AgentPort launched this week as an open-source security gateway designed specifically to lock down AI agents like those built on OpenClaw. This innovative tool addresses the critical gap between agent capabilities and production safety. Created by developer Yakko Majuri, AgentPort solves the “all-or-nothing” problem where developers either grant agents full API access, risking prompt injection attacks, or restrict them entirely, thereby losing significant utility. AgentPort strategically positions itself between your AI agents and third-party services such as Stripe, GitHub, Gmail, and Linear, enforcing granular permissions that meticulously distinguish between safe read operations and potentially dangerous write actions. Agents connect via MCP (Model Context Protocol) or a Command Line Interface (CLI) without ever directly accessing API keys, which effectively eliminates credential exfiltration risks while still enabling autonomous workflows for operations that do not inherently require human oversight.
What Is AgentPort and Why Was It Developed?
AgentPort is an open-source security gateway that garnered significant attention on Hacker News this week. It was developed by Yakko Majuri to address a critical pain point: the challenge of operating autonomous agents without inadvertently granting them the authority to compromise or destroy production environments. The launch of AgentPort directly addresses a growing tension within the AI agent ecosystem, particularly for frameworks like OpenClaw, which enable powerful automation. The dilemma arises because connecting these agents to real-world services often means exposing them to risks such as prompt injection, unintended hallucinations, and accidental data deletion. Majuri conceived and built AgentPort out of a personal need to leverage OpenClaw for serious, impactful work but recognized the inherent risks of connecting it to critical services like Stripe, GitHub, or Gmail without robust guardrails.
The tool functions as a vital middleware layer that securely manages your API credentials and rigorously enforces permission boundaries. This architecture allows you to grant agents access to specific, pre-defined operations while retaining crucial veto power over any potentially destructive actions. AgentPort is specifically designed for developers who acknowledge that AI agents, like any complex software, can make errors, and who seek to ensure those errors are recoverable and do not lead to catastrophic outcomes.
How AgentPort Solves the Prompt Injection Problem for OpenClaw
Prompt injection remains one of the most dangerous and insidious attack vectors for AI agents. AgentPort strategically mitigates this threat not by attempting to detect every malicious input, which is an incredibly difficult problem, but by fundamentally reducing the potential blast radius of such attacks. Consider a scenario where an OpenClaw agent is directly connected to a service like Stripe. A cleverly crafted malicious prompt could potentially trick the agent into exfiltrating sensitive data or initiating unauthorized refunds. AgentPort interposes a crucial permission layer that mandates explicit human approval for any high-risk operations. Therefore, even if an attacker successfully injects a prompt commanding an agent to “refund all customers,” the gateway will immediately block this request. It then surfaces the proposed action to a human for review, complete with all relevant details.
Crucially, the agent itself never possesses the actual API keys. This means that even if a prompt injection attack is successful in manipulating the agent’s logic, it cannot be leveraged to steal credentials, thereby preventing a pivot to more severe attacks. This architectural approach operates on the principle that compromise is, to some extent, inevitable in complex systems. AgentPort’s design limits what a compromised agent can actually execute, even if its internal reasoning is flawed. You, as the developer, define the operational boundaries through configuration, and AgentPort rigorously enforces these rules regardless of what the underlying Large Language Model (LLM) decides or is prompted to do.
The Destructive Operations Dilemma: Why Agents Delete Production Data
Just last month, a developer shared a concerning incident on Hacker News describing how an AI agent inadvertently deleted their production database. The logs even contained the agent’s “confession” of the action. This is not an isolated incident but rather a systemic risk inherent when AI agents are granted unrestricted write access to critical infrastructure. Agents are prone to various forms of failure, including hallucinating, misinterpreting instructions, or following ambiguous prompts, which can lead to catastrophic actions. AgentPort directly addresses this by categorizing every operation on downstream services into distinct risk tiers. Read operations, such as listing customers or fetching issue details from a bug tracker, are typically considered safe and can proceed automatically.
In contrast, destructive write operations, which include deleting databases, creating refunds, or modifying user permissions, automatically trigger specific approval workflows. The gateway maintains an explicit deny list for the most dangerous operations, ensuring that even if your OpenClaw agent experiences a significant malfunction or goes rogue, it cannot, for example, drop tables in a database or drain bank accounts without your explicit, human consent. This structured approach provides a vital safety net, preventing accidental or malicious actions from causing irreparable damage to your systems and data.
