BAAI Open-Source ClawKeeper: Using Agents to Supervise Agents

Zhiyuan, together with BUPT and CAICT, released ClawKeeper v1.0. Using a three-layer architecture of Skill-Plugin-Watcher, it provides full-lifecycle security protection for OpenClaw agents, directly addressing the high-risk attack surface of local general-purpose agents.
OpenClaw’s security problems have finally received a systematic response.
Recently, the Beijing Academy of Artificial Intelligence, together with Beijing University of Posts and Telecommunications and the China Academy of Information and Communications Technology, released ClawKeeper v1.0 — an open-source security framework specifically designed for the OpenClaw agent ecosystem. The project is open-sourced on GitHub, and the paper has been published simultaneously.
This is not yet another “security best practices guide,” but a runnable real-time defense system where agents supervise other agents.
How dangerous is OpenClaw, really?
To understand the value of ClawKeeper, we first need to grasp how challenging the problems it aims to solve are.
Current mainstream AI agents roughly fall into three categories:
application-layer agents (like those on Doubao or Qianwen),
cloud sandbox agents (Manus, HaloMate),
and local agents (Claude Code, Gemini CLI).
The first two have limited capabilities or are restricted within sandboxes; the third category can operate on local resources but uses a zero-trust approach — every command requires explicit user approval.
OpenClaw is an outlier. In its default configuration, it imposes no restrictions or authorization requirements on skill invocation and command execution, making it a truly “omnipotent local agent.” The more capable it is, the greater the attack surface.
The numbers speak for themselves. According to a security analysis report by NSFOCUS this April, OpenClaw-related CVEs peaked in February 2026, revealing sandbox escape and command execution issues. The severity distribution is worrying:
- Critical (12%) — may lead to remote code execution, administrator privilege acquisition, or direct API key leakage
- High (58%) — involving sandbox escape, privilege escalation, and large-scale data leaks
- Total: 70% of vulnerabilities
By type: improper authorization (CWE-285) accounts for 42%, OS command injection (CWE-78) for 22%, and path traversal (CWE-22) for 18%. The main attack surfaces are plugin integrations and external webhooks — points of interaction between agents and external systems.

The supply chain situation is equally grim. In February 2026, security firm Snyk scanned 3,984 third-party skills from ClawHub and skills.sh, finding that 13.4% (534 skills) contained severe security issues — including malware, credential theft, and prompt injection — and 36.8% (1,467 skills) had at least one vulnerability such as hardcoded API keys.
The most notable event was the “ClawHavoc” supply-chain poisoning attack from late January to mid-February this year. Attackers distributed malware disguised as legitimate skills (Atomic macOS Stealer) via ClawHub. It was jointly uncovered by Trend Micro and OpenSourceMalware. This is not a theoretical risk — it was a real-world attack.
In short, OpenClaw’s current security state is:
an almost unprotected local omnipotent agent running an ecosystem where one-third of the skills have security flaws — and attackers are already targeting it.
ClawKeeper’s Three-Layer Defense Architecture
ClawKeeper adopts a “defense-in-depth” approach, but instead of simply building a wall around OpenClaw, it introduces three coordinated defensive layers: Skill, Plugin, and Watcher.
The ingenious part is that it leverages OpenClaw’s own extension mechanisms for protection — securing agents in an agent-native way.
Layer 1: Skill (Skill-Level Defense)
This innermost layer directly targets the agent’s skill execution process — essentially an additional “security checkpoint” for every skill invocation.
It performs two main tasks:
- Real-time validation of skill I/O, intercepting abnormal parameters and suspicious outputs;
- Static analysis of skill code during the loading phase to identify potential malicious patterns.
Given that more than one-third of ClawHub’s skills have known vulnerabilities, this layer is absolutely necessary.
For developers, it means you don’t have to manually audit every third-party skill. ClawKeeper does runtime screening for you. It’s not a replacement for manual reviews but effectively blocks obvious risks.
Layer 2: Plugin (Plugin-Level Defense)
The plugin layer secures interactions between agents and external systems — the most vulnerable area.
Key defenses include webhook integration (Discord, Slack, Matrix) permission checks, API credential protection, and sanitization of external inputs. Remember the 42% of authorization flaws? The plugin layer specifically addresses those.
It functions like middleware in traditional web applications — intercepting all inbound and outbound communications and filtering them according to predefined policies. Unlike fixed rules, these policies can dynamically adapt to the deployment environment, which is vital for managing local AI clusters.
Layer 3: Watcher (Observer-Level Defense)
The outermost layer — and arguably the most interesting part of ClawKeeper.
Watcher is a set of independent monitoring agents that don’t participate in business logic. They observe behavioral patterns of other agents. When detecting anomalies — such as an agent suddenly reading unrelated files, accessing unauthorized network addresses, or executing commands inconsistent with its intent — Watcher triggers alarms or blocks the action.
This is the essence of “using agents to supervise agents.” Conventional rule engines only match known attack patterns, while Watcher agents understand context — determining if a behavior is reasonable in the current scenario. For example, if a document-organizing agent tries to read ~/.ssh/, you’d have to manually set a blacklist rule in a traditional system, but Watcher can simply recognize that “something’s off.”
