AgentWard (玄甲) is a full-stack security operating system purpose-built for trustworthy, scalable AI agent deployment, with native code adaptation to OpenClaw. AgentWard unifies agent onboarding, secure reasoning, and trusted execution in one cohesive security architecture, with upcoming native support for other leading mainstream agent frameworks. Its heterogeneous defense-in-depth design rearchitects the agent workflow into five coordinated security layers across startup, perception, memory, decision-making, and execution, with dynamic cross-stage protections that verify foundation integrity, block adversarial deception, stop memory tampering, and validate every autonomous decision and high-risk command — a complete, end-to-end closed security loop that delivers on the promise of "trustworthy at inception, controllable throughout the process, and reliable in outcomes".
- 🛡️ Comprehensive Risk Coverage — Heterogeneous Defense-in-Depth (DiD) architecture delivers full-scope agent security assurance, blocking diverse attack vectors across the entire agent attack surface.
- ⚡ One-Click Deployment — Plugin-native design weaves security natively into the full agent lifecycle. Enable comprehensive agent security with one click via non-intrusive integration, which guarantees seamless and fast version adaptation for OpenClaw.
- 🔒 Deterministic System-Level Controls — Delivers deterministic, fully auditable, code-enforced security that outperforms skill-based solutions depending on endogenous security, with native support for large-scale deployment and production-grade readiness.
- 🌐 Open & Extensible Security Standard — Community-driven, transparent and auditable open standard with a modular architecture designed for extensibility. Built with complete framework-algorithm decoupling for effortless integration of advanced detection algorithms, with a roadmap to extend support to general agentic systems.
-
⚡ Installation or Update
# Run the setup script bash /path/to/agent-ward/setup.sh -
✅ Verify Installation
openclaw plugins list
Then enjoy enhanced security for your OpenClaw!
AgentWard is natively and deeply integrated with the OpenClaw platform and embeds native security capabilities into the full lifecycle workflow of AI agents. Its heterogeneous defense-in-depth architecture reconstructs isolated single-point security checks into a closed-loop, coordinated system-level protection system, delivering end-to-end, full-chain trustworthy assurance for AI agents from startup through to execution.
AgentWard delivers system-level security through five tightly integrated layers that work in tandem — transforming isolated security checks into a unified, end-to-end protection system for AI agents.
| Layer | Focus |
|---|---|
| 🏗️ Foundation Scan Layer | Supply chain trust and baseline integrity |
| 🧼 Input Sanitization Layer | Prompt injection and jailbreak detection |
| 🧠 Cognition Protection Layer | Memory poisoning and context drift |
| 🎯 Decision Alignment Layer | Intent consistency before action |
| 🔧 Execution Control Layer | High-risk operation guardrails |
- 📢 Send alert messages via IM when threats are detected
- 🛑 Automatically block dangerous operations without human intervention
- 📝 Clear warning descriptions to help understand risks
- 🎚️ Each protection layer can be enabled/disabled independently
- 👁️ Supports "detection-only" mode to reduce false positive impact
- 📋 Some layers support custom rules to meet specific scenario requirements
Ensures the agent starts from a trustworthy foundation.
English Version Foundation.Scan.Layer.mp4 |
Chinese Version Foundation.Scan.Layer.ZH.mp4 |
Identifies adversarial inputs before they propagate into the agent.
English Version Input.Sanitization.Layer.mp4 |
Chinese Version Input.Sanitization.Layer.ZH.mp4 |
Protects long-term memory and contextual continuity from poisoning.
English Version Cognition.Protection.Layer.mp4 |
Chinese Version Cognition.Protection.Layer.ZH.mp4 |
Keeps agent decisions aligned with authorized user intent.
English Version Decision.Alignment.Layer.mp4 |
Chinese Version Decision.Alignment.Layer.ZH.mp4 |
Enforces safety boundaries at the point of execution.
English Version Control.Execution.Layer.mp4 |
Chinese Version Execution.Control.Layer.ZH.mp4 |
Our roadmap is structured around a multi-layered defense architecture designed to secure the entire agent lifecycle, from configuration and input processing to cognition, decision-making, and execution.
- ✅ Plugin-native modular architecture
- ✅ Base adapter suite
- ✅ Core detection engine
- ✅ Heuristic rule-based detection module
- ✅ Intent risk evaluation system
- 🚀 Trust-aware risk assessment capabilities
- 🚀 Heterogeneous OS support
- ✅ Linux
- 🚀 macOS
- 🚀 Windows
- ✅ Global and plugin-level configuration security checks
- ✅ Semantic malicious skill detection
- 🚀 Skill source verification
- 🚀 Plugin dependency analysis
- 🚀 Hybrid natural language and code vulnerability detection
- ✅ Rule-based injection and jailbreak detection
- ✅ Semantic coherence analysis for user inputs
- ✅ Fragmented malicious instruction detection
- 🚀 Multi-turn stealth attack detection
- 🚀 Secure malicious content rewriting and replacement
- 🚀 Multimodal injection attack detection
- ✅ Memory consistency evaluation and calibration
- 🚀 Malicious memory corpus construction and threat matching
- 🚀 Memory vectorization and outlier detection
- 🚀 Checkpoint-based memory recovery
- 🚀 Context drift detection and correction
- ✅ Consistency validation between agent decisions and user intent
- 🚀 Static rule filtering and compliance verification
- 🚀 Multi-step trajectory reasoning audit
- 🚀 Risk-adaptive dynamic permission allocation
- 🚀 High-risk action identification and safe rewriting
- ✅ Real-time interception and blocking of high-risk system instructions
- ✅ Behavioral intent analysis and risk assessment
- 🚀 Identity-aware dynamic permission control and access restriction
- 🚀 Pre-execution security validation for agent actions
- 🚀 Automatic rollback and recovery for abnormal execution states
- 🚀 eBPF-powered system-level observability
- 🚀 Real-time resource monitoring and adaptive restriction
- 🚀 Network payload auditing and anomaly detection
- ✅ Global information aggregation and risk discovery
- 🚀 Historical behavior-based trust profiling
- 🚀 Role-aware risk scoring and dynamic permission allocation
- 🚀 Taint propagation and end-to-end system auditing
Legend: ✅ Completed | 🚀 In Progress
Authors: Qi Li, Xinhao Deng, Yixiang Zhang, Jiaqing Wu, Yue Xiao, Rennai Qiu, Zhuoheng Zou, Jiaqi Bai, Jiaxing Song, and Ke Xu