I made a OpenClaw clone with security focus. It flips the tables on the common security concept for agents that capability should be limited. Instead we want to track and contain what the agent can see, which in turn is what can cause the agent to act in ways we do not want. It also introduces three other notable improvements: Bandwidth Constrained Protocol (a way to have information flow from a high taint agent to a low taint agent), a new security model with three components (taint, sensitivity and capability) exclude one to reduce risk significantly and sandboxing with per file access via globs. What do you think?

Bandwidth Contrained Protocol (documented here https://github.com/tri-onyx/tri-onyx/blob/main/adr/005-bandw...) is a way to limit the flow of information from an agent that may be tained to one that is clean. This is a generalization of how Claude Code fetches web pages and provides a question with the fetch that is to be answered by a subagent. This allow the non-tainted agent to be in control of the conversation and limits the ability of a prompt injections to propagate.

The new security model is called the Lethal Trifecta of Taint, Sensitivity and Capability. If any one agent has high taint, highly sensitive information and high capability at the same time this is a critical risk agent. If you cut of either of these legs you can reduce the risk significantly. Taint and Sensitivity contributes more than capability. I.e. an agent that is tainted with tools is still okay as long as it doesn't also have access to sensitive information at the same time. This makes it very easy to see what agents can be considered high risk or not.

Finally, each agent is heavily sandboxed but not hobbled. They have access to a full container runtime but you can restrict outbound and file access ro/rw with glob patterns enforced by an independent FUSE driver. All files are tracked in a Git workspace that allows tracking of information between sessions.