Deterministic in-path execution boundary for OpenClaw agents
Project description
ClawZero
Powered by MVAR: https://github.com/mvar-security/mvar
Same input. Same agent. Different execution boundary.
ClawZero is a deterministic execution boundary for OpenClaw agents.
It places policy enforcement between model output and tool execution.
Powered by MVAR, the runtime for secure AI agents.
ClawZero is not a model. It is a runtime enforcement boundary.
It works with any LLM, any OpenClaw agent, and any tool definition.
Execution boundary for OpenClaw agents. Powered by MVAR.
pip install clawzero
clawzero demo openclaw --mode compare --scenario shell
Standard OpenClaw -> COMPROMISED
ClawZero -> BLOCKED ✓
Standard OpenClaw executes the attack. ClawZero blocks it deterministically.
ClawZero places a deterministic execution boundary between model output and tool execution.
30-Second Quickstart
pip install clawzero
clawzero demo openclaw --mode compare --scenario shell
Expected output:
STANDARD OPENCLAW → COMPROMISED
MVAR-PROTECTED → BLOCKED ✓
Witness generated → YES
Adapters
OpenClaw adapter is included and works out of the box:
pip install clawzero
LangChain adapter code is included, and requires LangChain packages in your project:
pip install clawzero langchain langchain-openai
LangChain Integration
from clawzero.adapters.langchain import protect_langchain_tool
safe_tool = protect_langchain_tool(
my_langchain_tool,
sink="filesystem.read",
profile="prod_locked",
)
Run the packaged example:
python examples/langchain_integration.py
Why ClawZero?
Autonomous AI agents frequently execute tool calls with high privileges.
When these agents ingest untrusted input, prompt injection can escalate into:
- shell execution
- filesystem access
- credential leakage
- data exfiltration
ClawZero prevents these escalations by enforcing deterministic policy checks at execution sinks before commands run.
Threat Model
OpenClaw agents commonly run with tools capable of:
- shell execution
- filesystem access
- credential retrieval
- outbound network requests
When these agents process untrusted documents or user input, hidden instructions can influence tool calls.
Without an execution boundary, these instructions can trigger high-privilege operations.
ClawZero intercepts these tool calls and enforces policy before execution occurs.
Attack Demo Proof
The attack demo exists to demonstrate runtime enforcement behavior.
ClawZero is not a model safety claim.
It is an execution boundary claim.
The demo illustrates how untrusted input can influence agent tool calls and how the ClawZero boundary blocks those actions deterministically.
Run the side-by-side comparison:
clawzero demo openclaw --mode compare --scenario shell
clawzero demo openclaw --mode compare --scenario credentials
clawzero demo openclaw --mode compare --scenario benign
Security and Responsible Use
ClawZero is a defensive security component designed to enforce execution boundaries for AI agents.
The project includes attack demonstrations and adversarial scenarios to show how prompt injection and untrusted inputs can reach high-privilege execution sinks.
These demonstrations exist solely for defensive research and education.
When using ClawZero or its demonstrations:
- Only test systems you own or have explicit authorization to evaluate
- Run demonstrations in sandboxed or isolated environments
- Treat automated results as signals; verify findings manually
ClawZero is designed to prevent exploitation, not enable it.
The attack demonstrations show how enforcement works; they are not tools for performing real-world attacks.
Canonical Witness Artifact
{
"timestamp": "2026-03-12T10:00:00Z",
"agent_runtime": "openclaw",
"sink_type": "shell.exec",
"target": "bash",
"decision": "block",
"reason_code": "UNTRUSTED_TO_CRITICAL_SINK",
"policy_id": "mvar-security.v1.4.3",
"engine": "mvar-security",
"provenance": {
"source": "external_document",
"taint_level": "untrusted",
"source_chain": ["external_document", "openclaw_tool_call"],
"taint_markers": ["prompt_injection", "external_content"]
},
"adapter": {
"name": "openclaw",
"mode": "event_intercept",
"framework": "openclaw"
},
"witness_signature": "ed25519:d91fd8f73f3d05f8ec7b3d8e5e7cf2e27869a5f0f1ee3bd17da2df5ec41c9cb2a3c7e4f3540b4f7f4f948f0f185318273447bcb0adf24a4b2a1b53b7a1b2c90a"
}
What ClawZero Is / Is Not
ClawZero is:
- an in-path runtime enforcement substrate
- deterministic sink policy evaluation
- a signed witness artifact generator
ClawZero is not:
- a red-team toolkit
- an attack simulation platform
- an LLM-as-judge safety layer
CLI
Command families map to enforcement jobs:
clawzero demo- run side-by-side enforcement proof demosclawzero witness- inspect and validate witness artifactsclawzero audit- evaluate deterministic decisions for sink requestsclawzero attack- replay known attack scenarios as enforcement proofsclawzero report- export witness artifacts to SARIF for code scanning
Zero-Config API
from clawzero import protect
safe_tool = protect(
my_tool,
sink="filesystem.read",
profile="prod_locked"
)
Policy Profiles
| Sink Type | dev_balanced | dev_strict | prod_locked |
|---|---|---|---|
shell.exec |
block | block | block |
filesystem.read |
allow, block /etc/**, ~/.ssh/** |
block, allow /workspace/** |
block, allow /workspace/project/** |
filesystem.write |
allow, block /etc/**, ~/.ssh/** |
block, allow /workspace/** |
block, allow /workspace/project/** |
credentials.access |
block | block | block |
http.request |
allow | allow mode + block all domains | allow mode + allow localhost |
tool.custom |
allow | annotate | allow |
Powered by MVAR
MVAR is the enforcement engine. ClawZero is the OpenClaw adapter. MVAR governs the sink policy enforcement decisions.
- MVAR repository: https://github.com/mvar-security/mvar
- Filed as provisional patent (February 24, 2026, 24 claims)
- Submitted to NIST RFI Docket NIST-2025-0035
- Published as preprint on SSRN (February 2026)
Early Release - Join Us
This is early. The clawzero demo shows enforcement in harness + OpenClaw simulation.
Real multi-turn agent testing is next.
If you're running agents (LangChain, CrewAI, AutoGen, OpenClaw, etc.) and want to try it live:
- DM @Shawndcohen on X
- Open an issue with your setup/framework
Happy to pair debug and share results.
License
Apache 2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file clawzero-0.1.5.tar.gz.
File metadata
- Download URL: clawzero-0.1.5.tar.gz
- Upload date:
- Size: 60.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
94c4e556b9b82f32e7011032e633349795d52c9c815b8be090eb9db765329d8e
|
|
| MD5 |
f989b4de2b0c8d742582bfb8f7404dfc
|
|
| BLAKE2b-256 |
069b16e8b688af997eec552685f5e4192aeb9832a33e01d378086a2a7accebaa
|
File details
Details for the file clawzero-0.1.5-py3-none-any.whl.
File metadata
- Download URL: clawzero-0.1.5-py3-none-any.whl
- Upload date:
- Size: 57.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c0c6402a4c0d7db1cff56b4f86c1e43faacf90bd37838dedc53a75af632efedf
|
|
| MD5 |
565d4f3cd60e28c0ea0583d9981061f3
|
|
| BLAKE2b-256 |
3084e5cae219f496a6695d7670286e357cfd2379e9b76b7ac359242354429193
|
