Fail-closed by default
A confused agent can only touch what its task allowed.
Triage the support inbox and reply to thread #4821.
- write
gmail.send
thread #4821 only
- read
gmail.read
inbox · unread
The problem with standing access
Most agent setups hand over a long-lived API key or an OAuth token with broad scopes and hope the model behaves. That works until a poisoned web page, a malicious tool result, or a simple misread instruction convinces the agent to do something it was never meant to do. Because the credential already grants everything, there is nothing between the bad instruction and your data. Standing access turns every prompt-injection bug into a potential account-wide incident.
How containment works
Zero standing access
Agents authenticate to Clawvisor, not to your tools. Until a task is approved, the agent can reach nothing: no inbox, no repo, no database.
Per-task grants
Each approved task unlocks exactly the tools and scopes it declared (gmail.send on one thread, github.read on one repo) and nothing adjacent.
Automatic revocation
When the task completes or times out, the grant disappears. There is no lingering session to steal and no token to rotate after the fact.
Fail-closed everywhere
Anything not explicitly allowed is denied. A request the policy didn't anticipate stops and waits for a human instead of guessing.
The worst an agent can do is the task you approved, and nothing else.
It's one of six power-ups you get from approving the task instead of the tools.
Containment
Agents start with zero access. Every tool is granted per-task and revoked when the task ends. A compromised prompt can't reach what the task never needed.
Let your agents fly. Safely.
Free to start for solo developers. Sign up and put a gateway in front of your agents in minutes. No credit card required.