Zero-Trust OpenClaw Architecture Adds Pre-Execution Authorization and Post-Execution Verification

An open-source security architecture for OpenClaw addresses the problem of agents having ambient OS permissions with no reliable verification of their actions. The solution implements two hard checkpoints in the execution loop.
Pre-Execution Gate
A local Rust daemon called predicate-authorityd intercepts every tool call before execution and checks it against a declarative policy. Authorization overhead is sub-millisecond, with a p99 under 25ms. The system is fail-closed: if the sidecar is down, every call is denied. For example, if an agent tries to write to /etc/passwd, the call is hard-blocked and the host OS is never touched.
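The fail-closed gate described above, as an added example written for this summary rather than code from predicate-claw or predicate-authorityd. The policy format (effect/tool/target globs, first match wins, no match denies), the ToolCall shape, the sidecar URL and its JSON fields are all constructed assumptions, not the daemon's real interface; the only thing the example takes from the page is the rule that a missing or unreachable sidecar means deny.

```python
"""Fail-closed pre-execution gate (added example; policy format and endpoint are assumptions)."""
import json
import urllib.request
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Callable


@dataclass(frozen=True)
class ToolCall:
    tool: str    # dotted tool name such as "fs.write" (constructed naming)
    target: str  # what the tool acts on: a path, URL or command


@dataclass(frozen=True)
class Rule:
    effect: str  # "allow" or "deny"
    tool: str    # glob over tool names
    target: str  # glob over targets


@dataclass
class Policy:
    """Declarative policy: first matching rule wins; no match at all means deny."""
    rules: list = field(default_factory=list)

    def decide(self, call: ToolCall) -> str:
        for rule in self.rules:
            if fnmatch(call.tool, rule.tool) and fnmatch(call.target, rule.target):
                return rule.effect
        return "deny"


class SidecarUnavailable(Exception):
    """The authorization sidecar gave no usable answer (down, timeout, malformed reply)."""


def ask_sidecar_http(call: ToolCall, url: str = "http://127.0.0.1:8787/authorize",
                     timeout: float = 0.5) -> str:
    """Ask a local sidecar over HTTP. The endpoint and JSON shape are hypothetical."""
    body = json.dumps({"tool": call.tool, "target": call.target}).encode()
    req = urllib.request.Request(url, data=body, headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            data = json.load(resp)
    except (OSError, ValueError) as exc:  # URLError, timeouts and bad JSON all end up here
        raise SidecarUnavailable(str(exc)) from exc
    return data.get("decision", "deny") if isinstance(data, dict) else "deny"


def authorize(call: ToolCall, ask: Callable[[ToolCall], str]) -> str:
    """Fail-closed: anything other than an explicit 'allow' from the sidecar is a deny."""
    try:
        verdict = ask(call)
    except SidecarUnavailable:
        return "deny"
    return "allow" if verdict == "allow" else "deny"


def gated_execute(call: ToolCall, ask: Callable[[ToolCall], str],
                  run: Callable[[ToolCall], object]) -> dict:
    """Run the tool only on 'allow' and return a record suitable for the step trace."""
    decision = authorize(call, ask)
    record = {"tool": call.tool, "target": call.target, "decision": decision, "executed": False}
    if decision == "allow":
        record["output"] = run(call)
        record["executed"] = True
    return record


# Constructed policy for the example: deny rules come first so they win over allows.
EXAMPLE_POLICY = Policy([
    Rule("deny", "fs.*", "/etc/*"),
    Rule("allow", "fs.read", "/home/agent/*"),
    Rule("allow", "http.get", "https://news.ycombinator.com/*"),
])


def sidecar_down(call: ToolCall) -> str:
    """Stand-in for an unreachable sidecar."""
    raise SidecarUnavailable("connection refused")


if __name__ == "__main__":
    runner = lambda c: f"ran {c.tool} on {c.target}"
    print(gated_execute(ToolCall("fs.write", "/etc/passwd"), EXAMPLE_POLICY.decide, runner))
    print(gated_execute(ToolCall("fs.read", "/home/agent/notes.txt"), EXAMPLE_POLICY.decide, runner))
    print(gated_execute(ToolCall("fs.read", "/home/agent/notes.txt"), sidecar_down, runner))
```

The point to notice is that `authorize` never has a path that returns "allow" by default: a raised exception, an empty reply, or an unmatched rule all collapse to deny, which is what makes the gate safe to leave in front of every tool call.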
Post-Execution Verification
Instead of asking an LLM "did it work?" after browser actions, the system runs deterministic assertions like:
url_contains("news.ycombinator.com") → PASS
element_exists("titleline") → PASS
dom_contains("Show") → PASS
The .eventually() pattern handles SPA hydration without brittle sleep() calls.
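The three assertions and the eventually() pattern from above, as an added example that is not the plugin's own verification code: the PageState shape, the HydratingPage simulator (a constructed stand-in for an SPA whose DOM fills in a few polls after the URL is already right) and the regex-based element_exists are all assumptions made for this illustration. The interesting case is the failure path: when hydration never happens the checks report FAIL rather than hanging or passing.

```python
"""Deterministic post-execution verification with polling (added example, not project code)."""
import re
import time
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class PageState:
    url: str
    dom: str  # serialized DOM snapshot (constructed)


Check = Callable[[PageState], bool]


def url_contains(fragment: str) -> Check:
    return lambda page: fragment in page.url


def element_exists(css_class: str) -> Check:
    # Crude stand-in for a real DOM query: look for the class token inside a class attribute.
    pattern = re.compile(r'class="[^"]*\b' + re.escape(css_class) + r'\b[^"]*"')
    return lambda page: pattern.search(page.dom) is not None


def dom_contains(text: str) -> Check:
    return lambda page: text in page.dom


def eventually(check: Check, get_page: Callable[[], PageState], attempts: int = 20,
               interval: float = 0.05, sleep: Callable[[float], None] = time.sleep) -> bool:
    """Re-snapshot and re-check until the assertion holds or the attempt budget runs out."""
    for n in range(attempts):
        if check(get_page()):
            return True
        if n < attempts - 1:
            sleep(interval)
    return False


def verify(get_page: Callable[[], PageState], assertions: list, **poll_opts) -> list:
    """Run each named assertion through eventually() and return PASS/FAIL records for the trace."""
    results = []
    for name, check in assertions:
        ok = eventually(check, get_page, **poll_opts)
        results.append({"assertion": name, "result": "PASS" if ok else "FAIL"})
    return results


class HydratingPage:
    """Constructed SPA stand-in: the URL is right at once, the DOM appears after N snapshots."""

    def __init__(self, hydrate_after: int = 3):
        self.polls = 0
        self.hydrate_after = hydrate_after

    def snapshot(self) -> PageState:
        self.polls += 1
        dom = '<div id="app"></div>'
        if self.polls >= self.hydrate_after:
            dom = ('<div id="app"><span class="titleline">'
                   '<a href="#">Show HN: a constructed post</a></span></div>')
        return PageState(url="https://news.ycombinator.com/", dom=dom)


HN_ASSERTIONS = [
    ('url_contains("news.ycombinator.com")', url_contains("news.ycombinator.com")),
    ('element_exists("titleline")', element_exists("titleline")),
    ('dom_contains("Show")', dom_contains("Show")),
]


if __name__ == "__main__":
    for record in verify(HydratingPage(hydrate_after=3).snapshot, HN_ASSERTIONS):
        print(f'{record["assertion"]} → {record["result"]}')
```

Because each check is a pure function of a snapshot, the same PASS/FAIL records can be replayed from the trace later without re-running the browser, which is what makes them auditable in a way an LLM judgement is not.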
Tracing and Token Savings
Every step—authorization decisions, DOM snapshots, verification results—gets pushed to a trace (local or cloud). You can replay the agent's exact state step-by-step in a web portal, useful for debugging failed assertions or auditing what the agent actually saw (screenshots included).
The predicate-snapshot skill compresses the DOM to only actionable elements, achieving 90-99% token savings. In a demo extracting Hacker News posts, it used ~1200 tokens per step instead of 50k+ for raw HTML.
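An added example of the compression idea, not the predicate-snapshot skill's own code: keep only actionable elements (links, buttons, form controls) with a few attributes and their visible text, drop everything else, and compare a rough token estimate for the raw HTML against the compressed form. The SAMPLE_HTML is a constructed front-page-like fragment, the element and attribute sets are assumptions, and the 4-characters-per-token estimate is a proxy, so the savings figure here is indicative only and lower than the 90-99% quoted above because the toy page carries little of the boilerplate a real page does.

```python
"""Compress a DOM to its actionable elements (added example; not the predicate-snapshot skill)."""
from html.parser import HTMLParser

ACTIONABLE = {"a", "button", "input", "textarea", "select"}  # assumed set for this example
VOID = {"input"}                                              # no closing tag: emit on start tag
KEPT_ATTRS = ("href", "name", "type", "id")


class ActionableExtractor(HTMLParser):
    """Collects actionable elements with their kept attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self._open = None  # element currently collecting its text, if any

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIONABLE:
            return
        a = dict(attrs)
        el = {"tag": tag, "text": "", **{k: a[k] for k in KEPT_ATTRS if a.get(k)}}
        if tag in VOID:
            self.elements.append(el)
        else:
            self._open = el

    def handle_data(self, data):
        if self._open is not None:
            cleaned = " ".join(data.split())  # collapse layout whitespace
            self._open["text"] = (self._open["text"] + " " + cleaned).strip()

    def handle_endtag(self, tag):
        if self._open is not None and tag == self._open["tag"]:
            self.elements.append(self._open)
            self._open = None


def extract_actionable(html: str) -> list:
    parser = ActionableExtractor()
    parser.feed(html)
    parser.close()
    return parser.elements


def compress_dom(html: str) -> str:
    """One compact, indexed line per actionable element so an agent can refer to it by number."""
    lines = []
    for i, el in enumerate(extract_actionable(html)):
        parts = [f"[{i}]", el["tag"]] + [f"{k}={el[k]}" for k in KEPT_ATTRS if k in el]
        parts.append(f'"{el["text"]}"')
        lines.append(" ".join(parts))
    return "\n".join(lines)


def estimate_tokens(text: str) -> int:
    """Rough proxy (about 4 characters per token); real tokenizers differ."""
    return max(1, len(text) // 4)


def token_savings(html: str) -> float:
    """Fraction of estimated tokens saved by sending the compressed snapshot instead of raw HTML."""
    return 1 - estimate_tokens(compress_dom(html)) / estimate_tokens(html)


# Constructed sample page: styling, script and table layout are noise; 10 actionable elements.
SAMPLE_HTML = """<html><head><title>Hacker News</title>
<style>body{font-family:Verdana,Geneva,sans-serif;font-size:10pt;color:#828282}
td{font-family:Verdana,Geneva,sans-serif;font-size:10pt;color:#828282}
.title{font-size:10pt}.subtext{font-size:7pt}.score{font-weight:bold}
.pagetop{font-size:10pt;color:#222}.hnname{margin-right:5px}</style>
<script>function vote(ev,el,how){var id=el.id.split('_')[1];
var up=document.getElementById('up_'+id);var unv=document.getElementById('unv_'+id);
fetch('/vote?id='+id+'&how='+how);return false;}</script></head>
<body><center><table id="hnmain" border="0" cellpadding="0" cellspacing="0" width="85%">
<tr><td bgcolor="#ff6600"><span class="pagetop"><b class="hnname"><a href="news">Hacker News</a></b>
<a href="newest">new</a> | <a href="front">past</a> | <a href="submit">submit</a></span></td></tr>
<tr class="athing" id="1"><td class="title"><span class="titleline">
<a href="https://example.com/show">Show HN: A constructed sample post</a></span></td></tr>
<tr><td class="subtext"><span class="score">42 points</span> by <a href="user?id=alice">alice</a>
<span class="age">1 hour ago</span> | <a href="item?id=1">12 comments</a></td></tr>
<tr class="athing" id="2"><td class="title"><span class="titleline">
<a href="https://example.org/post">Another constructed headline</a></span></td></tr>
<tr><td><form action="/search"><input type="text" name="q" placeholder="Search">
<button type="submit">Go</button></form></td></tr>
</table></center></body></html>"""


if __name__ == "__main__":
    print(compress_dom(SAMPLE_HTML))
    print(f"estimated token savings: {token_savings(SAMPLE_HTML):.0%}")
```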
Use Cases and Future Development
This architecture is production-ready for tasks like price monitoring on e-commerce sites (Amazon, eBay), competitor tracking, lead generation from directories, or any web scraping where you need guarantees the agent actually extracted the right data.
The pre-execution gate already works for any agent (it's just HTTP calls to the sidecar). Future development includes extending post-execution verification to non-web agents—file system state assertions, API response validation, database checks—using the same deterministic approach without LLM-as-judge.
Repositories
- OpenClaw security plugin: https://github.com/PredicateSystems/predicate-claw (with GIF demo)
- OpenClaw Snapshot skill: https://github.com/PredicateSystems/openclaw-predicate-skill
📖 Read the full source: r/clawdbot
👀 See Also

Open-Source Attack Surface Management Cheat Sheet Released
A developer has open-sourced an Attack Surface Management cheat sheet that covers practical workflows, tools, and references. The project includes sections on asset discovery, infrastructure tracking, reconnaissance tooling, automation workflows, and learning resources.

Supply-chain attack uses invisible Unicode code to bypass detection
Researchers discovered 151 malicious packages uploaded to GitHub from March 3-9 using invisible Unicode characters to hide malicious code. The attack targets GitHub, NPM, and Open VSX repositories with packages that appear legitimate but contain hidden payloads.
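A defensive counterpart to the technique in this item, as an added example not tied to the research or to any of the 151 packages: a scanner that flags Unicode format characters (category Cf, which covers zero-width and bidi-control code points) plus a few blank-rendering lookalikes that fall outside that category. The sample inputs are constructed; the lookalike list is an assumption and not exhaustive.

```python
"""Flag invisible and direction-control code points in source text (added example)."""
import unicodedata
from typing import NamedTuple

# Not category Cf, but render as blank and are used as lookalikes (assumed list, not exhaustive).
EXTRA_INVISIBLE = {0x115F, 0x1160, 0x3164, 0xFFA0}  # Hangul fillers


class Finding(NamedTuple):
    line: int
    col: int
    codepoint: str
    name: str


def is_invisible(ch: str) -> bool:
    """True for Unicode format characters (zero-width, joiners, bidi controls, tags) and lookalikes."""
    return unicodedata.category(ch) == "Cf" or ord(ch) in EXTRA_INVISIBLE


def scan_text(text: str) -> list:
    """Return one Finding per suspicious code point, with 1-based line and column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append(Finding(lineno, col, f"U+{ord(ch):04X}",
                                        unicodedata.name(ch, "<unnamed>")))
    return findings


def scan_file(path: str) -> list:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed samples: a clean snippet and one seeded with three hidden code points.
CLEAN_SAMPLE = 'const greet = (name) => `hi ${name}`;\nmodule.exports = { greet };\n'
HIDDEN_SAMPLE = ('const ok = true;\u200B\n'      # zero-width space after the statement
                 'let x = \u2064"a";\n'          # invisible plus before the string
                 '// \u202Ecomment\n')           # right-to-left override in a comment


if __name__ == "__main__":
    for f in scan_text(HIDDEN_SAMPLE):
        print(f"line {f.line} col {f.col}: {f.codepoint} {f.name}")
```

Flagging on category rather than on a fixed list of code points is what keeps the check useful against variants: any future zero-width or bidi trick that uses a format character is caught without updating the scanner, while legitimate non-ASCII identifiers and strings (letters, digits, punctuation) are left alone.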

SupraWall MCP Plugin Blocks Prompt Injection Attacks on Local AI Agents
SupraWall is an MCP plugin that intercepts and blocks sensitive data exfiltration attempts from AI agents, demonstrated in a red-team challenge where it prevented credential leaks via prompt injection attacks.

AI System Discovers 12 OpenSSL Zero-Days, Curl Cancels Bug Bounty Due to AI Spam
AISLE's AI system discovered all 12 zero-day vulnerabilities in OpenSSL's recent security release, marking the first large-scale demonstration of AI-based cybersecurity. Meanwhile, curl cancelled its bug bounty program due to AI-generated spam submissions.