
Security Architecture

profClaw is designed with a defense-in-depth model. Security is enforced at multiple independent layers - a failure in one layer does not compromise the system.

Security Components

Security Modes

profClaw supports five security modes. The active mode applies globally but can be overridden per user or per chat channel.
Mode     | Tools Available | Write/Exec Behavior                        | Best For
deny     | None            | All tool calls blocked                     | Read-only chat, unknown users
sandbox  | Limited         | Docker-isolated execution only             | Untrusted input, shared deployments
standard | Standard tier   | Reads auto-approved; writes shown to user  | Most deployments (default)
ask      | Full tier       | All write/exec operations require approval | Production, sensitive codebases
full     | Full tier       | All tools execute without prompts          | Trusted local development only
full mode disables all approval gates. Only use it in environments where every user with access is fully trusted. Never expose full mode to public-facing endpoints.
Configure globally or per-channel:
# settings.yml
security:
  mode: standard           # global default
  channels:
    slack:
      mode: ask            # stricter for Slack
    webchat:
      mode: standard

Risk Levels

All security events are classified by a numeric risk score. Scores are computed by the PromptGuard and AuditScanner based on detected patterns.
Level    | Score  | Default Behavior
LOW      | 0-24   | Logged only
MEDIUM   | 25-49  | Logged, surfaced in audit dashboard
HIGH     | 50-74  | Logged, may block depending on active mode
CRITICAL | 75-100 | Blocked and alerts sent

Default Security Configuration

Out of the box, profClaw runs in standard mode. These are the defaults applied when no security: block is present in settings.yml:
security:
  mode: standard          # standard is safe for most deployments
  fsGuard:
    enabled: true
    allowedPaths:
      - "{{ workdir }}"   # project directory
      - "{{ tmpdir }}"    # system temp
  ssrfGuard:
    enabled: true
    allowedHosts: []      # no private/internal hosts by default
  promptGuard:
    enabled: true
    blockThreshold: 25    # block inputs scoring >= 25
    warnThreshold: 10
  auditLog:
    enabled: true
    retention: 90         # days
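The mode precedence (global default overridden per channel or per user), the risk-level bands and the promptGuard thresholds above can be expressed as a small policy resolver. This is an added example, not profClaw's own code; it assumes a hypothetical per-user users: key that takes precedence over per-channel overrides, and that reads in ask mode are auto-approved as they are in standard mode.

```typescript
// Added example, not profClaw's code. Assumptions: a hypothetical per-user
// `users:` key beats per-channel overrides, which beat the global default;
// reads in ask mode are auto-approved like in standard mode.
type Mode = "deny" | "sandbox" | "standard" | "ask" | "full";
type Level = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
type Outcome = "blocked" | "sandboxed" | "auto" | "shown" | "approval";
interface SecurityConfig {
  mode: Mode;
  channels?: Record<string, { mode: Mode }>;
  users?: Record<string, { mode: Mode }>; // assumption: not shown on this page
  promptGuard?: { blockThreshold: number; warnThreshold: number };
}

// Constructed config mirroring the settings.yml snippets above.
const config: SecurityConfig = {
  mode: "standard",
  channels: { slack: { mode: "ask" }, webchat: { mode: "standard" } },
  users: { "ci-bot": { mode: "deny" } },
  promptGuard: { blockThreshold: 25, warnThreshold: 10 },
};

// Effective mode: user override > channel override > global default.
function resolveMode(cfg: SecurityConfig, channel?: string, user?: string): Mode {
  const u = user ? cfg.users?.[user] : undefined;
  if (u) return u.mode;
  const c = channel ? cfg.channels?.[channel] : undefined;
  return c ? c.mode : cfg.mode;
}
// Risk bands from the Risk Levels table (integer scores 0-100 only).
function riskLevel(score: number): Level {
  if (!Number.isInteger(score) || score < 0 || score > 100) throw new RangeError(`bad score ${score}`);
  return score <= 24 ? "LOW" : score <= 49 ? "MEDIUM" : score <= 74 ? "HIGH" : "CRITICAL";
}
// PromptGuard verdict from blockThreshold / warnThreshold (defaults 25 / 10).
function promptGuardAction(cfg: SecurityConfig, score: number): "allow" | "warn" | "block" {
  const t = cfg.promptGuard ?? { blockThreshold: 25, warnThreshold: 10 };
  return score >= t.blockThreshold ? "block" : score >= t.warnThreshold ? "warn" : "allow";
}
// Tool-call gate from the Security Modes table.
function gateToolCall(mode: Mode, op: "read" | "write" | "exec"): Outcome {
  switch (mode) {
    case "deny": return "blocked";        // all tool calls blocked
    case "sandbox": return "sandboxed";   // Docker-isolated execution only
    case "full": return "auto";           // no approval gates at all
    case "standard": return op === "read" ? "auto" : "shown";
    case "ask": return op === "read" ? "auto" : "approval";
    default: throw new Error(`unknown mode ${mode}`);
  }
}
```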

Security Responsibilities

Layer          | Your Responsibility                        | profClaw's Default
Network        | Set allowedHosts for external services     | Block all private IPs via SsrfGuard
Filesystem     | Extend allowedPaths for needed directories | Block secrets, system files, parent paths
Authentication | Configure your auth provider               | Verify tokens per request
Secrets        | Store in env vars, not settings.yml        | Never log or expose key values
Models         | Choose trusted AI providers                | Validate all tool call parameters with Zod

Hardening Checklist

  • Set security.mode to ask or strict
  • Set WEBHOOK_BASE_URL to your actual domain (not localhost)
  • Restrict chat channels with allowedChannels and allowedUsers
  • Set ssrfGuard.allowedHosts explicitly if the agent needs to call internal APIs
  • Enable device pairing for unknown sender verification
  • Review audit logs regularly with profclaw logs --audit
  • Use sandbox mode to isolate tool execution in Docker containers
  • Set per-user rate limits via RATE_LIMIT_* env vars
  • Enable plugin sandboxing for any untrusted plugins
  • Use separate API keys per tenant where possible
  • standard mode is safe and is the recommended default even locally
  • full mode is only appropriate for solo developer machines with no external access
  • Run profclaw doctor --security to verify your configuration

Reporting Security Issues

Found a vulnerability? Email security@profclaw.ai. Please do not open public GitHub issues for security vulnerabilities. We aim to respond to security reports within 48 hours.