Zora: Offline-First AI Agent with Default-Deny Security and Local Memory

Zora is an AI agent designed to run fully offline via Ollama by default, with a security-first architecture that starts with zero access permissions. Built in response to security and billing issues with OpenClaw, it implements a default-deny approach where users explicitly unlock only what they need.

Security Architecture

Unlike OpenClaw's default-permit model that led to CVSS 8.8 RCE vulnerabilities and exposed instances, Zora stores safety rules in a policy.toml file loaded from disk before every action, preventing context compaction from erasing security policies mid-session. The agent uses dual-LLM quarantine (CaMeL architecture) for prompt injection defense, ensuring raw channel messages never reach the main agent. There's no skill marketplace - skills are local files users install themselves.

Cost and Connectivity

Zora routes background tasks (heartbeat, routines, scheduled jobs) to local Ollama by default, requiring no credit card or API key. For more capable models, it can work with existing Claude accounts via the agent SDK or Gemini through Google accounts without requiring API keys attached to billing accounts.

Memory System

The agent implements three memory tiers: within-session (policy and context injected fresh at start), between-session (plain-text files in ~/.zora/memory/ that persist across restarts), and long-term consolidation with weekly background compaction scheduled for Sunday 3 am to avoid peak API costs. A rolling 50-event risk window tracks session state separately to prevent compaction from erasing risk history.

Getting Started

Three commands to try Zora:

npm i -g zora-agent
zora-agent init
zora-agent ask "do something"

The project is available at github.com/ryaker/zora.