Claw Patrol - The security firewall for agents

The missing option between babysitting and YOLO mode

The security firewall for any agent

Claw Patrol guards credentials, parses traffic at the wire, and gates actions according to rules you author—all while keeping an audit log of everything that happens.

```shell
curl -fsSL https://clawpatrol.dev/install.sh | sh
```

Just use with any agent

Prefix any agent command with clawpatrol run. Same workflow; every action gated and tracked.

```shell
$ clawpatrol run <agent command>
```

The problem

Access shouldn't be permission

An agent that can talk to Postgres can DROP TABLE as easily as SELECT.

Using keys shouldn't mean risking them

If the agent is compromised by prompt injection, the credentials it holds leak with it.

You can't see what happened

Reconstructing what actually happened means stitching together logs from multiple services.

The solution

Claw Patrol is an agent proxy that intercepts all traffic, evaluates actions against custom rules, safeguards credentials, and logs everything that happens.

Take a tour

Click around the admin dashboard. A walkthrough of the operator UI is available at demo.clawpatrol.dev. Drill into any request to see what the gateway captured.

Rules

You write access rules. Claw Patrol enforces them.

Every outbound request runs through Claw Patrol's rule engine. Match on HTTP method, SQL verb, k8s resource, and more, not just URLs. Rules go live the second you press save.

Match anything on the wire

HTTP

Match on method, path, headers, or body, and route it through an LLM judge before it goes out.

```hcl
# User-visible messages sent from the agent are scanned by an LLM
# judge before they go out: catches unsafe content, missing context,
# and markdown that should not ship.

rule "message-send-content-check" {
  endpoint  = https.messaging-api
  # Heredoc holding the CEL condition (the "<<" marker was lost in extraction).
  condition = <<CEL
    http.method == 'POST'
    && http.path == '/v1/messages/send'
CEL
  approve   = [llm_approver.message-content-judge]
}
```

SQL

Postgres and ClickHouse traffic parsed verb-by-verb. Match by SQL verb, table, function name, and substrings of the statement itself.

```hcl
# Block Postgres functions that could read the filesystem or open
# outbound connections from inside the database — pg_read_file,
# lo_get, and the whole dblink family.

rule "pg-banned-functions" {
  endpoint  = postgres.pg-staging
  priority  = 100
  # Heredoc holding the CEL condition (the "<<" marker was lost in extraction).
  condition = <<CEL
    sets.intersects(sql.functions, [
      'pg_read_file', 'pg_read_binary_file', 'lo_get',
    ])
    || sql.functions.exists(f, f.startsWith('dblink_'))
CEL
  verdict   = "deny"
  reason    = "filesystem-reaching function"
}
```

Kubernetes

API calls to kube-apiserver. Match by namespace, resource, verb, and name. Catch destructive verbs on the wrong cluster, or hand exec commands to an LLM.

```hcl
# kubectl exec is gated by an LLM judge that reads the command argv:
# allows ls / ps / df, denies env dumps, sensitive file reads, and
# anything touching pod tokens or container sockets.

rule "k8s-exec-content-check" {
  endpoints = [kubernetes.k8s-dev, kubernetes.k8s-prod]
  priority  = 500
  condition = "k8s.resource == 'pods/exec'"
  approve   = [llm_approver.k8s-exec-content-judge]
}
```

Extend Claw Patrol with plugins.

Approval flows

Put a human in the loop, or double-check with another agent.

Defer ambiguous requests to a model with your prompt, or a real human via Slack. You decide which one runs when.

A model with a custom prompt votes on each request. Verdicts are cached so it doesn't re-bill.

```hcl
approver "llm_approver" "secret-judge" {
  model      = "claude-haiku-4-5-20251001"
  credential = anthropic_manual_key.anthropic-key
  policy     = "Reject any SELECT that projects secret-bearing columns."
}
```

incoming: SELECT id, name, api_key FROM users LIMIT 10

AI: ✗ Denied — projects api_key, a secret-bearing column.

-or-

A person votes in Slack, the dashboard, or your own webhook. Times out closed if no one's home.

```hcl
approver "human_approver" "ops" {
  channel    = "#agent-ops"
  credential = slack_tokens.slack-bot
  timeout    = 600
}
```

#agent-ops

Claw Patrol (APP) 1:42 PM: prod-codex wants to DELETE /repos/acme/checkout

Josh 1:42 PM: approved

Claw Patrol (APP) 1:42 PM: ✓ Allowed — forwarded to upstream (14s).

Regression tests

Test your rules before you ship them

Record real actions from the dashboard. Drop the JSON files into a fixtures directory. Run clawpatrol test in CI: when a policy change flips a verdict, the runner prints the diff and fails the build.

No gateway, no database, no auth. A single binary that loads your HCL, replays each fixture against the rule engine, and asserts the verdicts still match.

```text
$ clawpatrol test gateway.hcl tests/
ok   tests/anthropic-implicit-allow.json
ok   tests/clickhouse-default-deny.json
ok   tests/clickhouse-read.json
ok   tests/deno-com-require-approval.json
ok   tests/api-resource-read.json
ok   tests/github-api-implicit-allow.json
ok   tests/k8s-allow-meta.json
ok   tests/k8s-debug-pods.json
ok   tests/k8s-default-deny.json
FAIL tests/k8s-no-secrets.json
     want verdict="deny"  rule="k8s-no-secrets"
     got  verdict="allow" rule="k8s-no-secrets"
ok   ...
```
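To make the fixture-replay idea concrete, here is an added Python stand-in (not Claw Patrol's engine or its test runner) that encodes the page's pg-banned-functions rule as a plain function and replays constructed JSON fixtures the way clawpatrol test does, printing ok/FAIL lines with the want/got verdict diff. The SQL function extraction, the fixture shape and the "default" rule name are assumptions for the illustration.

```python
import json
import re

# Hypothetical stand-in for a rule engine: the page's "pg-banned-functions"
# rule (sets.intersects on a banned list || any function starting with
# "dblink_") expressed in Python, plus a fixture replay loop.

BANNED_FUNCTIONS = {"pg_read_file", "pg_read_binary_file", "lo_get"}
BANNED_PREFIXES = ("dblink_",)

# Crude stand-in for a real SQL parser: an identifier directly followed
# by "(" is treated as a function call.
FUNC_CALL = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s*\(")

def sql_functions(statement: str) -> list[str]:
    """Return the function names referenced in a SQL statement, lowercased."""
    return [m.lower() for m in FUNC_CALL.findall(statement)]

def pg_banned_functions(statement: str) -> tuple[str, str]:
    """Evaluate the rule; returns (verdict, rule_name) like a gateway verdict."""
    funcs = sql_functions(statement)
    intersects = any(f in BANNED_FUNCTIONS for f in funcs)
    dblink = any(f.startswith(BANNED_PREFIXES) for f in funcs)
    if intersects or dblink:
        return ("deny", "pg-banned-functions")
    return ("allow", "default")  # assumed name for "no rule matched"

def replay(fixtures_json: str) -> list[str]:
    """Replay each fixture and emit ok/FAIL lines with a want/got diff."""
    out = []
    for fx in json.loads(fixtures_json):
        got, rule = pg_banned_functions(fx["statement"])
        want = fx["want"]
        if got == want["verdict"] and rule == want["rule"]:
            out.append(f'ok   {fx["name"]}')
        else:
            out.append(f'FAIL {fx["name"]}\n     want verdict="{want["verdict"]}" '
                       f'rule="{want["rule"]}"\n     got  verdict="{got}" rule="{rule}"')
    return out

# Constructed fixtures (not recorded from a real dashboard). The last one
# is deliberately stale: its recorded verdict no longer matches the rule.
FIXTURES = json.dumps([
    {"name": "tests/pg-read.json", "statement": "SELECT id FROM users LIMIT 10",
     "want": {"verdict": "allow", "rule": "default"}},
    {"name": "tests/pg-read-file.json", "statement": "SELECT pg_read_file('postgresql.conf')",
     "want": {"verdict": "deny", "rule": "pg-banned-functions"}},
    {"name": "tests/pg-dblink.json", "statement": "SELECT dblink_connect('host=10.0.0.5')",
     "want": {"verdict": "deny", "rule": "pg-banned-functions"}},
    {"name": "tests/pg-regressed.json", "statement": "SELECT lo_get(42)",
     "want": {"verdict": "allow", "rule": "default"}},
])

if __name__ == "__main__":
    print("\n".join(replay(FIXTURES)))
```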
