Show HN: Claw Patrol, a security firewall for agents (github.com)
In order to do this, the agent needs access to real production systems - postgres, kubernetes, gcp, clickhouse, github, etc. But this is dangerous to say the least - we want destructive actions to be reviewed by other LLMs, approved by humans, and logged appropriately.
Claw Patrol terminates TCP connections over WireGuard or Tailscale, then parses application protocols (eg http, postgres, ssh) to apply rules that allow you to deny/allow requests.
There are a few projects that sit as a proxy in front of agents to do secret injection or apply various guardrails, but none met our needs (LLM gateways, MCP proxies, sandboxes), particularly the need to handle low-level protocols, or handle complex real world situations like tunneling postgres through k8s.
Written in Go, configured in HCL, MIT licensed. Happy to answer any questions.
26 comments
[ 0.23 ms ] story [ 58.0 ms ] threadLots of good concepts to seek inspiration from.
1. process-scoped egress policy
2. policy-as-code
3. explicit approval classes
4. normalized network/ guardrail receipts.
5. structured guardrail outcomes
6. centralized decision rules
Disclosure: author of a related tool here. I have create agent-vault-proxy for a very similar reason. It also can help keep credentials out of the agent process. The agent gets a placeholder, the proxy swaps in the real secret in transit.
I read them as complementary: action firewall in front, credential broker behind. https://github.com/inflightsec/agent-vault-proxy
The nice thing about Agent Vault is the encryption of credentials and other ways they handle making sure those don't leak from storage. I suppose you could potentially wrap the two in layers as well (agent -> Claw Patrol -> Agent Vault -> external network)
EDIT: looking at some of the comments, it sounds like Claw Patrol can work with protocols beyond HTTP/S, so potentially covers more surface area than AV
For those here without young kids in their life: https://en.wikipedia.org/wiki/Paw_Patrol
It looks like those projects are trying to reinvent service-accounts and permissions... Just define the permissions for each of your APIs, and provide only endpoints to these (through MCP or whatever) to your agents...