29 comments

[ 2.5 ms ] story [ 49.3 ms ] thread
Really cool! I'm also building something in this space but taking a slightly different approach. I'm glad to see more focus on security for production agentic workflows though, as I think we don't talk about it enough when it comes to claws and other autonomous agents.

I think you're spot on with the fact that it's so far it's been either all or nothing. You either give an agent a lot of access and it's really powerful but proportionally dangerous or you lock it down so much that it's no longer useful.

I like a lot of the ideas you show here, but I also worry that LLM-as-a-judge is fundamentally a probabilistic guardrail that is inherently limited. How do you see this? It feels dangerous to rely on a security system that's not based on hard limitations but rather probabilities?

We’re supposed to be fixing LLM security by adding a non-LLM layer to it,

not adding LLM layers to stuff to make them inherently less secure.

This will be a neat concept for the types of tools that come after the present iteration of LLMs.

Unless I’m sorely mistaken.

It's all fine until OpenClaw decides to start prompt injecting the judge
So cool ! I'm building something very close to that but from another perspective, making this open source is giving me many idea !
Needs to be deterministic. ACLs
Comments like this don't fill me with confidence: https://github.com/brexhq/CrabTrap/blob/4fbbda9ca00055c1554a...

  // The policy is embedded as a JSON-escaped value inside a structured JSON object.
  // This prevents prompt injection via policy content — any special characters,
  // delimiters, or instruction-like text in the policy are safely escaped by
  // json.Marshal rather than concatenated as raw text.
Why do you say that? I thought this pattern was well established, or are you aware of known issues with it?
The debate here is missing a practical question: is the judge from the same model family as the agent it's judging?

If both are Claude, you have shared-vulnerability risk. Prompt-injection patterns that work against one often work against the other. Basic defense in depth says they should at least be different providers, ideally different architectures.

Secondary issue: the judge only sees what's in the HTTP body. Someone who can shape the request (via agent input) can shape the judge's context window too. That's a different failure mode than "judge gets tricked by clever prompting." It's "judge is starved of the signals it would need to spot the trick."

[flagged]
Blatant “astroturfing” in these comments
Non-deterministic business rules engine.
> pointing it at a few days of real traffic produced policies that matched human judgment on the vast majority of held-out requests.

The problem is, 99% secure is a failing grade.

99% is usually the best you can do. So you can only layer multiple defences together, this makes sense as one layer to me.

I have an issue with security layers that are inherently nondeterministic. You can't really reason strongly about what this tool provides as part of a security model.

But also, it's in an area where real security seems extremely hard. I think at some point everyone will have a situation where they wanna give an agent some private information and access to the web. You just can't do that in a way that's deterministically safe. But if there are usecase where making it probabilistically safer is enough to tip the balance, well, fine.

(comment deleted)
Interesting approach! I’ve been building something complementary on the deterministic side. LLM-as-judge guardrails are fundamentally probabilistic and can be gamed or hallucinate themselves (as several comments pointed out). That’s why I built EvalView — it does full trajectory snapshots + diffs so you can see exactly what changed, plus a lightweight zero-judge model-check that directly pings the model and reports drift level (NONE / WEAK / MEDIUM / STRONG). Gives you deterministic regression detection that works alongside (or instead of) LLM judges. https://github.com/hidai25/eval-view Curious how you handle drift detection in CrabTrap.
Installing a self signed cert system wide to do MITM? Sign me up!
How is the judge protected from injection?