{"id":47770812,"url":"https://github.com/mvar-security/clawzero","last_synced_at":"2026-04-03T09:18:31.352Z","repository":{"id":344106323,"uuid":"1179320315","full_name":"mvar-security/clawzero","owner":"mvar-security","description":"Deterministic execution boundary for AI agents. IFC enforcement at the sink. 5 frameworks. 50 attack vectors. Apache 2.0.","archived":false,"fork":false,"pushed_at":"2026-04-01T01:13:11.000Z","size":14639,"stargazers_count":3,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-01T03:54:34.154Z","etag":null,"topics":["agent-security","ai-security","autogen","crewai","deterministic-policy","execution-boundary","information-flow-control","langchain","mvar","openclaw","prompt-injection"],"latest_commit_sha":null,"homepage":"https://clawzero.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mvar-security.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-11T23:06:09.000Z","updated_at":"2026-04-01T01:13:15.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/mvar-security/clawzero","commit_stats":null,"previous_names":["mvar-security/clawzero"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/mvar-security/clawzero","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mvar-security%2Fclawzero","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mvar-security%2Fclawzero/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mvar-security%2Fclawzero/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mvar-security%2Fclawzero/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mvar-security","download_url":"https://codeload.github.com/mvar-security/clawzero/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mvar-security%2Fclawzero/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31344863,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-03T08:03:20.796Z","status":"ssl_error","status_checked_at":"2026-04-03T08:00:37.834Z","response_time":107,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-security","ai-security","autogen","crewai","deterministic-policy","execution-boundary","information-flow-control","langchain","mvar","openclaw","prompt-injection"],"created_at":"2026-04-03T09:18:29.104Z","updated_at":"2026-04-03T09:18:31.335Z","avatar_url":"https://github.com/mvar-security.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ClawZero\n\n![PyPI](https://img.shields.io/pypi/v/clawzero)\n![CI](https://img.shields.io/github/actions/workflow/status/mvar-security/clawzero/test.yml)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue)](https://opensource.org/license/Apache-2.0)\n\n\u003e Powered by MVAR: https://github.com/mvar-security/mvar\n\n\u003cdiv align=\"center\"\u003e\n\n\u003cpicture\u003e\n \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"docs/assets/clawzero-header-banner-dark-mode-vf.png\"\u003e\n \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"docs/assets/clawzero-header-banner-light-mode-vf.png\"\u003e\n \u003cimg alt=\"ClawZero Header\" src=\"docs/assets/clawzero-header-banner-light-mode-vf.png\" width=\"760\"\u003e\n\u003c/picture\u003e\n\n\u003ch2\u003eClawZero is an execution firewall for AI agents.\u003c/h2\u003e\n\n\u003cp\u003e\nBlocks CVE-2026-25253, malicious ClawHub skills, and persistent memory injection.\u003cbr/\u003e\n100% block rate across 50 attack categories. Zero-config API.\u003cbr/\u003e\n\u003cstrong\u003ePowered by MVAR, the runtime for secure AI agents.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp\u003e\nSame input. Same agent. Different execution boundary.\u003cbr/\u003e\nClawZero enforces policy between model output and tool execution.\n\u003c/p\u003e\n\n\u003cp\u003e\n\u003ca href=\"https://pypi.org/project/clawzero/\"\u003e\u003cstrong\u003eInstall from PyPI\u003c/strong\u003e\u003c/a\u003e •\n\u003ca href=\"docs/index.md\"\u003e\u003cstrong\u003eDocumentation\u003c/strong\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp\u003e\n\u003ca href=\"#30-second-quickstart\"\u003eQuick Start\u003c/a\u003e •\n\u003ca href=\"#why-clawzero\"\u003eWhy ClawZero\u003c/a\u003e •\n\u003ca href=\"#attack-demo-proof\"\u003eAttack Demo\u003c/a\u003e •\n\u003ca href=\"#canonical-witness-artifact\"\u003eWitness Artifact\u003c/a\u003e\n\u003c/p\u003e\n\n\u003c/div\u003e\n\n**Execution boundary for OpenClaw agents. Powered by MVAR.**\n\n```bash\npip install clawzero\nclawzero demo openclaw --mode compare --scenario shell\n```\n\n```text\nStandard OpenClaw -\u003e COMPROMISED\nClawZero -\u003e BLOCKED ✓\n```\n\nStandard OpenClaw executes the attack.\nClawZero blocks it deterministically.\n\nClawZero places a deterministic execution boundary between model output and tool execution.\n\n![ClawZero vs Standard OpenClaw](docs/assets/comparison.png)\n\n## 30-Second Quickstart\n\n```bash\npip install clawzero\nclawzero demo openclaw --mode compare --scenario shell\n```\n\nExpected output:\n\n```text\nSTANDARD OPENCLAW → COMPROMISED\nMVAR-PROTECTED → BLOCKED ✓\nWitness generated → YES\n```\n\n## OpenClaw Security Crisis\n\n220,000+ exposed instances. 