Security — How Curate-Me Protects Your AI Agents

Security

Curate-Me is the governance layer that sits between your application and LLM providers. Every request passes through our security chain before reaching any model. Here is exactly what we protect against, and how.

135,000+ exposed OpenClaw instances were found across 82 countries, 63% of them vulnerable (SecurityScorecard STRIKE team, January 2026). If you run AI agents in production, security is not optional.

The Threat Landscape

| Incident | Date | Severity | Impact |
|---|---|---|---|
| CVE-2026-25253 — One-click RCE via WebSocket hijacking | Jan 2026 | CVSS 8.8 | Remote code execution on any exposed instance |
| 512 vulnerabilities in independent security audit (8 critical) | Jan 2026 | Critical | Multiple attack vectors in default configuration |
| 341 malicious ClawHub skills (ClawHavoc campaign) | Feb 2026 | High | Supply-chain attack via skill marketplace |
| 42,665 publicly exposed instances on Shodan | Feb 2026 | High | Zero auth on internet-facing agents |

These are not hypothetical risks. They are documented incidents with CVE numbers and vendor advisories from Microsoft, CrowdStrike, Kaspersky, and Sophos.

How We Block Each Attack

| Known Attack | Our Defense |
|---|---|
| RCE via WebSocket hijacking (CVE-2026-25253) | Network phase separation blocks outbound during execution |
| Docker sandbox escape | 4-tier sandbox with deny patterns prevents host access |
| Malicious skills (ClawHavoc) | Multi-stage scanner with VirusTotal + YARA rules |
| Exposed instances (42,665 on Shodan) | Agents run behind gateway auth — zero public surface |
| Runaway agent purchases | HITL approval queues for high-cost operations |
| API key / PII leakage | PII scanning intercepts secrets before they reach providers |
| Prompt injection | Security scanner detects injection, jailbreak, and exfiltration patterns |

Security Architecture

Defense in Depth

Every layer wraps the ones inside it. An attacker must defeat all layers to reach the innermost operations. If any layer blocks, the request never proceeds further.

```
┌─────────────────────────────────────────────┐
│ Container Isolation                         │
│ ┌───────────────────────────────────────┐   │
│ │ Governance Chain                      │   │
│ │ ┌─────────────────────────────────┐   │   │
│ │ │ PII + Security Scanning         │   │   │
│ │ │ ┌───────────────────────────┐   │   │   │
│ │ │ │ Cost + Rate Limits        │   │   │   │
│ │ │ │ ┌─────────────────────┐   │   │   │   │
│ │ │ │ │ HITL Approval       │   │   │   │   │
│ │ │ │ │ (human sign-off     │   │   │   │   │
│ │ │ │ │ before execution)   │   │   │   │   │
│ │ │ │ └─────────────────────┘   │   │   │   │
│ │ │ └───────────────────────────┘   │   │   │
│ │ └─────────────────────────────────┘   │   │
│ └───────────────────────────────────────┘   │
└─────────────────────────────────────────────┘
```
| Layer (outermost first) | What it stops |
|---|---|
| Container Isolation | Host access, sandbox escape, cross-tenant data access |
| Governance Chain | Unauthorized models, untracked requests, policy violations |
| PII + Security Scanning | Data leaks, prompt injection, jailbreak, exfiltration |
| Cost + Rate Limits | Budget overruns, denial-of-wallet, runaway agents |
| HITL Approval | High-risk operations executing without human review |

Gateway Governance Chain (13 Steps)

Every LLM request passes through this chain. It short-circuits on the first denial. See the Governance Chain reference for full details including per-tier defaults and configuration.

```
Request arrives
        │
┌──────────────────┐  blocked   ┌─────────────────┐
│ 1. Plan          │───────────▸│ 403 no plan     │
│    Enforcement   │            │                 │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐ too large  ┌─────────────────┐
│ 2. Body Size     │───────────▸│ 413 payload     │
│    Limit         │            │ too large       │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐  blocked   ┌─────────────────┐
│ 3. Rate          │───────────▸│ 429 + IETF      │
│    Limit         │            │ headers         │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐  denied    ┌─────────────────┐
│ 4. Plan          │───────────▸│ 403 feature not │
│    Entitlement   │            │ in plan         │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐  over cap  ┌─────────────────┐
│ 5. Reasoning     │───────────▸│ 400 reasoning   │
│    Token Cap     │            │ cap exceeded    │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐   over     ┌─────────────────┐
│ 6. Cost          │───────────▸│ 402 per-request │
│    Estimate      │  budget    │ limit exceeded  │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐   over     ┌─────────────────┐
│ 7. Hierarchical  │───────────▸│ 402 budget      │
│    Budget        │  budget    │ exceeded        │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐   over     ┌─────────────────┐
│ 8. Runner        │───────────▸│ 402 session     │
│    Session Budget│  budget    │ budget exceeded │
└───────┬──────────┘            └─────────────────┘
        │ pass
┌──────────────────┐  found     ┌─────────────────┐
│ 9. PII           │───────────▸│ 400 PII         │
│    Scan          │   PII      │ detected        │
└───────┬──────────┘            └─────────────────┘
        │ clean
┌──────────────────┐  unsafe    ┌─────────────────┐
│ 10. Content      │───────────▸│ 400 content     │
│     Safety       │            │ blocked         │
└───────┬──────────┘            └─────────────────┘
        │ safe
┌──────────────────┐  threat    ┌─────────────────┐
│ 11. Security     │───────────▸│ 400 threat      │
│     Scanner      │  found     │ blocked         │
└───────┬──────────┘            └─────────────────┘
        │ safe
┌──────────────────┐  denied    ┌─────────────────┐
│ 12. Model        │───────────▸│ 403 model       │
│     Allowlist    │            │ not allowed     │
└───────┬──────────┘            └─────────────────┘
        │ allowed
┌──────────────────┐  needs     ┌─────────────────┐
│ 13. HITL         │───────────▸│ 202 queued      │
│     Gate         │  approval  │ for review      │
└───────┬──────────┘            └─────────────────┘
        │ auto-approved
        ▾
Forward to provider
```
  1. Plan Enforcement — Verify the org has an active subscription plan
  2. Body Size Limit — Reject payloads exceeding the plan’s size cap (e.g. 1 MB Free, 50 MB Enterprise)
  3. Rate Limiting — Per-org, per-key request throttling (IETF RateLimit-* headers)
  4. Plan Entitlement — Check that the requested feature (streaming, extended thinking, etc.) is available on the org’s plan
  5. Reasoning Token Cap — Enforce maximum reasoning/thinking tokens per request by plan tier
  6. Cost Estimation — Estimated cost checked against per-request cost limit
  7. Hierarchical Budget — Check org → team → key daily budget hierarchy
  8. Runner Session Budget — Enforce per-session spend caps for managed runner workloads
  9. PII Scanning — 14 regex patterns for SSN, credit cards, API keys, IBAN, email, phone, and more
  10. Content Safety — Block harmful, illegal, or policy-violating content
  11. Security Scanner — Prompt injection, jailbreak, and data exfiltration detection
  12. Model Allowlist — Enforce which models each org can use
  13. HITL Gate — Flag high-cost or sensitive requests for human approval
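A compact model of the short-circuiting chain, added here as an illustration rather than Curate-Me's own code: it implements six of the thirteen steps (plan enforcement, body size, cost estimate, PII scan, model allowlist, HITL gate) in the page's order, using the page's body caps and $10 HITL threshold. The request fields, per-request cost limit, model names and the two PII regexes are assumed sample values.

```python
import re
from dataclasses import dataclass

# Constructed request shape for the demo; the gateway's real schema is not on the page.
@dataclass
class Request:
    org_plan: str        # "free" or "enterprise" (the page's plan tiers)
    body: str
    model: str
    est_cost_usd: float

# Body caps are the page's (1 MB Free, 50 MB Enterprise) and the HITL threshold is the
# page's $10 default; the cost limit, model names and regexes are assumed sample values.
BODY_CAP_BYTES = {"free": 1_000_000, "enterprise": 50_000_000}
PER_REQUEST_COST_LIMIT_USD = 25.0
MODEL_ALLOWLIST = {"model-a", "model-b"}
HITL_COST_THRESHOLD_USD = 10.0
PII_PATTERNS = {  # two of the page's categories; its 14 patterns are not listed
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
}

# Each step returns None to pass, or an (http_status, reason) tuple to deny.
def plan_enforcement(r):
    return None if r.org_plan in BODY_CAP_BYTES else (403, "no plan")
def body_size_limit(r):
    cap = BODY_CAP_BYTES[r.org_plan]
    return None if len(r.body.encode()) <= cap else (413, "payload too large")
def cost_estimate(r):
    return None if r.est_cost_usd <= PER_REQUEST_COST_LIMIT_USD else (402, "per-request limit exceeded")
def pii_scan(r):
    hits = [name for name, pat in PII_PATTERNS.items() if pat.search(r.body)]
    return (400, "PII detected: " + ",".join(hits)) if hits else None
def model_allowlist(r):
    return None if r.model in MODEL_ALLOWLIST else (403, "model not allowed")
def hitl_gate(r):
    return (202, "queued for review") if r.est_cost_usd > HITL_COST_THRESHOLD_USD else None

# Same relative order as the page's chain (steps 1, 2, 6, 9, 12, 13).
CHAIN = [plan_enforcement, body_size_limit, cost_estimate, pii_scan, model_allowlist, hitl_gate]

def govern(r: Request) -> tuple:
    """Run the chain in order; the first denial short-circuits and becomes the response."""
    for step in CHAIN:
        verdict = step(r)
        if verdict is not None:
            return verdict
    return (200, "forward to provider")
```

Because the chain stops at the first denial, a request that both exceeds the cost limit and contains PII is reported as 402, not 400; the PII step never runs.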

Sandbox Isolation (4 Tiers)

Every managed runner session runs in an isolated sandbox:

| Tier | Filesystem | Network | Use Case |
|---|---|---|---|
| READ_ONLY | Read project files, write only /tmp | None during execution | Analysis, reporting |
| WRITE_RESTRICTED | Explicit path patterns only | Allowlisted domains only | Controlled automation |
| WRITE_PROJECT | Anywhere in project tree | Bridge network | Development tasks |
| FULL_ACCESS | Unrestricted | Full network | Trusted admin only |

Always-blocked paths (regardless of tier): .env, *.pem, *.key, .git/config, ~/.ssh/*, ~/.aws/*.
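The tier rules and the always-blocked list expressed as a write-policy check, added as an illustration and not Curate-Me's code. The project root, home directory, and the glob interpretation of the deny patterns are assumptions; the check normalises `..` first so a traversal out of the project tree is not misread as in-tree.

```python
import fnmatch
import posixpath
from enum import Enum
from pathlib import PurePosixPath

class Tier(Enum):
    READ_ONLY = "READ_ONLY"
    WRITE_RESTRICTED = "WRITE_RESTRICTED"
    WRITE_PROJECT = "WRITE_PROJECT"
    FULL_ACCESS = "FULL_ACCESS"

# The page's always-blocked list. How Curate-Me encodes it is not shown, so (assumption)
# "~/" entries are treated as home-relative globs and the rest as file-name or
# project-relative globs.
ALWAYS_BLOCKED = [".env", "*.pem", "*.key", ".git/config", "~/.ssh/*", "~/.aws/*"]

def always_blocked(path: str, home: str = "/home/agent") -> bool:
    """True if the path matches a deny pattern; applies at every tier."""
    for pat in ALWAYS_BLOCKED:
        if pat.startswith("~/"):
            if fnmatch.fnmatch(path, pat) or fnmatch.fnmatch(path, home.rstrip("/") + pat[1:]):
                return True
        elif fnmatch.fnmatch(PurePosixPath(path).name, pat) or path.endswith("/" + pat):
            return True
    return False

def _under(path: str, root: str) -> bool:
    """Component-wise prefix check, so '/workspace-evil/x' is not under '/workspace'."""
    p, r = PurePosixPath(path), PurePosixPath(root)
    return p == r or r in p.parents

def write_allowed(tier: Tier, path: str, project_root: str = "/workspace",
                  home: str = "/home/agent", allowed_patterns: tuple = ()) -> bool:
    """Decide whether a sandboxed agent at `tier` may write `path` (absolute POSIX path)."""
    path = posixpath.normpath(path)       # collapse '..' before any check
    if always_blocked(path, home):
        return False                      # deny patterns win regardless of tier
    if tier is Tier.FULL_ACCESS:
        return True
    if tier is Tier.WRITE_PROJECT:
        return _under(path, project_root)
    if tier is Tier.WRITE_RESTRICTED:
        return any(fnmatch.fnmatch(path, pat) for pat in allowed_patterns)
    return _under(path, "/tmp")           # READ_ONLY: /tmp is the only writable location
```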

Network Phase Separation

Agent execution is divided into phases with different network access:

```
┌──────────┐     ┌───────────────┐     ┌───────────┐     Time
│  SETUP   │────▸│   EXECUTION   │────▸│ TEARDOWN  │    ────▸
│          │     │               │     │           │
│ Network: │     │ Network: OFF  │     │ Network:  │
│   ON     │     │               │     │   ON      │
│          │     │ No outbound   │     │           │
│ Install  │     │ connections.  │     │ Upload    │
│ deps,    │     │ Agent runs    │     │ artifacts,│
│ download │     │ locally only. │     │ push      │
│ models   │     │               │     │ results   │
└──────────┘     └───────────────┘     └───────────┘
```

During execution, agents cannot make outbound network calls. This prevents data exfiltration, C2 communication, and unauthorized API calls.

Human-in-the-Loop (HITL)

| Trigger | Default Threshold |
|---|---|
| Cost > threshold | $10/request |
| External API calls | Always |
| File deletions | Always |
| Git push | Always |
| New skill installation | CAUTION-rated |

Approval queues are visible in the dashboard with SLA tracking. Pending requests are auto-denied after 24 hours (configurable).

Compliance

  • Immutable audit trail for every agent action
  • EU AI Act: Medication dosage scanning, VAT/IBAN detection, risk classification
  • SOC 2 compatible log structure (Enterprise plan)
  • GDPR: Data residency options, PII scanning, right to deletion
  • Export formats: JSON, PDF

Further Reading