AI Agents Are Powerful.
Most of Them Are Insecure by Default.

Microsoft, Cisco, CrowdStrike, and Gartner all agree: AI agents open new attack surfaces. Pinchy is the layer that closes them — without sacrificing what makes agents useful.

What the industry is saying about AI agent security.

Full System Access

Typical agent engines grant shell access, file system access, and network access out of the box. No permission layer. Every agent can do everything the host user can do.

Credential Exposure

API keys, SSH keys, cloud credentials, all accessible to agents running on the host. One prompt injection away from exfiltration. Microsoft's Security Blog calls this a critical risk.

No Audit Trail

What did the agent do? When? Why? Without cryptographic logging, you can't answer these questions. Gartner describes AI agents as "insecure by default."

"A chatbot can say something harmful, but an AI agent can do something harmful."

Cisco Security Blog

"This flexibility introduces a new class of security threat: agentic tool chain attacks."

CrowdStrike

A security layer that doesn't compromise power.

Pinchy sits between your users and OpenClaw. Every request goes through authentication, permission checks, and audit logging before OpenClaw ever sees it.

User
Web UI, Telegram
Pinchy
Auth + Permissions + Audit
Agent Engine
Tool Execution (sandboxed)
Model
Anthropic, OpenAI, Ollama

Defense in depth. Not security theater.

Docker Network Isolation

The agent engine runs inside a Docker container with no exposed ports. It's only reachable through Pinchy's authenticated WebSocket bridge. Agents never communicate directly with the outside world — every request passes through Pinchy's permission layer first.

Works today

AES-256-GCM Key Encryption

All API provider keys (Anthropic, OpenAI, Google) are encrypted at rest with AES-256-GCM. Keys are decrypted only when needed for model requests, never stored in plaintext.

Works today

Agent Permissions (Allow-List Model)

Agents start with zero tools. Admins explicitly enable each tool — an allow-list, not a deny-list. A marketing agent gets "Search the web" and "Draft an email." It doesn't get the tools to read your Odoo invoices. Every capability is granted deliberately by an admin who accepts that responsibility.

Works today

Session Isolation

Every user gets their own conversation sessions per agent. No cross-user access to conversations. WebSocket connections are authenticated via cookie-based session validation on every upgrade.

Works today

Groups & Role-Based Access

Organize users into groups (Engineering, HR, Legal) and restrict each agent to the groups that should see it. Enterprise feature — combine with Agent Permissions for two layers of defense.

Works today

Cryptographic Audit Trail

Every tool call, every message, every action — logged with a per-row HMAC-SHA256 signature, each row chained to its predecessor. Append-only via PostgreSQL triggers that reject UPDATE, DELETE, and TRUNCATE. Export to CSV. Your compliance team will love this.

Works today

Verify the Audit Trail Yourself

Tamper-evidence is only worth something if you can test the claim. Most platforms that market "tamper-evident" logs give you no way to check. Pinchy hands you the verifier: an admin endpoint (/api/audit/verify) recomputes every signature and every chain link on demand, reporting exactly which rows were altered and where the chain broke. A scheduled job runs the same check continuously and raises an alarm on any mismatch. Nothing to take on trust — you, or your auditor, run the check.

Works today

Zero Tools by Default

Unlike raw agent engines that give everything away, Pinchy agents start with nothing. No shell, no file access, no network tools. Every capability must be explicitly granted by an admin. The shell tool exists for power users who need it — but it's a conscious decision, not a default.

Works today

Gateway Token Isolation

The agent gateway is only reachable internally. The gateway token is auto-generated at startup and stored in a separate, scoped file. No manual credential management, no exposure risk.

Works today

Fail-Closed by Design, Including Future Tools

Default-deny is not just the starting point, it is the standing rule. Anything an admin has not granted stays denied, and that covers built-in tools OpenClaw adds in future releases: a platform update never silently widens what your agents can do. New capabilities are opt-in, per agent.

Works today

Security Hardening

A continuous line of defensive fixes ships with each release. Recent examples: attachment downloads enforce per-user ownership, deactivating a user immediately revokes their active sessions, the file-write path resolves symlinks before writing, CSV exports neutralize spreadsheet formula injection, and outbound web fetches cap response size to bound memory use.

Works today

Same agent power.
Proper governance.

Agent engines are powerful, flexible, and open source — but they're built for individual developers, not enterprise teams. Pinchy doesn't dilute that power. It wraps it in the security layer regulated industries require, so your AI agents can be deployed the same way you'd deploy any other production workload.

Ready to deploy AI agents safely?

Book a call and we'll walk through the security architecture with your team.

Or email us: info@heypinchy.com