Clawdstrike
Runtime security enforcement and threat hunting engine for autonomous AI fleets. Build Swarm Detection & Response (SDR) platforms with Clawdstrike.
The Problem
Google's 2026 Cybersecurity Forecast calls it the "Shadow Agent" crisis: employees and teams spinning up AI agents without corporate oversight, creating invisible pipelines that exfiltrate sensitive data, violate compliance, and leak IP. The AI agent hype cycle accelerates it: prototypes become deployments before anyone can threat-model the blast radius. No one sanctioned them. No one is watching them. And most security stacks were built for defined, static attacks — not continuous, goal-driven agentic behavior.
Your org provisioned 50 agents. Shadow IT spun up 50 more outside your asset inventory. One exfiltrates .env secrets to an unclassified endpoint. Another patches auth middleware with no peer review, no receipt, no rollback. A third runs chmod 777 against a production filesystem. Your SIEM stays green because these actions don’t generate the signals it was built to detect.
Logs tell you what happened. Clawdstrike stops it before it happens.
Every decision is signed. Every receipt is non-repudiable. If it didn't get a signature, it didn't get permission.
Clawdstrike enforces policy at the tool boundary — fail-closed, with signed proof.
What Clawdstrike Is
Clawdstrike is a fail-closed policy engine and cryptographic attestation runtime for AI agent systems. It sits at the tool boundary, the exact point where an agent's intent becomes a real-world action, and enforces security policy with signed proof. From a single SDK install to a fleet of thousands of managed agents, the same engine, the same receipts, the same guarantees.
```mermaid
flowchart LR
A[Agent Swarm<br/>OpenAI / Claude / OpenClaw / LangChain] --> B[Clawdstrike Adapter]
B --> C[Canonical Action Event]
C --> D[Policy Engine<br/>+ Guard Stack]
D -->|allow| E[Tool Execution]
D -->|deny| F[Fail-Closed Block]
D --> G[Ed25519 Signed Receipt]
G -.->|enterprise| H[Spine Audit Trail]
H -.-> I[Control API + Control Console]
```
Three layers, one system:
| Layer | What It Does |
| ----- | ------------ |
| Guard Stack | 13 composable guards at the tool boundary: path access, egress, secrets, shell commands, MCP tools, jailbreak detection, prompt injection, CUA controls, Spider-Sense threat screening. Every verdict is Ed25519-signed into a non-repudiable receipt. |
| Swarm C2 | An operational control plane for managing agent fleets in production. Durable, replayable fleet transport over NATS JetStream, policy flow coordination via Spine, enrollment and credential provisioning, posture commands with request/reply acknowledgements, and a Proofs API + Control Console for verification and SOC workflows. |
| Swarm Trace | Prevention + hunting at the agent tool boundary. Hunt across signed receipts, kernel telemetry (Tetragon, auditd), and network flows (Hubble), build timelines, run natural-language and structured queries, correlate against detection rules, and ship OCSF-formatted findings straight into your SIEM. |
Without Clawdstrike

- Agent reads `~/.ssh/id_rsa`. You find out from the incident report
- Secret leaks into model output. Compliance discovers it 3 months later
- Jailbreak prompt bypasses safety. No one notices until the damage is public
- Multi-agent delegation escalates privileges. Who authorized what?
- "We have logging." Logs are stories anyone can rewrite

With Clawdstrike

- `ForbiddenPathGuard` blocks the read, signs a receipt
- `OutputSanitizer` redacts the secret before it ever leaves the pipeline
- 4-layer jailbreak detection catches it across the session, even across multi-turn grooming attempts
- Delegation tokens with cryptographic capability ceilings. Privilege escalation is mathematically impossible
- Ed25519 signed receipts. Tamper-evident proof, not narratives
Every action. Every agent. Every time. No exceptions.
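The flow in the diagram above and the `ForbiddenPathGuard` row of the comparison, reduced to a minimal Go program as an added example (not code from the Clawdstrike repository or its SDKs): a canonical action event passes through a fail-closed guard stack, the verdict is Ed25519-signed into a receipt, and any edit to the receipt afterwards breaks verification. The `Guard` signature, the `Receipt` layout, `NewKeypair` and the guard's path list are assumptions for illustration, not Clawdstrike's real types.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
)

// ActionEvent is the canonical action event the adapter hands to the policy engine.
type ActionEvent struct{ AgentID, Tool, Target string }
// Receipt: Verdict is "allow"/"deny", Guard names the denying guard ("" on allow), Sig is hex Ed25519 over the rest.
type Receipt struct{ Event ActionEvent; Verdict, Guard, Sig string }
// Guard returns its name to deny, "" to allow; an error also ends in deny (fail-closed).
type Guard func(ActionEvent) (string, error)
// NewKeypair stands in for the keys `clawdstrike init --keygen` writes (assumed helper; nil reader selects crypto/rand).
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey) { pub, priv, _ := ed25519.GenerateKey(nil); return pub, priv }
// forbiddenPathGuard denies file reads of a constructed set of sensitive locations.
func forbiddenPathGuard(e ActionEvent) (string, error) {
	if e.Tool == "file.read" && (strings.Contains(e.Target, "/.ssh/") || strings.HasSuffix(e.Target, "/.env")) {
		return "ForbiddenPathGuard", nil
	}
	return "", nil
}
// brokenGuard simulates a guard whose backend is unreachable; the engine must not fail open.
func brokenGuard(ActionEvent) (string, error) { return "", errors.New("guard backend down") }
// signedBytes clears Sig and JSON-encodes the rest in struct field order, which is stable in Go.
func signedBytes(r Receipt) []byte { r.Sig = ""; b, _ := json.Marshal(r); return b }
// Evaluate runs the guard stack: the first deny or error wins, and every verdict is signed.
func Evaluate(priv ed25519.PrivateKey, e ActionEvent, guards []Guard) Receipt {
	r := Receipt{Event: e, Verdict: "allow"}
	for _, g := range guards {
		if name, err := g(e); err != nil || name != "" {
			if err != nil {
				name = "fail-closed: " + err.Error()
			}
			r.Verdict, r.Guard = "deny", name
			break
		}
	}
	r.Sig = hex.EncodeToString(ed25519.Sign(priv, signedBytes(r)))
	return r
}
// Verify rejects any receipt whose event, verdict or guard was altered after signing.
func Verify(pub ed25519.PublicKey, r Receipt) bool {
	sig, err := hex.DecodeString(r.Sig)
	return err == nil && ed25519.Verify(pub, signedBytes(r), sig)
}
```

The `brokenGuard` case is the fail-closed point: a guard that cannot decide produces a signed deny, never a silent allow.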
Beta software. Public APIs and import paths are expected to be stable; behavior and defaults may still evolve before 1.0. Not yet production-hardened for large-scale deployments.
Quick Start
Install

```bash
brew tap backbay-labs/tap
brew install clawdstrike
clawdstrike --version
```
Initialize
```bash
# Scaffold a .clawdstrike/ project (policy, config, signing keys)
clawdstrike init --keygen
# → creates policy.yaml, config.toml, keys/clawdstrike.key + .pub
```
Start the Daemon
```bash
# Start the enforcement daemon (runs hushd on 127.0.0.1:9876)
clawdstrike daemon start
# Verify it's running
clawdstrike daemon status
# → Status: healthy | Version: 0.2.7 | Uptime: 2s
# Stop when do
```