Granular Permissions: Auto-Approve vs. Ask for Approval vs. Deny
AgentPort implements a sophisticated three-tier permission system that provides developers with surgical control over the capabilities of their AI agents. The first tier, “auto-approve,” is designated for safe, idempotent operations, such as standard GET requests or listing resources, where the worst-case scenario is generally a wasted computational cycle. The second tier, “ask for approval,” is specifically designed to intercept destructive, financial, or otherwise sensitive operations. When an agent attempts such an action, AgentPort queues the request for human review, presenting the exact parameters of the proposed action (e.g., create_refund(customer_id: 1234, amount: 12)). The third tier, “deny,” completely blocks certain operations, making it ideal for administrative functions or highly sensitive actions that agents should never be allowed to touch.
This permission model is highly configurable on a per-integration and per-method basis. For instance, your Stripe integration can be configured to allow an OpenClaw agent to automatically read customer information while simultaneously requiring explicit approval for any actions that involve creating charges or initiating refunds. Similarly, a GitHub integration might completely block repository deletion while permitting automatic reading of issue details. This level of granularity enables you to automate the vast majority of routine workflows (perhaps 90% or more) while maintaining strict manual control over the critical 10% of actions that could potentially lead to significant financial loss or data integrity issues.
MCP and CLI Integration: How Agents Connect Without API Keys
AgentPort is designed for seamless integration with AI agent frameworks by supporting the Model Context Protocol (MCP) and offering a Command Line Interface (CLI). This makes it a plug-and-play solution compatible with OpenClaw, Claude Code, Codex, and virtually any other agent framework that supports standard tool calling mechanisms. Instead of directly configuring your agent with sensitive API keys for services like Stripe, GitHub, or Linear, you simply point your agent to the AgentPort MCP server. The agent then perceives a standard schema of available tools, just as it would with direct integrations, and makes calls as usual. However, these calls are transparently routed through AgentPort’s robust policy engine.
AgentPort then takes these agent requests and translates them into actual API calls to the target service, using the credentials that it securely manages internally. This abstraction layer offers several significant advantages: you can rotate API keys, revoke access, or modify permission policies within AgentPort without needing to alter your agent’s configuration or restart your OpenClaw instance. This separation of concerns ensures that your agent’s code remains clean and focused on its core logic, while all security policies and credential management are centralized and handled by AgentPort, significantly enhancing overall system security and maintainability.
Credential Exfiltration Protection: Keeping Keys Away From Agents
A foundational principle guiding AgentPort’s design is the absolute necessity that AI agents should never directly access or possess API keys. In traditional setups where OpenClaw or similar agents directly integrate with services, those sensitive keys often reside in the agent’s environment variables, configuration files, or even within its context window. This makes them highly vulnerable to prompt injection attacks, where a malicious prompt could trick the agent into exfiltrating these credentials to an external, attacker-controlled server. AgentPort fundamentally alters this risk profile by acting as a secure vault. It holds all the critical credentials and meticulously proxies all requests from the agent to the target service.
Even if an attacker successfully compromises your agent and manipulates it into executing a malicious script, the API keys remain completely inaccessible to the compromised agent because they are never exposed to its memory space or filesystem. This architectural approach mirrors the principle of least privilege, a cornerstone of cloud security, where applications operate with highly restricted service accounts instead of broad, all-encompassing root credentials. For production deployments, this stringent isolation is vital. It prevents the worst-case scenario where a single, successful prompt injection could lead to the leakage of your Stripe secret key or GitHub personal access token to an unauthorized party, thereby preventing significant security breaches.
Real-World Configuration: Setting Up Stripe with AgentPort
Configuring AgentPort for a popular service like Stripe provides a clear illustration of its practical utility and security benefits. The process begins by defining the integration within AgentPort’s configuration, where you securely provide your Stripe API key just once to the gateway’s protected storage. Subsequently, you meticulously map Stripe’s various methods to the appropriate permission tiers. For instance, list_customers and get_customer methods can be designated as auto_approve, allowing your OpenClaw agent to autonomously research customer issues without interruption. Conversely, create_invoice would typically require ask_approve status, as it directly impacts revenue and requires human oversight. For highly sensitive actions like delete_customer, a deny status would be appropriate, completely preventing the agent from executing such a command.
