HackerTrans
TopNewTrendsCommentsPastAskShowJobs

rough-sea

no profile record

Submissions

Show HN: Claw Patrol, a security firewall for agents

github.com
112 points·by rough-sea·เดือนที่แล้ว·31 comments

comments

rough-sea
·เดือนที่แล้ว·discuss
It's not about enforcing read-only - we want agents to do destructive things. Like rebooting a pod, rolling back a deployment, etc.

Plus a lot of these services are reached by tunneling through something else. We tunnel into k8s where it has dangerous credentials.

We also don't want to define MCPs for everything. The principle is that the agent doesn't need code changes, including skills/MCPs - it just accesses systems.

Claw Patrol lets us give agents more access because it's watching everything at the wire. `kubectl delete pod foo` waits for slack approval, SELECT on env_vars runs through an LLM judge to check if it actually returns secret data. For our setup this is security policy that is a single file, checked into git, that gates access across 14 k8s clusters, clickhouse, postgres, a dozen other HTTP APIs.
rough-sea
·เดือนที่แล้ว·discuss
Could work - but our agents (codex/claude/openclaw) spawn subprocesses - imagine an engineer uses claude to debug an issue, it spawns psql directly, routing around MCP. Wire level interception is the only place a process tree can't escape.

Regarding reinventing permissions - scoped credentials solve this to some extent, but it's really nice to have a single place where we can define rules for all services (eg "DROP TABLE" never can occur), or you can SELECT unless it includes the env_vars.secrets column.
rough-sea
·เดือนที่แล้ว·discuss
Yes works at the wire level, not http. Have a look at the example config file https://github.com/denoland/clawpatrol/blob/d2e531d8cb0f1a3a...

Claw Patrol holds credentials - so probably doesn't make sense to layer with AV - but it's true that AV has more sophisticated storage of creds (eg using 1p)
rough-sea
·เดือนที่แล้ว·discuss
If the operator isn't around, then it shouldn't be approved. But yes, this is a problem, we have to ask the agent to retry after approval if its timed out. Currently the design philosophy is that the agent doesn't need to know anything about the firewall - no skill files, no code changes, completely transparent. But we're soon introducing a discovery endpoint that will allow the agent to know which services it has credentials for and tell the agent how to poll for HITL approval. This is an area of active development: https://github.com/denoland/clawpatrol/pull/666
rough-sea
·เดือนที่แล้ว·discuss
There's a plugin API https://clawpatrol.dev/docs/plugins/
rough-sea
·เดือนที่แล้ว·discuss
You can define different profiles that are associated with different credentials. Take a look here https://clawpatrol.dev/docs/credentials/#single-credential-t...
rough-sea
·เดือนที่แล้ว·discuss
Thanks! Don't forget wire level protocol parsing - this is important because agents usually can spawn subprocesses and if they have postgres credentials, you're just one psql call away from disaster if you only have MCP/HTTP proxies in place.
rough-sea
·เดือนที่แล้ว·discuss
Yes default allow and no rules by default. Some sort of default policy would be a great feature - I've been considering it. No one wants agents to DROP tables.

We have a big and detailed config file for our own internal use - but reluctant to release that exactly because it has information about our systems.

There's an example config file here that might be helpful https://github.com/denoland/clawpatrol/blob/main/examples/ga... - we use agents to write the config by pointing it at https://clawpatrol.dev/llms-full.txt
rough-sea
·เดือนที่แล้ว·discuss
Unless you ascribe to some meta-physical soul - you believe human consciousness is encoded in matter - in the interactions between atoms. Actually at a much higher level of abstraction- neurons - but it’s all simulatable in principle. Thus, yes, it could literally be a bunch of x86 instructions.
rough-sea
·3 ปีที่แล้ว·discuss
Thank you. It’s depressing to find so many people on HN expressing sympathy for the nonsense written in the manifesto.

People should read “Beginning of Infinity” for a strong counter argument.
rough-sea
·4 ปีที่แล้ว·discuss
You can use Node modules in Deno using https://esm.sh/

You can use Deno modules in Node using https://github.com/denoland/dnt