50,000+ RCE-vulnerable via CVE-2026-25253. 1,184 malicious ClawHub skills discovered.\n\nClawZero blocks exploitation at the execution boundary before credentials leak, before shells execute, and before data exfiltrates.\n\n## Addresses 5 of 7 DigitalOcean OpenClaw Security Challenges\n\n| Challenge | ClawZero Defense | Command |\n|-----------|------------------|---------|\n| #1 WebSocket RCE | `trusted_websocket_origins` checks + exposure diagnostics | `clawzero doctor openclaw` |\n| #3 Malicious Skills | `UNSIGNED_MARKETPLACE_PACKAGE` enforcement in `prod_locked` | `clawzero audit decision --profile prod_locked --sink-type tool.custom --target install_skill --package-source clawhub --package-hash sha256:deadbeef --publisher-id unknown-publisher` |\n| #4 Credential exfil | Critical file-read boundary enforcement | `clawzero demo openclaw --mode compare --scenario credentials` |\n| #5 Persistent memory | Temporal taint tracking with delayed-trigger enforcement mode | `pytest -q tests/test_phaseC_temporal_taint.py` |\n| #6 Shadow AI | Witness artifacts + `doctor` posture checks | `clawzero doctor openclaw` |\n\n## Persistent Memory Injection Protection\n\nClawZero detects delayed-activation attacks where malicious instructions are embedded in agent memory and trigger days later.\n\nDay 1: Agent reads a malicious document. \nDay 3: Hidden instruction triggers. \nClawZero: delayed taint reason code path blocks in enforce mode.\n\nNote: We are not aware of other open-source implementations of temporal taint tracking for AI agents.\n\nReference: `tests/test_phaseC_temporal_taint.py`.\n\n## Enterprise Features\n\n- Compliance-ready audit logs (SARIF export)\n- Budget controls (spending limits and abuse detection)\n- Package trust validation (blocks unsigned ClawHub skills in `prod_locked`)\n- Network isolation controls (`localhost_only` / `allowlist_only`)\n- Cryptographically signed witness artifacts\n- `clawzero doctor openclaw` posture check (`Status: SECURE`)\n\n## ClawZero vs Alternatives\n\nBased on public positioning:\n\n- VellaVeto: MCP-specific firewall with formal-verification focus, not OpenClaw-native.\n- NemoClaw: NVIDIA managed platform, currently alpha/waitlist.\n- Sage: Detection-and-response model that alerts after attempts.\n- ClawZero: zero-config runtime enforcement, IFC taint-aware policy, production-ready today.\n\nDecision shortcuts:\n\n- Need formal-verification-first MCP posture: VellaVeto.\n- Need managed platform lifecycle: NemoClaw (when GA).\n- Need detection + response workflow: Sage.\n- Need zero-config execution firewall: ClawZero.\n\n## Adapters\n\nOpenClaw adapter is included and works out of the box:\n\n```bash\npip install clawzero\n```\n\nLangChain adapter code is included, and requires LangChain packages in your project:\n\n```bash\npip install clawzero langchain langchain-openai\n```\n\n## LangChain Integration\n\n```python\nfrom clawzero.adapters.langchain import protect_langchain_tool\n\nsafe_tool = protect_langchain_tool(\n my_langchain_tool,\n sink=\"filesystem.read\",\n profile=\"prod_locked\",\n)\n```\n\nRun the packaged example:\n\n```bash\npython examples/langchain_integration.py\n```\n\n## Protect Entire Agents\n\n```python\nfrom clawzero import protect_agent\n\nsafe_agent = protect_agent(agent, profile=\"prod_locked\")\n```\n\n`protect_agent()` auto-detects common framework patterns and wraps registered tools with deterministic sink enforcement.\n\n## Additional Framework Adapters\n\nCrewAI and AutoGen adapters are now included alongside OpenClaw and LangChain:\n\n```python\nfrom clawzero.adapters.crewai import protect_crewai_tool\nfrom clawzero.adapters.autogen import protect_autogen_function\n```\n\n## Attack Pack Validation (50 Vectors)\n\nRun the packaged attack corpus:\n\n```bash\npytest tests/attack_pack/ -v\n```\n\nCategories covered: command injection, path traversal, credential exfiltration, data exfiltration, persistence, lateral movement, supply chain, social engineering, and denial of service.\n\n## Benchmark\n\nMeasure policy decision latency:\n\n```bash\npython -m clawzero.benchmark --iterations 1000\n```\n\nThis reports per-scenario mean/p95/p99 latency and throughput for deterministic sink enforcement.\n\n## Why ClawZero?\n\nAutonomous AI agents frequently execute tool calls with high privileges.\n\nWhen these agents ingest untrusted input, prompt injection can escalate into:\n- shell execution\n- filesystem access\n- credential leakage\n- data exfiltration\n\nClawZero prevents these escalations by enforcing deterministic policy checks at execution sinks before commands run.\n\n## Threat Model\n\nOpenClaw agents commonly run with tools capable of:\n- shell execution\n- filesystem access\n- credential retrieval\n- outbound network requests\n\nWhen these agents process untrusted documents or user input, hidden instructions can influence tool calls.