ClawLess: A Security Model of AI Agents
Hongyi Lu, Nian Liu, Shuai Wang, Fengwei Zhang

TL;DR
ClawLess introduces a formal security framework for AI agents that enforces verified policies to mitigate risks from potentially adversarial autonomous agents, bridging formal models with practical enforcement.
Contribution
It presents a novel security model and enforcement mechanism for AI agents, ensuring security even if the agent behaves adversarially, using a formal policy system and kernel-level enforcement.
Findings
Formal security policies can be dynamically expressed and enforced.
The system ensures security guarantees under worst-case adversarial scenarios.
Practical enforcement is achieved via a user-space kernel with syscall interception.
Abstract
Autonomous AI agents powered by Large Language Models can reason, plan, and execute complex tasks, but their ability to autonomously retrieve information and run code introduces significant security risks. Existing approaches attempt to regulate agent behavior through training or prompting, which does not offer fundamental security guarantees. We present ClawLess, a security framework that enforces formally verified policies on AI agents under a worst-case threat model where the agent itself may be adversarial. ClawLess formalizes a fine-grained security model over system entities, trust scopes, and permissions to express dynamic policies that adapt to agents' runtime behavior. These policies are translated into concrete security rules and enforced through a user-space kernel augmented with BPF-based syscall interception. This approach bridges the formal security model with practical…
