{"slug": "claw-patrol-security-firewall-for-agents", "title": "Claw Patrol Security firewall for agents", "summary": "Claw Patrol launched a security firewall for AI agents that intercepts and gates outbound requests to databases, Kubernetes, and APIs. The tool parses traffic at the wire, enforces rules via LLM judges or human approval, and maintains an audit log, so that credential leaks and prompt-injected agents are contained rather than discovered after the fact.", "body_md": "#### The security firewall for any agent\n\nClaw Patrol guards credentials, parses traffic at the wire, and gates actions according to rules you author—all while keeping an audit log of everything that happens.\n\n```bash\ncurl -fsSL https://clawpatrol.dev/install.sh | sh\n```\n\nPrefix any agent command with `clawpatrol run`. Same workflow; every action gated and tracked.\n\n- An agent that can talk to Postgres can DROP TABLE as easily as SELECT.\n- If the agent is compromised by prompt injection, the credentials it holds leak with it.\n- Reconstructing what actually happened means stitching together logs from multiple services.\n\nA walkthrough of the operator UI is at [demo.clawpatrol.dev](https://demo.clawpatrol.dev/). Drill into any request to see what the gateway captured.\n\nEvery outbound request runs through [Claw Patrol's rule engine](/docs/rules/). Match on HTTP method, SQL verb, k8s resource, and more; not just URLs. 
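
As an added example (not Claw Patrol's code, and not a reproduction of its parser or CEL evaluator), the Python below shows what matching "by SQL verb, table, function name" has to get right before it is worth anything: fold identifiers the way Postgres does, strip schema qualifiers, and ignore string literals, then evaluate priority-ordered rules with a default deny modelled on the pg-banned-functions rule shown further down. The replay at the end mirrors the `clawpatrol test` workflow described later on the page. All rule names, fixtures and statements are constructed for the illustration.

```python
"""Added example, not Claw Patrol's code: a minimal wire-level rule engine for
Postgres statements modelled on the page's pg-banned-functions rule, with a
fixture replay in the spirit of `clawpatrol test`.  Rule names, the fixture
shape and every statement below are constructed for this illustration."""
import re
from dataclasses import dataclass
from typing import Callable

# Postgres folds unquoted identifiers to lower case and keeps the case of quoted
# ones, so PG_READ_FILE(...), pg_catalog.pg_read_file(...) and "pg_read_file"(...)
# all reach the banned function; a raw compare against 'pg_read_file' misses each.
IDENT = r'"(?:[^"]|"")+"|[A-Za-z_][A-Za-z0-9_$]*'
QUALIFIED = rf'(?:(?:{IDENT})\.)*(?:{IDENT})'
CALL_RE = re.compile(rf'({QUALIFIED})\s*\(')
TABLE_RE = re.compile(rf'\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+({QUALIFIED})'
                      r'(?![A-Za-z0-9_$]|\s*\()', re.I)
# Blank string literals and comments first so a literal containing "pg_read_file("
# is not taken for a call (dollar quoting and E'...' escapes are not handled here).
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
# Keywords that also precede a "(" but are not calls.
NOT_FUNCTIONS = {"in", "values", "exists", "any", "all", "some", "and", "or", "not",
                 "on", "where", "select", "from", "as", "using", "over"}


def normalize(ident: str) -> str:
    """Drop the schema qualifier and apply Postgres case folding."""
    part = re.findall(IDENT, ident)[-1]
    return part[1:-1].replace('""', '"') if part.startswith('"') else part.lower()


@dataclass(frozen=True)
class SqlFacts:
    verb: str             # first keyword; a CTE shows up as WITH
    tables: frozenset
    functions: frozenset
    text: str             # literal-stripped statement, for substring rules


def parse(sql: str) -> SqlFacts:
    text = LITERAL_RE.sub(" ", sql)
    m = re.match(r"\s*([A-Za-z]+)", text)
    functions = {normalize(f) for f in CALL_RE.findall(text)} - NOT_FUNCTIONS
    tables = {normalize(t) for t in TABLE_RE.findall(text)}
    return SqlFacts(m.group(1).upper() if m else "", frozenset(tables),
                    frozenset(functions), text)


@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[SqlFacts], bool]
    verdict: str          # "allow" or "deny"
    priority: int = 0


BANNED = {"pg_read_file", "pg_read_binary_file", "lo_get"}
RULES = [
    Rule("pg-banned-functions", lambda f: bool(f.functions & BANNED)
         or any(fn.startswith("dblink_") for fn in f.functions), "deny", priority=100),
    Rule("pg-staging-reads", lambda f: f.verb == "SELECT", "allow"),
]


def decide(rules, facts: SqlFacts) -> tuple:
    """Highest priority wins, ties keep declaration order, no match means deny."""
    for rule in sorted(rules, key=lambda r: -r.priority):
        if rule.condition(facts):
            return rule.verdict, rule.name
    return "deny", "default-deny"


# Constructed fixtures: (name, recorded statement, expected verdict, expected rule).
FIXTURES = [
    ("pg-staging-reads", "SELECT id, name FROM users LIMIT 10", "allow", "pg-staging-reads"),
    ("case-folded-call", "SELECT * FROM PG_READ_FILE('/etc/passwd')", "deny", "pg-banned-functions"),
    ("schema-qualified-call", "select pg_catalog.pg_read_file('/etc/passwd')", "deny", "pg-banned-functions"),
    ("quoted-call", 'SELECT "pg_read_file"(\'/etc/passwd\')', "deny", "pg-banned-functions"),
    ("dblink-family", "SELECT * FROM dblink_connect('host=evil')", "deny", "pg-banned-functions"),
    ("literal-is-not-a-call", "SELECT 'pg_read_file(' AS s FROM notes", "allow", "pg-staging-reads"),
    ("pg-staging-default-deny", "DROP TABLE users", "deny", "default-deny"),
]


def replay(rules, fixtures) -> list:
    """Replay each fixture against the policy; print ok/FAIL lines, return mismatches."""
    mismatches = []
    for name, sql, want_verdict, want_rule in fixtures:
        verdict, rule = decide(rules, parse(sql))
        if (verdict, rule) == (want_verdict, want_rule):
            print(f"ok   {name}")
        else:
            print(f"FAIL {name}\n  want verdict={want_verdict!r} rule={want_rule!r}"
                  f"\n  got  verdict={verdict!r} rule={rule!r}")
            mismatches.append((name, (want_verdict, want_rule), (verdict, rule)))
    print(f"{len(fixtures)} action(s) checked, {len(mismatches)} mismatch(es)")
    return mismatches


if __name__ == "__main__":
    replay(RULES, FIXTURES)                                                  # 0 mismatches
    replay([r for r in RULES if r.name != "pg-banned-functions"], FIXTURES)  # 4 mismatches
```

The second replay in the `__main__` block is the case the page's CI story is about: delete the deny rule and four recorded verdicts flip from deny to allow, which is exactly what a fixture run should surface before the policy ships.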
Rules go live the second you press save.\n\n#### Match anything on the wire\n\nMatch on method, path, headers, or body, and route it through an LLM judge before it goes out.\n\n```hcl\n# User-visible messages sent from the agent are scanned by an LLM\n# judge before they go out: catches unsafe content, missing context,\n# and markdown that should not ship.\n\nrule \"message-send-content-check\" {\n  endpoint = https.messaging-api\n  condition = <<-CEL\n    http.method == 'POST'\n    && http.path == '/v1/messages/send'\n  CEL\n  approve = [llm_approver.message-content-judge]\n}\n```\n\nPostgres and ClickHouse traffic is parsed verb by verb. Match by SQL verb, table, function name, and substrings of the statement itself.\n\n```hcl\n# Block Postgres functions that could read the filesystem or open\n# outbound connections from inside the database — pg_read_file,\n# lo_get, and the whole dblink family.\n\nrule \"pg-banned-functions\" {\n  endpoint = postgres.pg-staging\n  priority = 100\n  condition = <<-CEL\n    sets.intersects(sql.functions, [\n      'pg_read_file', 'pg_read_binary_file', 'lo_get',\n    ])\n    || sql.functions.exists(f, f.startsWith('dblink_'))\n  CEL\n  verdict = \"deny\"\n  reason  = \"filesystem-reaching function\"\n}\n```\n\nAPI calls to kube-apiserver are matched by namespace, resource, verb, and name. Catch destructive verbs on the wrong cluster, or hand exec commands to an LLM.\n\n```hcl\n# kubectl exec is gated by an LLM judge that reads the command argv:\n# allows ls / ps / df, denies env dumps, sensitive file reads, and\n# anything touching pod tokens or container sockets.\n\nrule \"k8s-exec-content-check\" {\n  endpoints = [kubernetes.k8s-dev, kubernetes.k8s-prod]\n  priority  = 500\n  condition = \"k8s.resource == 'pods/exec'\"\n  approve   = [llm_approver.k8s-exec-content-judge]\n}\n```\n\nExtend Claw Patrol with plugins [Read more →](/docs/plugins/)\n\nDefer ambiguous requests to a model with your prompt, or a real human via Slack. 
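
An added example, not from the page or the project, of the two approver behaviours described in this section: an LLM judge whose verdicts are cached so a repeated request is not billed twice, and a human vote that times out closed. The model and the Slack channel are stand-ins injected as callables so the code runs offline; the class names, the request shape and `fake_secret_judge` are assumptions made for the illustration, not Claw Patrol's API.

```python
"""Added example, not Claw Patrol's code: the two approver behaviours the page
describes, modelled as plain Python.  The LLM judge caches verdicts per
(policy, request) so a repeated request is not re-billed; the human approver
fails closed when nobody votes before the timeout.  The model and the Slack
channel are stand-ins injected as callables so this runs offline; the request
shape, class names and `fake_secret_judge` are assumptions for the illustration."""
import hashlib
import json
import re
import threading
from typing import Callable


def cache_key(policy: str, request: dict) -> str:
    """Canonical JSON, so key order and whitespace cannot defeat the cache."""
    canon = json.dumps({"policy": policy, "request": request},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class LlmApprover:
    def __init__(self, policy: str, judge: Callable[[str, dict], str]):
        self.policy, self.judge, self.cache, self.calls = policy, judge, {}, 0

    def vote(self, request: dict) -> str:
        key = cache_key(self.policy, request)
        if key in self.cache:
            return self.cache[key]
        self.calls += 1                       # a billed model call
        try:
            verdict = self.judge(self.policy, request)
        except Exception:
            return "deny"                     # a judge error denies and is not cached
        # Only an explicit allow approves; anything else the model says is a deny.
        self.cache[key] = "allow" if verdict == "allow" else "deny"
        return self.cache[key]


class HumanApprover:
    def __init__(self, notify: Callable[[dict, Callable[[str], None]], None],
                 timeout: float):
        # `notify` posts the request to the channel and receives the callback the
        # voter (Slack button, dashboard, webhook) invokes with a verdict.
        self.notify, self.timeout = notify, timeout

    def vote(self, request: dict) -> str:
        decided, box = threading.Event(), {}

        def cast(verdict: str) -> None:
            if not decided.is_set():          # first vote wins; late votes are ignored
                box["verdict"] = verdict
                decided.set()

        self.notify(request, cast)
        if not decided.wait(self.timeout):
            return "deny"                     # timed out closed: no vote, no action
        return "allow" if box.get("verdict") == "allow" else "deny"


def gate(request: dict, approvers) -> str:
    """Every approver must allow; the first deny short-circuits, so nobody is
    paged in Slack for a request the judge already rejected."""
    return "allow" if all(a.vote(request) == "allow" for a in approvers) else "deny"


SECRET_COLUMNS = {"api_key", "password", "token", "secret"}


def fake_secret_judge(policy: str, request: dict) -> str:
    """Stand-in for the model, with the intent of the page's policy: deny any
    SELECT that projects a secret-bearing column (or *, which projects them all)."""
    m = re.match(r"\s*SELECT\s+(.*?)\s+FROM\b", request.get("sql", ""), re.I | re.S)
    if not m:
        return "allow"
    projected = {c.strip().strip('"').lower() for c in m.group(1).split(",")}
    return "deny" if "*" in projected or projected & SECRET_COLUMNS else "allow"


def demo() -> dict:
    judge = LlmApprover("Reject any SELECT that projects secret-bearing columns.",
                        fake_secret_judge)
    nobody_home = HumanApprover(notify=lambda req, cast: None, timeout=0.05)

    def prompt_voter(req, cast):              # a voter clicking "allow" from another thread
        threading.Timer(0.01, cast, args=["allow"]).start()
    ops = HumanApprover(notify=prompt_voter, timeout=5)

    leak = {"endpoint": "pg-staging", "sql": "SELECT id, name, api_key FROM users LIMIT 10"}
    safe = {"endpoint": "pg-staging", "sql": "SELECT id, name FROM users LIMIT 10"}
    return {
        "leak": gate(leak, [judge, ops]),                      # deny: api_key projected
        "safe": gate(safe, [judge, ops]),                      # allow
        "safe_nobody_home": gate(safe, [judge, nobody_home]),  # deny: timed out closed
        "safe_again": gate(safe, [judge, ops]),                # allow, served from cache
        "judge_calls": judge.calls,                            # 2: one per distinct request
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping when wiring up a real judge: a judge that errors out must deny, and that deny must not be cached, or a model outage becomes either an open door or a permanent block; and the judge reads text the agent chose (prompt-injected or not), so it belongs on top of deterministic deny rules like the ones above, not in place of them.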
You decide which one runs when.\n\n#### LLM judge\n\n`require_llm`\n\nA model with a custom prompt votes on each request. Verdicts are cached so it doesn’t re-bill.\n\n```hcl\napprover \"llm_approver\" \"secret-judge\" {\n  model      = \"claude-haiku-4-5-20251001\"\n  credential = anthropic_manual_key.anthropic-key\n  policy     = \"Reject any SELECT that projects secret-bearing columns.\"\n}\n```\n\nWith that policy, the judge rejects `SELECT id, name, api_key FROM users LIMIT 10` because it projects `api_key`, a secret-bearing column.\n\n`require_human`\n\nA person votes in Slack, the dashboard, or your own webhook. Times out closed if no one’s home: if nobody votes before `timeout` expires, the request is denied.\n\n```hcl\napprover \"human_approver\" \"ops\" {\n  channel    = \"#agent-ops\"\n  credential = slack_tokens.slack-bot\n  timeout    = 600\n}\n```\n\nRecord real actions from the dashboard. Drop the JSON files into a fixtures directory. Run `clawpatrol test` in CI: when a policy change flips a verdict, the runner prints the diff and fails the build.\n\nNo gateway, no database, no auth. A single binary that loads your HCL, replays each fixture against the rule engine, and asserts the verdicts still match.\n\n```bash\n$ clawpatrol test gateway.hcl tests/\nok tests/anthropic-implicit-allow.json\nok tests/clickhouse-default-deny.json\nok tests/clickhouse-read.json\nok tests/deno-com-require-approval.json\nok tests/api-resource-read.json\nok tests/github-api-implicit-allow.json\nok tests/k8s-allow-meta.json\nok tests/k8s-debug-pods.json\nok tests/k8s-default-deny.json\nFAIL tests/k8s-no-secrets.json\n  want verdict=\"deny\"       rule=\"k8s-no-secrets\"\n  got  verdict=\"allow\"      rule=\"k8s-no-secrets\"\nok tests/k8s-reads.json\nok tests/orb-dev2-immutable-operations-allow.json\nok tests/pg-staging-banned-functions.json\nok tests/pg-staging-default-deny.json\nok tests/pg-staging-reads.json\n36 action(s) checked, 1 mismatch(es)\n```\n\nLots of tools exist in the agent space, solving individual problems. Claw Patrol takes a holistic approach.\n\n- Route LLM calls between providers and log usage. Claw Patrol watches LLM traffic too, but focuses on what agents do downstream.\n- Scan model output for unsafe content. 
Claw Patrol scans actions, not just words.\n- HTTP proxies that hold credentials and apply policies. Claw Patrol does the same, plus non-HTTP protocols like Postgres.\n- Confine what an agent does on its machine. Claw Patrol limits what it can reach instead — stack the two.\n- Hold secrets so the agent never sees them. Claw Patrol does that, paired with wire-level rules on every call those credentials authorize.\n\nThe proxy holds your secrets and watches every byte your agents send. It has to be auditable, so it’s [MIT licensed](https://github.com/denoland/clawpatrol/blob/main/LICENSE.md).\n", "url": "https://wpnews.pro/news/claw-patrol-security-firewall-for-agents", "canonical_source": "https://clawpatrol.dev/", "published_at": "2026-06-30 23:08:09+00:00", "updated_at": "2026-06-30 23:19:35.276117+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "ai-infrastructure", "ai-tools", "ai-ethics"], "entities": ["Claw Patrol", "Postgres", "ClickHouse", "Kubernetes", "Slack", "Claude Haiku", "Anthropic"], "alternates": {"html": "https://wpnews.pro/news/claw-patrol-security-firewall-for-agents", "markdown": "https://wpnews.pro/news/claw-patrol-security-firewall-for-agents.md", "text": "https://wpnews.pro/news/claw-patrol-security-firewall-for-agents.txt", "jsonld": "https://wpnews.pro/news/claw-patrol-security-firewall-for-agents.jsonld"}}