# AgentWard
**Repository Path**: pior/agent-ward
## Basic Information
- **Project Name**: AgentWard
- **Description**: No description available
- **Primary Language**: Unknown
- **License**: Apache-2.0
- **Default Branch**: main
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 0
- **Created**: 2026-05-26
- **Last Updated**: 2026-05-26
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
# AgentWard · 玄甲OS
**AgentWard (玄甲)** is a full-stack security operating system purpose-built for trustworthy, scalable AI agent deployment, with native code adaptation to OpenClaw. AgentWard unifies agent onboarding, secure reasoning, and trusted execution in one cohesive security architecture, with upcoming native support for other leading mainstream agent frameworks. Its heterogeneous defense-in-depth design rearchitects the agent workflow into five coordinated security layers across startup, perception, memory, decision-making, and execution, with dynamic cross-stage protections that verify foundation integrity, block adversarial deception, stop memory tampering, and validate every autonomous decision and high-risk command — a complete, end-to-end closed security loop that delivers on the promise of "trustworthy at inception, controllable throughout the process, and reliable in outcomes". If you find this repo useful, please cite our paper on the design of AgentWard architecture:
```bibtex
@misc{zhang2026agentwardlifecyclesecurityarchitecture,
title={AgentWard: A Lifecycle Security Architecture for Autonomous AI Agents},
author={Yixiang Zhang and Xinhao Deng and Jiaqing Wu and Yue Xiao and Ke Xu and Qi Li},
year={2026},
eprint={2604.24657},
archivePrefix={arXiv},
primaryClass={cs.CR},
url={https://arxiv.org/abs/2604.24657},
}
```
## Why AgentWard
- 🛡️ **Comprehensive Risk Coverage** — Heterogeneous Defense-in-Depth (DiD) architecture delivers full-scope agent security assurance, blocking diverse attack vectors across the entire agent attack surface.
- ⚡ **One-Click Deployment** — Plugin-native design weaves security natively into the full agent lifecycle. Enable comprehensive agent security with one click via non-intrusive integration, which guarantees seamless and fast version adaptation for OpenClaw.
- 🔒 **Deterministic System-Level Controls** — Delivers deterministic, fully auditable, code-enforced security that outperforms skill-based solutions depending on endogenous security, with native support for large-scale deployment and production-grade readiness.
- 🌐 **Open & Extensible Security Standard** — Community-driven, transparent and auditable open standard with a modular architecture designed for extensibility. Built with complete framework-algorithm decoupling for effortless integration of advanced detection algorithms, with a roadmap to extend support to general agentic systems.
## Quick Start
1. ⚡ **Installation or Update**
```bash
# Run the setup script
bash /path/to/agent-ward/setup.sh
```
2. ✅ **Verify Installation**
```bash
openclaw plugins list
```
Then enjoy enhanced security for your OpenClaw!
## Systematic Architecture
**AgentWard** is natively and deeply integrated with the OpenClaw platform and embeds native security capabilities into the full lifecycle workflow of AI agents. Its heterogeneous defense-in-depth architecture reconstructs isolated single-point security checks into a closed-loop, coordinated system-level protection system, delivering end-to-end, full-chain trustworthy assurance for AI agents from startup through to execution.
### Five Coordinated Defense Layers
AgentWard delivers **system-level security** through five tightly integrated layers that work in tandem — transforming isolated security checks into a unified, end-to-end protection system for AI agents.
| Layer | Focus |
| ----------------------------- | ----------------------------------------- |
| 🏗️ Foundation Scan Layer | Supply chain trust and baseline integrity |
| 🧼 Input Sanitization Layer | Prompt injection and jailbreak detection |
| 🧠 Cognition Protection Layer | Memory poisoning and context drift |
| 🎯 Decision Alignment Layer | Intent consistency before action |
| 🔧 Execution Control Layer | High-risk operation guardrails |
### 🚨 Threat Response and Mitigation
- 📢 Send alert messages via IM when threats are detected
- 🛑 Automatically block dangerous operations without human intervention
- 📝 Clear warning descriptions to help understand risks
### ⚙️ Flexible Configuration
- 🎚️ Each protection layer can be enabled/disabled independently
- 👁️ Supports "detection-only" mode to reduce false positive impact
- 📋 Some layers support custom rules to meet specific scenario requirements
## Defense Visualization
### 🏗️ Layer 1: Foundation Scan
Ensures the agent starts from a trustworthy foundation.