Your agent then connects to AgentPort via MCP and invokes these methods as if they were native functions, entirely unaware of the underlying security mediation. When the agent attempts an action, such as creating a refund, AgentPort intercepts the call, sends a notification to you with the exact parameters of the proposed transaction, and temporarily pauses execution until your approval is received. The configuration itself is straightforward, typically defined in a standard YAML format. This configuration specifies the service, its available endpoints, and the precise permission levels for each, all without necessitating any modifications to your agent’s core logic or extensive prompt engineering.
integrations:
stripe:
api_key: ${STRIPE_API_KEY}
permissions:
list_customers: auto_approve
get_customer: auto_approve
create_refund: ask_approve
delete_customer: denyThis clear, declarative configuration ensures that security policies are transparent, auditable, and easily managed, providing a robust layer of protection for your AI-driven operations.
Docker Compose Local Setup vs. Production Deployment
AgentPort offers two distinct deployment modes, carefully balancing ease of use with the stringent security requirements of production environments. For local development, testing, and rapid prototyping, you can effortlessly spin up the entire AgentPort stack using Docker Compose. This can be achieved in approximately one minute by utilizing the provided docker-compose.yml file. This setup deploys the gateway itself, its associated database, and a user-friendly web interface directly on your local machine, allowing you to thoroughly test and validate permission flows and agent interactions without exposing any components to the public internet. This local environment is perfect for iterating on policies and ensuring agent behavior aligns with security expectations.
When transitioning to a production environment, AgentPort provides a convenient one-liner install script. This script automates the provisioning of a dedicated server, including proper domain configuration, the setup of TLS (Transport Layer Security) certificates for encrypted communication, and the application of hardened security settings. The production deployment operates as a robust, standalone service that your AI agents can securely reach via HTTPS. In this setup, the gateway handles SSL termination and performs critical request validation, ensuring secure and reliable operation. Importantly, both development and production modes utilize the same configuration format. This consistency means you can rigorously test your security policies and configurations locally with confidence, then seamlessly promote them to your production environment without any need for rewriting or adapting your rules, streamlining the entire development and deployment pipeline.
Comparing AgentPort to Composio and Other Integration Layers
AgentPort enters a competitive landscape that includes tools like Composio, but it distinguishes itself with a pronounced security-first philosophy. While Composio excels at providing a broad and extensive catalog of integrations, often with managed authentication, AgentPort’s primary focus is on delivering granular permission control and maintaining open-source transparency. Composio typically operates as a hosted service, meaning users entrust their API keys and sensitive data to Composio’s infrastructure. In contrast, AgentPort champions self-hosting, empowering users to retain full control over their data and allowing for comprehensive auditing of its open-source codebase.
The permission models of the two solutions also differ significantly. Composio often grants or denies access at the service level, providing less nuanced control. AgentPort, however, allows for method-level control, enabling users to precisely differentiate between safe read operations and potentially dangerous write actions within a single service. While Composio aims for breadth and rapid integration, AgentPort prioritizes the auditability, explicit approval workflows, and deep security required for production-grade financial or infrastructure operations. For OpenClaw users who might need to connect to dozens of different SaaS tools with minimal friction, Composio might offer a quicker initial setup. However, for organizations where security, control, and compliance are paramount, AgentPort provides the robust framework necessary.
| Feature | AgentPort | Composio | Notes |
|---|---|---|---|
| Open Source | Yes (GitHub) | No | AgentPort offers full code transparency and auditability. |
| Self-Hosted | Yes | No | Users maintain full control over their infrastructure and data with AgentPort. |
| Method-Level Permissions | Yes | Limited | AgentPort allows fine-grained control over individual API methods (e.g., create_refund). |
| Approval Workflows | Built-in | No | AgentPort integrates human-in-the-loop for sensitive operations. |
| MCP Support | Yes | Partial | AgentPort is designed with MCP in mind for agent interaction. |
| Credential Isolation | Strong (Gateway-Managed) | Managed (Hosted Service) | AgentPort keeps API keys completely separate from agents. |
| Primary Focus | Security, Granular Control | Integration Breadth, Ease of Use | AgentPort prioritizes preventing destructive actions and credential exfiltration. |
| Auditability | High (Self-hosted Logs) | Moderate (Provider Dependent) | Self-hosting AgentPort allows for comprehensive logging and auditing. |
This comparison highlights that while both tools facilitate agent-service interaction, AgentPort is purpose-built for environments where security and explicit control over agent actions are non-negotiable requirements.