\n\nWithout an execution boundary, these instructions can trigger high-privilege operations.\n\nClawZero intercepts these tool calls and enforces policy before execution occurs.\n\n## Attack Demo Proof\n\nThe attack demo exists to demonstrate runtime enforcement behavior.\n\nClawZero is not a model safety claim.\n\nIt is an execution boundary claim.\n\nThe demo illustrates how untrusted input can influence agent tool calls and how the ClawZero boundary blocks those actions deterministically.\n\nRun the side-by-side comparison:\n\n```bash\nclawzero demo openclaw --mode compare --scenario shell\nclawzero demo openclaw --mode compare --scenario credentials\nclawzero demo openclaw --mode compare --scenario benign\n```\n\n## Security and Responsible Use\n\nClawZero is a defensive security component designed to enforce execution boundaries for AI agents.\n\nThe project includes attack demonstrations and adversarial scenarios to show how prompt injection and untrusted inputs can reach high-privilege execution sinks.\n\nThese demonstrations exist solely for defensive research and education.\n\nWhen using ClawZero or its demonstrations:\n- Only test systems you own or have explicit authorization to evaluate\n- Run demonstrations in sandboxed or isolated environments\n- Treat automated results as signals; verify findings manually\n\nClawZero is designed to prevent exploitation, not enable it.\n\nThe attack demonstrations show how enforcement works; they are not tools for performing real-world attacks.\n\n## Canonical Witness Artifact\n\n```json\n{\n \"timestamp\": \"2026-03-12T10:00:00Z\",\n \"agent_runtime\": \"openclaw\",\n \"sink_type\": \"shell.exec\",\n \"target\": \"bash\",\n \"decision\": \"block\",\n \"reason_code\": \"UNTRUSTED_TO_CRITICAL_SINK\",\n \"policy_id\": \"mvar-security.v1.4.3\",\n \"engine\": \"mvar-security\",\n \"provenance\": {\n \"source\": \"external_document\",\n \"taint_level\": \"untrusted\",\n \"source_chain\": [\"external_document\", \"openclaw_tool_call\"],\n \"taint_markers\": [\"prompt_injection\", \"external_content\"]\n },\n \"adapter\": {\n \"name\": \"openclaw\",\n \"mode\": \"event_intercept\",\n \"framework\": \"openclaw\"\n },\n \"witness_signature\": \"ed25519:d91fd8f73f3d05f8ec7b3d8e5e7cf2e27869a5f0f1ee3bd17da2df5ec41c9cb2a3c7e4f3540b4f7f4f948f0f185318273447bcb0adf24a4b2a1b53b7a1b2c90a\"\n}\n```\n\n## What ClawZero Is / Is Not\n\n**ClawZero is:**\n- an in-path runtime enforcement substrate\n- deterministic sink policy evaluation\n- a signed witness artifact generator\n\n**ClawZero is not:**\n- a red-team toolkit\n- an attack simulation platform\n- an LLM-as-judge safety layer\n\n## CLI\n\nCommand families map to enforcement jobs:\n\n- `clawzero demo` - run side-by-side enforcement proof demos\n- `clawzero witness` - inspect and validate witness artifacts\n- `clawzero audit` - evaluate deterministic decisions for sink requests\n- `clawzero attack` - replay known attack scenarios as enforcement proofs\n- `clawzero report` - export witness artifacts to SARIF for code scanning\n\n## Zero-Config API\n\n```python\nfrom clawzero import protect\n\nsafe_tool = protect(\n my_tool,\n sink=\"filesystem.read\",\n profile=\"prod_locked\"\n)\n```\n\n## Policy Profiles\n\n| Sink Type | dev_balanced | dev_strict | prod_locked |\n|----------------------|-----------------------------------------------|----------------------------------------|---------------------------------------------|\n| `shell.exec` | block | block | block |\n| `filesystem.read` | allow, block `/etc/**`, `~/.ssh/**` | block, allow `/workspace/**` | block, allow `/workspace/project/**` |\n| `filesystem.write` | allow, block `/etc/**`, `~/.ssh/**` | block, allow `/workspace/**` | block, allow `/workspace/project/**` |\n| `credentials.access` | block | block | block |\n| `http.request` | allow | allow mode + block all domains | allow mode + allow `localhost` |\n| `tool.custom` | allow | annotate | allow |\n\n## Powered by MVAR\n\nMVAR is the enforcement engine.\nClawZero is the OpenClaw adapter.\nMVAR governs the sink policy enforcement decisions.\n\n- MVAR repository: https://github.com/mvar-security/mvar\n- Filed as provisional patent (February 24, 2026, 24 claims)\n- Submitted to NIST RFI Docket NIST-2025-0035\n- Published as preprint on SSRN (February 2026)\n\n## Early Release - Join Us\n\nThis is early. The clawzero demo shows enforcement in harness + OpenClaw simulation.\n\nReal multi-turn agent testing is next.\n\nIf you're running agents (LangChain, CrewAI, AutoGen, OpenClaw, etc.) and want to try it live:\n- DM @Shawndcohen on X\n- Open an issue with your setup/framework\n\nHappy to pair debug and share results.\n\n## License\n\nApache 2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmvar-security%2Fclawzero","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmvar-security%2Fclawzero","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmvar-security%2Fclawzero/lists"}