincer) to ~/.claw/pincer on the remote host. Pincer speaks JSON-RPC over stdin/stdout and handles all tool execution — structured file editing, safe command handling, grep with regex support.
Connections are persistent and pooled. No reconnecting per command.
Claw exposes 8 MCP tools. These match the tools agents already know from local development (Claude Code's Read/Write/Edit/Bash/Grep/Glob/LS) — just extended to remote machines.
| Tool | Description |
|---|---|
| claw_machines | List, add, remove, and update machines |
| claw_bash | Run a shell command |
| claw_read | Read a file with optional line range |
| claw_write | Create or overwrite a file |
| claw_edit | Find-and-replace in a file |
| claw_grep | Search file contents with regex |
| claw_glob | Find files by pattern |
| claw_ls | List directory contents |
Every tool takes a host parameter — the machine name to target.
claw_bash(host: "prod-api", command: "docker ps")
claw_grep(host: "prod-api", pattern: "error|timeout", path: "/var/log", include: "*.log")
claw_edit(host: "staging", path: "/app/config.yaml", old_string: "port: 80", new_string: "port: 8080")
machines:
prod-api:
transport: ssh
host: prod-api.example.com
user: deploy
staging:
transport: ssh
host: staging.example.com
user: deploy
local:
transport: localSSH transport uses your existing ~/.ssh/config automatically — keys, ports, jump hosts all just work.
Drop a claw.yaml in your project root:
machines:
dev:
transport: local
staging:
transport: ssh
host: staging.myapp.com
user: deployCommit this to your repo. Your whole team gets the same machine setup, each using their own SSH keys.
- Your existing access — Claw uses your SSH keys. It can only reach what you already can.
- No open ports — All connections are outbound SSH from your machine.
- No persistence — The remote binary only runs during your session.
- Audit log — Every tool call is logged to
~/.config/claw/logs/. - Want guardrails? — For approval workflows and policy enforcement on remote operations, check out Opsy.
claw serve # Start MCP server (stdio)
claw init --from-ssh # Import machines from ~/.ssh/config
claw add <name> --ssh user@host # Add a remote machine
claw add <name> --local # Add local machine
claw install claude-code # Write MCP config for Claude Code
claw install cursor # Write MCP config for Cursor- SSH transport
- Local transport
- Runtime binary download from GitHub Releases
- npm trusted publishing (OIDC)
- Docker transport
- Kubernetes transport
- AWS SSM transport
PRs welcome. See the development guide to get started.
Development
npm install # Install dependencies
npm run build # Build TypeScript
npm run typecheck # Type-check without emitting
npm run build-pincer # Cross-compile pincer (requires Go)
npm run dev # Watch modeProject structure:
claw/
├── bin/claw.ts # CLI entrypoint
├── src/
│ ├── cli/ # CLI commands (serve, init, add, install)
│ ├── config/ # YAML config loading + SSH config parser
│ ├── server/ # MCP server, tool schemas, router
│ ├── tools/ # Local tool implementations
│ ├── transports/ # Transport layer (local, SSH, pool, deployer)
│ └── logging/ # Audit log
├── pincer/ # Go binary deployed to remote hosts
│ ├── main.go # JSON-RPC stdin/stdout server
│ ├── rpc/ # Request dispatcher
│ └── tools/ # Tool implementations in Go
└── scripts/build-pincer.sh # Cross-compile for linux/amd64+arm64
Built by OpsyHQ · MIT License
Claw icon by Lorc / Game Icons (CC BY 3.0)