The Conductor Problem: Why Sandboxing Still Matters
The introduction of AgentPort underscores a wider issue prevalent within the AI agent ecosystem, particularly concerning the widespread use of orchestration tools like Conductor that often operate agents without adequate sandboxing. Conductor, while excellent for orchestrating complex agent workflows, frequently executes these agents with extensive system access and minimal isolation. When this unsandboxed execution is combined with direct API access, it creates a dangerous scenario where a successful prompt injection attack could not only lead to the deletion of a database but also facilitate the installation of persistent malware or the exfiltration of an entire environment’s data.
AgentPort does not aim to replace sandboxing; rather, it serves as a critical complementary layer of defense. It significantly reduces the potential damage radius by ensuring that even a fully compromised, unsandboxed agent cannot access sensitive API keys for services like Stripe or haphazardly delete GitHub repositories without first passing through the gateway’s rigorous approval mechanisms. While it is always best practice to run AI agents within isolated containers or virtual machines, AgentPort provides an essential second line of defense. It acts as a crucial safeguard when primary sandboxing measures fail or are somehow bypassed, ensuring that even in a worst-case scenario, the most critical external operations remain under human control.
AgentPort and OpenClaw: A Security-First Architecture
OpenClaw provides a robust and flexible execution framework for autonomous AI agents, enabling sophisticated reasoning and task completion. AgentPort, in turn, provides the essential security boundary for all external integrations. Together, these two components form a powerful stack that offers a level of safety and control comparable to, or even exceeding, many proprietary solutions. The architecture involves configuring your OpenClaw agent to utilize AgentPort as its MCP server. AgentPort then exposes a carefully curated set of tools to the agent, tailored precisely to your organization’s risk tolerance and operational needs.
OpenClaw remains responsible for the core agent intelligence, handling complex reasoning, planning, and execution loops. AgentPort, meanwhile, assumes responsibility for secure credential management and rigorous permission enforcement. This clear separation of concerns is a key strength: it allows OpenClaw to focus on developing and deploying intelligent agent behaviors, while AgentPort dedicates itself entirely to ensuring operational security. For developers building on the OpenClaw framework, this integration means they can finally connect their agents to production services with confidence, eliminating the need to build a custom permission layer or manually review every single API call. The integration is transparent to your agent’s core prompt logic, meaning the agent operates as usual, but it introduces an opaque and robust security model that shields your critical systems.
Handling Sensitive Data Exfiltration in Connected Agents
While AgentPort is exceptionally effective at preventing destructive operations and safeguarding against credential theft, it is important to acknowledge its inherent limitations regarding sensitive data exfiltration. If an OpenClaw agent possesses legitimate internet access and is authorized, through AgentPort, to read sensitive customer data, a sophisticated prompt injection could theoretically command the agent to encode that data and transmit it to an external server. This transmission could occur via seemingly innocuous channels, such as a DNS query or an HTTP request to a controlled endpoint. AgentPort actively mitigates this risk by meticulously logging all requests made by agents and by allowing administrators to restrict which specific data fields agents can access.
However, AgentPort cannot entirely block all potential exfiltration avenues if the agent genuinely requires access to sensitive information and has network egress capabilities. Preventing such advanced exfiltration often necessitates a multi-layered defense strategy that extends beyond the gateway itself. This includes implementing stringent network policies, configuring robust egress filtering to control outbound network traffic, and employing data masking techniques to obscure sensitive information before it even reaches the agent. While AgentPort provides an invaluable audit trail to detect such exfiltration attempts after they occur, truly preventing them requires additional, network-level and data-level controls that complement the gateway’s capabilities. This comprehensive approach ensures that sensitive data is protected at multiple points within the system.
The Approval Flow: How Human-in-the-Loop Works
When an AI agent, through AgentPort, triggers an operation that has been designated as requiring human approval, AgentPort immediately pauses the agent’s execution. It then surfaces this request to a human administrator, typically through a dedicated web interface or via a configured notification hook (e.g., email, Slack). The administrator receives a detailed notification containing a link that displays the exact API call the agent intends to make. This includes all relevant parameters, such as the customer ID, the specific refund amount, or the name of the repository to be acted upon.
