Security
Curate-Me is the governance layer that sits between your application and LLM providers. Every request passes through our security chain before reaching any model. Here is exactly what we protect against, and how.
135,000+ exposed OpenClaw instances found across 82 countries, 63% vulnerable (SecurityScorecard STRIKE team, January 2026). If you run AI agents in production, security is not optional.
The Threat Landscape
| Incident | Date | Severity | Impact |
|---|---|---|---|
| CVE-2026-25253 — One-click RCE via WebSocket hijacking | Jan 2026 | CVSS 8.8 | Remote code execution on any exposed instance |
| 512 vulnerabilities in independent security audit (8 critical) | Jan 2026 | Critical | Multiple attack vectors in default configuration |
| 341 malicious ClawHub skills (ClawHavoc campaign) | Feb 2026 | High | Supply-chain attack via skill marketplace |
| 42,665 publicly exposed instances on Shodan | Feb 2026 | High | Zero auth on internet-facing agents |
These are not hypothetical risks. They are documented incidents with CVE numbers and vendor advisories from Microsoft, CrowdStrike, Kaspersky, and Sophos.
How We Block Each Attack
| Known Attack | Our Defense |
|---|---|
| RCE via WebSocket hijacking (CVE-2026-25253) | Network phase separation blocks outbound during execution |
| Docker sandbox escape | 4-tier sandbox with deny patterns prevents host access |
| Malicious skills (ClawHavoc) | Multi-stage scanner with VirusTotal + YARA rules |
| Exposed instances (42,665 on Shodan) | Agents run behind gateway auth — zero public surface |
| Runaway agent purchases | HITL approval queues for high-cost operations |
| API key / PII leakage | PII scanning intercepts secrets before they reach providers |
| Prompt injection | Security scanner detects injection, jailbreak, and exfiltration patterns |
Security Architecture
Defense in Depth
Every layer wraps the ones inside it. An attacker must defeat all layers to reach the innermost operations. If any layer blocks, the request never proceeds further.
┌─────────────────────────────────────────────┐
│ Container Isolation │
│ ┌───────────────────────────────────────┐ │
│ │ Governance Chain │ │
│ │ ┌─────────────────────────────────┐ │ │
│ │ │ PII + Security Scanning │ │ │
│ │ │ ┌───────────────────────────┐ │ │ │
│ │ │ │ Cost + Rate Limits │ │ │ │
│ │ │ │ ┌─────────────────────┐ │ │ │ │
│ │ │ │ │ HITL Approval │ │ │ │ │
│ │ │ │ │ │ │ │ │ │
│ │ │ │ │ (human sign-off │ │ │ │ │
│ │ │ │ │ before execution) │ │ │ │ │
│ │ │ │ └─────────────────────┘ │ │ │ │
│ │ │ └───────────────────────────┘ │ │ │
│ │ └─────────────────────────────────┘ │ │
│ └───────────────────────────────────────┘ │
└─────────────────────────────────────────────┘

| Layer (outermost first) | What it stops |
|---|---|
| Container Isolation | Host access, sandbox escape, cross-tenant data access |
| Governance Chain | Unauthorized models, untracked requests, policy violations |
| PII + Security Scanning | Data leaks, prompt injection, jailbreak, exfiltration |
| Cost + Rate Limits | Budget overruns, denial-of-wallet, runaway agents |
| HITL Approval | High-risk operations executing without human review |
Gateway Governance Chain (15 Stages)
Every LLM request passes through this chain. It short-circuits on the first denial. See the Governance Chain reference for full details including per-tier defaults and configuration.
| Stage | What it blocks or controls |
|---|---|
| Plan enforcement | Inactive subscriptions, plan quota, model entitlement |
| Body size limit | Payloads above tier or org byte limits |
| Rate limit | Per-org and per-key RPM bursts |
| Plan entitlement | Legacy plan-level request or budget limits |
| Reasoning token cap | Excessive extended-thinking token budgets |
| Cost estimate | Per-request, daily, and monthly cost limits |
| Hierarchical budget | Org, team, and API-key budget hierarchy |
| Runner session budget | Per-session spend for managed runners |
| PII scan | Secrets, credentials, personal data, and financial identifiers |
| Content safety | Basic prompt injection and jailbreak patterns |
| Security scan | Advanced injection, exfiltration, and encoded payloads |
| AI classifier | Beta ML classifier for high-risk prompts |
| Model allowlist | Unauthorized models after alias resolution |
| Skill allowlist | Unapproved MCP tools, skills, or agent capabilities |
| HITL gate | High-cost or sensitive requests requiring human approval |
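As an added illustration (not Curate-Me's code) of how a chain that short-circuits on the first denial is evaluated, the following Python stands in five of the stages above with toy rules; the byte, RPM and cost caps, the alias map, the model allowlist and the secret regex are all assumed values:

```python
import re
import time
from collections import defaultdict, deque

# Illustrative short-circuiting chain (not Curate-Me's code): each stage returns
# None to pass or a denial reason, and the first denial ends the chain.
MAX_BODY_BYTES = 64 * 1024         # assumed tier byte limit
RPM_LIMIT = 60                     # assumed per-key requests per minute
PER_REQUEST_USD_CAP = 10.0         # assumed per-request cost limit
MODEL_ALIASES = {"fast": "vendor/small-1", "best": "vendor/large-1"}  # constructed
MODEL_ALLOWLIST = {"vendor/small-1"}                                   # constructed
SECRET_PATTERN = re.compile(r"\b(sk|AKIA)[A-Za-z0-9_-]{16,}\b")       # toy secret shape
_recent = defaultdict(deque)       # api_key -> timestamps seen in the last 60s

def body_size_limit(req):
    if len(req["body"].encode()) > MAX_BODY_BYTES:
        return "body exceeds tier byte limit"

def rate_limit(req, now=None):
    now = time.monotonic() if now is None else now
    q = _recent[req["api_key"]]
    while q and now - q[0] >= 60:          # drop timestamps outside the window
        q.popleft()
    if len(q) >= RPM_LIMIT:
        return "per-key RPM limit exceeded"
    q.append(now)

def cost_estimate(req):
    est = req["est_tokens"] / 1000 * req["usd_per_1k_tokens"]
    if est > PER_REQUEST_USD_CAP:
        return f"estimated cost ${est:.2f} exceeds per-request cap"

def pii_scan(req):
    if SECRET_PATTERN.search(req["body"]):
        return "secret-like token in prompt"

def model_allowlist(req):
    resolved = MODEL_ALIASES.get(req["model"], req["model"])  # resolve alias first
    if resolved not in MODEL_ALLOWLIST:
        return f"model {resolved} not on allowlist"

STAGES = [body_size_limit, rate_limit, cost_estimate, pii_scan, model_allowlist]

def govern(req):
    """Return (allowed, denying_stage, reason); cheap checks run first."""
    for stage in STAGES:
        reason = stage(req)
        if reason:
            return False, stage.__name__, reason
    return True, None, None
```

Because the allowlist runs after alias resolution, a request for the alias `best` is denied on the resolved model name, and a secret in the prompt is reported before the model check is reached.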
Sandbox Isolation (4 Tiers)
Every managed runner session (private beta) runs in an isolated sandbox:
| Tier | Filesystem | Network | Use Case |
|---|---|---|---|
| READ_ONLY | Read project files, write only /tmp | None during execution | Analysis, reporting |
| WRITE_RESTRICTED | Explicit path patterns only | Allowlisted domains only | Controlled automation |
| WRITE_PROJECT | Anywhere in project tree | Bridge network | Development tasks |
| FULL_ACCESS | Unrestricted | Full network | Trusted admin only |
Always-blocked paths (regardless of tier): .env, *.pem, *.key, .git/config, ~/.ssh/*, ~/.aws/*.
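An added example (not Curate-Me's code) of a path-policy evaluator for the tier table and the always-blocked list above; it assumes a home directory of `/home/agent`, a project root of `/home/agent/project`, that non-FULL_ACCESS tiers may read anywhere in the project tree or `/tmp`, and that WRITE_RESTRICTED takes its write allowlist as explicit patterns:

```python
import fnmatch
import posixpath

# Illustrative evaluator for the tier table (not Curate-Me's code).
# Paths are POSIX; "~" is expanded to the assumed home directory.
HOME = "/home/agent"                 # assumed home directory
PROJECT = "/home/agent/project"      # assumed project root

# Always-blocked patterns from the page, matched against the normalised full path.
ALWAYS_BLOCKED = [
    "*/.env", "*.pem", "*.key", "*/.git/config",
    HOME + "/.ssh/*", HOME + "/.aws/*",
]

def _under(path, root):
    """True when path is root itself or lies inside root (trailing slash avoids
    matching a sibling such as /home/agent/project-old)."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def is_allowed(tier, op, raw_path, write_patterns=()):
    """op is 'read' or 'write'. Returns (allowed, reason)."""
    if raw_path.startswith("~/"):
        raw_path = HOME + raw_path[1:]
    path = posixpath.normpath(raw_path)   # collapse ../ and ./ before matching
    if not posixpath.isabs(path):
        return False, "relative paths are rejected"
    for pat in ALWAYS_BLOCKED:            # deny patterns apply to every tier
        if fnmatch.fnmatchcase(path, pat):
            return False, f"always-blocked pattern {pat}"
    if tier == "FULL_ACCESS":
        return True, "unrestricted tier"
    if op == "read":
        if _under(path, PROJECT) or _under(path, "/tmp"):
            return True, "read inside project tree or /tmp"
        return False, "read outside project tree"
    if tier == "READ_ONLY":
        return _under(path, "/tmp"), "writes limited to /tmp"
    if tier == "WRITE_RESTRICTED":
        ok = any(fnmatch.fnmatchcase(path, p) for p in write_patterns)
        return ok, "write must match an explicit allowed pattern"
    if tier == "WRITE_PROJECT":
        return _under(path, PROJECT), "writes limited to project tree"
    return False, f"unknown tier {tier}"
```

Normalising before matching is what makes `/home/agent/project/../.ssh/id_rsa` hit the `~/.ssh/*` deny pattern; a real sandbox would additionally resolve symlinks and enforce the policy at the filesystem or container layer rather than in application code.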
Network Phase Separation
Agent execution is divided into phases with different network access:
┌──────────┐ ┌───────────────┐ ┌───────────┐
Time │ SETUP │────▸│ EXECUTION │────▸│ TEARDOWN │
────▸ │ │ │ │ │ │
│ Network: │ │ Network: OFF │ │ Network: │
│ ON │ │ │ │ ON │
│ │ │ No outbound │ │ │
│ Install │ │ connections. │ │ Upload │
│ deps, │ │ Agent runs │ │ artifacts,│
│ download │ │ locally only. │ │ push │
│ models │ │ │ │ results │
└──────────┘ └───────────────┘ └───────────┘

During execution, agents cannot make outbound network calls. This prevents data exfiltration, C2 communication, and unauthorized API calls.
Human-in-the-Loop (HITL)
| Trigger | Default Threshold |
|---|---|
| Cost > threshold | $10/request |
| External API calls | Always |
| File deletions | Always |
| Git push | Always |
| New skill installation | CAUTION-rated |
Approval queues are visible in the dashboard with SLA tracking. Pending requests are auto-denied after 24 hours (configurable).
Data Handling
Curate-Me processes LLM requests as a reverse proxy. Here is exactly what we store and for how long.
| Data Type | Stored | Retention | Notes |
|---|---|---|---|
| Request metadata (model, timestamp, token count, cost) | Yes | Per-plan (7d / 30d / 90d / 1yr+) | Used for cost tracking, audit trail, and dashboard visibility |
| Prompt content | Configurable | Same as metadata | Stored by default for trace replay. Disable per-org via governance policy. |
| Response content | Configurable | Same as metadata | Same as prompts. Configurable per-org. |
| PII scan results | Yes (redacted form only) | Same as metadata | Detected PII patterns are logged but original content is redacted. |
| Provider API keys | Encrypted at rest | Until revoked | AES-256 envelope encryption. Never logged or exposed in traces. |
| Curate-Me API key hashes | Yes | Until revoked | Keys are bcrypt-hashed. Plaintext is shown once at creation time. |
| User accounts | Yes | Until deletion requested | Email, name, org membership. No passwords stored (OAuth only). |
We do not train on your data. Customer prompts, responses, and provider keys are never used for model training, fine-tuning, or any purpose beyond serving the request and populating the audit trail.
Deletion: Request data deletion via security@curate-me.ai or the dashboard API. Deletion propagates to MongoDB within 24 hours and to backups within 7 days.
Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 on the storage volume). Provider credentials use envelope encryption with a separate key.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@curate-me.ai. We commit to:
- Acknowledge receipt within 24 hours
- Provide an initial assessment within 72 hours
- Work with you to understand and resolve the issue before public disclosure
- Credit researchers who follow responsible disclosure (unless anonymity is preferred)
We do not pursue legal action against researchers who report vulnerabilities in good faith.
Compliance
- Immutable audit trail for every agent action
- EU AI Act: Medication dosage scanning, VAT/IBAN detection, risk classification
- SOC 2 compatible log structure (Enterprise plan)
- GDPR: Data residency options, PII scanning, right to deletion
- Export formats: JSON, PDF