Pillar 3 — Personal AI

Your personal data vault, built to work with any AI.

Connect Claude Desktop, Claude Code CLI, Cursor, Gemini CLI, VS Code Copilot, ChatGPT, OpenClaw, or Hermes. Pair with Hermes Agent for the full kernel. Five minutes from install to first tool call.

MCP-native · Per-tool scope grants · Every read auditable
01 / CONNECT

Connect any AI host

One command installs the BoxOwl skill into Claude Desktop, Claude Code, Cursor, VS Code Copilot, Gemini CLI, ChatGPT — or any MCP-speaking harness.

02 / GRANT

Grant per-tool scopes

The agent asks for what it needs; you authorize each tool, each category, each field. Risky actions pause for a confirmation prompt before they run.

03 / AUDIT

Every read recorded

Per-agent audit log on your device. See every tool call, every read, every denied call. Exportable as a signed Open Audit receipt under CC0.

Engine-agnostic

Eight hosts at launch. One installer.

BoxOwl works with whatever AI you already use. The @boxowl/skills installer handles the per-host wiring; Hermes Agent is the recommended composition partner for a fully local path.

  • Claude Desktop · Tier B · model cloud
  • Claude Code CLI · Tier B · model cloud
  • VS Code Copilot · Tier B · model cloud
  • ChatGPT · Tier B · model cloud · REST

Trust boundary

Agents work on your behalf. Inside lines you draw.

BoxOwl's substrate isn't the agent — it's what the agent acts through. Per-tool scope grants, a confirm-mode matrix tuned per risk tier, and an audit log that records every move.

Per-tool scope grants

Each tool call carries an explicit scope. The agent asks; you authorize once per category, per field. Revoke a scope and the next call returns nothing.

Confirm-mode + risk tiers

Low-risk tools run silently; medium-risk pause for a yes/no; high-risk demand an explicit acknowledgement of the change being made. Risk tier per tool is the daemon's contract, not the agent's choice.

Audit log + login redeem

Every read, every write, every denied call recorded on your device. Login credentials redeem against a one-shot token — the agent never sees the password, only a placeholder the extension fills.

Composition partner

BoxOwl + Hermes Agent compose into the full kernel.

Hermes Agent ships built-in cron, twenty-plus outbound channels, an agentskills.io community catalogue, sandboxing, MCP support. BoxOwl ships the vault, per-field consent, audit log, scope grammar, login redeem, signed skill registry. Paired, they compose into the full kernel — neither tries to be the other.

Hermes Agent is third-party MIT-licensed open source. Install whichever orchestration you prefer; the pairing path is documented either way.

Three Hermes install paths

Five minutes to working personal AI.

Detect whatever's already running on your machine, point BoxOwl at an endpoint you trust, or bring up a fresh Docker stack — the daemon handles the wiring either way.

1. Detect an existing local runtime

You've already got Ollama, vLLM, or llama.cpp running. BoxOwl probes the usual ports and picks one up.

# auto-detect Ollama / vLLM / llama.cpp on localhost
$ boxowl-daemon hermes detect
ok · using ollama at http://127.0.0.1:11434

2. Point at an external endpoint (full /v1/models probe rolling out)

Your runtime lives on another box on the LAN, or behind a tunnel, or on a colo. Hand BoxOwl the URL.

# point at any OpenAI-shape /v1/chat/completions endpoint
$ boxowl-daemon hermes use http://10.0.0.5:8000
ok · saved · model: hermes-3-llama-3.1-8b

3. Docker compose (--launch flag rolling out)

Cold-start a vetted Hermes-on-Docker stack. Templates committed to the daemon repo; bring-up command rolling out.

# materialize a vetted compose template into ~/.boxowl/hermes/
$ boxowl-daemon hermes docker
ok · template at ~/.boxowl/hermes/docker-compose.yml
hint · cd ~/.boxowl/hermes && docker compose up -d
Locality matrix

Honest about what runs where.

Tier A is fully local — the model itself runs on your hardware. Tier B is partially local — the model vendor sees your prompts, but the vault never leaves your device.

Tier A — fully local

Hermes via Ollama / vLLM / llama.cpp

Model inference runs on your hardware. No prompt ever leaves the box. Vault and audit log are already local. This is the only configuration for which we can claim "your personal AI runs on your hardware" without qualifiers.

  • model · local
  • vault · local
  • audit · local
Tier B — partially local

Claude Code · Cursor · Gemini CLI · ChatGPT · …

Model vendor sees the prompts you send them — that's the trade for top-shelf model quality. The vault still stays on your device; BoxOwl never relays plaintext credentials. Per-tool scope, confirm-mode, and audit are unchanged.

  • model · vendor cloud
  • vault · local
  • audit · local
Cross-pillar · migration

Move from your old password manager in one prompt. (Rolling out)

Agent-driven migration via the MCP boxowl_import_from_file tool: hand the agent a 1Password, Bitwarden, or LastPass export and watch it walk the diff. Conflict resolution previewed before any write commits.

Daemon-side scope grammar (vault.passwords:bulk_import) and per-skill scope catalogs (`migrate-from-{vendor}`) rolling out into the launch bar.

What's coming

Trust-boundary slice at launch. Broader framework after.

The trust-boundary slice of PAFRAME ships at launch — signed skill registry, vault-event triggers via MCP subscription, push and cloud-mediated email channels for skills that need to reach outside Hermes Agent. The broader framework (skills runtime, deeper outbound channels, cron-wrapper for non-Hermes-Agent users) is post-launch.

Designed to fold into the existing agentskills.io community catalog so seed skills travel through ecosystem rails, not a walled garden.

How it compares

Vault-shaped trust boundary. Uncontested in this category.

No surveyed vendor targets the user as data subject with an agent-aware vault. The closest cousins are developer-facing.

Capability BoxOwl 1Password Bitwarden Secrets Mgr Composio Custom MCP
MCP server out of the box via SDK DIY
Per-tool scope grants team-only tool-level DIY
Confirmation gating by risk tier DIY
Per-agent audit log on device cloud-only cloud-only DIY
Login redeem — agent never sees plaintext
Structured personal data + per-field consent
Open-source daemon + SDKs (Apache 2.0) server OSS SDK OSS DIY
Local-first vault cloud-first cloud-first cloud-first depends

✓ shipped · — not offered · "DIY" means the surface exists if you build it yourself · "team-only" / "cloud-only" refers to the vendor's tier where the capability is exposed. Composio and Custom MCP are developer-facing; BoxOwl is the only consumer-facing option in this row.

The substrate, in four lines.

The architecture behind every Pillar 3 capability.

End-to-end encrypted

Vault items are encrypted at rest with a key only you can derive. The daemon decrypts in-process to satisfy a scoped read; nothing else.

Open audit log

Every read, write, denied call recorded with actor + tool + scope + result. Exportable as a signed Open Audit receipt under CC0.

Scope grammar

One scope per tool, per category, per field. Registered at handler level; the gateway dispatches through it. Adding a tool is registering a scope, not editing a controller.

Confirm-mode matrix

Risk tier × user-set confirm preference. Low + always_confirm = pause; high + never_confirm = pause anyway. The daemon enforces; the agent doesn't get to choose.
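
The scope dispatch, confirm-mode matrix and audit record described above, sketched as an added Python example; it is not BoxOwl daemon code. The tool names, the tier assigned to each tool, the "default" preference value and the behaviour of medium + never_confirm are assumptions made for the sketch.

```python
# Added illustration, not BoxOwl daemon code. Tool names, tiers and the
# "default" preference are assumptions made for this sketch.
from dataclasses import dataclass, field

# tool -> (required scope, risk tier); fixed on the daemon side, never sent by the agent
TOOLS = {
    "notes_read": ("vault.notes:read", "low"),
    "address_update": ("vault.identity:write", "medium"),
    "passwords_import": ("vault.passwords:bulk_import", "high"),
}

def confirm_mode(tier, pref):
    """Return 'run', 'confirm' (yes/no) or 'acknowledge' (explicit ack)."""
    if tier == "high":
        return "acknowledge"        # high + never_confirm = pause anyway
    if pref == "always_confirm":
        return "confirm"            # low + always_confirm = pause
    if tier == "medium" and pref != "never_confirm":
        return "confirm"            # medium pauses for a yes/no
    return "run"                    # medium + never_confirm running is an assumption

@dataclass
class Gateway:
    grants: set                     # scopes the user has authorized
    pref: str = "default"
    audit: list = field(default_factory=list)

    def call(self, actor, tool, approve=lambda mode: False):
        if tool not in TOOLS:
            return self._log(actor, tool, None, "denied:unknown_tool")
        scope, tier = TOOLS[tool]
        if scope not in self.grants:    # revoked or never granted: nothing returned
            return self._log(actor, tool, scope, "denied:no_scope")
        mode = confirm_mode(tier, self.pref)
        if mode != "run" and not approve(mode):
            return self._log(actor, tool, scope, "denied:not_confirmed")
        return self._log(actor, tool, scope, "ok")

    def _log(self, actor, tool, scope, result):
        # actor + tool + scope + result, recorded for allowed and denied calls alike
        self.audit.append(
            {"actor": actor, "tool": tool, "scope": scope, "result": result})
        return result
```

The `approve` callback stands in for the user prompt; the agent-supplied arguments never influence the tier or the mode that is chosen.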

Daemon source under Apache 2.0 at /docs, or in the public repo at github.com/BoxOwl-Me/daemon.

Pillar 3 itself is free.

Daemon, MCP server, skill catalog, audit log — all open and free. Premium unlocks Pillar 1 + 2 features (Travel Mode, attachments, NightWatch, family vaults). Free · $3/mo Premium · $24/yr annual · Family from $6/mo.

Bring your AI to your vault.

BoxOwl is in private beta. Install the daemon, pick your agent host, grant a few scopes — and watch the audit log fill up with calls you authorized.