OpenClaw Security Model
Public trust model for running OpenClaw through ArgoBox instead of giving agents blind infrastructure access.
The main security claim of ArgoBox is simple:
OpenClaw should request actions through ArgoBox instead of receiving direct infrastructure trust.
That means the system is designed around a bounded control plane, not around raw shell access.
Core Principle
OpenClaw can reason about work, but ArgoBox decides whether the requested action is allowed, requires approval, or should be denied.
The security value is not “the model is safe.” The security value is “the model is constrained.”
Enforcement Layers
1. Capability Gating
Agents receive scoped access, not blanket authority.
Examples:
- an agent may be allowed to list containers
- the same agent may not be allowed to restart VMs
- a home automation agent may be limited to approved Home Assistant actions
2. Approval Queue
Privileged mutations should require a human approval step.
Examples:
- restarting a service
- changing infrastructure state
- triggering an automation with real-world consequences
Read-only actions can remain immediate when they are explicitly classified as safe.
3. Audit Trail
Every action should leave a record that answers:
- who asked
- what was requested
- whether approval was required
- what ran
- what happened
An agent that cannot be audited should not be trusted with mutations.
4. Rate Limits
Agents should not have infinite request or mutation budgets.
Rate limits help contain:
- runaway loops
- repeated failed actions
- accidental flooding of infrastructure targets
5. Visible Operator Path
Hermes and ArgoBox should preserve a human-comprehensible execution path.
The operator should be able to tell:
- what the agent wanted
- what the system classified as privileged
- what required approval
- what actually executed
Threats This Model Is Trying to Reduce
- prompt-influenced agent behavior causing unintended mutations
- accidental privilege creep across homelab subsystems
- blind trust in raw shell or SSH access
- missing audit evidence after something changes
- autonomous loops that move faster than the operator can see
What This Model Does Not Promise
This model does not claim:
- that LLMs are intrinsically trustworthy
- that approval eliminates every bad decision
- that every adapter is equally hardened
- that ArgoBox can safely expose every infrastructure action by default
ArgoBox should be honest about unsupported or not-yet-hardened surfaces.
Recommended First Proof
The first proof should be one boring privileged workflow:
- OpenClaw requests a mutation
- ArgoBox classifies it as privileged
- the request enters the approval queue
- the operator approves it
- the action executes
- the audit trail records the result
If that loop is solid, the trust story is credible.
If that loop is fuzzy, broader autonomy claims should be treated as marketing, not as security.
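The enforcement layers and the first-proof loop above, modelled as a small Python control plane. This is an added example, not ArgoBox's own code: the action names, the privileged/safe classification, the rate limit and the execute() stand-in are all assumed.

```python
# Toy model of the ArgoBox control plane: capability gating, privileged classification,
# an approval queue, per-agent rate limits and an audit record for every request.
# Hypothetical example; action names, limits and execute() are assumed, not the project's API.
from collections import deque

PRIVILEGED = {"restart_service", "restart_vm", "trigger_automation"}  # assumed classification
SAFE_READS = {"list_containers", "list_vms"}  # explicitly classified as safe to run at once


def execute(action, target):
    """Stand-in for a real adapter; returns what ran and what happened."""
    return f"{action}({target})", "ok"


class ArgoBox:
    def __init__(self, capabilities, rate_limit):
        self.capabilities = capabilities  # agent -> set of actions it may request
        self.rate_limit = rate_limit      # max requests per agent in this window
        self.counts = {}                  # per-agent request counter
        self.queue = deque()              # privileged requests awaiting an operator
        self.audit = []                   # one entry per request, whatever the outcome

    def _record(self, agent, action, target, decision, approval, ran=None, result=None):
        entry = {"who": agent, "requested": f"{action} {target}", "decision": decision,
                 "approval_required": approval, "ran": ran, "result": result}
        self.audit.append(entry)
        return entry

    def submit(self, agent, action, target):
        """Gate a request: rate limit, then capability, then privilege classification."""
        self.counts[agent] = self.counts.get(agent, 0) + 1
        if self.counts[agent] > self.rate_limit:
            return self._record(agent, action, target, "denied:rate_limit", None)
        if action not in self.capabilities.get(agent, set()):
            return self._record(agent, action, target, "denied:capability", None)
        if action in PRIVILEGED:
            self.queue.append((agent, action, target))
            return self._record(agent, action, target, "queued", True)
        if action in SAFE_READS:  # only explicitly classified reads run immediately
            ran, result = execute(action, target)
            return self._record(agent, action, target, "executed", False, ran, result)
        return self._record(agent, action, target, "denied:unclassified", None)  # fail closed

    def approve(self, operator):
        """Operator approves the oldest queued request; the audit entry names them."""
        agent, action, target = self.queue.popleft()
        ran, result = execute(action, target)
        return self._record(agent, action, target, f"approved:{operator}", True, ran, result)
```

An action that is neither classified privileged nor explicitly safe is denied rather than run, so a new adapter surface cannot execute until it has been classified.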