CrowdStrike and Cisco flagged OpenClaw's security gaps — prompt injection, data exfiltration, unvetted skills, no access control. Crawdad is the open-source runtime trust layer that fixes all of them. Works with OpenClaw, LangChain, CrewAI, AutoGen, and any agent framework.
OpenClaw has 68K+ GitHub stars and runs on thousands of machines. CrowdStrike, Cisco, and security researchers have all flagged the same gaps:
Malicious instructions embedded in data can hijack the agent's capabilities. No semantic firewall exists to detect or block them.
Cisco found third-party skills that exfiltrated data without user awareness. No content filtering or PII detection exists.
Skills are directories with a markdown file. No hash verification, no attestation, no capability policy enforcement.
Agents run with the user's full permissions. No identity verification, no policy engine, no action authorization.
Sources: CrowdStrike, Cisco, Microsoft Security, Giskard, Penligent — documented across multiple security advisories and CVE-2026-25253.
Crawdad wraps your OpenClaw agent (or any agent) in a complete security layer. Every pillar addresses a real vulnerability that exists today.
Ed25519 keypairs, DID documents, encrypted credential vaults, three-level kill switch, and purpose-bound scoped tokens with automatic expiry.
Structural deobfuscation, 27 injection patterns, output guard with exfiltration detection, and instruction density scoring for slow escalation attacks.
5-factor risk scoring, Rule of Two enforcement, behavioral baselines with anomaly detection, and configurable permit/escalate/deny decisions.
Merkle-chained entries with Ed25519 signatures, firewall-gated writes, surgical rollback, compaction seals, and write anomaly detection.
SHA-256 manifest verification, static analysis, capability policies, version validation, typosquat detection, runtime monitoring, and SBOM analysis.
Signed envelopes, delegation chains with scope reduction, content filtering, collusion detection, cascade breakers, quarantine zones, and provenance tracking.
15-category PII detection, 4 transform modes, consent management, DSAR engine, 10-jurisdiction compliance, differential privacy, and reporting.
Beyond the core pillars, Crawdad includes hardened security features designed for real-world multi-agent systems.
No agent holds untrusted input + sensitive data + code execution simultaneously. Auto-deny on violation.
Per-agent fan-out limits with auto-trip on >50% error rate. Three isolation levels: Soft, Hard, Quarantine.
Trust decay (10%/hop, floor 0.1) prevents trust laundering where untrusted data gains trust through intermediaries.
Validates multi-hop delegations for monotonic scope reduction, depth limits, and circular prevention.
Cryptographic seals over compacted memory with SHA-256 hashes, composite provenance, and tamper-evident verification.
CycloneDX bills of materials with semver vulnerability matching, license policy enforcement, and risk scoring.
Laplace and Gaussian noise mechanisms for aggregate queries with privacy budget tracking and exhaustion enforcement.
Per-tenant data isolation, scoped API keys, admin management endpoints, and configurable agent quotas.
pip install crawdad-sdk[openclaw]. The Python SDK wraps all 70+ endpoints with type hints, error handling, and context manager support. The OpenClaw middleware intercepts inbound, outbound, and tool execution.
Single binary, SQLite persistence, zero external dependencies. Deploy in seconds.
Pull and run. Persistent volume for SQLite. Done.
Production Helm chart with HPA, secrets, PVC, and ingress.
One-click deploy. Already running in production.
Clone, build, run. Rust 1.75+, that's it.
Built for OpenClaw, works with any agent framework. Open source. BSL 1.1 licensed. pip install crawdad-sdk[openclaw].