AI Agent OPSEC — Runtime Classified Data Enforcer

Prevent your AI agent from leaking classified terms to external APIs, subagents, or logs. Term registry + runtime redaction + pre-publish audit. Zero dependencies, zero network calls.

Audits

Pass

ClawScanPass

Agentic behavior and permission review.

Static analysisPass

Pattern checks against bundled files.

VirusTotalPass

Multi-engine malware detections and file reputation.

Install

openclaw skills install ai-agent-opsec

AI Agent OPSEC — Runtime Classified Data Enforcer

Keep your secrets out of web searches, external LLM calls, and subagent spawns.

Side Effects (Declared)

Type	Path	Description
READS	`<workspace>/classified/classified-terms.md`	Your term registry — add terms here once, protected everywhere
WRITES	`<workspace>/memory/security/classified-access-audit.jsonl`	Append-only audit log; auto-rotates at 1MB; never contains original sensitive text
NETWORK	None	Zero external calls. Fully local.

Important: Add classified/ and memory/security/ to your .gitignore to prevent accidental commits.

Setup

Create classified/classified-terms.md in your workspace root
Add one term per line (blank lines and # comments ignored)
Require and use the enforcer before any external call

const ClassifiedAccessEnforcer = require('./src/ClassifiedAccessEnforcer');
const enforcer = new ClassifiedAccessEnforcer('/path/to/workspace');

// Before any external API call
const { safe, payload } = enforcer.gateExternalPayload(userQuery, 'web_search');

// Before spawning a subagent
const { task } = enforcer.redactTaskBeforeSpawn(taskString, 'ResearchAgent');

See README.md for full documentation.