Show HN: Claw Patrol, a security firewall for agents

21 points, posted 11 hours ago
by rough-sea

4 Comments

Apylon777

9 hours ago

This is a really cool library to look at even if you aren't running openclaw directly.

Lots of good concepts to seek inspiration from.

1. process-scoped egress policy

2. policy-as-code

3. explicit approval classes

4. normalized network/guardrail receipts

5. structured guardrail outcomes

6. centralized decision rules

rough-sea

8 hours ago

Thanks! Don't forget wire-level protocol parsing - this is important because agents usually can spawn subprocesses and if they have postgres credentials, you're just one psql call away from disaster if you only have MCP/HTTP proxies in place.

pavelpilyak

9 hours ago

Neat! Reading the docs - it's default-allow and ships with no rules? Any plans for a default rule set?

rough-sea

8 hours ago

Yes default allow and no rules by default. Some sort of default policy would be a great feature - I've been considering it. No one wants agents to DROP tables.

We have a big and detailed config file for our own internal use - but reluctant to release that exactly because it has information about our systems.

There's an example config file here that might be helpful https://github.com/denoland/clawpatrol/blob/main/examples/ga... - we use agents to write the config by pointing it at https://clawpatrol.dev/llms-full.txt
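
The wire-level parsing and the DROP-table concern raised in this thread, as an added example that is not part of the thread and not Claw Patrol's code: it frames PostgreSQL v3 frontend messages from a captured client stream and applies a rule to the SQL inside Query and Parse messages. The rule, the function names and the sample bytes are assumptions made for illustration, and the stream is assumed to be plaintext (TLS already terminated by the proxy).

```python
import re
import struct

# Hypothetical policy: statement verbs this example refuses outright.
BLOCKED = re.compile(r"^\s*(DROP|TRUNCATE)\b", re.IGNORECASE)

def frames(buf: bytes):
    """Yield (tag, payload) per complete frontend message; the first is untagged."""
    # StartupMessage has no tag byte: Int32 length, Int32 version, parameters.
    (n,) = struct.unpack_from("!I", buf, 0)
    yield "startup", buf[4:n]
    pos = n
    while pos + 5 <= len(buf):
        tag = chr(buf[pos])
        (n,) = struct.unpack_from("!I", buf, pos + 1)  # counts itself, not the tag
        if n < 4 or pos + 1 + n > len(buf):
            break  # malformed or truncated frame: stop and wait for more bytes
        yield tag, buf[pos + 5 : pos + 1 + n]
        pos += 1 + n

def sql_of(tag: str, payload: bytes):
    """Return the SQL text of a Query ('Q') or Parse ('P') message, else None."""
    parts = payload.split(b"\0")
    if tag == "Q":
        return parts[0].decode("utf-8", "replace")
    if tag == "P" and len(parts) > 1:  # statement name \0 query \0 parameter types
        return parts[1].decode("utf-8", "replace")
    return None

def review(buf: bytes):
    out = []  # [(verdict, statement)] for every SQL statement in the stream
    for tag, payload in frames(buf):
        sql = sql_of(tag, payload) or ""
        # Naive split on ';'. A real proxy needs a SQL tokenizer for literals.
        for stmt in filter(None, (s.strip() for s in sql.split(";"))):
            out.append(("deny" if BLOCKED.match(stmt) else "allow", stmt))
    return out

def msg(tag: bytes, payload: bytes) -> bytes:
    return tag + struct.pack("!I", len(payload) + 4) + payload

# Constructed sample: bytes a psql-style client could send after connecting.
PARAMS = b"user\0agent\0database\0app\0\0"
STARTUP = struct.pack("!II", len(PARAMS) + 8, 196608) + PARAMS
SAMPLE = (STARTUP + msg(b"Q", b"SELECT id FROM users; drop table users\0")
          + msg(b"P", b"s1\0TRUNCATE audit_log\0\0\0") + msg(b"X", b""))

if __name__ == "__main__":
    print(*review(SAMPLE), sep="\n")
```

The second statement of the simple query and the prepared statement are both denied, which an HTTP or MCP proxy would never see because the bytes travel directly from the subprocess to the database port.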