Claw Patrol: Deno's Firewall Never Hands the Agent the Keys
Deno open-sourced Claw Patrol today, a security firewall for agents, and it attacks the problem at a layer nobody else is working on: the network. Agent traffic routes through a WireGuard or Tailscale tunnel to a gateway that terminates TLS and parses the actual application protocol — not just HTTP, but Postgres, Kubernetes, SSH. You write rules in HCL against wire-level facts: block DROP TABLE outright, allow kubectl gets but deny deletes in production namespaces, gate specific HTTP methods on specific paths.
The genuinely clever part is credential injection. The agent never holds a real secret — it sends a placeholder like {{github_pat}}, and the gateway swaps in the real token on the wire. A compromised agent process cannot leak keys it never possessed. After Miasma stole credentials the instant an agent opened a poisoned repo this week, that's not paranoia, that's the correct default assumption.
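To make the two ideas above concrete, here is a toy gateway that applies protocol-aware allow/deny rules and then swaps `{{github_pat}}`-style placeholders for real tokens only on requests that pass. This is an added illustration written for this post, not Claw Patrol's code or its HCL syntax; the secret store, rule bodies and the `review` verdict (standing in for the human or LLM approver step) are assumptions.

```python
import re
from dataclasses import dataclass

PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

# Constructed secret store. Only the gateway holds real values; the agent
# process sees nothing but the placeholder names.
GATEWAY_SECRETS = {"github_pat": "ghp_CONSTRUCTED_EXAMPLE_TOKEN"}


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict


def inject_credentials(req: HttpRequest, secrets=GATEWAY_SECRETS) -> HttpRequest:
    """Replace {{name}} placeholders in header values with the real secret.
    An unknown placeholder fails closed instead of being forwarded verbatim."""
    def replace(match: re.Match) -> str:
        name = match.group(1)
        if name not in secrets:
            raise KeyError(f"no credential registered for placeholder {name}")
        return secrets[name]
    rewritten = {k: PLACEHOLDER.sub(replace, v) for k, v in req.headers.items()}
    return HttpRequest(req.method, req.path, rewritten)


def http_rule(req: HttpRequest) -> str:
    """Gate specific methods on specific paths: reads pass, deletes under
    /repos/ are blocked, everything else goes to an approver."""
    if req.method in ("GET", "HEAD"):
        return "allow"
    if req.method == "DELETE" and req.path.startswith("/repos/"):
        return "deny"
    return "review"


def sql_rule(statement: str) -> str:
    """Decide on a statement the gateway parsed off the Postgres wire:
    DROP TABLE is blocked outright, regardless of case or trailing semicolon."""
    words = statement.strip().rstrip(";").split()
    if len(words) >= 2 and words[0].upper() == "DROP" and words[1].upper() == "TABLE":
        return "deny"
    return "allow"


def forward(req: HttpRequest) -> tuple[str, HttpRequest]:
    """Evaluate the rule first; secrets are injected only into traffic that
    is actually going out, so a denied or held request never carries a key."""
    verdict = http_rule(req)
    if verdict != "allow":
        return verdict, req
    return verdict, inject_credentials(req)
```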
It also supports human-in-the-loop and LLM approvers for sensitive calls, so a cheap model can adjudicate whether that outbound request looks like exfiltration. Alpha software, MIT license.
This is the third distinct answer to agent containment we've seen this month. Apple and Microsoft say isolate the agent in a VM. Kimi Work says give it your real browser and trust it. Claw Patrol says let it act, but strip it of secrets and put a protocol-aware checkpoint on every wire. Of the three, the last one is the only design that assumes the agent is already compromised — which, on current evidence, is the realistic assumption.
Repo: https://github.com/denoland/clawpatrol