Fail-closed by default

A confused agent can only touch what its task allowed.

Containment is the default posture, not a feature you switch on. Agents begin with no access at all. Tools are granted for the duration of a single approved task and revoked the moment it ends, so the blast radius of any mistake or injection is the task, never the account.
Scoped to one task

Triage the support inbox and reply to thread #4821.

support-agentexpires when task completes
Tools requested2
  • gmail.send

    thread #4821 only

    write
  • gmail.read

    inbox · unread

    read
low risk

The problem with standing access

Most agent setups hand over a long-lived API key or an OAuth token with broad scopes and hope the model behaves. That works until a poisoned web page, a malicious tool result, or a simple misread instruction convinces the agent to do something it was never meant to do. Because the credential already grants everything, there is nothing between the bad instruction and your data. Standing access turns every prompt-injection bug into a potential account-wide incident.

How containment works

01

Zero standing access

Agents authenticate to Clawvisor, not to your tools. Until a task is approved, the agent can reach nothing: no inbox, no repo, no database.

02

Per-task grants

Each approved task unlocks exactly the tools and scopes it declared (gmail.send on one thread, github.read on one repo) and nothing adjacent.

03

Automatic revocation

When the task completes or times out, the grant disappears. There is no lingering session to steal and no token to rotate after the fact.

04

Fail-closed everywhere

Anything not explicitly allowed is denied. A request the policy didn't anticipate stops and waits for a human instead of guessing.

Let your agents fly. Safely.

Free to start for solo developers. Sign up and put a gateway in front of your agents in minutes. No credit card required.