jonscott3333•1h ago
ClawShield performs static security checks on:
Public bind addresses
Disabled authentication
Containers running as root or privileged
API key exposure in .env files
World-writable config files
It produces deterministic, schema-versioned JSON output and supports CI enforcement via severity thresholds (--fail-on).
The architecture is intentionally simple:
Scanners → Facts → Policy Engine → Findings
No remote calls, no telemetry, no mutation of configs.
The goal isn’t to be a black-box security scanner, but a transparent policy verification layer for agent runtimes.
Would appreciate feedback on:
Additional high-signal checks
Policy design
Runtime security for AI agents generally
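The Scanners → Facts → Policy Engine → Findings flow described in the post, as an added example in Python; it is not ClawShield's code or its output schema. The `.env` key names, rule ids, severity scale and `schema_version` value are assumptions made for illustration, and the sample file is constructed.

```python
import json
import os
import stat
import tempfile

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale

def scan_env_file(path):
    """Scanner: collect facts only (read-only, no judgement, no network)."""
    facts = {"file": os.path.basename(path), "keys": {},
             "world_writable": bool(os.stat(path).st_mode & stat.S_IWOTH)}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                facts["keys"][key.strip()] = value.strip()
    return facts

# Policy: (hypothetical rule id, severity, predicate over facts).
RULES = [
    ("public-bind", "high", lambda f: f["keys"].get("BIND_ADDRESS") in ("0.0.0.0", "::")),
    ("auth-disabled", "critical", lambda f: f["keys"].get("AUTH_ENABLED", "").lower() in ("false", "0", "no")),
    ("api-key-in-env", "medium", lambda f: any(k.endswith("_API_KEY") and v for k, v in f["keys"].items())),
    ("world-writable-config", "high", lambda f: f["world_writable"]),
]

def evaluate(facts):
    """Policy engine: facts -> findings. Secret values never enter a finding."""
    hits = [{"rule": r, "severity": s, "file": facts["file"]} for r, s, pred in RULES if pred(facts)]
    return sorted(hits, key=lambda h: (-SEVERITY[h["severity"]], h["rule"]))

def report(findings):
    """Deterministic output: fixed key order, fixed separators, sorted findings."""
    return json.dumps({"schema_version": "1", "findings": findings}, sort_keys=True, separators=(",", ":"))

def exit_code(findings, fail_on):
    """CI gate: non-zero when any finding meets or exceeds the threshold."""
    return int(any(SEVERITY[f["severity"]] >= SEVERITY[fail_on] for f in findings))

def demo():
    sample = "# constructed sample\nBIND_ADDRESS=0.0.0.0\nAUTH_ENABLED=false\nEXAMPLE_API_KEY=constructed-not-real\n"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".env")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        os.chmod(path, 0o666)  # make the sample world-writable
        return evaluate(scan_env_file(path))

if __name__ == "__main__":
    print(report(demo()))
```

Keeping predicates as pure functions over a facts dict is what makes the policy auditable: the same facts always yield the same findings, and the report can be diffed between CI runs.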