Of course, using AI to supervise AI raises its own reliability question. ClawKeeper mitigates this by running Watchers in isolated, restricted processes and enabling cross-verification among them. Not perfect, but pragmatically sound.
How Does ClawKeeper Compare?
Agent security isn’t a new topic. In recent months, numerous open-source projects have appeared in this domain:
| Project | Core Concept | Focus | |----------|---------------|--------| | ClawKeeper | Three-layer Skill + Plugin + Watcher architecture | Full-lifecycle protection for the OpenClaw ecosystem | | ClawAegis (Ant Group + Tsinghua) | Deep defense via full-chain plugin | Five-phase coverage, general-purpose agent framework | | MCP Guardian | Security-first middleware | Protection at the MCP protocol layer | | ShieldAgent | Verifiable security-policy reasoning | Formal-verification approach | | LlamaFirewall (Meta) | Guardrail system | General LLM agent protection |
ClawKeeper’s distinguishing trait is clear: it’s tailor-made for OpenClaw. That’s both its strength and limitation — the targeting ensures precise defense, but reduces applicability to other frameworks.
Compared to Ant/Tsinghua’s ClawAegis, ClawKeeper’s Watcher mechanism is a notable innovation. ClawAegis focuses on conventional rule- and policy-based defenses, while ClawKeeper adds agent-level behavior monitoring — theoretically improving adaptability against unknown attacks. However, ClawAegis is more universal and not tied to a specific agent framework.
These projects aren’t mutually exclusive. In real-world deployments, it’s entirely feasible to use MCP Guardian at the protocol layer and ClawKeeper at the OpenClaw runtime layer for deeper overall defense.
What This Means for Developers
If you’re building agent applications with OpenClaw, ClawKeeper is practically mandatory for now. Why? Because OpenClaw’s default security model is too permissive, and manually auditing every third-party skill is unrealistic.
ClawKeeper is particularly suitable for local-agent cluster deployments — such as enterprise internal multi-agent collaboration systems. In such setups, agents communicate frequently, the attack surface is wide, and external cloud-based protection isn’t viable. ClawKeeper’s local deployment and Watcher mechanism are a perfect fit.
For developers using APIs to call various models to power agents, security must start at the model-call layer. For instance, if you use an aggregator like OpenAI Hub to invoke GPT, Claude, and Gemini APIs, build security constraints directly into the system prompt, then pair that with ClawKeeper’s runtime protection to create full-chain safeguarding from model execution to runtime.
A typical secure invocation example:
from openai import OpenAI
client = OpenAI(
base_url="https://api.openai-hub.com/v1",
api_key="your-api-key"
)
# Embed security constraints in the system prompt
response = client.chat.completions.create(
model="gpt-4o",
messages=[
{
"role": "system",
"content": (
"You are an agent subject to security policies. Before performing any file operation, "
"verify path legitimacy. Do not access sensitive directories outside the user home, "
"and do not execute system commands that are not on the whitelist. "
"All external API calls must go through a secure proxy layer."
)
},
{
"role": "user",
"content": "Help me organize the files in ./documents directory."
}
]
)
print(response.choices[0].message.content)
Of course, prompt-level constraints are only the first line of defense — easily bypassed by prompt injection. Real protection must come from runtime frameworks like ClawKeeper performing hard interception at the execution level.
The Bigger Picture
The release of ClawKeeper is not an isolated event — it’s part of the broader awakening across the industry regarding agent security.
In March, the newly amended Cybersecurity Law explicitly mandated stronger AI risk monitoring, assessment, and supervision. The policy signal is clear: agents can’t just run unchecked.
From the tech community’s response, Q1 2026 marks an explosion of agent-security frameworks — ClawKeeper, ClawAegis, MCP Guardian, ShieldAgent, LlamaFirewall… almost a new one every week. This reveals two truths:
- Agent security problems have indeed reached a level demanding urgent resolution.
- The industry still lacks unified standards and best practices — everyone’s exploring.
For the OpenClaw ecosystem, ClawKeeper is a positive sign. The security of any open-source project largely depends on whether its community acknowledges the issues and invests resources to fix them. The joint effort by Zhiyuan, BUPT, and CAICT shows that academia and standard-setting bodies are taking OpenClaw’s security seriously.
Still, we should remain clear-eyed — ClawKeeper v1.0 is only a starting point. Agent security is an ever-evolving battle: attacks that can be blocked today might bypass defenses tomorrow. The effectiveness of the Watcher mechanism must be continuously proven under real attacks, and the coordination cost between layers needs extensive benchmarking to assess performance impacts.
Nonetheless, having something is better than nothing. Given OpenClaw’s near “bare” default state, ClawKeeper at least provides developers an immediately usable security baseline.
References
- 36Kr — Zhiyuan releases ClawKeeper security framework: using agents to supervise agents — Official announcement
- Zhihu column — ClawKeeper: installing a three-layer firewall for OpenClaw agents — Technical architecture details



