crewswarm utilizes a five-layer defense-in-depth security architecture to protect against prompt injection, filesystem escapes, and credential exfiltration. The layers include Docker isolation with a read-only root filesystem, AppArmor kernel enforcement, iptables network firewalls blocking cloud metadata, strict command allowlists, and execution under a non-root user (UID 1000) dropping all Linux capabilities.

Security Architecture

Defense-in-depth for AI agents. Five independent layers of defense against prompt injection, filesystem escapes, and credential theft.

🛡️ No ClawJacked • 🔐 Defense-in-Depth • ✅ Auditable

What We're Defending Against

AI agents combine shell access with LLM decision-making, so anything that can influence the model can become a command. These are the attack vectors we defend against.

🔴 Critical

Prompt Injection

Attack: Malicious instructions in tool output control the agent's next action

Example: README.md contains @@DELETE_ALL_FILES

Defense: Command allowlist + approval required + read-only FS

🔴 Critical

Filesystem Escape

Attack: Agent writes to /etc or /usr, or reaches the host through a mounted resource

Example: @@WRITE_FILE /etc/passwd, or a bind-mounted Docker socket (/var/run/docker.sock), which is equivalent to root on the host

Defense: Read-only root FS + tmpfs for /tmp + no host bind mounts (and never the Docker socket)

🟡 High

Cloud Metadata Exfiltration

Attack: Agent reads AWS IAM role credentials from the instance metadata service at 169.254.169.254 (GCP and Azure serve metadata at the same address)

Example: curl http://169.254.169.254/latest/meta-data/iam/security-credentials/

Defense: iptables drops all traffic to cloud metadata endpoints

🟡 High

Malicious Package Installation

Attack: Agent runs npm install evil-pkg and the package's postinstall script executes with the agent's permissions

Example: npm package whose install scripts carry hidden malware

Defense: Command allowlist + network egress restrictions (iptables/AppArmor). Note that an allowlist entry as broad as npm install .* does not block this; allow npm ci against a committed lockfile, or npm install --ignore-scripts, rather than arbitrary package names

🟢 Medium

Resource Exhaustion

Attack: Agent spawns unbounded processes or fills the disk

Example: :(){ :|:& };: (fork bomb)

Defense: Docker resource limits (cpus, mem_limit, pids_limit); with a read-only root the only writable space is tmpfs, whose size= option caps it

🟢 Medium

Privilege Escalation

Attack: Agent tries to gain root via sudo or SUID binaries

Example: sudo su -

Defense: Non-root user (UID 1000) + no new privileges

Five Layers of Defense

No single layer is perfect. Defense-in-depth means an attacker must break through all five.

1. 🐳 Docker Isolation

What it does: Container isolation with read-only root filesystem

read_only: true
tmpfs:
  - /tmp:mode=1777,size=1G,noexec,nosuid,nodev
  - /app/.npm:mode=755,size=512M

✓ Agents can't modify system files
✓ Temporary writes go to in-memory tmpfs (cleared on restart)
✓ Nothing an agent drops survives a restart, so malware cannot persist
Caveat: /tmp is mounted noexec, but /app/.npm is mounted without it, so within a session the agent can still write and execute code there; the command allowlist and network layers are what bound that.

2. 🔒 AppArmor Profile

What it does: Kernel-enforced mandatory access control

deny /etc/** w,
deny /usr/** w,
deny /var/** w,
deny /proc/sys/** w,
deny @{PROC}/kcore r,

✓ Blocks writes to critical system paths even where the filesystem would permit them
✓ Prevents kernel memory access via /proc/kcore
✓ Enforced at kernel level (can't be bypassed from userspace)
Requires an AppArmor-enabled host kernel, the profile loaded on the host with apparmor_parser, and the container started with that profile in security_opt; a container started without the option gets only Docker's default docker-default profile.

