Agents are fundamentally insecure, there’s no getting around it. You can put OpenClaw in a box but for it to do anything useful it still needs some access to the outside world, and any untrusted tokens that go into its context are a threat.

Claude’s auto mode classifier is probably the best ‘firewall’ out there right now, but it’s a non deterministic layer with a failure rate of 17%.