OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents
Frank Li

TL;DR
OpenClaw PRISM introduces a comprehensive, zero-fork runtime security layer for tool-augmented LLM agents, enhancing security through multi-layered enforcement, heuristic-LLM scanning, and tamper-evident auditing, without relying on new detection models.
Contribution
The paper presents OpenClaw PRISM, a novel runtime security framework that integrates heuristic and LLM-based scanning, policy enforcement, and audit capabilities for secure LLM agent deployment.
Findings
Preliminary benchmarks show effective security coverage.
Low runtime overhead in microbenchmarks.
Enhanced operational recoverability demonstrated.
Abstract
Tool-augmented LLM agents introduce security risks that extend beyond user-input filtering, including indirect prompt injection through fetched content, unsafe tool execution, credential leakage, and tampering with local control files. We present OpenClaw PRISM, a zero-fork runtime security layer for OpenClaw-based agent gateways. PRISM combines an in-process plugin with optional sidecar services and distributes enforcement across ten lifecycle hooks spanning message ingress, prompt construction, tool execution, tool-result persistence, outbound messaging, sub-agent spawning, and gateway startup. Rather than introducing a novel detection model, PRISM integrates a hybrid heuristic-plus-LLM scanning pipeline, conversation- and session-scoped risk accumulation with TTL-based decay, policy-enforced controls over tools, paths, private networks, domain tiers, and outbound secret patterns, and…
Taxonomy
Topics: Security and Verification in Computing · Access Control and Trust · Mobile Agent-Based Network Management
