Article · source: clawpatrol.dev · topic: ai-safety

Claw Patrol Security firewall for agents

Claw Patrol has launched a security firewall for AI agents: a proxy that holds the agent's credentials and intercepts its outbound requests to databases, Kubernetes and HTTP APIs. It parses traffic at the wire, gates each action with rules you author (backed by LLM judges or human approval where a rule defers the decision), and keeps an audit log of every request. An agent that never holds the credentials cannot leak them when it is compromised by prompt injection, and an action the rules do not permit never reaches the backend.

Published Jun 30, 2026 · 4 min read

LLM judge

require_llm

A model with a prompt you write votes on each request. Verdicts are cached per request, so an identical request is answered from the cache instead of being sent to (and billed by) the model again.

approver "llm_approver" "secret-judge" {
  model      = "claude-haiku-4-5-20251001"
  credential = anthropic_manual_key.anthropic-key
  policy     = "Reject any SELECT that projects secret-bearing columns."
}

The security firewall for any agent

Claw Patrol guards credentials, parses traffic at the wire, and gates actions according to rules you author—all while keeping an audit log of everything that happens.

curl -fsSL https://clawpatrol.dev/install.sh | sh

Prefix any agent command with clawpatrol run. Same workflow; every action gated and tracked.

An agent that can talk to Postgres can DROP TABLE as easily as SELECT.

If the agent is compromised by prompt injection, the credentials it holds leak with it.

Reconstructing what actually happened means stitching together logs from multiple services.

A walkthrough of the operator UI at demo.clawpatrol.dev. Drill into any request to see what the gateway captured.

Every outbound request runs through Claw Patrol's rule engine. Match on HTTP method, SQL verb, k8s resource, and more; not just URLs. Rules go live the second you press save.

Match anything on the wire

Match on method, path, headers, or body, and route it through an LLM judge before it goes out.


rule "message-send-content-check" {
  endpoint = https.messaging-api
  condition = <<-CEL
    http.method == 'POST'
    && http.path == '/v1/messages/send'
  CEL
  approve = [llm_approver.message-content-judge]
}

Postgres and ClickHouse traffic parsed verb-by-verb. Match by SQL verb, table, function name, and substrings of the statement itself.


rule "pg-banned-functions" {
  endpoint = postgres.pg-staging
  priority = 100
  condition = <<-CEL
    sets.intersects(sql.functions, [
      'pg_read_file', 'pg_read_binary_file', 'lo_get',
    ])
    || sql.functions.exists(f, f.startsWith('dblink_'))
  CEL
  verdict = "deny"
  reason  = "filesystem-reaching function"
}

API calls to kube-apiserver. Match by namespace, resource, verb, and name. Catch destructive verbs on the wrong cluster, or hand exec commands to an LLM.


rule "k8s-exec-content-check" {
  endpoints = [kubernetes.k8s-dev, kubernetes.k8s-prod]
  priority  = 500
  condition = "k8s.resource == 'pods/exec'"
  approve   = [llm_approver.k8s-exec-content-judge]
}

Extend Claw Patrol with plugins.

Defer ambiguous requests to a model with your prompt, or a real human via Slack. You decide which one runs when.


Under the secret-judge policy above, this statement is rejected because api_key is a secret-bearing column:

SELECT id, name, api_key FROM users LIMIT 10

require_human

A person votes in Slack, the dashboard, or your own webhook. If nobody votes before the timeout, the request is denied: approval times out closed.

approver "human_approver" "ops" {
  channel    = "#agent-ops"
  credential = slack_tokens.slack-bot
  timeout    = 600
}
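How the two approver kinds behave at their edges (the cached LLM verdict, and the human vote that times out closed), as an added Python example that is not Claw Patrol's code. The LLM approver keys its cache on a hash of the canonical request so an identical request reuses the verdict instead of re-billing the model, and treats anything but an explicit "allow" as a deny. The human approver registers a per-request ticket, notifies a channel through a callback standing in for the Slack post, returns deny when no vote arrives before the timeout, and ignores a vote on a ticket that has already expired. The judge function, the channel callback, the request shape and the stop-at-first-deny order in gate() are all assumptions.

```python
import hashlib
import json
import threading
import uuid
from typing import Callable, Dict


def fingerprint(request: dict) -> str:
    """Cache key for a captured request: canonical JSON, hashed.  Two
    byte-identical requests share one verdict; any difference is a miss."""
    canon = json.dumps(request, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class LLMApprover:
    """require_llm: the model (an injected judge function here) votes once
    per distinct request and the verdict is cached, so a repeat is free."""

    def __init__(self, policy: str, judge: Callable[[str, dict], str]):
        self.policy = policy
        self.judge = judge
        self.cache: Dict[str, str] = {}
        self.calls = 0                      # model invocations, i.e. billing

    def vote(self, request: dict) -> str:
        key = fingerprint(request)
        if key not in self.cache:
            self.calls += 1
            answer = self.judge(self.policy, request)
            # Only an explicit "allow" opens the gate; a hedged or
            # unparseable answer is a deny.
            self.cache[key] = "allow" if answer == "allow" else "deny"
        return self.cache[key]


class HumanApprover:
    """require_human: post the request to a channel, wait for a vote, and
    deny if none arrives by the deadline (times out closed)."""

    def __init__(self, notify: Callable[[str, dict], None], timeout: float):
        self.notify = notify                # stands in for the Slack post
        self.timeout = timeout
        self._pending: Dict[str, dict] = {}
        self._lock = threading.Lock()

    def cast(self, ticket: str, verdict: str) -> bool:
        """Called from the Slack/webhook side.  A vote on an unknown or
        expired ticket is ignored, so a late "allow" can never approve a
        request that was already denied at the deadline."""
        with self._lock:
            entry = self._pending.get(ticket)
        if entry is None:
            return False
        entry["verdict"] = verdict
        entry["event"].set()
        return True

    def vote(self, request: dict) -> str:
        ticket = uuid.uuid4().hex           # one ticket per request, never reused
        entry = {"event": threading.Event(), "verdict": None}
        with self._lock:
            self._pending[ticket] = entry
        try:
            self.notify(ticket, request)
            if not entry["event"].wait(self.timeout):
                return "deny"               # nobody home: fail closed
            return "allow" if entry["verdict"] == "allow" else "deny"
        finally:
            with self._lock:
                self._pending.pop(ticket, None)


def gate(request: dict, approvers) -> str:
    """Run approvers in the configured order and stop at the first deny, so
    nobody is paged for a request the model already rejected (an assumed
    ordering; the page only says you choose which one runs when)."""
    for approver in approvers:
        if approver.vote(request) != "allow":
            return "deny"
    return "allow"


# Constructed stand-ins, not the product's model call or Slack integration.
def demo_judge(policy: str, request: dict) -> str:
    """Applies the secret-judge policy by name-matching a secret column."""
    return "deny" if "api_key" in request["sql"] else "allow"


class DemoChannel:
    """Records each post; if given a verdict, votes on the ticket at once."""

    def __init__(self, auto_vote: str = None):
        self.posted, self.auto_vote, self.approver = [], auto_vote, None

    def __call__(self, ticket: str, request: dict) -> None:
        self.posted.append((ticket, request))
        if self.auto_vote and self.approver:
            self.approver.cast(ticket, self.auto_vote)
```

The per-request ticket rather than the request fingerprint is deliberate on the human side: two identical requests in flight at once must each get their own vote, and a vote must not be replayable against a later request that happens to look the same.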


Record real actions from the dashboard. Drop the JSON files into a fixtures directory. Run clawpatrol test in CI: when a policy change flips a verdict, the runner prints the diff and fails the build.

No gateway, no database, no auth. A single binary that loads your HCL, replays each fixture against the rule engine, and asserts the verdicts still match.

$ clawpatrol test gateway.hcl tests/
ok tests/anthropic-implicit-allow.json
ok tests/clickhouse-default-deny.json
ok tests/clickhouse-read.json
ok tests/deno-com-require-approval.json
ok tests/api-resource-read.json
ok tests/github-api-implicit-allow.json
ok tests/k8s-allow-meta.json
ok tests/k8s-debug-pods.json
ok tests/k8s-default-deny.json
FAIL tests/k8s-no-secrets.json
  want verdict="deny"       rule="k8s-no-secrets"
  got  verdict="allow"      rule="k8s-no-secrets"
ok tests/k8s-reads.json
ok tests/orb-dev2-immutable-operations-allow.json
ok tests/pg-staging-banned-functions.json
ok tests/pg-staging-default-deny.json
ok tests/pg-staging-reads.json
36 action(s) checked, 1 mismatch(es)
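The rule engine and the fixture replay described above (HTTP, Postgres and Kubernetes matches, priority ordering, default deny, and a clawpatrol test-style diff), as one added Python example that is not Claw Patrol's code. Rules carry Python predicates in place of CEL expressions; the highest-priority matching rule wins (an assumption, since the page does not state how priorities resolve); a request no rule matches is denied. Constructed fixtures in an assumed JSON shape are replayed twice: once against the rules, where every verdict matches, and once after a simulated policy edit that drops k8s-no-secrets below the read rule, which flips that fixture's verdict and fails the run. Rule names follow the page; the priority values, fixture contents and file names are made up for illustration.

```python
import json
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    endpoints: FrozenSet[str]
    condition: Callable[[dict], bool]   # Python predicate standing in for the CEL expression
    verdict: str                        # "allow", "deny" or "approve" (hand to an approver)
    priority: int = 0


K8S = frozenset({"kubernetes.k8s-dev", "kubernetes.k8s-prod"})
PG = frozenset({"postgres.pg-staging"})
MSG = frozenset({"https.messaging-api"})

# Rules in the spirit of the HCL on this page; priority values are assumptions.
RULES = [
    Rule("message-send-content-check", MSG,
         lambda r: r["http"]["method"] == "POST" and r["http"]["path"] == "/v1/messages/send",
         "approve", 0),
    Rule("pg-reads", PG, lambda r: r["sql"]["verb"] == "SELECT", "allow", 10),
    Rule("k8s-reads", K8S, lambda r: r["k8s"]["verb"] in ("get", "list", "watch"), "allow", 10),
    Rule("k8s-exec-content-check", K8S, lambda r: r["k8s"]["resource"] == "pods/exec", "approve", 500),
    Rule("k8s-no-secrets", K8S, lambda r: r["k8s"]["resource"] == "secrets", "deny", 900),
]


def decide(request: dict, rules: List[Rule]) -> Tuple[str, str]:
    """Highest-priority matching rule wins (assumed semantics); a request no
    rule matches is denied, so a missing rule fails closed."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if request["endpoint"] in rule.endpoints and rule.condition(request):
            return rule.verdict, rule.name
    return "deny", "default-deny"


def _fixture(request: dict, verdict: str, rule: str) -> str:
    return json.dumps({"request": request, "want": {"verdict": verdict, "rule": rule}})


# Constructed fixtures in an assumed shape: the parsed request the gateway
# captured plus the verdict recorded when it was saved from the dashboard.
FIXTURES = {
    "tests/api-message-send-approval.json": _fixture(
        {"endpoint": "https.messaging-api", "http": {"method": "POST", "path": "/v1/messages/send"}},
        "approve", "message-send-content-check"),
    "tests/pg-staging-reads.json": _fixture(
        {"endpoint": "postgres.pg-staging", "sql": {"verb": "SELECT", "tables": ["users"], "functions": []}},
        "allow", "pg-reads"),
    "tests/pg-staging-default-deny.json": _fixture(
        {"endpoint": "postgres.pg-staging", "sql": {"verb": "DROP", "tables": ["users"], "functions": []}},
        "deny", "default-deny"),
    "tests/k8s-reads.json": _fixture(
        {"endpoint": "kubernetes.k8s-dev", "k8s": {"verb": "list", "resource": "pods", "namespace": "default"}},
        "allow", "k8s-reads"),
    "tests/k8s-debug-pods.json": _fixture(
        {"endpoint": "kubernetes.k8s-prod", "k8s": {"verb": "create", "resource": "pods/exec", "namespace": "payments"}},
        "approve", "k8s-exec-content-check"),
    "tests/k8s-no-secrets.json": _fixture(
        {"endpoint": "kubernetes.k8s-prod", "k8s": {"verb": "get", "resource": "secrets", "namespace": "payments"}},
        "deny", "k8s-no-secrets"),
    "tests/k8s-default-deny.json": _fixture(
        {"endpoint": "kubernetes.k8s-prod", "k8s": {"verb": "delete", "resource": "deployments", "namespace": "payments"}},
        "deny", "default-deny"),
}


def replay(fixtures: dict, rules: List[Rule]) -> List[dict]:
    """Run every fixture through the engine; pair the recorded verdict with the current one."""
    results = []
    for path in sorted(fixtures):
        case = json.loads(fixtures[path])
        want = case["want"]
        results.append({"path": path,
                        "want": (want["verdict"], want["rule"]),
                        "got": decide(case["request"], rules)})
    return results


def report(results: List[dict]) -> int:
    """Print in the shape of clawpatrol test; the mismatch count is the CI exit status."""
    mismatches = 0
    for r in results:
        if r["want"] == r["got"]:
            print(f"ok {r['path']}")
        else:
            mismatches += 1
            print(f"FAIL {r['path']}")
            print(f'  want verdict="{r["want"][0]}" rule="{r["want"][1]}"')
            print(f'  got  verdict="{r["got"][0]}" rule="{r["got"][1]}"')
    print(f"{len(results)} action(s) checked, {mismatches} mismatch(es)")
    return mismatches


def with_priority(rules: List[Rule], name: str, priority: int) -> List[Rule]:
    """A simulated policy edit: the same rules with one priority changed."""
    return [Rule(r.name, r.endpoints, r.condition, r.verdict,
                 priority if r.name == name else r.priority) for r in rules]


if __name__ == "__main__":
    report(replay(FIXTURES, RULES))
    # Drop k8s-no-secrets below k8s-reads: "get secrets" now matches the read rule.
    report(replay(FIXTURES, with_priority(RULES, "k8s-no-secrets", 5)))
```

The second run is the case the page's FAIL line illustrates: nothing in the k8s-no-secrets rule text changed, yet a reordering let a broader allow rule claim the request first, and only a recorded fixture with an expected verdict catches that before the policy ships.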

Lots of tools exist in the agent space, solving individual problems. Claw Patrol takes a holistic approach.

Route LLM calls between providers and log usage. Claw Patrol watches LLM traffic too, but focuses on what agents do downstream.

Scan model output for unsafe content. Claw Patrol scans actions, not just words.

HTTP proxies that hold credentials and apply policies. Claw Patrol does the same, plus non-HTTP protocols like Postgres.

Confine what an agent does on its machine. Claw Patrol limits what it can reach instead — stack the two.

Hold secrets so the agent never sees them. Claw Patrol does that, paired with wire-level rules on every call those credentials authorize.

The proxy holds your secrets and watches every byte your agents send. It has to be auditable, so it’s MIT licensed.
