Show HN: Claw Patrol, a security firewall for agents

41 points - last Tuesday at 4:06 PM

At Deno we've been using OpenClaw and other agents increasingly for addressing production problems in Deno Deploy - when a PagerDuty alert fires, the agent starts researching the cause and making fixes.

In order to do this, the agent needs access to real production systems - postgres, kubernetes, gcp, clickhouse, github, etc. But this is dangerous to say the least - we want destructive actions to be reviewed by other LLMs, approved by humans, and logged appropriately.

Claw Patrol terminates TCP connections over WireGuard or Tailscale, then parses application protocols (eg http, postgres, ssh) to apply rules that allow you to deny/allow requests.

There are a few projects that sit as a proxy in front of agents to do secret injection or apply various guardrails, but none met our needs (LLM gateways, MCP proxies, sandboxes), particularly the need to handle low-level protocols, or handle complex real world situations like tunneling postgres through k8s.

Written in Go, configured in HCL, MIT licensed. Happy to answer any questions.

https://clawpatrol.dev/

Source

Comments

radku today at 6:15 PM

Nice work shipping this.

Disclosure: author of a related tool here. I have create agent-vault-proxy for a very similar reason. It also can help keep credentials out of the agent process. The agent gets a placeholder, the proxy swaps in the real secret in transit.

I read them as complementary: action firewall in front, credential broker behind. https://github.com/inflightsec/agent-vault-proxy

varmabudharaju today at 5:53 PM

This is very interesting. I build something like this but native to claude code and something that focus on just logging the violation. My question is if you are terminating a process with in the workflow will that about all other things that executed before. anyway would love your feed back on this https://github.com/varmabudharaju/agent-pd

Apylon777 last Tuesday at 6:23 PM

This is a really cool library to look at even if you aren't running openclaw directly.

Lots of good concepts to seek inspiration from.

1. process-scoped egress policy

2. policy-as-code

3. explicit approval classes

4. normalized network/ guardrail receipts.

5. structured guardrail outcomes

6. centralized decision rules

Jayakumark today at 5:37 PM

How will credentials be injected via Gateway for each user ? If we have 5 users with one gateway, how it knows whose github credential to inject ?

dhavd today at 6:21 PM

I did this

pavelpilyak last Tuesday at 6:20 PM

Neat! Reading the docs - it's default-allow and ships with no rules? Any plans for a default rule set?

Hans_Cui today at 1:32 PM

really interesting work! i am curious how you handle rule configuration for different protocols such as Postgres or ssh. Thanks for open-sourcing it under MIT.

oneclickclaw today at 1:27 PM

[flagged]