AI agent security gateway

Your agents fly.
You stay in control.

A security gateway between your AI agents and the tools they touch — Claude Code, MCP servers, Gmail, GitHub, shells, and APIs. Approve a task once; Clawvisor scopes every call to it, swaps in credentials, and logs what the agent did.

Open core · Self-host or managed
coding-agent · live
clawvisor

Task

token spend$0.00

Fix the failing snapshot test in billing-api.

Every call checked against the task, in real time

The problem

Today, every way to run agents is a bad trade.

You get one of three options. Not one of them is fast and safe.

Option one

Run fast, unsafe

Skip the prompts, hand over the keys, and let the agent rip.

One confused agent, and the damage is irreversible.

Option two

Approve everything

Put a human in the loop on every single call the agent makes.

Approval fatigue sets in. You rubber-stamp, so you approve nothing.

Option three

Lock it down

Scope the agent so tightly it can barely touch a thing.

Now it's safe, because it's useless.

The fourth option

Run fast and safe.

Approve the task, not the tools. Access binds to the task, so agents move at full speed and still can't step outside what you approved.

That's Clawvisor.

Cost attribution

See what every token actually bought.

Because spend is bound to the task and the person who approved it, every dollar rolls up to a real unit of work and the team that owns it. No more one opaque model bill you can't explain, just the return, line by line.

This week · 5 tasks$36.00

How it works

A checkpoint on every agent request.

Your agent

Claude Code

Clawvisor

verify · scope · log

LLM

Claude Opus

01 · Intercept

Every call routes through

Point your base URL at the gateway. Every model and tool call flows through it before it does any real work.

02 · Verify & scope

Checked against the task

Clawvisor matches the call to the task's declared purpose, then grants only the tools that purpose needs.

03 · Execute & log

Scoped creds, full trail

Approved calls run with short-lived, scoped credentials. Every decision is written to a full audit log.

Read the full mechanism →

The task model

Approve the task,
not the tools.

A task is a purpose plus the tools that purpose needs, whether that's triaging an inbox or shipping a fix with a shell and the repo. Clawvisor binds access to the task: the agent gets exactly what the work requires, for exactly as long as it runs, then it's gone.

With tasks · "Fix failing CI check"Scoped
agent
githubshellfilesystemgmailcalendarpostgresstripeawsslack
access expires when the task ends · ~30m
Without tasksStanding access
agent
githubshellfilesystemgmailcalendarpostgresstripeawsslack

Drop-in adoption

Works with any agent harness.

Clawvisor sits between your agent and the LLM it calls. Point your agent at Clawvisor and every request runs through policy first: identity checked, tools scoped, calls logged, before it ever reaches the model or a tool. No SDK, no agent code to touch.

  • task verified
  • tools scoped
  • every call logged

Credentials

Agents never hold your secrets.

The agent only ever holds a scoped, short-lived handle. The real token stays in the vault, and Clawvisor injects it only at the moment of an approved call. Go ahead: reveal it. The model never can.

What the agent receives

non-sensitive
autovault_github_5Hb7Kd9mPq2RxN4w

A pointer, not a key. Useless on its own and outside its scope.

stands in for

The real GitHub API key

vaulted
ghp_Rk8f2Kd9mPq2RxN4vTb7Lc3Wj••••••••••

Stored in the vault. Injected only at the moment of an approved call.

claude --dangerously-skip-permissions

Stop choosing between fast and safe.

Hand your agents real work and let them run. Clawvisor keeps every call inside the task you approved, so your whole team moves faster.