Your AI Agent Has Root Access. And Zero Guardrails.


Open Source · Security for OpenClaw

Your OpenClaw agent can delete files, leak secrets, and make purchases. Clawsec stops it in under 5ms.


The Problem

Agentic AI is here. Security isn't.

Exposed by Default

Thousands of AI agent instances are running right now with no authentication, no guardrails, and full system access.

No Built-in Security

The most popular AI frameworks ship with zero security defaults. Every agent gets full access to files, network, and shell.

Real Attacks, Real Damage

Prompt injection, secret leakage, unauthorized purchases, data exfiltration — these aren’t hypothetical. They’re happening now.

Live Demo

See it in action

Watch Clawsec intercept dangerous actions in real-time

Architecture

What happens when your agent calls a tool

Every tool invocation passes through three stages before execution

Tool call intercepted

Shell commands, HTTP requests, file writes — Clawsec’s middleware catches every tool call before it executes.

clawsec.intercept(toolCall)

Rules engine scores risk

Pattern matching against built-in rulesets: destructive-commands, secrets/*, exfiltration/*. Evaluation completes in under 5ms.

match: "destructive-commands/rm-recursive" → risk: critical

Action enforced

Based on the matched rule’s configured action in your clawsec.yaml, Clawsec decides what happens next.

action: block | confirm | allow

Block: action denied, agent notified

Confirm: human approval required

Allow + Log: executed with full audit trail

Quick Start

Running in 30 seconds

One command. Zero config required.

1. Install: openclaw plugins install clawsec

2. Configure: auto-generates clawsec.yaml

3. Protected: your agent is secured

See full config on GitHub

Coverage

What Clawsec catches out of the box

Built-in rulesets that protect your agent from day one. Every rule is configurable, extensible, and open source.

Destructive Commands

File deletion, database drops, process kills

rm -rf · DROP TABLE · kill -9

Secret Exposure

API keys, tokens, and credentials in output

AKIA* · sk_live_* · .env

Data Exfiltration

Unauthorized uploads to external endpoints

curl -d @data · POST external.io

Unauthorized Purchases

Payment APIs and subscription changes

charge() · subscribe()

Privilege Escalation

Root access and permission changes

sudo · chmod 777 · --admin

Prompt Injection

System prompt leaks and instruction override

ignore previous · SYSTEM:
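The three-stage pipeline described under Architecture (intercept, rules engine, enforce) and the rule categories listed under Coverage, worked through in one added example. This is illustrative code written for this page, not Clawsec's own implementation: the rule ids, the `{ tool, input }` shape of a tool call, the `POLICY` layout standing in for clawsec.yaml, and the allowlisted host are all assumptions. It shows how per-rule actions and a risk-level fallback combine so that the strictest matched action wins, and how every decision, allowed or not, lands in an audit log.

```javascript
// Added illustration, not Clawsec's own code: a minimal three-stage guard in
// the shape the page describes (intercept -> rules engine -> enforce).
// Rule ids, the toolCall shape ({ tool, input }), the policy layout and the
// allowlisted host are all assumptions made for this example.

const RISK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };
const SEVERITY = { allow: 0, confirm: 1, block: 2 }; // strictest action wins

const ALLOWED_HOSTS = new Set(["api.internal.example"]); // constructed allowlist

// Reduce any tool call to text so regex rules can run over it: shell gets the
// raw command line, other tools get their JSON-serialised input.
function textOf(call) {
  return typeof call.input === "string" ? call.input : JSON.stringify(call.input);
}

// Hostname of a URL, or "" when it does not parse (treated as not allowlisted).
function hostOf(url) {
  try { return new URL(url).hostname; } catch { return ""; }
}

// Helper: a regex rule scoped to particular tools ("*" = every tool).
const re = (pattern, tools) => (call) =>
  (tools === "*" || tools.includes(call.tool)) && pattern.test(textOf(call));

// Constructed rulesets mirroring the page's coverage categories.
const RULES = [
  { id: "destructive-commands/rm-recursive", risk: "critical", match: re(/\brm\s+-[a-zA-Z]*[rR]/, ["shell"]) },
  { id: "destructive-commands/drop-table",   risk: "critical", match: re(/\bDROP\s+TABLE\b/i, ["shell", "sql"]) },
  { id: "destructive-commands/kill-9",       risk: "high",     match: re(/\bkill\s+-9\b/, ["shell"]) },
  { id: "secrets/aws-access-key",  risk: "high",   match: re(/\bAKIA[0-9A-Z]{16}\b/, "*") },
  { id: "secrets/stripe-live-key", risk: "high",   match: re(/\bsk_live_[0-9A-Za-z]+/, "*") },
  { id: "secrets/dotenv",          risk: "medium", match: re(/(?:^|[\s/"])\.env\b/, ["shell", "file_read"]) },
  { id: "exfiltration/curl-upload",   risk: "high", match: re(/\bcurl\b.*\s(?:-d|--data(?:-binary)?)\s+@/, ["shell"]) },
  { id: "exfiltration/post-external", risk: "high",
    match: (call) => call.tool === "http" && /^POST$/i.test(call.input.method)
      && !ALLOWED_HOSTS.has(hostOf(call.input.url)) },
  { id: "privilege-escalation/sudo",      risk: "high", match: re(/\bsudo\b/, ["shell"]) },
  { id: "privilege-escalation/chmod-777", risk: "high", match: re(/\bchmod\s+(?:-R\s+)?777\b/, ["shell"]) },
  { id: "prompt-injection/ignore-previous", risk: "medium", match: re(/ignore (?:all )?previous|^\s*SYSTEM:/im, "*") },
];

// Constructed policy standing in for clawsec.yaml: an explicit action per rule
// id, with a fallback keyed on the matched rule's risk level.
const POLICY = {
  rules: { "secrets/dotenv": "confirm", "prompt-injection/ignore-previous": "block" },
  byRisk: { critical: "block", high: "confirm", medium: "allow", low: "allow" },
};

const auditLog = []; // every decision, allowed or not, lands here

// Stage 1: every tool call enters here before it executes.
function intercept(call, policy = POLICY) {
  return enforce(call, score(call), policy);
}

// Stage 2: run every rule; keep the matches, highest risk first.
function score(call) {
  const matched = RULES.filter((r) => r.match(call)).sort((a, b) => RISK[b.risk] - RISK[a.risk]);
  return { matched, risk: matched.length ? matched[0].risk : "none" };
}

// Stage 3: look up each matched rule's configured action and let the strictest
// win. The caller executes only on "allow" and pauses for a human on "confirm".
function enforce(call, verdict, policy) {
  const action = verdict.matched
    .map((r) => policy.rules[r.id] ?? policy.byRisk[r.risk] ?? "allow")
    .reduce((worst, a) => (SEVERITY[a] > SEVERITY[worst] ? a : worst), "allow");
  const entry = {
    tool: call.tool, input: textOf(call), risk: verdict.risk,
    matched: verdict.matched.map((r) => r.id), action, at: new Date().toISOString(),
  };
  auditLog.push(entry);
  return entry;
}

// Sample run on a constructed tool call
console.log(intercept({ tool: "shell", input: "rm -rf ./build" }));
```

The design choice worth noting is in `enforce`: the action is computed per matched rule and the strictest one is kept, so a low-risk rule that the policy explicitly sets to `block` is not outranked by a higher-risk rule that only maps to `confirm`. The `confirm` outcome is returned rather than resolved here; wiring it to an actual human-approval step is the caller's job.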

MIT Licensed·<5ms latency·Any agent framework·Extensible YAML rules