Security Model
Microsoft, Cisco, CrowdStrike, and Gartner all agree: AI agents open new attack surfaces. Pinchy is the layer that closes them — without sacrificing what makes agents useful.
The Reality
Typical agent engines grant shell access, file system access, and network access out of the box. No permission layer. Every agent can do everything the host user can do.
API keys, SSH keys, cloud credentials, all accessible to agents running on the host. One prompt injection away from exfiltration. Microsoft's Security Blog calls this a critical risk.
What did the agent do? When? Why? Without cryptographic logging, you can't answer these questions. Gartner describes AI agents as "insecure by default."
"A chatbot can say something harmful, but an AI agent can do something harmful."
Cisco Security Blog
"This flexibility introduces a new class of security threat: agentic tool chain attacks."
CrowdStrike
How Pinchy Solves This
Pinchy sits between your users and OpenClaw. Every request goes through authentication, permission checks, and audit logging before OpenClaw ever sees it.
Security Features
The agent engine runs inside a Docker container with no exposed ports. It's only reachable through Pinchy's authenticated WebSocket bridge. Agents never communicate directly with the outside world — every request passes through Pinchy's permission layer first.
Works todayAll API provider keys (Anthropic, OpenAI, Google) are encrypted at rest with AES-256-GCM. Keys are decrypted only when needed for model requests, never stored in plaintext.
Works todayAgents start with zero tools. Admins explicitly enable each tool — an allow-list, not a deny-list. A marketing agent gets "Search the web" and "Draft an email." It doesn't get the tools to read your Odoo invoices. Every capability is granted deliberately by an admin who accepts that responsibility.
Works todayEvery user gets their own conversation sessions per agent. No cross-user access to conversations. WebSocket connections are authenticated via cookie-based session validation on every upgrade.
Works todayOrganize users into groups (Engineering, HR, Legal) and restrict each agent to the groups that should see it. Enterprise feature — combine with Agent Permissions for two layers of defense.
Works todayEvery tool call, every message, every action — logged with a per-row HMAC-SHA256 signature, each row chained to its predecessor. Append-only via PostgreSQL triggers that reject UPDATE, DELETE, and TRUNCATE. Export to CSV. Your compliance team will love this.
Works todayTamper-evidence is only worth something if you can test the claim. Most platforms that market "tamper-evident" logs give you no way to check. Pinchy hands you the verifier: an admin endpoint (/api/audit/verify) recomputes every signature and every chain link on demand, reporting exactly which rows were altered and where the chain broke. A scheduled job runs the same check continuously and raises an alarm on any mismatch. Nothing to take on trust — you, or your auditor, run the check.
Unlike raw agent engines that give everything away, Pinchy agents start with nothing. No shell, no file access, no network tools. Every capability must be explicitly granted by an admin. The shell tool exists for power users who need it — but it's a conscious decision, not a default.
Works todayThe agent gateway is only reachable internally. The gateway token is auto-generated at startup and stored in a separate, scoped file. No manual credential management, no exposure risk.
Works todayDefault-deny is not just the starting point, it is the standing rule. Anything an admin has not granted stays denied, and that covers built-in tools OpenClaw adds in future releases: a platform update never silently widens what your agents can do. New capabilities are opt-in, per agent.
Works todayA continuous line of defensive fixes ships with each release. Recent examples: attachment downloads enforce per-user ownership, deactivating a user immediately revokes their active sessions, the file-write path resolves symlinks before writing, CSV exports neutralize spreadsheet formula injection, and outbound web fetches cap response size to bound memory use.
Works todayOur Position
Agent engines are powerful, flexible, and open source — but they're built for individual developers, not enterprise teams. Pinchy doesn't dilute that power. It wraps it in the security layer regulated industries require, so your AI agents can be deployed the same way you'd deploy any other production workload.
Book a call and we'll walk through the security architecture with your team.
Or email us: info@heypinchy.com