Zero-Trust OpenClaw Architecture Adds Pre-Execution Authorization and Post-Execution Verification

An open-source security architecture for OpenClaw addresses the problem of agents having ambient OS permissions with no reliable verification of their actions. The solution implements two hard checkpoints in the execution loop.
Pre-Execution Gate
A local Rust daemon called predicate-authorityd intercepts every tool call before execution and checks it against a declarative policy. This provides sub-millisecond authorization overhead with p99 <25ms. The system is fail-closed: if the sidecar is down, everything is denied. For example, if an agent tries to write to /etc/passwd, it's hard blocked and the host OS is never touched.
Post-Execution Verification
Instead of asking an LLM "did it work?" after browser actions, the system runs deterministic assertions like:
url_contains("news.ycombinator.com")→ PASSelement_exists("titleline")→ PASSdom_contains("Show")→ PASS
The .eventually() pattern handles SPA hydration without brittle sleep() calls.
Tracing and Token Savings
Every step—authorization decisions, DOM snapshots, verification results—gets pushed to a trace (local or cloud). You can replay the agent's exact state step-by-step in a web portal, useful for debugging failed assertions or auditing what the agent actually saw (screenshots included).
The predicate-snapshot skill compresses the DOM to only actionable elements, achieving 90-99% token savings. In a demo extracting Hacker News posts, it used ~1200 tokens per step instead of 50k+ for raw HTML.
Use Cases and Future Development
This architecture is production-ready for tasks like price monitoring on e-commerce sites (Amazon, eBay), competitor tracking, lead generation from directories, or any web scraping where you need guarantees the agent actually extracted the right data.
The pre-execution gate already works for any agent (it's just HTTP calls to the sidecar). Future development includes extending post-execution verification to non-web agents—file system state assertions, API response validation, database checks—using the same deterministic approach without LLM-as-judge.
Repositories
- OpenClaw security plugin: https://github.com/PredicateSystems/predicate-claw (with GIF demo)
- OpenClaw Snapshot skill: https://github.com/PredicateSystems/openclaw-predicate-skill
📖 Read the full source: r/clawdbot
👀 See Also

Security probe results for OpenClaw, PicoClaw, ZeroClaw, IronClaw, and Minion AI agents
A security evaluation of five AI coding agents tested 145 attack payloads across 12 categories including prompt injection, jailbreaking, and data exfiltration. OpenClaw scored 77.8/100 with critical SQL injection vulnerabilities, while Minion improved from 81.2 to 94.4/100 after fixes.

arifOS: A $15 MCP Governance Kernel for OpenClaw Tool Security
arifOS is a lightweight MCP server that intercepts OpenClaw tool calls, scores them 000-999, and blocks unsafe actions with 13 hard security floors before they reach filesystems, APIs, or databases.

Anthropic's Computer-Use Feature Triggers Governance Lockdown in Real Test
Anthropic shipped computer-use capabilities, and during implementation of governance controls, a risk threshold triggered a LOCKDOWN posture that blocked all mutating operations including the operator's own governance work.

Domain-Camouflaged Injection Attacks Evade Detectors in Multi-Agent LLM Systems
A new paper shows injection payloads tailored to domain vocabulary evade detection, dropping IDR from 93.8% to 9.7%. Multi-agent debate amplifies attacks. Llama Guard 3 detects zero payloads.