Autonomous AI agents are no longer a research curiosity. They browse the web, write and execute code, read your files, send emails, and call external APIs — all on your behalf.
That’s enormously powerful. It’s also a significant security problem nobody is talking about enough.
A new paper caught our attention this week: ClawKeeper — a real-time security framework for autonomous agents. It’s one of the clearest frameworks we’ve seen for thinking about agent safety in production systems.
The problem
When you give an AI agent tool access, you’re essentially handing it a set of keys. Shell execution. File system access. API credentials. The agent needs these to be useful — but model errors, prompt injections, or malicious third-party tools can turn that access into a real system-level threat.
Data leakage. Privilege escalation. An agent that gets manipulated into doing something it shouldn’t.
Current safeguards are patchy at best — most address one stage of the agent lifecycle and ignore the rest.
What ClawKeeper does
The researchers propose three complementary protection layers:
1. Skill-based protection — security policies are injected directly into the agent’s instructions. Before the agent even starts, it knows the rules: what environments it can touch, what boundaries it cannot cross.
2. Plugin-based protection — a runtime enforcer that monitors behavior as it happens. It hardens configuration, detects threats proactively, and keeps watching throughout execution.
3. Watcher-based protection — the most interesting one. A fully decoupled system-level middleware that observes the agent from the outside, with no coupling to the agent’s internal logic. It can halt a dangerous action mid-execution or require human confirmation before proceeding.
Think of it like this: Skill layer is the rulebook. Plugin layer is the manager watching over your shoulder. Watcher layer is the kill switch on the wall.
Why this matters for builders
If you’re deploying AI agents in any real business context — customer service, internal automation, data pipelines — you need to think about this now, not after something goes wrong.
The Watcher paradigm in particular is worth stealing. Decoupling your safety logic from your agent logic means you can update, swap, or escalate your safety mechanisms without touching the agent itself. That’s good engineering.
At Dirac, this is how we think about production agent deployments. Capability and safety aren’t opposites — a trustworthy agent is a more useful agent.
Read the paper: arxiv.org/abs/2603.24414