Agents

AI Agents

Your AI agents, on your trust boundary.

Connect Claude Desktop, Claude Code CLI, Cursor, Gemini CLI, VS Code Copilot, ChatGPT, OpenClaw, or Hermes — three install modes for the fully-local Hermes path. Five minutes from install to first tool call.

Get BoxOwl

MCP-native Per-tool scope grants Every read auditable

01 / CONNECT

Connect any AI host

One command installs the BoxOwl skill into Claude Desktop, Claude Code, Cursor, VS Code Copilot, Gemini CLI, ChatGPT — or any MCP-speaking harness.

cli

stdio

MCP · ready

02 / GRANT

Grant per-tool scopes

The agent asks for what it needs; you authorize each tool, each category, each field. Risky actions pause for a confirmation prompt before they run.

read

write

confirm-mode

03 / AUDIT

Every read recorded

Per-agent audit log on your device. See every tool call, every read, every denied call. Exportable as a signed Open Audit receipt under CC0.

tools

reads

activity log

Engine-agnostic

Eight hosts at launch. One installer.

BoxOwl works with whatever AI you already use. The @boxowl/skills installer handles the per-host wiring; Hermes Agent is the recommended orchestration partner for the fully-local path.

Hermes Tier A · fully local Setup →

Claude Desktop Tier B · model cloud Setup →

Claude Code CLI Tier B · model cloud Setup →

Cursor Tier B · model cloud Setup →

Gemini CLI Tier B · model cloud Setup →

VS Code Copilot Tier B · model cloud Setup →

ChatGPT Tier B · model cloud · REST Setup →

OpenClaw Tier B · model cloud Setup →

All per-host walkthroughs

Trust boundary

Agents work on your behalf. Inside lines you draw.

BoxOwl's substrate isn't the agent — it's what the agent acts through. Per-tool scope grants, a confirm-mode matrix tuned per risk tier, and an audit log that records every move.

Per-tool scope grants

Each tool call carries an explicit scope. The agent asks; you authorize once per category, per field. Revoke a scope and the next call returns nothing.

Confirm-mode + risk tiers

Low-risk tools run silently; medium-risk pause for a yes/no; high-risk demand an explicit acknowledgement of the change being made. Risk tier per tool is the daemon's contract, not the agent's choice.

Audit log + login redeem

Every read, every write, every denied call recorded on your device. Login credentials redeem against a one-shot token — the agent never sees the password, only a placeholder the extension fills.

Composition partner

BoxOwl + Hermes Agent compose cleanly.

Hermes Agent ships built-in cron, twenty-plus outbound channels, an agentskills.io community catalogue, sandboxing, MCP support. BoxOwl ships the vault, per-field consent, audit log, scope grammar, login redeem, signed skill registry. Paired, the two cover the personal-agent surface without either trying to be the other.

Hermes Agent is third-party MIT-licensed open source. Install whichever orchestration you prefer; the pairing path is documented either way.

Pricing

Free or Premium — Hermes works either way.

Free includes three AI agent connections; Hermes Agent paired with BoxOwl takes one slot. That's the full local-inference path — vault stays on your device, model runs on your hardware, audit log local — at zero cost.

Premium lifts the connection cap to unlimited, runs your own external assistants (Claude, ChatGPT, Cursor, Gemini, …) alongside Hermes, and unlocks cloud-fallback inference for sessions where your hardware can't keep up. See full pricing →

Locality matrix

Honest about what runs where.

Tier A is fully local — the model itself runs on your hardware. Tier B is partially local — the model vendor sees your prompts, but the vault never leaves your device.

Tier A — fully local

Hermes Agent

Hermes Agent runs the Hermes model on your hardware via its own runtime, then calls BoxOwl over MCP. No prompt ever leaves the box. Vault and audit log are already local. This is the only configuration we can claim "your AI agents run on your hardware" without qualifiers.

model · local
vault · local
audit · local

Tier B — partially local

Claude Code · Cursor · Gemini CLI · ChatGPT · …

Model vendor sees the prompts you send them — that's the trade for top-shelf model quality. The vault still stays on your device; BoxOwl never relays plaintext credentials. Per-tool scope, confirm-mode, and audit are unchanged.

model · vendor cloud
vault · local
audit · local

Migrate in five minutes

From 1Password, Bitwarden, LastPass, Chrome, or Safari.

Install BoxOwl + your favorite AI agent's BoxOwl skill — your assistant walks you through it. Five minutes later, you're done. Your AI never saw your passwords; BoxOwl handled them directly via the daemon's scope-gated vault.passwords:bulk_import tool.

One skill per source: migrate-from-1password, migrate-from-bitwarden, migrate-from-lastpass, migrate-from-chrome, migrate-from-safari. Per-host walkthroughs →

What's coming

Trust-boundary slice at launch. Broader framework after.

The trust-boundary slice of PAFRAME ships at launch — signed skill registry, vault-event triggers via MCP subscription, push and cloud-mediated email channels for skills that need to reach outside Hermes Agent. The broader framework (skills runtime, deeper outbound channels, cron-wrapper for non-Hermes-Agent users) is post-launch.

Designed to fold into the existing agentskills.io community catalog so seed skills travel through ecosystem rails, not a walled garden.

How it compares

Vault-shaped trust boundary. Uncontested in this category.

No surveyed vendor targets the user as data subject with an agent-aware vault. The closest cousins are developer-facing.

Capability	BoxOwl	1Password	Bitwarden Secrets Mgr	Composio	Custom MCP
MCP server out of the box	✓	—	—	via SDK	DIY
Per-tool scope grants	✓	—	team-only	tool-level	DIY
Confirmation gating by risk tier	✓	—	—	—	DIY
Per-agent audit log on device	✓	—	cloud-only	cloud-only	DIY
Login redeem — agent never sees plaintext	✓	—	—	—	—
Structured personal data + per-field consent	✓	—	—	—	—
Open-source daemon + SDKs (Apache 2.0)	✓	—	server OSS	SDK OSS	DIY
Local-first vault	✓	cloud-first	cloud-first	cloud-first	depends

✓ shipped · — not offered · "DIY" means the surface exists if you build it yourself · "team-only" / "cloud-only" refers to the vendor's tier where the capability is exposed. Composio and Custom MCP are developer-facing; BoxOwl is the only consumer-facing option in this row.

The substrate, in four lines.

The architecture behind every Agents capability.

End-to-end encrypted

Vault items are encrypted at rest with a key only you can derive. The daemon decrypts in-process to satisfy a scoped read; nothing else.

Open audit log

Every read, write, denied call recorded with actor + tool + scope + result. Exportable as a signed Open Audit receipt under CC0.

Scope grammar

One scope per tool, per category, per field. Registered at handler level; the gateway dispatches through it. Adding a tool is registering a scope, not editing a controller.

Confirm-mode matrix

Risk tier × user-set confirm preference. Low + always_confirm = pause; high + never_confirm = pause anyway. The daemon enforces; the agent doesn't get to choose.

Daemon source under Apache 2.0 at /docs, or in the public repo at github.com/BoxOwl-Me/daemon.

The Agents section is free.

Daemon, MCP server, skill catalog, audit log — all open and free. Premium unlocks Secrets + Data features (Travel Mode, attachments, NightWatch, family vaults). Free · $3/mo Premium · $24/yr annual · Family from $6/mo.

See pricing

Bring your agents to your vault.

BoxOwl is in private beta. Install the daemon, pick your agent host, grant a few scopes — and watch the audit log fill up with calls you authorized.

Get BoxOwl Read the per-host walkthroughs