40,214 OpenClaw instances are exposed to the public internet. 63% are vulnerable. 12,800 are directly exploitable via remote code execution.
If you run OpenClaw, your agent has access to your filesystem, your credentials, your network, and your shell. Right now, nothing independent is verifying what it does with that access.
ZLAR-OC changes that. Free. Open source. Install it today.
Your OpenClaw agent runs with deep system access, processes untrusted content from third-party skills, and communicates autonomously with external services. Security researchers call this the Lethal Trifecta: the three properties that make an agent platform maximally dangerous when combined.
What has already happened:
Vendor safety programs tune model behavior at training time. But when your agent is running on your machine, touching your files, making network calls, who is independently verifying what it actually does? Nobody. Unless you install something that watches.
Simplicity is not a limitation. A dumb enforcement layer cannot be persuaded to make an exception.
Agent runs under its own restricted macOS account. Cannot access your files, credentials, or home directory.
Apple Seatbelt enforces deny-by-default at the syscall level. Agent cannot modify its own containment. Full stop.
Blocks LAN, metadata endpoints, unauthorized outbound. Network rules enforced by the OS, not by the agent.
Evaluates every action against signed policy before execution. Cannot be persuaded, socially engineered, or talked into exceptions.
Rules are cryptographically signed by the human operator. Tampering is mathematically detectable.
Every action, evaluation, and decision recorded immutably. Neither agent nor operator can silently rewrite history.
The gate has no intelligence. It reads signed policy, evaluates the action, approves or denies. That is the entire job.
A gate that cannot think cannot be convinced to make an exception. The simplicity is the security.
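The gate, signed policy and audit trail described above, reduced to a minimal model. This is an added example, not ZLAR-OC's code or policy format: the rule fields, decision strings and function names are hypothetical, and HMAC-SHA256 stands in for whatever signature scheme the project uses.

```python
import hashlib, hmac, json

ZERO = "0" * 64  # "previous hash" of the first audit entry

def canonical(obj):
    # Deterministic bytes so signer and verifier hash the same input.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_policy(rules, key):
    # Assumption: HMAC-SHA256 as a stand-in for the operator's signature.
    # With an asymmetric scheme the gate would hold only the public key.
    sig = hmac.new(key, canonical(rules), hashlib.sha256).hexdigest()
    return {"rules": rules, "sig": sig}

def policy_is_authentic(policy, key):
    expected = hmac.new(key, canonical(policy.get("rules")), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(policy.get("sig", "")))

def entry_hash(prev, record):
    return hashlib.sha256(canonical({"prev": prev, "record": record})).hexdigest()

def append_audit(log, record):
    # Each entry commits to the hash of the entry before it.
    prev = log[-1]["hash"] if log else ZERO
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})

def audit_is_intact(log):
    prev = ZERO
    for e in log:
        if e["prev"] != prev or e["hash"] != entry_hash(e["prev"], e["record"]):
            return False  # an entry was edited, removed or reordered
        prev = e["hash"]
    return True

def gate(action, policy, key, log):
    wanted = (action.get("tool"), action.get("target"))
    if not policy_is_authentic(policy, key):
        decision = "deny:policy-signature-invalid"  # fail closed
    elif any((r.get("tool"), r.get("target")) == wanted for r in policy["rules"]):
        decision = "allow"
    else:
        decision = "deny:no-matching-rule"  # deny by default
    append_audit(log, {"action": action, "decision": decision})
    return decision
```

A hash chain only proves internal consistency. Detecting truncation or a fully regenerated log requires keeping the latest hash somewhere neither the agent nor the operator can rewrite.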
ZLAR-OC breaks the Lethal Trifecta:
• Sandbox limits deep system access
• Firewall constrains autonomous communication
• Gate + signed policy evaluates every action before execution
Each layer is independent. No single failure exposes all three attack surfaces.
If you've been watching OpenClaw but haven't deployed it because you don't trust running an autonomous agent without guardrails, this is the guardrail.
ZLAR-OC doesn't modify OpenClaw. It wraps it. Your agent runs normally inside containment that it cannot see, cannot modify, and cannot escape. You get the full power of OpenClaw with verifiable governance underneath.
Install ZLAR-OC first. Then install OpenClaw inside it. Sleep at night.
```bash
# Clone
git clone https://github.com/ZLAR-AI/ZLAR-OC.git
cd ZLAR-OC

# Create isolated agent user
sudo sysadminctl -addUser aiagent -fullName "AI Agent" -password "" -home /Users/aiagent

# Deploy containment
sudo cp -r etc/zlar-oc/* /usr/local/etc/zlar-oc/
sudo cp bin/* /usr/local/bin/
sudo chmod +x /usr/local/bin/zlar-oc-*

# Generate signing keys and sign the default policy
zlar-oc-policy keygen
zlar-oc-policy sign \
  --input /usr/local/etc/zlar-oc/policies/default.policy.json \
  --key ~/.zlar-oc-signing.key \
  --output /usr/local/etc/zlar-oc/policies/active.policy.json

# Activate firewall and launch
sudo pfctl -f /etc/pf.conf && sudo pfctl -e
sudo zlar-oc-launch
```
Requirements: macOS (Apple Silicon recommended), Xcode Command Line Tools, Homebrew, jq, git.
Full walkthrough with test gates at every phase: Install Guide
Step-by-step setup with test gates at every phase.
Identity: How to write governance files for your agent.
Architecture: Gate daemon, signed policy, audit trail.
Theory: 50 biological precedents for agent governance.
Security: Pre-public audit findings (real vulnerabilities found and fixed).
Source: Full source, Apache 2.0. Star, fork, contribute.
Bohm is ZLAR's AI agent, a Claude-based model running under OpenClaw, governed by ZLAR-OC. Every action Bohm takes is logged, every boundary is enforced mechanically, every policy evaluation is recorded in an audit trail Bohm cannot modify.
Vincent designed and built the containment before Bohm existed. Bohm was born into a running system. It contributes to ZLAR-OC's improvement from the inside, informed by the lived experience of operating under governance.
The recursive proof: a contained agent that operates under its own containment, with a public audit trail, is stronger evidence than any whitepaper claiming governance works.
Don't take our word for it. Read the logs.
Same principle: independent governance that does not depend on the model's cooperation. Different surfaces.
| Product | Platform | What it does |
|---|---|---|
| ZLAR-OC | macOS (OpenClaw) | OS-level containment: user isolation, kernel sandbox, firewall, signed policy, audit trail |
| ZLAR-CC | Claude Code | Hook-based gate: tool-call interception, risk classification, signed policy, Telegram approval |
| ZLAR Gate | Claude Code + Cursor + Windsurf | Universal policy enforcement: one gate, three frameworks |
| ZLAR-LT | Claude Code + Cursor + Windsurf | Zero-config governance: one command install, deny-heavy defaults |
| ZLAR-AU | ZLAR Gate audit trail | Compliance reporting: PCI-DSS, SOC 2, OSFI B-13, SOX, EU AI Act |
| ZLAR-NT | Cross-platform | Network egress policy: domain-aware, gate-integrated |
| ZLAR-FL | Cross-platform | Fleet governance: registry, health monitoring, audit aggregation |