The only AI agent that doesn't trust its own tools.

A secure, self-hosted personal AI agent framework. Every tool runs in its own Docker container. Every action passes through a Guardian safety pipeline. You stay in control.

MIT License GitHub Stars

Built for paranoid people (like us)

๐Ÿณ

Per-Tool Docker Isolation

Every tool runs in its own ephemeral container. No shared filesystems. No ambient authority. A compromised tool can't touch anything else.

🛡️

Guardian Safety Pipeline

Four layers of defense: DeBERTa classifier for fast screening, LLM judge for nuanced review, YAML policy enforcement, and coherence checking. All before any tool executes.

๐ŸŽ

macOS Host Bridge

Native integration with macOS apps — Calendar, Reminders, Finder, and more — through a secure host bridge. Your agent lives on your Mac, not in the cloud.

📄

YAML-Driven Tools

Define tools in simple YAML. Specify the container image, permissions, arguments, and safety constraints. No code required to add capabilities.
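
An added sketch of what per-tool isolation and a declarative tool definition can look like at the `docker run` level. It is not Creel's code: the spec field names (`name`, `image`, `network`, `args`), the forbidden-key list and the sample image are assumptions, since the page does not show the YAML schema.

```python
import shlex

# Hypothetical tool spec, as it might look after loading a tool's YAML file.
# Field names and values are constructed for this example, not Creel's schema.
SAMPLE_TOOL = {
    "name": "web_fetch",
    "image": "example/web-fetch:1.0",
    "network": False,
    "args": ["--url", "https://example.com"],
}

# Spec keys that would hand the container host resources; refused outright.
FORBIDDEN_KEYS = {"privileged", "volumes", "cap_add", "devices", "pid"}


def build_docker_argv(tool: dict) -> list:
    """Build a `docker run` argv that starts one tool with no ambient authority."""
    bad = FORBIDDEN_KEYS.intersection(tool)
    if bad:
        raise ValueError(f"tool {tool.get('name')!r} requests host access: {sorted(bad)}")
    image = str(tool["image"])
    if not image or image.startswith("-") or any(c.isspace() for c in image):
        raise ValueError("image must be a plain image reference, not an option")
    argv = [
        "docker", "run",
        "--rm",                                        # ephemeral: removed on exit
        "--read-only",                                 # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=16m",   # private scratch space only
        "--cap-drop", "ALL",                           # no Linux capabilities
        "--security-opt", "no-new-privileges",         # setuid binaries gain nothing
        "--user", "65534:65534",                       # unprivileged uid:gid
        "--pids-limit", "64",
        "--memory", "256m",
        "--network", "bridge" if tool.get("network") is True else "none",
        image,
    ]
    # Tool arguments follow the image, so Docker never parses them as its own flags.
    return argv + [str(a) for a in tool.get("args", [])]


if __name__ == "__main__":
    print(shlex.join(build_docker_argv(SAMPLE_TOOL)))
```

The argv is meant to be executed as a list (no shell), so tool arguments are never re-parsed by a shell on the host.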

How it works

You → Agent Core (LLM reasoning) → Guardian (4-layer safety) → Tool Containers (Docker isolation)

Guardian Pipeline
  1. Fast DeBERTa classifier — instant risk scoring
  2. Deep LLM judge — contextual safety review
  3. Policy YAML rules — your explicit constraints
  4. Check Coherence — does the action match intent?

Up and running in 60 seconds

Terminal
# Install prerequisites
$ brew install pyenv uv age

# Clone and set up
$ git clone https://github.com/creel-ai/creel.git
$ cd creel
$ pyenv install 3.12.12
$ uv venv && source .venv/bin/activate
$ uv pip install -e ".[dev]"

# Configure and run
$ export ANTHROPIC_API_KEY=sk-ant-...
$ creel chat

🧺 Creel agent ready. Tools loaded: 12. Guardian: active.