Inspiration
AI agents are gaining the ability to act on our behalf — booking meetings, sending emails, managing repos. But today, most agent frameworks hand OAuth tokens directly to the model or its runtime. One prompt injection, one hallucinated tool call, and an agent with calendar.events scope can delete 800 meetings in 11 seconds. There is no guardrail between "schedule a meeting" and "nuke the calendar."
The gap between those two actions should not be zero.
We built ClawGuard to prove that sovereign local AI and airtight token security aren't mutually exclusive. Your AI reasons on your device. When it needs to touch the real world, every request routes through Auth0 Token Vault. The model never sees a token, never knows Token Vault exists, and can't reason about circumventing what it can't see.
What it does
ClawGuard is a sovereign AI agent platform with a strict architectural boundary: local AI never sees OAuth tokens.
Your AI (powered by OpenClaw / WebLLM) runs entirely on-device for reasoning and conversation. When it needs to interact with Google Calendar, Slack, or GitHub, every request routes through a cloud intermediary that uses Auth0 Token Vault as the sole credential broker.
Five fail-safe layers protect every external action:
Permission Preview (Dry-Run Mode) -- Before any token exchange, ClawGuard runs a dry-run preview showing exact scopes, connection, and risk level. Nothing fires until the user says go.
Anomaly Shield (Auto-Pause on Suspicious Patterns) -- Rate limits, suspicious hour detection, and high-risk verb blocking. On violation: agent freezes, user gets push consent notification.
CIBA Consent (Second-Device Approval) -- High-risk actions escalate to Client-Initiated Backchannel Authentication. The user must physically approve on their phone before any token is issued.
Instant Revoke (One-Click Kill Switch) -- Bulk token revocation across all federated connections via the Auth0 Management API. One DELETE call severs all agent access in under 2 seconds.
Live Audit Trail (Real-Time SSE Dashboard) -- Every Token Vault exchange, revocation, CIBA request, and anomaly streams to a live dashboard over Server-Sent Events.
Bonus features include an offline queue with graceful degradation, a built-in attack simulation mode with 5 red team scenarios, and an interactive token lifecycle visualizer.
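To make the Anomaly Shield layer concrete, here is an added TypeScript sketch (not ClawGuard's or Auth0's code) of the three checks named above as one policy evaluator: a per-user sliding-window rate limit, a quiet-hours check, and verb-based risk classification. The `Policy` shape, the thresholds, the dotted action names such as `calendar.events.delete`, and the burst scenario are all assumptions chosen for illustration. A "pause" verdict is the point where the page says the agent freezes and the push consent notification goes out; "block" never reaches Token Vault at all.

```typescript
// Added example, not ClawGuard's or Auth0's code: a policy evaluator for the
// Anomaly Shield layer. Types, thresholds and action names are assumptions.

type Verdict = "allow" | "pause" | "block";

interface ToolCall {
  connection: string;   // Token Vault connection, e.g. "google-oauth2"
  action: string;       // dotted tool action; the last segment is treated as the verb
  at: Date;             // wall-clock time of the request
  userId: string;
}

interface Decision {
  verdict: Verdict;
  reasons: string[];    // empty when the call is allowed
}

interface Policy {
  maxCallsPerWindow: number;
  windowMs: number;
  quietHoursUtc: [number, number]; // [start, end) in UTC hours
  highRiskVerbs: string[];         // escalate to second-device consent
  blockedVerbs: string[];          // never let the agent invoke these
}

const DEFAULT_POLICY: Policy = {
  maxCallsPerWindow: 20,
  windowMs: 60000,
  quietHoursUtc: [1, 5],
  highRiskVerbs: ["delete", "remove", "revoke", "transfer"],
  blockedVerbs: ["purge", "wipe"],
};

class AnomalyShield {
  private readonly policy: Policy;
  private history: { [userId: string]: number[] } = {}; // recent call timestamps (ms) per user

  constructor(policy: Policy = DEFAULT_POLICY) {
    this.policy = policy;
  }

  evaluate(call: ToolCall): Decision {
    const reasons: string[] = [];
    const parts = call.action.split(".");
    const verb = parts[parts.length - 1];

    // Hard block: these verbs never reach Token Vault regardless of consent.
    if (this.policy.blockedVerbs.indexOf(verb) !== -1) {
      return { verdict: "block", reasons: ["verb '" + verb + "' is never permitted for the agent"] };
    }

    // Sliding-window rate limit per user; the current call counts toward the window.
    const now = call.at.getTime();
    const recent = (this.history[call.userId] || []).filter(t => now - t < this.policy.windowMs);
    recent.push(now);
    this.history[call.userId] = recent;
    if (recent.length > this.policy.maxCallsPerWindow) {
      reasons.push("rate limit: " + recent.length + " calls in " + this.policy.windowMs / 1000 + "s");
    }

    // Quiet hours: an agent acting at 03:00 UTC on a user's behalf is worth a consent prompt.
    const hour = call.at.getUTCHours();
    const start = this.policy.quietHoursUtc[0];
    const end = this.policy.quietHoursUtc[1];
    if (hour >= start && hour < end) {
      reasons.push("request at " + hour + ":00 UTC falls inside quiet hours");
    }

    // High-risk verbs always escalate, even on the very first call.
    if (this.policy.highRiskVerbs.indexOf(verb) !== -1) {
      reasons.push("high-risk verb '" + verb + "'");
    }

    return { verdict: reasons.length > 0 ? "pause" : "allow", reasons };
  }
}

// Constructed scenario: a burst of identical calls 100 ms apart, as a prompt-injected
// loop would produce. Returns the verdict for each call in order.
function runBurst(action: string, count: number, startAt: Date, shield: AnomalyShield = new AnomalyShield()): Verdict[] {
  const verdicts: Verdict[] = [];
  for (let i = 0; i < count; i++) {
    const call: ToolCall = {
      connection: "google-oauth2",
      action: action,
      at: new Date(startAt.getTime() + i * 100),
      userId: "auth0|demo-user",
    };
    verdicts.push(shield.evaluate(call).verdict);
  }
  return verdicts;
}

// How many calls of a burst were allowed before the shield first paused the agent.
function allowedBeforePause(verdicts: Verdict[]): number {
  let n = 0;
  for (let i = 0; i < verdicts.length && verdicts[i] === "allow"; i++) n++;
  return n;
}
```

With these assumed thresholds a burst of 25 read-only `calendar.events.list` calls is allowed 20 times and paused from the 21st on, a single `calendar.events.delete` pauses immediately because of the verb, and a `purge` is blocked outright. The evaluator is deliberately stateful per user and stateless per connection; a real deployment would keep the window store outside the request process so a restart does not reset the count.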
How we built it
- Next.js 16.2.2 with App Router and Turbopack for the cloud intermediary
- Auth0 AI SDK (@auth0/ai 6.0.0) with @auth0/ai-langchain 5.0.0 for Token Vault integration
- LangGraph (@langchain/langgraph 0.4.9) for agent orchestration with tool wrapping via Auth0AI.withTokenVault() and Auth0AI.withAsyncAuthorization()
- React 19.2.4 + Tailwind CSS v4 for the frontend
- Server-Sent Events for real-time audit streaming
- Lazy agent initialization pattern to prevent build failures when env vars aren't set
The architecture enforces a single chokepoint: Token Vault is the only door to the outside world. Every guardrail -- preview, anomaly detection, CIBA, revoke, audit -- attaches to this one point.
Challenges we ran into
Dynamic tool wrapping -- Getting Auth0AI.withTokenVault() to compose cleanly with Auth0AI.withAsyncAuthorization() for CIBA step-up required understanding the exact chaining order. CIBA wraps Token Vault, not the other way around.
Build-time env vars -- Auth0AI reads environment variables at construction time. We solved this with lazy getters (getCalendarTool(), etc.) that defer initialization to first request.
Offline-to-online replay -- Ensuring queued requests replay through the full security pipeline (not just the API call) on reconnect, with fresh tokens from Token Vault.
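The chaining-order point under "Dynamic tool wrapping" can be made concrete with a toy model. The TypeScript below is added here and is not the Auth0 AI SDK or ClawGuard's code: `withTokenVaultStub` and `withAsyncAuthorizationStub` are stand-ins for the two real wrappers, `TokenVaultStub` records every exchange instead of calling Auth0, and the token strings, connection name and scope are constructed. The function names, the `Ctx` type and the `Outcome` result type are assumptions. Run with consent denied, the CIBA-outside order never requests a token, while the reversed order mints one before the user has approved anything.

```typescript
// Added example, not the Auth0 AI SDK and not ClawGuard's code: a toy model of the
// two tool wrappers, used to show why CIBA consent must wrap the Token Vault exchange.

interface Ctx {
  accessToken?: string; // injected by the Token Vault wrapper, never by the model
}

type Outcome<R> = { ok: true; value: R } | { ok: false; reason: string };
type Tool<A, R> = (args: A, ctx: Ctx) => Outcome<R>;

// Stand-in for Token Vault: records each exchange and hands back a constructed token string.
class TokenVaultStub {
  readonly exchanges: string[] = [];
  private counter = 0;

  exchange(connection: string, scopes: string[]): string {
    this.counter += 1;
    this.exchanges.push(connection + ":" + scopes.join(" "));
    return "at_" + connection + "_" + this.counter; // constructed, not a real provider token
  }
}

// Wrapper 1 (Token Vault stand-in): exchange for a scoped provider token, then run the tool with it.
function withTokenVaultStub<A, R>(tool: Tool<A, R>, vault: TokenVaultStub, connection: string, scopes: string[]): Tool<A, R> {
  return (args, _ctx) => {
    const accessToken = vault.exchange(connection, scopes);
    return tool(args, { accessToken: accessToken });
  };
}

// Wrapper 2 (CIBA stand-in): the approver models the push to the user's phone;
// the inner tool runs only after an approval.
type Approver<A> = (args: A) => boolean;

function withAsyncAuthorizationStub<A, R>(tool: Tool<A, R>, approve: Approver<A>): Tool<A, R> {
  return (args, ctx) => {
    if (!approve(args)) {
      return { ok: false, reason: "CIBA consent denied on second device" };
    }
    return tool(args, ctx);
  };
}

// The external action: a calendar delete that can do nothing without a provider token.
interface DeleteArgs { eventId: string }

const deleteEvent: Tool<DeleteArgs, string> = (args, ctx) => {
  if (!ctx.accessToken) return { ok: false, reason: "no access token in context" };
  return { ok: true, value: "deleted " + args.eventId + " with " + ctx.accessToken };
};

const CONNECTION = "google-oauth2";
const SCOPES = ["https://www.googleapis.com/auth/calendar.events"];

// Build the pipeline in either order and run one call with the given approver.
// Returns how many exchanges the vault saw and whether the delete actually ran.
function runPipeline(cibaOutside: boolean, approve: Approver<DeleteArgs>): { exchanges: number; ok: boolean } {
  const vault = new TokenVaultStub();
  const tool: Tool<DeleteArgs, string> = cibaOutside
    ? withAsyncAuthorizationStub(withTokenVaultStub(deleteEvent, vault, CONNECTION, SCOPES), approve)   // correct
    : withTokenVaultStub(withAsyncAuthorizationStub(deleteEvent, approve), vault, CONNECTION, SCOPES);  // reversed
  const result = tool({ eventId: "evt_123" }, {});
  return { exchanges: vault.exchanges.length, ok: result.ok };
}
```

In both orders a denied approval stops the delete, so a functional test would not notice the difference. The reversed order still performs a token exchange for an action the user refused: a provider token exists in process memory and the audit trail records an exchange with no matching approval. That is the failure the page's boundary is meant to rule out, and it is why the consent wrapper has to be the outermost one.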
Accomplishments that we're proud of
- Built a complete 5-layer fail-safe pipeline where every external API call is mediated by Auth0 Token Vault, and the local AI has zero awareness of tokens or authorization infrastructure.
- The attack simulation mode runs 5 real red team scenarios through the actual security pipeline, generating live audit entries that demonstrate each layer blocking threats in real time.
- Achieved true sovereign AI with graceful degradation -- the agent works offline, queues requests locally, and replays them through the full security pipeline with fresh tokens on reconnect.
- Single-chokepoint architecture means one DELETE call to the Auth0 Management API instantly severs all agent access across every connection. Revocation is not a distributed systems problem.
What we learned
- Authorization works best when the model has zero awareness of it. Early prototypes passed token metadata into the AI context. This was a mistake -- the moment a model reasons about its own access, it can reason about circumventing it.
- Scoped token exchange via withTokenVault() is a natural anomaly detection surface. One chokepoint means one place to attach rate limiting, pattern detection, and CIBA escalation.
- Revocation is only instant when tokens are centralized. On-device token caching makes revocation a distributed systems nightmare. With Token Vault, one Management API call severs everything.
- The less the model knows about authorization, the more secure the system is.
What's next for ClawGuard
- Support for additional OAuth providers beyond Google, Slack, and GitHub
- Fine-grained per-tool anomaly policies with ML-based pattern detection
- Multi-agent orchestration where multiple sovereign AI agents share a single Token Vault chokepoint with independent audit trails
- On-device model upgrades via WebLLM for stronger local reasoning without compromising the token isolation boundary
- Community-contributed attack simulation scenarios for broader red team coverage
Built With
- auth0
- langchain
- langgraph
- sdk