OpenClaw PRISM hardens tool-using LLM agent runtime
Agents
Tool-using agents built on Large Language Models (LLMs) create new failure modes beyond prompt filtering. Indirect prompt injection via fetched content, unsafe tool execution, secret leakage and tampering with local control files all show up once an agent can browse, call tools and write state. Operators need runtime controls they can deploy and audit, not just clever detections in a lab.
OpenClaw PRISM targets that gap. A zero-fork design means it plugs into an OpenClaw agent gateway without modifying upstream code. Defence in depth means layering checks at multiple points so if one control misses, another can still catch the issue. The system runs as an in-process plugin with optional sidecar services to extend scanning and enforcement.
What PRISM does
PRISM hooks ten stages of the agent lifecycle, including message ingress, prompt construction, before and after tool calls, persistence, outbound messaging, sub-agent spawning and gateway startup. It uses a two-tier scanner: fast canonicalisation and weighted heuristics first, with optional LLM-assisted classification in a scanner sidecar. A session and conversation risk engine accumulates signals with time-to-live decay and triggers staged responses once thresholds are crossed. Policy controls govern which tools can run and how, which filesystem paths are allowed, whether private networks are reachable, allowed domain tiers, and patterns that would leak secrets on outbound messages. A tamper-evident audit and operations plane chains records for integrity verification and supports hot-reloadable policy updates with a dashboard. The implementation ships as a TypeScript monorepo for Node.js, and sidecars such as the scanner, an invoke-guard proxy, a dashboard and a file monitor can be added incrementally.
Does it work?
Early numbers are encouraging. In a same-slice 80-case live benchmark on a local model, correct outcomes rose from 36 of 80 for an unprotected gateway to 73 of 80 with the full PRISM stack, with intermediate configurations showing incremental gains. The model-assisted scanner lifted classification in controlled runs to 26 of 30 compared with 15 of 30 for heuristics alone. The trade-off is latency: when the scanner is exercised, end-to-end p95 latencies climbed to about 12.5 to 15.8 seconds, although peak memory overhead in the harness was small at under 1.4 MiB. The policy engine performed well, classifying 33 of 33 policy cases correctly in the preliminary corpus. Risk accumulation with time-based decay allowed graduated actions such as warnings, blocking tools or blocking sub-agents, and reported false positives fell as layers were added.
This is practical security engineering rather than a novelty detector. The lifecycle hooks let you put controls where the risks actually occur, and the policy engine turns common sense rules into enforceable gates. The audit plane and hot-reloadable policies support real operations work: investigating incidents, verifying integrity and changing posture without downtime.
There are clear limits. PRISM does not address model poisoning, training-time corruption, full host or kernel compromise, or provide formal filesystem sandboxing or hardware-rooted integrity. Path checks are string-based and not symlink-aware. The design is tied to OpenClaw, so porting requires remapping to other frameworks. The evaluation is preliminary and relies on modest corpora, so treat the figures as indicative.
If you run OpenClaw today, there is a straightforward path. Start with the plugin-only layer to get the lifecycle hooks with minimal latency. Turn on before-tool-call policies to block dangerous execution patterns, define protected paths, restrict private-network access and set outbound secret patterns. Enable the risk engine with conservative thresholds and time-to-live decay. Add the scanner sidecar where higher coverage justifies latency, and use the audit plane with hot-reloadable policies to manage posture changes. Combine PRISM with host hardening, proper secret management and egress controls to cover what it does not.
The bigger point is architectural: distributing enforcement across the agent lifecycle, and making it auditable, measurably improves resilience. The trade-offs are explicit and tunable. That gives teams something they can ship, measure and iterate rather than another benchmark-only detector.
Additional analysis of the original ArXiv paper
📋 Original Paper Title and Abstract
OpenClaw PRISM: A Zero-Fork, Defense-in-Depth Runtime Security Layer for Tool-Augmented LLM Agents
🔍 ShortSpan Analysis of the Paper
Problem
Tool-augmented LLM agents broaden the attack surface beyond simple input filtering: malicious instructions can enter via fetched web content, tool outputs, intermediate prompts, outbound messages or tampering with local control files. These distributed risks include indirect prompt injection, unsafe tool execution, credential exfiltration and persistent state poisoning. Existing defences often operate at single boundaries and do not provide the deployable, auditable controls operators need in production agent gateways.
Approach
The authors present OpenClaw PRISM, a zero-fork runtime security layer for OpenClaw-based agent gateways implemented as an in-process plugin plus optional sidecar services. Enforcement is distributed across ten lifecycle hooks spanning message ingress, prompt construction, before-tool-call, after-tool-call, persistence, outbound messaging, sub-agent spawning and gateway startup. PRISM combines a hybrid two-tier scanner—fast canonicalisation and weighted heuristics first, with optional LLM-assisted classification in a scanner sidecar—plus a session- and conversation-scoped risk engine with TTL decay and thresholded responses. Policy controls cover tool invocation patterns, protected paths, private-network access, domain tiers and outbound secret patterns. A tamper-evident audit and operations plane provides chained audit records with integrity verification, hot-reloadable policies and an operator dashboard. The implementation is a TypeScript monorepo targeting Node.js and is modular so sidecars (scanner, invoke-guard proxy, dashboard, file monitor) may be attached incrementally.
Key Findings
- Lifecycle distribution improves blocking: in a preliminary 80-case same-slice live local-model benchmark, correct outcomes rose from 36/80 for an unprotected gateway to 73/80 for Full PRISM in the reported run, with intermediate rows showing incremental gains for heuristics, plugin-only and plugin-plus-scanner configurations.
- Scanner lift is measurable but latency-heavy: model-assisted scanning improved classification in controlled runs (scanner engine 26/30 in a mock-assisted configuration versus 15/30 for heuristics), but end-to-end p95 latencies increased from sub-millisecond for local-only rows to ~12.5 s–15.8 s when the scanner was exercised, while peak memory delta remained small (<1.4 MiB in harness).
- Policy enforcement is effective for tool governance: a proxy-policy engine classified 33/33 policy cases correctly in the preliminary corpus, demonstrating practical blocking of dangerous exec patterns and tool-abuse vectors at before-tool-call.
- Risk accumulation and staged response reduce false positives: conversation- and session-scoped risk with TTL decay enables graduated actions (warnings, blocking tools, blocking sub-agents) and helps avoid cross-session contamination; reported false-positive rates fell as more layers were added in the live unified run.
Limitations
PRISM does not address model poisoning, training-time corruption, full host or kernel compromise, or provide formal filesystem sandboxing or hardware-rooted integrity. Path checks are string-level and not symlink-aware. The scanner is a best-effort classifier and the heuristic layer cannot cover all obfuscations. The zero-fork design targets OpenClaw specifically, so portability to other frameworks requires remapping. Evaluation and benchmarks are preliminary and based on modest corpora.
Why It Matters
PRISM demonstrates a practical, deployable defence-in-depth pattern for tool-using LLM agents by combining lifecycle interception, hybrid detection, policy-enforced controls and auditable operator workflows without forking the upstream gateway. For practitioners, it shows measurable security gains from layered runtime controls and highlights trade-offs between detection coverage and latency. Its audit and hot-reloadable policy features support operational recovery and review, while its limitations underscore the need to combine PRISM with host hardening, secret management and network egress controls in production deployments.
