Openbot Firewall

AI agents forget their safety rules. We built an OS-level security gaurd that reads their intent and intercepts dangerous actions in milliseconds, no AI - just deterministic C++ enforcement.

Comment

Inspiration

The rapid deployment of autonomous AI agents like OpenClaw and Cursor has introduced massive capabilities alongside catastrophic vulnerabilities. The breaking point for us was analyzing recent incidents, specifically the Meta researcher whose agentic system wiped out thousands of emails due to unrestricted system access.

The fundamental architectural flaw in the current ecosystem is trusting an AI to police itself. When a model's context window overflows or it encounters prompt injection via hidden HTML tags, it drops its guardrails. It transitions from logic to statistical guessing, leading to compounding hallucination loops where it breaks working systems to fix minor errors. We realized the industry does not need smarter AI. It needs a deterministic, zero-trust semantic firewall that operates entirely outside the AI's internal memory.

What it does

Our platform operates as an absolute security proxy between autonomous AI agents and the host operating system. We stripped away the AI's direct read and write privileges and forced all execution through our interception layer.

When an agent attempts a system-level command or file modification, our middleware intercepts the API call before it executes. It evaluates the agent's intent and calculates the potential blast radius of the action against a strict, external permissions matrix. By analyzing causal dependencies, the system prevents seemingly insignificant module changes from triggering cascading infrastructure failures. If a command violates the security protocol, the proxy instantly neutralizes the execution. We also pipe all intercepted telemetry directly into a Splunk dashboard via the HTTP Event Collector, giving security teams real-time visibility into unauthorized agent behaviors and compounding hallucination loops.

How we built it

Our project was built off Firebase, C++ and Node.js for our frontend. We began with throwing ideas to each other to figure out what our best option was and compiled the best idea into a detailed document. We decided on the cybersecurity track and to work on our best idea that would defend against worst-cases from AI when it hallucinates and becomes harmful for the user. The biggest part of our project is our C++ backend that prevents the AI from doing dangerous actions and the Firebase database that saves and logs each attack prevented. We used Docker to further package our project for multiple machines and to protect the user from AI root access.

Challenges we ran into

Implementing OpenClaw within a isolated Docker container while maintaining the ability to intercept its system calls proved to be a significant hurdle. We had to carefully architect a bridge between the containerized agent and our host-level C++ middleware without compromising the very security boundary we were trying to build. We encountered a major bottleneck with the Splunk trial tier. The ingestion speed for our real-time telemetry was too slow for our intended "live-monitor" experience. We had to optimize our HTTP Event Collector (HEC) logic and implement a local buffering system to ensure that no critical security events were dropped during high-velocity hallucination loops.

Accomplishments that we're proud of

We successfully bridged the gap between a high-performance C++ backend and a real-time Firebase NoSQL database. This allows us to intercept system-level calls in microseconds while simultaneously logging and broadcasting attack metadata to our dashboard without blocking the execution thread. Beyond the backend logic, we developed a frontend that translates complex system telemetry into a clean, actionable interface. Seeing a "catastrophic hallucination" intercepted and visualized in real-time was a major milestone for the team.

From the low-level interception of OpenClaw commands to the high-level cloud logging and frontend display, we built a fully functional pipeline that solves a real-world problem currently facing the AI research community.

What we learned

We learned that relying on an AI's internal guardrails is fundamentally flawed because probabilistic models inevitably lose logic when context windows overflow or they encounter prompt injection. This project reinforced the necessity of a deterministic, external security layer that operates entirely outside the AI’s internal memory. By treating the agent as an untrusted actor, we shifted our focus from building a "smarter" model to engineering a rigid interception architecture that prioritizes system integrity over agent intent.

Technically, the project deepened our expertise in low-level C++ systems programming and real-time telemetry pipelines. We navigated the complexities of bridging containerized environments with host-level interception, mastering the use of Docker to enforce a "kill-switch" sandbox. Additionally, we learned to manage high-velocity data flows between our C++ backend, Firebase, and Splunk, ensuring that even during rapid hallucination loops, every unauthorized action was logged and visualized without introducing significant system latency.

What's next for Mach 25

Mach 25 is a group of students dedicated to win and master hackathons. Mach 25 is more than just a project team; we are a collective of systems engineers and developers dedicated to winning and mastering the hackathon circuit. Our trajectory doesn't end with this prototype. After this project and hackathon, we plan to go on to work multiple other hackathons. If you want to follow our journey go and look at our other GitHub projects.

Share this project:

Updates