Security

One clever prompt shouldn't undo your security.

Clawvisor is built as defense in depth: four independent layers between your agents and your data, each one tightening the posture so a single mistake never becomes an incident.

Four layers, stacked

Each layer is independent. An attacker has to defeat all of them, in order, to do real damage, and any one of them firing stops the chain.

01

Containment

Agents start with zero standing access and authenticate to Clawvisor, not to your tools. Tools are granted per-task and revoked when the task ends, so the blast radius of any compromise is the task, never the account.

02

Credential isolation

Real secrets never reach the agent. They stay encrypted in the vault and are swapped in at call time, so a leaked context or transcript exposes a dead handle, not a production key.

03

Policy & risk gating

Every task is scored for blast radius and checked against plain-English policy. High-risk, out-of-policy work stops for a human; routine work flows through. No all-or-nothing approve button.

04

Full audit logging

Each tool call, argument, and decision is recorded in a complete trail tied to the task and the human who approved it, replayable whenever you need it.

Credential vault

Secrets your agents can use but never see.

Production credentials are stored encrypted in the Clawvisor vault and never leave it. Agents receive opaque, scoped, short-lived handles instead. When a call goes out, the gateway exchanges the handle for the real secret at the edge, so the credential is used without ever entering the model's context, the tool transcript, or your logs. Rotate the underlying secret in the vault and every handle keeps working, with no agent code or config to touch.

Compliance & data handling

Built to be audited, not just trusted.

Clawvisor ships an open-source core you can read, audit, and run yourself. Self-host and every credential, log, and request stays inside your own infrastructure, nothing leaves your network. Every agent action lands in a complete, replayable audit trail tied to the task and the person who approved it.

  • Open-source core
  • Self-host available
  • Encrypted credential vault
  • Complete audit trail

Put a gateway in front of your agents.

Start with the open-source core, or talk to us about a managed deployment with the controls your team needs.