How it works

One gateway between your agents and everything they touch.

Clawvisor sits in the request path between your agent and the LLM or tool it calls. Every request runs through policy first: identity checked, risk scored, tools scoped, calls logged, before it does any real work.

The request path

Point your agent at Clawvisor. Everything else falls out of that.

Your agent

Claude Code

Clawvisor

verify · scope · log

LLM

Claude Opus

The lifecycle of a single task

01

The agent declares a task

Instead of asking for tools one call at a time, the agent states a task: a purpose plus the tools it expects to need. Clawvisor sits in the request path, so this happens with no SDK and no agent rewrite.

02

Clawvisor scores the blast radius

Every task is assessed for how much damage it could do if it went wrong: reversibility, scope, and the sensitivity of the tools requested. The result is a low / medium / high risk rating on the request.

03

Policy decides: pass or hold

Plain-English policy decides what happens next. In-policy, low-risk work is auto-approved and flows straight through. Anything outside the rules pauses and waits for a named human to approve or deny.

04

Scoped execution, then revocation

On approval, the gateway swaps vaulted credentials in at call time and grants exactly the scopes the task declared, nothing adjacent. Every call is logged and tied to the task. When the task ends, the grant is revoked.

Approval required

Fix the failing CI check on billing-api and open a PR.

dev-agentexpires when task completes
Tools requested3
  • github.read

    repo: billing-api

    read
  • github.write

    branch: fix/ci

    write
  • shell.exec

    npm test

    write
medium risk

Let your agents fly. Safely.

Free to start for solo developers. Sign up and put a gateway in front of your agents in minutes. No credit card required.