Faith Claw – Security middleware for autonomous AI agents (OpenClaw)
📦 Open source
#ai agents
#openclaw
#risk scoring
#security middleware
#vulnerability/security
#prompt injection
Original source: hackernews · Summarized and analyzed by Genesis Park
Summary
Faith Claw is a middleware built to harden the security of OpenClaw autonomous agents. It sits between the agent and its tools, risk-scoring every skill and action in real time and blocking malicious ones. To counter the CVE vulnerability disclosed in February 2026 and prompt injection, it introduces five layers of security techniques, including pre-flight scanning, runtime interception and memory scanning. Risk scores of 90 or above are blocked automatically, and Docker volumes are used so that audit logs and baseline data persist across container restarts.
Body
Security middleware for OpenClaw autonomous agents.

Faith Claw sits between your agent and its tools. Every action gets risk-scored before it executes. Injection payloads get caught before they reach memory. Behavioral drift detection catches multi-turn manipulation that single-action scanners miss entirely.

In February 2026, security researchers found 341 malicious skills out of 2,857 checked on ClawHub. CVE-2026-25253 allows attackers to push arbitrary commands through the AI gateway. Faith Claw was built specifically to address this.

| Threat | Coverage |
|---|---|
| Malicious ClawHub skills | ✅ Pre-flight scanner |
| Prompt injection via tools | ✅ Runtime interceptor |
| Data exfiltration attempts | ✅ Runtime + hard rules |
| Injection payloads in memory | ✅ Memory scanner |
| Multi-turn behavioral manipulation | ✅ Drift detector |
| Privilege escalation | ✅ Risk scoring + path rules |
| Audit log tampering | ✅ SHA-256 hash chaining |

```
OpenClaw session starts
  ↓
[PRE-FLIGHT] faithclaw-check — scans all installed skills
  ↓
Session runs
  ↓
[RUNTIME] faithclaw-intercept — risk-scores every tool call
  ↓
[MEMORY] faithclaw-memory — scans content before storing
  ↓
[DRIFT] faithclaw-drift — detects multi-turn manipulation
  ↓
[AUDIT] audit.jsonl — immutable hash-chained log
```

Every action is scored across three signals:

- Base score — action type (read=10, write=30, network=50, exec=70, delete=80)
- Context multipliers — unknown destination ×2.0, scraped origin ×1.5, outside workspace ×1.8
- Anomaly score — deviation from historical baseline (+0 to +25)

| Score | Decision |
|---|---|
| 90 | Hard block |

```sh
git clone https://github.com/KirpalS99/faith-claw
cp -r faith-claw ~/.openclaw/workspace/skills/
chmod +x faith-claw/bins/*
export FAITHCLAW_LOG_DIR=/app/memory/faithclaw
export FAITHCLAW_POLICY=strict   # strict | standard | permissive
docker-compose up
```

That's it. Faith Claw loads at highest workspace precedence and activates automatically.
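As an added worked example (not Faith Claw's own code, whose scoring internals are not shown here), the following Python implements the three-signal score with the base scores, context multipliers and 90-point hard-block threshold listed above. How the anomaly signal is derived from the baseline is not stated on the page, so the rule here is an assumption: the +0 to +25 anomaly grows with how far the action's raw score exceeds the mean raw score of the session history, saturating once the action is at least twice the baseline. Treating an unknown action type as the most dangerous known type is also an assumption, chosen so that misclassification fails closed. The session at the bottom is constructed sample input.

```python
"""Three-signal risk scoring (added example; values from the page, anomaly rule assumed)."""
from __future__ import annotations

from dataclasses import dataclass

# Base score by action type (from the page).
BASE_SCORES = {"read": 10, "write": 30, "network": 50, "exec": 70, "delete": 80}

# Context multipliers applied on top of the base score (from the page).
MULTIPLIERS = {
    "unknown_destination": 2.0,
    "scraped_origin": 1.5,
    "outside_workspace": 1.8,
}

ANOMALY_MAX = 25.0   # anomaly signal is bounded to +0..+25 (from the page)
HARD_BLOCK = 90      # a score of 90 is a hard block (from the page)


@dataclass(frozen=True)
class Action:
    kind: str                        # key of BASE_SCORES
    flags: frozenset = frozenset()   # subset of MULTIPLIERS keys that apply


def raw_score(action: Action) -> float:
    """Base score times every applicable context multiplier."""
    # Assumption: an action type the scorer does not know is treated like the
    # most dangerous known type, so a misclassified action fails closed.
    score = float(BASE_SCORES.get(action.kind, max(BASE_SCORES.values())))
    for flag in action.flags:
        score *= MULTIPLIERS[flag]   # an unknown flag raises KeyError on purpose
    return score


def anomaly_score(raw: float, history: list[float]) -> float:
    """Deviation from the historical baseline, clipped to 0..ANOMALY_MAX.

    Assumption (not from the page): the baseline is the mean raw score of the
    actions allowed so far, and the anomaly saturates once the current raw
    score is at least twice that baseline. With no history the signal is 0.
    """
    if not history:
        return 0.0
    baseline = sum(history) / len(history)
    excess = (raw - baseline) / max(baseline, 1.0)
    return ANOMALY_MAX * min(1.0, max(0.0, excess))


def risk_score(action: Action, history: list[float]) -> float:
    raw = raw_score(action)
    return raw + anomaly_score(raw, history)


def decide(action: Action, history: list[float]) -> tuple[str, float]:
    """Return ("block" | "allow", score). The caller records allowed actions in history."""
    score = risk_score(action, history)
    return ("block" if score >= HARD_BLOCK else "allow"), score


if __name__ == "__main__":
    # Constructed session: a few workspace reads, then a network call whose
    # payload came from scraped content, then an exec to an unknown destination.
    history: list[float] = []
    session = [
        Action("read"),
        Action("read"),
        Action("read"),
        Action("network", frozenset({"scraped_origin"})),
        Action("exec", frozenset({"unknown_destination"})),
    ]
    for action in session:
        decision, score = decide(action, history)
        print(f"{action.kind:8s} {sorted(action.flags)!s:24s} score={score:6.1f} -> {decision}")
        if decision == "allow":
            history.append(raw_score(action))
```

The point the session makes: a scraped-origin network call scores 75 on its own, below the threshold, but after a baseline of cheap reads the anomaly signal lifts it to 100 and it is blocked. That is the behaviour the page attributes to the anomaly term, and it also shows why first-session scores are necessarily conservative: with an empty history the term contributes nothing.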
By default Docker gives you a fresh environment every restart. Faith Claw uses named volumes so your audit logs and baselines survive:

```yaml
volumes:
  faithclaw-memory:   # audit log, drift baseline, preflight reports
  agent-memory:       # agent leads, tasks, history
```

The container resets. The data does not.

| Tool | What it does |
|---|---|
| faithclaw-check --scan-skills | Pre-flight scan of all skills |
| faithclaw-check --verify-log | Verify audit log hash chain |
| faithclaw-intercept | Risk-score an action |
| faithclaw-intercept --passthrough | Wrap a shell command |
| faithclaw-memory --scan-write --content | Scan before memory write |
| faithclaw-memory --scan-file | Scan existing memory file |
| faithclaw-drift --session-start | Record session baseline |
| faithclaw-drift --check | Check behavioral drift |
| faithclaw-drift --report | Print drift history |

Edit policy-rules.json to tune thresholds and whitelisted domains for your workflow.

| Mode | PAUSE behavior |
|---|---|
| strict | Auto-block after 60s timeout |
| standard | Wait indefinitely for input |
| permissive | Auto-approve after 60s |

```
faith-claw/
├── SKILL.md             ← OpenClaw skill definition
├── policy-rules.json    ← Hard rules and thresholds
├── docker-compose.yml   ← Docker + persistent volumes
├── README.md
└── bins/
    ├── faithclaw-check      ← Pre-flight scanner + log verifier
    ├── faithclaw-intercept  ← Runtime action interceptor
    ├── faithclaw-memory     ← Memory write scanner
    └── faithclaw-drift      ← Behavioral drift detector
```

- Faith Claw intercepts tool calls, not internal reasoning. A sufficiently sophisticated prompt injection that manipulates agent intent without triggering tool calls can still cause harm if the agent has broad permissions.
- Drift detection needs ~5 sessions to build a reliable behavioral baseline. First-session anomaly scores are conservative.
- policy-rules.json whitelisted domains need to be updated for your specific workflow.

Issues and PRs welcome. Especially interested in:

- Additional injection pattern signatures
- OpenClaw version compatibility testing
- Integration with other agent frameworks (LangChain, CrewAI, AutoGen)

MIT
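The SHA-256 hash chaining that backs audit.jsonl and the faithclaw-check --verify-log tool is named on the page but not shown. The following Python is an added example, not the project's own code: it appends events to a hash-chained JSONL log and verifies the chain the way a log verifier would. The entry layout (seq, prev_hash and hash fields, an all-zero genesis value) and the optional expected-tip check are assumptions, and the three events are constructed sample data, not real Faith Claw output.

```python
"""SHA-256 hash-chained audit log: append, serialize as JSONL, verify (added example)."""
from __future__ import annotations

import hashlib
import json

GENESIS_HASH = "0" * 64                  # prev_hash of the first entry (assumed layout)
RESERVED = {"seq", "prev_hash", "hash"}  # fields owned by the chain, not by events


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization: sorted keys and no whitespace, so the hash
    # does not depend on how a line happened to be pretty-printed.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list[dict], event: dict) -> dict:
    """Append an event, binding it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    body = {k: v for k, v in event.items() if k not in RESERVED}
    body["seq"] = len(log)
    body["prev_hash"] = prev_hash
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    log.append(entry)
    return entry


def to_jsonl(log: list[dict]) -> str:
    return "".join(json.dumps(entry, sort_keys=True) + "\n" for entry in log)


def verify_chain(jsonl_text: str, expected_tip: str | None = None) -> tuple[bool, int | None]:
    """Walk the log; return (True, None) or (False, seq of the first bad entry).

    Recomputing each hash catches in-place edits; checking prev_hash and seq
    catches deleted or reordered entries. Dropping entries from the END is
    invisible to the chain alone, so a verifier that remembers the last hash
    it saw passes it as expected_tip to detect truncation.
    """
    prev_hash = GENESIS_HASH
    seq = -1
    for seq, line in enumerate(l for l in jsonl_text.splitlines() if l.strip()):
        entry = json.loads(line)
        claimed = entry.pop("hash", None)
        if entry.get("seq") != seq or entry.get("prev_hash") != prev_hash:
            return False, seq
        if hashlib.sha256(_canonical(entry)).hexdigest() != claimed:
            return False, seq
        prev_hash = claimed
    if expected_tip is not None and prev_hash != expected_tip:
        return False, seq + 1   # the entry that should follow the last one is missing
    return True, None


# Constructed sample events (not real Faith Claw output).
SAMPLE_EVENTS = [
    {"tool": "read_file", "score": 10, "decision": "allow"},
    {"tool": "exec", "score": 140, "decision": "block"},
    {"tool": "write_memory", "score": 30, "decision": "allow"},
]


def build_sample_log() -> list[dict]:
    log: list[dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    text = to_jsonl(log)
    print(text, end="")
    print("intact:   ", verify_chain(text))
    lines = text.splitlines()
    edited = list(lines)
    edited[1] = edited[1].replace('"block"', '"allow"')   # rewrite a decision in place
    print("edited:   ", verify_chain("\n".join(edited)))
    print("truncated:", verify_chain("\n".join(lines[:-1]), expected_tip=log[-1]["hash"]))
```

Two details matter for a verifier of this kind. Hashing a canonical form rather than the raw line means reformatting the file is not a tampering event, while any change to a value is. And because a chain only proves continuity back to genesis, the tip hash has to be kept somewhere the log writer cannot reach (the page's separate named volume is one place to start), otherwise removing the newest entries leaves a chain that still verifies.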
This analysis was written by the Genesis Park editorial team with the help of AI. The original is available via the source link.