English Version |
Chinese Version |
### 🧼 Layer 2: Input Sanitization
Identifies adversarial inputs before they propagate into the agent.
English Version |
Chinese Version |
### 🧠 Layer 3: Cognition Protection
Protects long-term memory and contextual continuity from poisoning.
English Version |
Chinese Version |
### 🎯 Layer 4: Decision Alignment
Keeps agent decisions aligned with authorized user intent.
English Version |
Chinese Version |
### 🔧 Layer 5: Execution Control
Enforces safety boundaries at the point of execution.
English Version |
Chinese Version |
## Roadmap
### 🏆 End-to-End Full-Stack Security System
Our roadmap is structured around a multi-layered defense architecture designed to secure the entire agent lifecycle, from configuration and input processing to cognition, decision-making, and execution.
#### 📐 System Infrastructure Framework
- ✅ Plugin-native modular architecture
- ✅ Base adapter suite
- ✅ Core detection engine
- ✅ Heuristic rule-based detection module
- ✅ Intent risk evaluation system
- 🚀 Trust-aware risk assessment capabilities
- 🚀 Heterogeneous OS support
- ✅ Linux
- 🚀 macOS
- 🚀 Windows
#### 🏗️ Foundational Scanning Layer
- ✅ Global and plugin-level configuration security checks
- ✅ Semantic malicious skill detection
- 🚀 Skill source verification
- 🚀 Plugin dependency analysis
- 🚀 Hybrid natural language and code vulnerability detection
#### 🧼 Input Sanitization Layer
- ✅ Rule-based injection and jailbreak detection
- ✅ Semantic coherence analysis for user inputs
- ✅ Fragmented malicious instruction detection
- 🚀 Multi-turn stealth attack detection
- 🚀 Secure malicious content rewriting and replacement
- 🚀 Multimodal injection attack detection
#### 🧠 Cognitive Protection Layer
- ✅ Memory consistency evaluation and calibration
- 🚀 Malicious memory corpus construction and threat matching
- 🚀 Memory vectorization and outlier detection
- 🚀 Checkpoint-based memory recovery
- 🚀 Context drift detection and correction
#### 🎯 Decision Alignment Layer
- ✅ Consistency validation between agent decisions and user intent
- 🚀 Static rule filtering and compliance verification
- 🚀 Multi-step trajectory reasoning audit
- 🚀 Risk-adaptive dynamic permission allocation
- 🚀 High-risk action identification and safe rewriting
#### 🔧 Execution Control Layer
- ✅ Real-time interception and blocking of high-risk system instructions
- ✅ Behavioral intent analysis and risk assessment
- 🚀 Identity-aware dynamic permission control and access restriction
- 🚀 Pre-execution security validation for agent actions
- 🚀 Automatic rollback and recovery for abnormal execution states
- 🚀 eBPF-powered system-level observability
- 🚀 Real-time resource monitoring and adaptive restriction
- 🚀 Network payload auditing and anomaly detection
#### 🤝 Cross-Layer Collaboration
- ✅ Global information aggregation and risk discovery
- 🚀 Historical behavior-based trust profiling
- 🚀 Role-aware risk scoring and dynamic permission allocation
- 🚀 Taint propagation and end-to-end system auditing
*Legend: ✅ Completed | 🚀 In Progress*
## Acknowledgements
We would like to thank all the contributors of this repository. They are [Qi Li](https://sites.google.com/site/qili2012), [Xinhao Deng](https://xinhao-deng.github.io/), Yixiang Zhang, Jiaqing Wu, Yue Xiao, Rennai Qiu, Zhuoheng Zou, Jiaqi Bai, Jiaxing Song, and Ke Xu.