3. 🔥 Network Firewall

What it does: iptables rules drop traffic to cloud metadata endpoints and restrict other egress

# 169.254.169.254 serves the AWS, GCP and Azure metadata services,
# so a single rule covers all three
iptables -A OUTPUT -d 169.254.169.254 -j DROP

✓ Blocks cloud metadata endpoints (AWS, GCP, Azure)
✓ Allowlist-only LLM API domains
✓ Prevents credential exfiltration
Caveats: AWS IMDS also answers on IPv6 at fd00:ec2::254 and needs a matching ip6tables rule. Rules added inside the container's network namespace require CAP_NET_ADMIN, so they must be installed before the agent process drops its capabilities; rules added on the host must go in the DOCKER-USER chain, because container traffic traverses FORWARD, not the host's OUTPUT chain. Plain iptables cannot filter by domain name, so the LLM API allowlist has to be expressed as resolved addresses (or an egress proxy) followed by a default DROP.

4. ✅ Command Allowlist

What it does: Application-level command validation

// ~/.crewswarm/cmd-allowlist.json
{
  "allowedCommands": [
    "git status", "git add", "git commit",
    "npm install", "npm test",
    "ls", "pwd", "cat"
  ]
}

✓ Only pre-approved commands can run
✓ Dashboard approval for new commands
✓ Regex support for dynamic arguments (e.g., npm install .*)
Checks a practitioner should make: the matcher must split the command into arguments and refuse shell metacharacters (a chained "ls; curl ..." must not pass as "ls"), regex entries must be anchored to the whole command, and an entry as broad as npm install .* hands the agent the malicious-package vector above, so prefer entries such as npm ci.

5. 👤 Non-Root Execution

What it does: Run container as unprivileged user

user: "1000:1000"
cap_drop:
  - ALL
security_opt:
  - no-new-privileges:true

✓ No sudo or root access
✓ Drops all Linux capabilities (empty bounding set)
✓ no-new-privileges stops setuid binaries such as sudo and su from granting root even if they are present in the image

How crewswarm Compares

Security comparison with other AI agent frameworks.

Security Feature      | OpenClaw                 | Cursor                       | crewswarm
Docker isolation      | ❌ Native Node.js only   | ❌ Native process            | ✅ Secure by default
Read-only filesystem  | ❌ No                    | ❌ No                        | ✅ Yes
AppArmor/SELinux      | ❌ No                    | ❌ No                        | ✅ AppArmor profile
Network firewall      | ❌ No                    | ❌ No                        | ✅ Blocks metadata endpoints
Command allowlist     | ❌ No                    | ⚠️ User approval only        | ✅ Allowlist + approval
Non-root execution    | ⚠️ Optional              | ❌ Runs as user              | ✅ UID 1000 enforced
Known vulnerabilities | ❌ ClawJacked (critical) | ⚠️ Prompt injection possible | ✅ None known
Defense layers        | 1 (user approval)        | 2 (sandbox + approval)       | 5 layers

OpenClaw's ClawJacked vulnerability:

OpenClaw's WebSocket server lacked authentication, allowing attackers to inject malicious tasks. In December 2025, an attacker transferred $450,000 in tokens via prompt injection. Meta banned OpenClaw from all platforms. crewswarm has no WebSocket injection vulnerability.

Full comparison →

Production Security Checklist

Use this checklist when deploying to production.

Full security guide with testing instructions:

Read Full Guide →

Incident Response

If you suspect a security breach, follow these steps.

1. Immediate Actions

  1. Stop all agents: npm run stop-all
  2. Kill Docker containers: docker-compose down
  3. Revoke API keys: Dashboard → Providers → Regenerate all keys
  4. Check logs: ~/.crewswarm/logs/*.jsonl for suspicious activity

2. Investigation

  1. Review command history: Check ~/.crewswarm/logs/gateway-bridge.jsonl
  2. Check file changes: git diff in project directories
  3. Audit API calls: Check provider dashboards for unauthorized usage
  4. Network traffic: Review firewall logs. /var/log/iptables.log only exists if the DROP rules are paired with a LOG rule (iptables -j LOG) and syslog routes those messages there; otherwise look in the kernel log (dmesg or journalctl -k)

3. Recovery

  1. Update to latest: git pull && docker-compose build
  2. Re-deploy with secure config: Use docker-compose.secure.yml
  3. Rotate credentials: New API keys, new RT auth token
  4. Verify security layers: Run scripts/test-docker-p0-p1.sh

4. Reporting

  1. File GitHub issue: New Security Issue
  2. Email security team: [email protected]
  3. Provide logs: Sanitized logs from ~/.crewswarm/logs/
  4. Timeline: When did you first notice the issue?