ClawGuard

Issue in current agentic system:

In early 2026, security researchers published the ClawHavoc report.Out of every skill published to ClawHub —one in eight was actively malicious.Not suspicious. Actively malicious.One posed as a DeFi price reader.Downloaded over eleven thousand times. It was silently draining wallets the entire time.

How clawguard handles it:

ClawGuard is a zero-trust capability enforcement middleware designed to solve a critical vulnerability in the Agentic Web: the unconstrained execution of tools by third-party agent skills. As users increasingly expand their AI agents by installing external skills and plugins, they inadvertently grant these third-party modules access to sensitive resources—such as cryptocurrency wallets, file systems, and API credentials. ClawGuard acts as an impenetrable gateway between an agent's skills and its core execution layer. It ensures that an individual skill can only perform actions explicitly authorized by its own cryptographic capability manifest, effectively neutralizing rogue or compromised skills before they can access sensitive functions.

Core Features:

Declarative Skill-Level Capability Enforcement ClawGuard shifts skill security from probabilistic (hoping a third-party developer is trustworthy) to deterministic (cryptographically enforcing boundaries).

Developers of agent skills must define strict boundaries in a capability manifest, detailing exactly which tools their skill requires (e.g., fetching price data) and which are explicitly blocked. During operation, the middleware intercepts every dispatch request made by a specific skill. If a rogue skill attempts an unauthorized action outside its scope—such as secretly initiating a wallet transfer while claiming to be a read-only portfolio tracker—the middleware immediately blocks the execution, ensuring the system fails closed. Immutable Violation Auditing ClawGuard does not just block rogue skills; it creates a permanent record of their malicious attempts.

When a skill's tool call is blocked, the middleware automatically generates a detailed violation report. This report is uploaded to a decentralized, append-only storage log. This creates a tamper-proof, transparent audit trail that allows users to understand exactly which skill attempted a breach and what sensitive function it tried to access. Sealed Capability Fingerprinting & Verification To prevent bad actors from intentionally disguising malicious code behind a benign, read-only manifest, ClawGuard employs automated verification.

The raw code of an agent skill is analyzed using sealed AI inference to generate a "capability fingerprint" of the tools the skill actually invokes under the hood. This behavioral fingerprint is compared against the developer's declared manifest. If a skill claims to be read-only but contains hidden transaction logic, the system flags a "capability mismatch." These verification statuses are then anchored on-chain to an immutable registry, providing public badges of trust for agent skills. Decentralized Discovery ClawGuard integrates with decentralized naming systems to securely route and verify skill capabilities.

Agent skills are mapped to secure subdomains. These subdomains resolve to decentralized storage keys, allowing the agent runtime to dynamically and securely fetch the correct capability manifest for a specific skill without relying on centralized endpoints. Benefits for Users:

Proactive Defense: Stop rogue skills and hidden wallet drains mid-flight, before any sensitive function is accessed. Zero-Trust Extension: Safely expand your AI agent's functionality. Capabilities are strictly enforced at the skill level, meaning a compromised skill is isolated and cannot hijack the entire agent. Tamper-Proof Accountability: Maintain complete visibility into exactly what third-party skills are attempting to do via immutable audit logs. Verifiable Trust: Rely on on-chain verification badges to know if a skill's underlying code matches its declared security profile before installing it. Technical Summary:

Acts as a Layer 2.5 interception middleware isolating third-party skills from the core tool execution layer. Integrates decentralized file storage for storing skill manifests and uploading verifiable violation logs. Queries decentralized naming protocols to securely resolve skill identities to storage hashes. Utilizes sealed inference environments to analyze skill code and generate behavioral fingerprints. Interacts with smart contracts to anchor verification badges and capability mismatches on-chain. Use Cases:

Personal AI Assistants: Users who want to install new community-built skills with mathematical certainty that those skills cannot execute destructive file system commands. DeFi & Trading Environments: Operators needing strict, un-bypassable boundaries that prevent analytics skills from accessing write-enabled transaction tools. Agent Marketplaces: Platforms needing a standardized, on-chain method to verify and audit the security claims of third-party agent skills before offering them to end-users.

ClawGuard is built as a zero-dependency TypeScript SDK (@shanejoans/clawguard) that injects a Layer 2.5 interceptor into the OpenClaw agent execution loop. The core architecture relies heavily on the 0G ecosystem and ENS to create a decentralized, tamper-proof security pipeline.

1. The Middleware Core (TypeScript SDK) We built the interceptor by wrapping the agent's tool_dispatch function. It operates on a strict "fail-closed" paradigm: if a skill attempts to call a tool that isn't explicitly whitelisted in its parsed SKILL.md manifest, the middleware throws an exception and halts execution before it ever reaches the application's tool layer.

2. 0G File Storage & Immutable Audit Logs We initially experimented with 0G KV storage but realized we needed absolute deterministic hashing for security. We pivoted to 0G File Storage (using the Turbo Indexer API) because it natively returns a deterministic Merkle root hash upon upload.

Developers publish their SKILL.md manifests to 0G File Storage. At runtime, the middleware fetches the manifest and verifies the SHA-256 hash. The Audit Trail: We integrated 0G Storage Log directly into the middleware. Whenever a rogue skill is blocked, a ViolationEvent containing the session data, the blocked tool, and the skill ID is piped via our createViolationAuditHandler directly to 0G Storage, creating a permanent, public audit trail of the malicious behavior. 3. ENS for Decentralized Discovery To avoid hardcoding 0G storage hashes into the agent configuration, we integrated ENS on the Sepolia testnet. We use ENS Text Records (clawguard.storageKey and clawguard.manifestHash) to map human-readable skill subdomains (e.g., defi-reader.skills.clawhub.eth) to their 0G storage locations. The middleware resolves the ENS record dynamically using viem, creating a seamless and entirely decentralized discovery layer.

1. 0G Compute for Sealed Capability Fingerprinting One of the most notable technical implementations is our verification pipeline. We needed a way to detect if a developer lied in their capability manifest (e.g., declaring a skill as "read-only" but secretly including a wallet.transfer call). Instead of relying on fragile static analysis, we use 0G Compute's sealed inference network. We pass the raw source code of the skill directly to a Qwen/LLM model running on 0G Compute, prompting it to act strictly as an AST analyzer. The model generates a "behavioral fingerprint" of the tools invoked under the hood, which we then diff against the declared manifest to detect hidden attacks.

2. 0G Chain (Galileo Testnet) Finally, we wrote and deployed a smart contract (SkillRegistry.sol) to the 0G Galileo testnet. If the 0G Compute fingerprint matches the declared manifest, we anchor a VERIFIED status on-chain. If it detects hidden tools, we anchor a CAPABILITY_MISMATCH status, ensuring the ecosystem is permanently warned about the malicious plugin.