The staged autonomy pattern ("trust is earnable") maps directly to what we built with protect-mcp — shadow mode first (log everything, block nothing), then enforce when you've seen enough data to trust the policies.
For the prompt injection concern: protect-mcp wraps MCP tool calls with per-tool policies. Even if the agent gets injected, it can't call tools outside the policy. Every decision is optionally Ed25519-signed and verifiable offline.
npmjs.com/package/protect-mcp
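As an added example (not protect-mcp's own code, and not from either commenter), the staged-autonomy idea above can be sketched as a small gate around agent tool calls: shadow mode records every decision and blocks nothing, enforce mode rejects calls outside the per-tool policy. The tool names, policies and calls are constructed for illustration; the Ed25519 signing of decisions mentioned above is left out.

```python
# Hypothetical staged-autonomy gate; tools and policies below are constructed.
from dataclasses import dataclass, field

@dataclass
class ToolPolicy:
    allowed: bool = True
    arg_checks: dict = field(default_factory=dict)  # arg name -> predicate

class PolicyGate:
    def __init__(self, policies, mode="shadow"):
        assert mode in ("shadow", "enforce")
        self.policies, self.mode, self.log = policies, mode, []

    def evaluate(self, tool, args):
        """Return (ok, reason) for a tool call under the per-tool policy."""
        pol = self.policies.get(tool)
        if pol is None or not pol.allowed:
            return False, "tool not allowed by policy"
        for name, check in pol.arg_checks.items():
            if name in args and not check(args[name]):
                return False, f"argument {name!r} rejected"
        return True, "ok"

    def call(self, tool, args, impl):
        ok, reason = self.evaluate(tool, args)
        blocked = self.mode == "enforce" and not ok
        # Every decision is recorded in both modes; shadow mode only observes.
        self.log.append({"tool": tool, "args": dict(args), "ok": ok,
                         "reason": reason, "blocked": blocked})
        if blocked:
            raise PermissionError(f"{tool}: {reason}")
        return impl(**args)

    def violations(self):
        return [d for d in self.log if not d["ok"]]

def demo(mode):
    # Constructed policy: read_file only under /data/, send_email never,
    # whatever an injected prompt asks the agent to do.
    policies = {
        "read_file": ToolPolicy(arg_checks={"path": lambda p: p.startswith("/data/")}),
        "send_email": ToolPolicy(allowed=False),
    }
    gate = PolicyGate(policies, mode)
    results = []
    for tool, args in [("read_file", {"path": "/data/report.txt"}),
                       ("read_file", {"path": "/home/alice/notes.txt"}),
                       ("send_email", {"to": "someone@example.com"})]:
        try:
            gate.call(tool, args, lambda **kw: "ran")
            results.append("ran")
        except PermissionError:
            results.append("blocked")
    return results, len(gate.violations())
```

Running `demo("shadow")` first shows how many policy violations the agent would have hit without blocking anything, which is the data you want before switching the same policies to `demo("enforce")`.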
hm, interesting! I like it. What I've done is that each step in the process is one agent. One agent gets one task, and only the tool to do it.
How is it different from openclaw?
Openclaw is great, but it's still early adopters and often tech savvy people who use it. This is for non tech savvy people in small companies that are still hesitant to let AI run their workflow, and n8n and Zapier take too much time to set up and maintain, or the if/then isn't working in their setting.
Openclaw = tech savvy people small team, really knows AI
Operator23 = Wants safe agents super easy to setup doing one task and learn about it.
Nothing about prompt injection protections. This appears to be openclaw but trusting that you won’t silently expose all your (our) data.
So not openclaw, prompt injections are a part of the backend based on evals and a scorer, meaning that the right tool was called, and what each agent can expect.
Instead of having a lot of subagents getting their memory filled with previous runs, prompt injection can be a better way to really narrow down each subagent's actual task.