Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents

Frank Li

Abstract

Tool-augmented LLM agents introduce security risks that extend beyond user-input filtering, including indirect prompt injection through fetched content, unsafe tool execution, credential leakage, and tampering with local control files. We present OpenClaw PRISM, a zero-fork runtime security layer for OpenClaw-based agent gateways. PRISM combines an in-process plugin with optional sidecar services and distributes enforcement across ten lifecycle hooks spanning message ingress, prompt construction, tool execution, tool-result persistence, outbound messaging, sub-agent spawning, and gateway startup. Rather than introducing a novel detection model, PRISM integrates a hybrid heuristic-plus-LLM scanning pipeline, conversation- and session-scoped risk accumulation with TTL-based decay, policy-enforced controls over tools, paths, private networks, domain tiers, and outbound secret patterns, and a tamper-evident audit and operations plane with integrity verification and hot-reloadable policy management. We outline an evaluation methodology and benchmark pipeline for measuring security effectiveness, false positives, layer contribution, runtime overhead, and operational recoverability in an agent-runtime setting, and we report current preliminary benchmark results on curated same-slice experiments and operational microbenchmarks. The system targets deployable runtime defense for real agent gateways rather than benchmark-only detection.

OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents

Abstract

Tool-augmented LLM agents introduce security risks that extend beyond user-input filtering, including indirect prompt injection through fetched content, unsafe tool execution, credential leakage, and tampering with local control files. We present OpenClaw PRISM, a zero-fork runtime security layer for OpenClaw-based agent gateways. PRISM combines an in-process plugin with optional sidecar services and distributes enforcement across ten lifecycle hooks spanning message ingress, prompt construction, tool execution, tool-result persistence, outbound messaging, sub-agent spawning, and gateway startup. Rather than introducing a novel detection model, PRISM integrates a hybrid heuristic-plus-LLM scanning pipeline, conversation- and session-scoped risk accumulation with TTL-based decay, policy-enforced controls over tools, paths, private networks, domain tiers, and outbound secret patterns, and a tamper-evident audit and operations plane with integrity verification and hot-reloadable policy management. We outline an evaluation methodology and benchmark pipeline for measuring security effectiveness, false positives, layer contribution, runtime overhead, and operational recoverability in an agent-runtime setting, and we report current preliminary benchmark results on curated same-slice experiments and operational microbenchmarks. The system targets deployable runtime defense for real agent gateways rather than benchmark-only detection.
Paper Structure (45 sections, 2 figures, 6 tables)

This paper contains 45 sections, 2 figures, 6 tables.

Table of Contents

  1. Keywords.
  2. Introduction
  3. Background and Threat Model
  4. Agent Runtime Model
  5. Protected Assets
  6. Adversaries and Goals
  7. Out-of-Scope Attacks and Assumptions
  8. System Design
  9. Architecture Overview
  10. Lifecycle-Wide Enforcement
  11. Two-Tier Injection Scanning
  12. Session Risk Engine and Policy Response
  13. Tool, Network, and Audit Governance
  14. Tool governance.
  15. Path governance.
  16. ...and 30 more sections

Figures (2)

  • Figure 1: PRISM architecture. The in-process plugin enforces security decisions inside the OpenClaw gateway. Optional data-plane sidecars extend scanning and tool governance; operations sidecars provide policy management and file-integrity monitoring. The audit plane ties runtime decisions to later verification and recovery.
  • Figure 2: Lifecycle-wide enforcement in PRISM. Security controls are distributed across five runtime phases, allowing the system to escalate from observation and warning to hard policy enforcement, redaction, and stateful recovery.