Security researchers flagged critical gaps in autonomous AI agents — prompt injection, data exfiltration, unvetted skills, no access control. Crawdad is the runtime security API that fixes all of them. Post-quantum ready, air-gap deployable, cryptographically auditable. Works with OpenClaw, LangChain, CrewAI, AutoGen, and any agent framework.
Autonomous AI agents run shell commands, control browsers, read files, and send emails — all with the user's full permissions. Security researchers have documented the gaps:
Malicious instructions embedded in data can hijack the agent's capabilities. No semantic firewall exists to detect or block them.
Third-party skills can exfiltrate data without user awareness. No content filtering or PII detection exists.
Skills are directories with a markdown file. No hash verification, no attestation, no capability policy enforcement.
Agents run with the user's full permissions. No identity verification, no policy engine, no action authorization.
Documented by CrowdStrike, Cisco, Microsoft Security, Giskard, and Penligent. OWASP formalized 10 risk categories for agentic AI (ASI01–ASI10).
Crawdad wraps your agent in a complete security layer. One API call before every inbound message, tool execution, and outbound response.
Ed25519 + CRYSTALS-Kyber1024 hybrid keypairs, step-ca PKI, mTLS, forward secrecy. DID documents, encrypted credential vaults, three-level kill switch, and purpose-bound scoped tokens.
Structural deobfuscation, 27 injection patterns, output guard with exfiltration detection, instruction density scoring. ZK policy proofs — verify decisions without revealing rules.
5-factor risk scoring, Rule of Two enforcement, behavioral baselines with anomaly detection. Byzantine fault detection with auto-isolation of compromised agents.
Merkle-chained entries with Ed25519 signatures, firewall-gated writes, surgical rollback, compaction seals, and write anomaly detection.
SHA-256 manifest verification, static analysis, capability policies, version validation, typosquat detection, runtime monitoring, and SBOM analysis.
Signed envelopes, delegation chains with scope reduction, content filtering, collusion detection, cascade breakers, quarantine zones, and provenance tracking.
15-category PII detection, 4 transform modes, consent management, DSAR engine, 10-jurisdiction compliance, differential privacy, and reporting.
Beyond the core pillars, Crawdad includes hardened security features designed for real-world multi-agent systems.
No agent holds untrusted input + sensitive data + code execution simultaneously. Auto-deny on violation.
Per-agent fan-out limits with auto-trip on >50% error rate. Three isolation levels: Soft, Hard, Quarantine.
Trust decay (10%/hop, floor 0.1) prevents trust laundering where untrusted data gains trust through intermediaries.
Validates multi-hop delegations for monotonic scope reduction, depth limits, and prevention of circular delegation.
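As an added illustration of the three checks described above (Rule of Two, per-hop trust decay with the page's 10%/hop rate and 0.1 floor, and delegation-chain validation), here is a small Python implementation; it is not Crawdad's code or SDK. Multiplicative decay and the depth limit of 3 are assumptions, since the page states neither.

```python
from __future__ import annotations
from dataclasses import dataclass

DECAY_PER_HOP = 0.10   # from the page: trust loses 10% per hop
TRUST_FLOOR = 0.10     # from the page: floor of 0.1
MAX_DEPTH = 3          # assumed: the page names no numeric depth limit


def decayed_trust(initial: float, hops: int) -> float:
    """Trust left after passing through `hops` intermediaries.
    Assumes multiplicative decay; the floor stops a long chain from
    zeroing trust entirely while still marking laundered data as low-trust."""
    if not 0.0 <= initial <= 1.0 or hops < 0:
        raise ValueError("trust must be in [0, 1] and hops >= 0")
    return max(TRUST_FLOOR, initial * (1.0 - DECAY_PER_HOP) ** hops)


@dataclass
class AgentContext:
    untrusted_input: bool = False   # e.g. reading a web page or inbound email
    sensitive_data: bool = False    # e.g. credentials or private files in context
    code_execution: bool = False    # e.g. shell or browser automation enabled


def rule_of_two_allows(ctx: AgentContext) -> bool:
    """Rule of Two: any two of the three properties may coexist, never all three."""
    return not (ctx.untrusted_input and ctx.sensitive_data and ctx.code_execution)


def validate_delegation_chain(chain: list[tuple[str, frozenset[str]]]) -> tuple[bool, str]:
    """chain = [(agent_id, scopes), ...] from the root delegator to the final delegate.
    Scopes must be a subset of the previous hop's (monotonic reduction), the
    chain depth is capped, and no agent may appear twice (circular delegation)."""
    if not chain:
        return False, "empty chain"
    if len(chain) - 1 > MAX_DEPTH:
        return False, "depth limit exceeded"
    seen: set[str] = set()
    prev_scopes = None
    for agent_id, scopes in chain:
        if agent_id in seen:
            return False, f"circular delegation via {agent_id}"
        seen.add(agent_id)
        if prev_scopes is not None and not scopes <= prev_scopes:
            return False, f"scope expansion at {agent_id}: {sorted(scopes - prev_scopes)}"
        prev_scopes = scopes
    return True, "ok"
```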
Cryptographic seals over compacted memory with SHA-256 hashes, composite provenance, and tamper-evident verification.
CycloneDX bills of materials with semver vulnerability matching, license policy enforcement, and risk scoring.
Laplace and Gaussian noise mechanisms for aggregate queries with privacy budget tracking and exhaustion enforcement.
Per-tenant data isolation, scoped API keys, admin management endpoints, and configurable agent quotas.
pip install crawdad-sdk. Get an API key. The Python SDK wraps all 90+ endpoints with type hints, error handling, and context manager support.
OpenClaw runs shell commands, controls browsers, reads your files, and sends your emails — autonomously, on a loop, with your full permissions.
CVE-2026-25253 (CVSS 8.8) let any website take over any OpenClaw machine through a single malicious link. It was disclosed in January 2026.
Crawdad wraps every OpenClaw agent in seven security layers. It activates the moment you install it. No configuration. No code changes. Your agents keep working — now with a security layer they cannot override.
Run the install command. Crawdad downloads the skill and provisions a free API key automatically.
Every inbound message is scanned for prompt injection. Every tool call is authorized through a policy engine. Every outbound response is filtered for PII and credentials.
Full audit trail of every security decision. Kill switch for any agent. Upgrade when you need more API calls.
Three deployment modes for every security requirement.
Zero config. Get an API key and start securing agents in 30 seconds. We handle the infrastructure.
Docker Compose deployment on your own infrastructure. Your data never leaves your network.
Fully offline. No external dependencies. USB-deployable. Built for classified environments and zero-trust networks.
Every plan includes all 7 security pillars, all 90+ API endpoints, and the full Python SDK. No feature gating.
Enterprise — Dedicated infrastructure, VPC deployment, on-premise, custom SLAs. Starting at $3,000/month.
Government & Defense — Air-gapped deployment, FedRAMP pathway, data sovereignty. Starting at $50,000/year.
Get your API key in 10 seconds. Start with 10,000 free API calls. No credit card required.
Free tier — 10,000 calls/month, 5 agents, all features. No credit card.