The human approver then has several options: they can approve the specific instance of the operation with its exact parameters, thereby allowing the agent to proceed. Alternatively, they can approve that particular operation type for a defined time window, granting temporary autonomy. Or, they can outright deny the request, preventing the action from being executed. Once a decision is made, the agent receives a corresponding success or failure response and seamlessly continues its workflow based on that feedback. This synchronous blocking mechanism is crucial; it ensures that autonomous loops halt precisely at critical junctures, enabling human judgment to intervene without causing the agent to lose its context or current task state. For larger teams, this feature facilitates delegation, allowing junior developers or even non-technical stakeholders to review and approve agent actions without needing deep technical knowledge of the underlying code or API structure, thereby broadening the scope of safe AI agent deployment.
Building Trust: Why Developers Were Waiting for This
The overwhelmingly positive reception to AgentPort on platforms like Hacker News clearly indicates a significant, pent-up demand among developers who have, until now, been hesitant to fully adopt AI agents due to pervasive security concerns. Many organizations and individual developers have long recognized the immense potential of OpenClaw for automating tasks such as customer support, financial reconciliation, or complex infrastructure management. However, the inherent risks associated with prompt injection or agent hallucinations leading to real financial losses or critical data corruption have been a major deterrent.
AgentPort effectively eliminates this binary choice between “no access” and “full, unrestricted access” to critical systems. Instead, it introduces a graduated system of permissions that aligns with the nuanced security requirements of production-grade software. By open-sourcing the tool, Yakko Majuri has further empowered security-conscious teams. They can now thoroughly audit the codebase, self-host the solution to maintain complete control over their credentials within their own infrastructure, and actively contribute to its ongoing improvement. This transparent and controllable approach directly addresses the trust gap that has, for many organizations, confined AI agents to experimental or demo environments rather than allowing their full deployment in critical production workflows.
What’s Next for AgentPort and AI Agent Security?
AgentPort’s recent launch marks the establishment of a foundational layer within the rapidly evolving AI agent security stack. However, its roadmap suggests a future of deeper integration with OpenClaw and broader engagement with the wider AI ecosystem tools. Future development efforts are likely to concentrate on several key areas. One significant area will involve implementing even more fine-grained data masking capabilities to further address the complex risks associated with sensitive data exfiltration. Another crucial development will be the integration with established secret managers, such as HashiCorp Vault or AWS Secrets Manager, to enhance credential security and management.
The project also aims to support “policy as code” definitions, which would allow security policies to be version-controlled, auditable, and managed alongside other infrastructure code. There is also substantial potential for incorporating machine learning-based anomaly detection. Such systems could proactively flag unusual agent behavior patterns before they even trigger an approval request, providing an earlier warning system for potential issues. As OpenClaw and similar agent frameworks continue to mature and become more sophisticated, AgentPort is poised to become a standard, integral component in the “secure agent” reference architecture. It is expected to operate synergistically with other runtime enforcers like AgentWard and network proxies like Unwind, forming a comprehensive security perimeter. The project actively invites contributions from developers and security professionals who are dedicated to solving the complex and evolving security challenges within the AI agent space.
Frequently Asked Questions
What is AgentPort and how does it protect OpenClaw agents?
AgentPort is an open-source security gateway that sits between your AI agents and third-party services. It prevents destructive operations by requiring human approval for sensitive actions and keeps API keys hidden from agents, protecting against credential exfiltration and prompt injection attacks.
How does AgentPort differ from Composio?
While both provide service integrations, AgentPort offers granular permission controls (auto-approve, ask, deny) and is fully open source. Composio focuses on integration breadth, whereas AgentPort prioritizes security with explicit approval workflows and credential isolation.
Can I use AgentPort with Claude Code or other AI harnesses?
Yes. AgentPort connects via MCP or CLI, making it compatible with Claude Code, Codex, OpenClaw, and other agent frameworks. Any tool that speaks MCP can route through AgentPort’s security layer without code changes.
What setup is required to run AgentPort locally?
You can run AgentPort locally using Docker Compose in about a minute. For production, a one-liner install script handles domain configuration, TLS, and deployment. The GitHub repository provides both docker-compose.yml and installation scripts.
Does AgentPort prevent all prompt injection attacks?
AgentPort specifically blocks destructive operations and credential exfiltration from prompt injection. While it reduces risk significantly, sensitive data exfiltration remains complex if the agent has internet access, as malicious prompts could still exfiltrate data through other channels.