GitHub Repository

Security proxy for AI agents. Scans every message for prompt injection, PII, and secrets. Defense-in-depth: Go proxy + iptables firewall + eBPF kernel monitor. YAML policy engine, audit logging, 5 AI agents with RAG knowledge bases.

131 stars · Go

ClawShield – Open-source security proxy for AI agents (Go, eBPF)

by sleuthco · Mar 2, 2026 · 2 points · 2 comments

AI Analysis

Banger · Wizardry · Solve My Problem

Defense-in-depth AI agent firewall: proxy + eBPF kernel + three-tier injection detection.

Strengths
  • Three-tier prompt injection detection (regex heuristics, structural analysis, canary tokens) genuinely novel for LLM security
  • eBPF kernel monitoring + iptables firewall adds hardware-enforced layer beyond application logic
  • Comprehensive vulnerability scanner covering SQLi, SSRF, path traversal, command injection, XSS in decoded JSON context
Weaknesses
  • Tight coupling to OpenClaw gateway limits adoption; unclear how standalone it truly is
  • Detection rules (regex, canary tokens) will require continuous tuning as attack patterns evolve
  • No independent security audit or benchmarks against real prompt injection attempts
Target Audience

Enterprise AI teams running multi-agent systems, AI gateway operators, security-conscious LLM deployments

Similar To

Prompt Armor · APIBoundary · WAF-style ML security proxies

Post Description

Author here. ClawShield is a security proxy that sits in front of OpenClaw (open-source AI gateway) and scans all inbound/outbound messages.

The core is an HTTP/WebSocket reverse proxy in Go (~6k lines) with four scanners:

1. Prompt injection detection - three tiers: regex heuristics (role overrides, instruction injection, delimiter attacks, encoding attacks), structural analysis (base64-decoded instruction blocks, imperative verb density scoring), and canary token leak detection.

2. Secrets/PII scanning - regex argument filters applied to decoded JSON values (defeats unicode escape bypasses like \u0070assword).

3. Vulnerability scanning - SQLi (UNION, tautologies, blind with SLEEP/BENCHMARK), SSRF (private IPs, cloud metadata at 169.254.169.254, decimal/hex IP encoding, dangerous schemes like gopher://), path traversal (double URL-encoding, null bytes), command injection (shell metacharacters, backtick execution), XSS.

4. Malware detection - magic bytes for PE/ELF/Mach-O, YARA-like signature rules for reverse shells and C2 frameworks, archive bomb detection via compression ratio, Shannon entropy analysis.

Policy engine is deny-by-default YAML. You define tool allowlists, denylists, per-tool argument filters, domain allowlists, and per-agent/per-channel restrictions. Every decision is logged to SQLite.

Optional extras: iptables egress firewall (Go, generates validated rules from YAML) and eBPF kernel monitor (Python/BCC - traces execve, tcp_v4_connect, openat2, setuid for fork bomb/privesc/port scan detection).

Docker quickstart is 3 commands. Ten cross-compiled binaries on the release (proxy + setup wizard for linux/mac/windows, amd64/arm64).

We run this in production at clawshield.sleuthco.ai.

I built this because I was contributing security patches to OpenClaw and the netfilter suite and kept seeing the same gap: the AI ecosystem has sophisticated multi-agent routing but no standardized way to inspect and control what flows through it.

Happy to answer questions about the scanner architecture, policy engine, or threat model.
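The decoded-value scanning described in item 2 above, as an added example in Go that is not part of the ClawShield code base: the two rules, the JSON-path naming and the sample tool-call message are all constructed for this illustration, and the scanner walks the unmarshalled document so that a `\u0070assword` escape is matched as `password`.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strconv"
)
// Rules applied to every decoded string value; constructed for this example,
// not ClawShield's own rule set.
var rules = map[string]*regexp.Regexp{
	"password-field": regexp.MustCompile(`(?i)\bpassword\b\s*[:=]`),
	"email":          regexp.MustCompile(`[\w.+-]+@[\w-]+\.[\w.-]+`),
}

// walk descends into the decoded document and scans every string leaf,
// recording each matching rule name under the JSON path of that leaf.
func walk(path string, v interface{}, hits map[string][]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			walk(path+"."+k, child, hits)
		}
	case []interface{}:
		for i, child := range t {
			walk(path+"["+strconv.Itoa(i)+"]", child, hits)
		}
	case string:
		for name, re := range rules {
			if re.MatchString(t) {
				hits[path] = append(hits[path], name)
			}
		}
	}
}

// ScanDecodedJSON unmarshals before matching, so "\u0070assword" is scanned as
// "password"; the same regex over the raw bytes misses it (the escape breaks \b).
func ScanDecodedJSON(body []byte) (map[string][]string, error) {
	var doc interface{}
	if err := json.Unmarshal(body, &doc); err != nil {
		return nil, err
	}
	hits := map[string][]string{}
	walk("$", doc, hits)
	return hits, nil
}

// Constructed tool-call message: the password field hides behind a unicode escape.
const sampleMessage = `{"tool":"http_post","args":{"body":"\u0070assword=hunter2","note":"contact ops@example.com"}}`
```

Running the password rule directly over the raw bytes of sampleMessage yields no match, while ScanDecodedJSON reports it at $.args.body alongside the e-mail address at $.args.note.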

Similar Projects

Inner Warden – Self-Defending Security Agent: eBPF+LSM+XDP (Rust, 29MB)
Security · Banger · Wizardry · Solve My Problem · Dark Horse
Six eBPF kernel programs block attacks at wire-speed before Falco even sees them.
by maiconburn

OmniClaw – An autonomous AI swarm that runs natively on Termux
AI/ML · Mid · Bold Bet · Ship It
Kernel-level AI agents on Android, but half-baked security model and unclear differentiation.
by anon89745