ClawGuard: Building a Runtime Security Line of Defense for Tool-Augmented LLM Agents

This article introduces ClawGuard, a runtime security framework for tool-augmented LLM agents, whose core goal is to defend against indirect prompt injection attacks. Its key design philosophy is to transform uncertain alignment dependencies into a deterministic rule execution mechanism, enabling effective protection without modifying the model or infrastructure, thus providing a pragmatic enhancement path for agent security.

With the widespread application of tool-augmented LLM agents in complex tasks, indirect prompt injection attacks have become a new security threat. Unlike direct prompt injection, malicious instructions are hidden in trusted content returned by tools (such as web pages, files, MCP server data, etc.). When the agent incorporates these contents into the conversation history, the malicious instructions constructed by attackers will be executed, which may lead to unauthorized operations, sensitive information leakage, and other harms.

The research team identified three types of indirect prompt injection attack channels:

1. Web and Local Content Injection: Malicious instructions are embedded in web page or local file content and treated as trusted input by the agent;
2. MCP Server Injection: Attack instructions are implanted in the data returned by the MCP server (a bridge connecting the agent to external services);
3. Skill File Injection: Untrusted external skill files become attack vectors. A common feature of these channels is that malicious instructions are disguised in the "observation data" trusted by the agent, bypassing traditional input filtering mechanisms.

ClawGuard's design philosophy is to transform uncertain alignment dependencies into deterministic rule execution. Traditional defenses rely on model alignment training, but their effectiveness is hard to guarantee and easy to bypass. ClawGuard does not judge whether an instruction is malicious; instead, it restricts the agent's permissions at the behavioral level: by enforcing a user-confirmed set of rules, it ensures that even if malicious instructions are injected, operations beyond the authorized scope cannot be executed. Its advantages include: deterministic defense, auditable rules, and transparent mechanism.

ClawGuard's technical implementation includes three key links:

1. Automatic Derivation of Task-Specific Access Constraints: Extract the minimum required permissions from the user's goal (e.g., "summarize a PDF" only grants read permission for that document);
2. Rule Execution at Tool Call Boundaries: Intercept tool calls, check compliance with access constraints, and block unauthorized operations;
3. Unified Defense Across Multiple Channels: Defense occurs at tool call boundaries, covering all attack channels. ClawGuard does not require modifying the model or infrastructure and can be transparently integrated into existing systems.

The research team validated ClawGuard's effectiveness on 5 advanced LLMs through three benchmark tests: AgentDojo, SkillInject, and MCPSafeBench. The results show that the framework can effectively block indirect prompt injection attacks in all test scenarios while keeping the agent's normal functions unaffected, achieving a "zero-compromise" balance between security and usability.

ClawGuard's implications for the agent ecosystem include:

1. Deterministic Defense Mechanism: More reliable than uncertain methods relying on model alignment;
2. Principle of Least Privilege: Dynamically derive the minimum necessary permissions based on user goals to reduce the attack surface;
3. Non-Intrusive Security Enhancement: Improve security without modifying the model or reconstructing infrastructure.

ClawGuard's limitations include: currently, it only protects at the tool call level; for non-tool call pure conversational attacks (such as social engineering inducement), other mechanisms are needed; in complex task scenarios, the automatic derivation of access constraints may require more refined manual adjustments. Future directions will focus on balancing automation and refined control, as well as expanding the defense scope.