Deterministic in-path execution boundary for OpenClaw agents
Project description
ClawZero
ClawZero is a deterministic in-path enforcement substrate for OpenClaw agent flows.
ClawZero brings MVAR's execution boundary to OpenClaw agents.
Same input. Same agent. Different boundary.
ClawZero places a deterministic execution boundary between model output and tool execution. Powered by MVAR. ClawZero is not a model. It's a runtime firewall. It works with any LLM, any OpenClaw agent, any tool definition.
SAME INPUT. SAME AGENT. DIFFERENT BOUNDARY. Standard OpenClaw executes the attack. MVAR blocks it deterministically.
30-Second Quickstart
git clone https://github.com/mvar-security/clawzero
cd clawzero
pip install -e .
clawzero demo openclaw --mode compare --scenario shell
Expected output:
STANDARD OPENCLAW → COMPROMISED
MVAR-PROTECTED → BLOCKED ✓
Witness generated → YES
Attack Demo Proof
The attack demo is proof of enforcement behavior, not the product center.
ClawZero is not a model-safety claim. It is an execution-boundary claim.
Security and Responsible Use
ClawZero is a defensive security component designed to enforce execution boundaries for AI agents.
The project includes attack demonstrations and adversarial scenarios in order to illustrate how prompt injection and untrusted inputs can reach high-privilege execution sinks.
These demonstrations exist solely for defensive research and education.
When using ClawZero or its demonstrations:
- Only test systems you own or have explicit authorization to evaluate
- Run demonstrations in sandboxed or isolated environments
- Treat automated results as signals; verify findings manually
ClawZero is designed to prevent exploitation, not enable it.
The attack demonstrations show how enforcement works; they are not tools for performing real-world attacks.
Canonical Witness Artifact
{
"timestamp": "2026-03-12T10:00:00Z",
"agent_runtime": "openclaw",
"sink_type": "shell.exec",
"target": "bash",
"decision": "block",
"reason_code": "UNTRUSTED_TO_CRITICAL_SINK",
"policy_id": "mvar-embedded.v0.1",
"engine": "embedded-policy-v0.1",
"provenance": {
"source": "external_document",
"taint_level": "untrusted",
"source_chain": ["external_document", "openclaw_tool_call"],
"taint_markers": ["prompt_injection", "external_content"]
},
"adapter": {
"name": "openclaw",
"mode": "event_intercept",
"framework": "openclaw"
},
"witness_signature": "ed25519_stub:abcd1234ef567890"
}
What ClawZero Is / Is Not
ClawZero is:
- An in-path runtime enforcement substrate
- Deterministic sink policy evaluation at execution time
- A signed witness artifact generator for auditability
ClawZero is not:
- A red-team toolkit
- An attack simulation platform first
- An LLM-as-judge safety layer
CLI
Command families map to enforcement jobs:
clawzero demo- run side-by-side enforcement proof demosclawzero witness- inspect and validate witness artifactsclawzero audit- evaluate deterministic decisions for sink requestsclawzero attack- replay known attack scenarios as enforcement proofs
OpenClaw Attack Demo
Run the side-by-side comparison:
clawzero demo openclaw --mode compare --scenario shell
clawzero demo openclaw --mode compare --scenario credentials
clawzero demo openclaw --mode compare --scenario benign
Zero-Config API
from clawzero import protect
safe_tool = protect(my_tool, sink="filesystem.read", profile="prod_locked")
Policy Profiles
| Sink Type | dev_balanced | dev_strict | prod_locked |
|---|---|---|---|
shell.exec |
block | block | block |
filesystem.read |
allow, block /etc/**, ~/.ssh/** |
block, allow /workspace/** |
block, allow /workspace/project/** |
filesystem.write |
allow, block /etc/**, ~/.ssh/** |
block, allow /workspace/** |
block, allow /workspace/project/** |
credentials.access |
block | block | block |
http.request |
allow | allow mode + block all domains | allow mode + allow localhost |
tool.custom |
allow | annotate | allow |
Powered by MVAR
- MVAR repository: https://github.com/mvar-security/mvar
- ClawZero is the OpenClaw adapter for MVAR
- MVAR is the enforcement engine behind ClawZero policy decisions
The MVAR execution governance model is:
- Filed as provisional patent (February 24, 2026, 24 claims)
- Submitted to NIST RFI Docket NIST-2025-0035
- Published as preprint on SSRN (February 2026)
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file clawzero-0.1.0.tar.gz.
File metadata
- Download URL: clawzero-0.1.0.tar.gz
- Upload date:
- Size: 19.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
82228dbdcc94e8e8fcdee525bb929de8f639d093a2bf23fe0c5630f2f3200b97
|
|
| MD5 |
b231977c8135752462673202e2960c4c
|
|
| BLAKE2b-256 |
8cb421cb46d204fe99adee372b1883e79eb0bb42d0ec137aeec3a184b7fa29be
|
File details
Details for the file clawzero-0.1.0-py3-none-any.whl.
File metadata
- Download URL: clawzero-0.1.0-py3-none-any.whl
- Upload date:
- Size: 19.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bdf2af435a804338ef3178f384c568db954e5b3606caed978eebba3ed32d1c51
|
|
| MD5 |
6046da5e7306951fc70b42e5e143f177
|
|
| BLAKE2b-256 |
292c6afd7182ffc1d77325b1b997ea2a5f51b58c4c7e21d2a36924cc55c9d6b0
|
