Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
Show HN: ClawShield – Open-source security proxy for AI agents (Go, eBPF) (github.com/sleuthco)
2 points by sleuthco 23 days ago | hide | past | favorite | 2 comments
Author here. ClawShield is a security proxy that sits in front of OpenClaw (open-source AI gateway) and scans all inbound/outbound messages.

The core is an HTTP/WebSocket reverse proxy in Go (~6k lines) with four scanners:

1. Prompt injection detection - three tiers: regex heuristics (role overrides, instruction injection, delimiter attacks, encoding attacks), structural analysis (base64-decoded instruction blocks, imperative verb density scoring), and canary token leak detection.

2. Secrets/PII scanning - regex argument filters applied to decoded JSON values (defeats unicode escape bypasses like \u0070assword).

3. Vulnerability scanning - SQLi (UNION, tautologies, blind with SLEEP/BENCHMARK), SSRF (private IPs, cloud metadata at 169.254.169.254, decimal/hex IP encoding, dangerous schemes like gopher://), path traversal (double URL-encoding, null bytes), command injection (shell metacharacters, backtick execution), XSS.

4. Malware detection - magic bytes for PE/ELF/Mach-O, YARA-like signature rules for reverse shells and C2 frameworks, archive bomb detection via compression ratio, Shannon entropy analysis.

Policy engine is deny-by-default YAML. You define tool allowlists, denylists, per-tool argument filters, domain allowlists, and per-agent/per-channel restrictions. Every decision is logged to SQLite.

Optional extras: iptables egress firewall (Go, generates validated rules from YAML) and eBPF kernel monitor (Python/BCC - traces execve, tcp_v4_connect, openat2, setuid for fork bomb/privesc/port scan detection).

Docker quickstart is 3 commands. Ten cross-compiled binaries on the release (proxy + setup wizard for linux/mac/windows, amd64/arm64).

We run this in production at clawshield.sleuthco.ai.

I built this because I was contributing security patches to OpenClaw and the netfilter suite and kept seeing the same gap: the AI ecosystem has sophisticated multi-agent routing but no standardized way to inspect and control what flows through it.

Happy to answer questions about the scanner architecture, policy engine, or threat model.



Solid proxy architecture. The deny-by-default YAML policy engine is the right call.

One question on the audit side: decisions are logged to SQLite — is that log tamper-evident? If an operator or admin modifies a row after the fact, is there a mechanism to detect it, or does verification depend on the SQLite file being unaltered?

Asking because in regulated environments, the first thing auditors challenge is whether the log itself can be trusted independently.


Author here and available for discussion. Have a PR already that I need to review!




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: