Zero-Trust OpenClaw Architecture Adds Pre-Execution Authorization and Post-Execution Verification

An open-source security architecture for OpenClaw addresses the problem of agents having ambient OS permissions with no reliable verification of their actions. The solution implements two hard checkpoints in the execution loop.
Pre-Execution Gate
A local Rust daemon called predicate-authorityd, running as a sidecar, intercepts every tool call before execution and checks it against a declarative policy. Authorization overhead is sub-millisecond in the common case, with a p99 below 25 ms. The system is fail-closed: if the sidecar is down, every call is denied. For example, if an agent tries to write to /etc/passwd, the call is hard-blocked and the host OS is never touched.
Post-Execution Verification
Instead of asking an LLM "did it work?" after browser actions, the system runs deterministic assertions like:
url_contains("news.ycombinator.com") → PASS
element_exists("titleline") → PASS
dom_contains("Show") → PASS
The .eventually() pattern handles SPA hydration without brittle sleep() calls.
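As an added illustration (not code from predicate-claw or the OpenClaw project), the following Python sketches both checkpoints: a first-match, default-deny policy evaluator behind a fail-closed authorize() wrapper, and an eventually() poller for deterministic post-execution assertions. The policy format, the function names and the simulated sidecar outage are assumptions.

```python
import fnmatch
import time

# Constructed declarative policy (assumption, not the project's format):
# ordered rules, first match wins, anything unmatched is denied.
POLICY = [
    {"tool": "fs.write", "path": "/etc/*", "effect": "deny"},
    {"tool": "fs.write", "path": "/tmp/agent/*", "effect": "allow"},
    {"tool": "browser.*", "path": "*", "effect": "allow"},
]

class SidecarDown(Exception):
    """Raised when the authorization daemon cannot be reached."""

def evaluate_policy(tool, path):
    """Deterministic check: first matching rule decides; no rule -> deny."""
    for rule in POLICY:
        if fnmatch.fnmatchcase(tool, rule["tool"]) and fnmatch.fnmatchcase(path, rule["path"]):
            return rule["effect"] == "allow"
    return False

def authorize(call, sidecar=evaluate_policy):
    """Gate one tool call before execution. Fail-closed: any sidecar
    failure (unreachable, timeout, malformed reply) is treated as a denial."""
    try:
        return bool(sidecar(call["tool"], call.get("path", "")))
    except Exception:
        return False

def eventually(predicate, timeout=2.0, interval=0.05):
    """Poll a deterministic predicate until it holds or the timeout expires,
    instead of a fixed sleep() that guesses when an SPA has hydrated."""
    deadline = time.monotonic() + timeout
    while True:
        if predicate():
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)

def down_sidecar(tool, path):
    """Simulated predicate-authorityd outage (constructed for the demo)."""
    raise SidecarDown("authorization daemon unreachable")

if __name__ == "__main__":
    print(authorize({"tool": "fs.write", "path": "/etc/passwd"}))  # False
    print(authorize({"tool": "fs.write", "path": "/tmp/agent/out.json"}))  # True
    print(authorize({"tool": "browser.click"}, sidecar=down_sidecar))  # False: fail-closed
    hydrated = iter([False, False, True])  # constructed: DOM ready on the third poll
    print(eventually(lambda: next(hydrated), timeout=1.0))  # True
```

Note that `*` in fnmatch also matches `/`, so `/etc/*` covers nested paths such as `/etc/ssh/sshd_config`; a real policy engine should state its glob semantics explicitly.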
Tracing and Token Savings
Every step—authorization decisions, DOM snapshots, verification results—gets pushed to a trace (local or cloud). You can replay the agent's exact state step-by-step in a web portal, useful for debugging failed assertions or auditing what the agent actually saw (screenshots included).
The predicate-snapshot skill compresses the DOM to only actionable elements, achieving 90-99% token savings. In a demo extracting Hacker News posts, it used ~1200 tokens per step instead of 50k+ for raw HTML.
Use Cases and Future Development
This architecture is production-ready for tasks like price monitoring on e-commerce sites (Amazon, eBay), competitor tracking, lead generation from directories, or any web scraping where you need guarantees the agent actually extracted the right data.
The pre-execution gate already works for any agent (it's just HTTP calls to the sidecar). Future development includes extending post-execution verification to non-web agents—file system state assertions, API response validation, database checks—using the same deterministic approach without LLM-as-judge.
Repositories
- OpenClaw security plugin: https://github.com/PredicateSystems/predicate-claw (with GIF demo)
- OpenClaw Snapshot skill: https://github.com/PredicateSystems/openclaw-predicate-skill
📖 Read the full source: r/clawdbot