I built this because running OpenClaw locally felt a bit like running chmod 777 for the internet.
While Docker/VMs provide OS-level isolation, they don't solve the application-layer risk: if my agent hits a Prompt Injection on a malicious site, it can still use its authenticated tools to wipe my CRM or exfiltrate Slack data.
ClawBands is a middleware that hooks into the OpenClaw before_tool_call event loop. It enforces a synchronous blocking check before any dangerous operation (Shell Exec, File Write, etc.) is actually executed.
Ideally, this acts like sudo for your agent:
In Terminal (TTY): It pauses execution and renders an interactive prompt.
Headless: It can route approval requests via a dedicated tool (clawbands_respond) to Telegram/WhatsApp.
It's a 24h PoC written in TypeScript. I'm particularly interested in feedback on the blocking logic implementation; handling the async pause reliably in the event loop was the trickiest part.
seyz•2h ago
Happy to answer any questions!
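
A sketch of the fail-closed approval gate the post describes, added here as an illustration and not taken from ClawBands or OpenClaw. `guardedCall`, `Approver`, the tool names and the 30-second default are all assumptions; the approver stands in for either the TTY prompt or the chat bridge.

```typescript
// Added example. All names are hypothetical; this is not ClawBands or OpenClaw code.
type ToolCall = { tool: string; args: Record<string, unknown> };
type Approver = (call: ToolCall) => Promise<boolean>; // TTY prompt or chat bridge
type Outcome = { ran: boolean; reason: string; result?: unknown };

// Assumed tool names for the "dangerous" class the post mentions.
const NEEDS_APPROVAL = new Set(["shell_exec", "file_write"]);

// Resolve to the approver's answer, or "timeout" if no human responds in time.
async function askWithTimeout(
  approve: Approver, call: ToolCall, ms: number
): Promise<boolean | "timeout"> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<"timeout">((resolve) => {
    timer = setTimeout(() => resolve("timeout"), ms);
  });
  try {
    return await Promise.race([approve(call), timeout]);
  } finally {
    clearTimeout(timer); // do not leave a stray timer holding the loop open
  }
}

// Gate in front of the tool: execute() is only reached after an explicit "yes".
async function guardedCall(
  call: ToolCall,
  approve: Approver,
  execute: (call: ToolCall) => Promise<unknown>,
  timeoutMs = 30000
): Promise<Outcome> {
  const gated = NEEDS_APPROVAL.has(call.tool);
  if (gated) {
    let answer: boolean | "timeout";
    try {
      answer = await askWithTimeout(approve, call, timeoutMs);
    } catch {
      return { ran: false, reason: "approver_error" }; // fail closed
    }
    if (answer === "timeout") return { ran: false, reason: "timeout" };
    if (answer !== true) return { ran: false, reason: "denied" };
  }
  const result = await execute(call);
  return { ran: true, reason: gated ? "approved" : "not_gated", result };
}
```

A timeout, a rejected approver promise and an explicit "no" all end the same way: the tool body is never invoked.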