--- title: "Clawarmor" id: "987562582" type: "page" slug: "clawarmor" published_at: "2026-05-19T09:51:24+00:00" modified_at: "2026-06-16T06:03:03+00:00" url: "https://accuknox.com/platform/clawarmor" markdown_url: "https://accuknox.com/platform/clawarmor.md" taxonomy_author: - "Mrinal" --- # Run Autonomous AI Agents Without Giving Them Your Secrets, Your Network, Or Your Trust. Prompt injections, malicious skills, sandbox bypasses — neutralized below the app, where the agent can't override. ## Governed Agentic AI, On **Your Own Infrastructure.** Per-agent isolation. Default deny. OpenBAO-backed secrets that never touch the container. Full runtime traces. The end state security teams can actually sign off on. ## The Agentic AI Security Gap, In Three Steps. Most platforms shortcut the hardest problem: how do you give an autonomous agent the credentials and network access it needs without handing them over? ### Every AI Agent Needs Credentials, Tools, And External Services. Most platforms handle this insecurely. Agents install packages ad-hoc, hold credentials directly inside the container, and make unconstrained outbound calls. Every agent becomes a credential-exfiltration surface. ### OpenShell Uses A Shared, Node-Level Proxy. One node, one proxy, every agent on it sharing the same blast radius. A single compromised agent exposes all credentials across every agent on the cluster. ### ClawArmor Isolates Every Agent At The Network Layer. A per-agent HTTPS proxy intercepts outbound calls, fetches secrets from OpenBAO, and injects them at the network layer. The agent never touches the actual credential value. Network is default deny. Every run is observable end-to-end. ## Secrets Never Enter The Agent Container. A per-agent proxy lane sits between the agent and the world. Outbound calls are intercepted, secrets are resolved from OpenBAO and injected on the wire, and anything not on the allowlist is dropped. ### Inside The Agent Container, The **Credential Literally Does Not Exist.** What you see when you exec into a running agent: the env var is a resolver handle, not the secret. The proxy resolves and injects on the wire, scoped to the host the secret was bound to. Compromise the agent and you still have nothing useful. ## 12 Unpatchable Attack Classes All neutralized below the app, at the kernel. RCE CRITICAL Unrestricted Shell Execution exec runs as the host Node.js process. Injected instructions reach a live shell. CVE-2026-25253 HIGH ClawJacked — WebSocket Auth Bypass Malicious pages send commands to the local gateway via WebSocket. CVE-2026-22172 CRITICAL CVE-2026-22172 Scope Elevation Via Shared Auth TOCTOU HIGH Sandbox Path Traversal assertSandboxPath holds no lock. A symlink swap escapes the workspace. API HIGH /tools/invoke Ignores Deny List Endpoint never resolves the session's sandbox context. Any skill calls any tool. Supply Chain HIGH Malicious ClawHub Skills 820+ malicious skills run with full process permissions. No install review. Injection CRITICAL Untrusted Content As Instructions Emails, pages, and webhooks carry adversarial instructions indistinguishable from user input. Persistence HIGH Memory Poisoning Injection writes false context into persistent memory. Future sessions act on it. Secrets HIGH Plaintext Credential Storage Pre-2026.2.12 stored API keys as plaintext. Misconfigurations remain common. Container CRITICAL Docker Socket Exposure Tutorials mount /var/run/docker.sock. Equivalent to root on the host. Exposure HIGH Public Management Port Default binds gateway on 0.0.0.0:3000. 53,000+ instances exposed with no auth. Bypass HIGH Elevated Exec Sandbox Bypass tools.elevated runs on the host regardless of sandbox mode. ## From Environment Definition To AI-BOM Export One declarative surface. Four steps from approved packages to an auditable agent. Step through each stage to see the actual screen. - ### Choose From Approved Packages Curated from a 100,000+ package library. Search, select, version-lock. No ad-hoc installs. The package boundary is enforced at runtime, not assumed. - ### Bind Secrets To Specific Hosts Scoped at creation. A token bound to github.com cannot authenticate elsewhere. Credentials are stored in OpenBAO and resolved on demand by the proxy. - ### Compose The Agent Declaratively Tools, model, packages, environments, network policies — all declared and reconciled by a Kubernetes controller. Edit and apply, no agent restarts required. - ### Export A Complete Agent AI-BOM Full bill of materials per agent: packages, policies, approved tools. Critical for compliance and supply-chain review. Auditors get a real artifact, not a screenshot. ## Hardened By Default Agent Security Walkthrough ## What Changes When ClawArmor Is Applied. **Secure Skills. Secure Builds, Secure Model APIs with Organizational RBAC support.** | Control | Default OpenClaw | | | --- | --- | --- | | Filesystem isolation | None — full host access | Kernel-enforced workspace allowlist | | Process execution control | None | Signed binary allowlist via KubeArmor | | Network egress restriction | None | Allowlist-only outbound connections | | nmap / scanner execution | Permitted | Blocked at kernel syscall level | | Docker socket access | Often mounted by tutorials | Explicitly denied by default | | Credential file access (.ssh, .aws) | Unrestricted | Denied outside workspace path | | Malicious skill containment | Runs at full process permissions | Contained within policy boundary | | Prompt-injection blast radius | Full host + credential access | Workspace directory only | | Sandbox policy bypass | Possible via /tools/invoke or TOCTOU | Not possible — kernel-level enforcement | | Audit trail | Application logs only | KubeArmor telemetry → AI-SPM dashboard | ## Who This Is For Security-first teams putting autonomous agents on real systems — not chat UIs on top of an API. ### Enterprise Security And Platform Security Teams Deploying autonomous AI agents on Kubernetes who need governance, observability, and credential isolation without a cloud-hosted AI dependency. ### Enterprise Architects And DevSecOps Mid-to-large enterprises running agentic workflows — reporting, incident response, cluster debugging — hitting cost ceilings or rate limits with frontier providers. ### Regulated Industries Finance, healthcare, defense. Data residency or compliance requirements that make cloud-based agentic AI non-viable. They need a self-hosted alternative with a credible security model. **NOT FOR** Teams that just want a chat interface on top of an LLM. ClawArmor is infrastructure for governing AI agents that act autonomously on real systems — not a ChatGPT replacement. Get a LIVE Tour ## Ready For A Personalized Security Assessment? “Choosing AccuKnox was driven by opensource KubeArmor’s novel use of eBPF and LSM technologies, delivering runtime security” Golan Ben-Oni Chief Information Officer “At Prudent, we advocate for a comprehensive end-to-end methodology in application and cloud security. AccuKnox excelled in all areas in our in depth evaluation.” Manoj Kern CIO “Tible is committed to delivering comprehensive security, compliance, and governance for all of its stakeholders.” Merijn Boom Managing Director