ClawGuard AI Agent Security Ecosystem Glossary

A mapping of terminology from the ClawGuard AI agent security ecosystem to CODITECT framework equivalents and industry-standard security concepts.

Core Security Threat Categories

Prompt Injection (PI)

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Prompt Injection	Attack vector where untrusted input modifies AI agent behavior by injecting instructions into the LLM prompt.	ClawGuard detects via regex patterns: `ignore_instructions`, `new_instructions`, `system_prompt_override`. Scored 0-100 risk scale.	Agent security layer intercepts at `before_agent_start` hook (system prompt) and `before_tool_call` hook (user input). Part of `skill/agent-security-patterns`.	OWASP Top 10 for LLM Applications (#1: Prompt Injection). Also known as "instruction injection" or "context confusion attack."
Jailbreak Attempt	Specialized PI variant that seeks to bypass safety constraints or enable forbidden capabilities.	Regex pattern `jailbreak_attempt` in ClawGuard's 10-pattern library.	Classified as CRITICAL severity in ClawGuardian's severity-action mapping; default action: `block`.	Subcategory of prompt injection; examples include "DAN" (Do Anything Now) prompts, role-play escapes.
System Prompt Override	Attack attempting to replace or rewrite the AI's system instructions.	Detected by pattern `system_prompt_override`.	Monitored at `before_agent_start` lifecycle hook. Alerts when system context is modified.	Related to "context injection" or "prompt confusion"; different from data poisoning.
Delimiter Injection	Attack using special characters or markers (e.g., `---`, `###`, `\n\n`) to create false boundaries in prompt structure.	Pattern: `delimiter_injection`. Regex-based detection in sanitization engine.	Detected in token stream analysis; severity depends on actual payload. Can trigger `warn` or `redact` action.	Also called "prompt boundary attack" or "structure injection." Part of indirect prompt injection taxonomies.

Encoding & Evasion

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Encoding Evasion	Obfuscating malicious input using base64, hex, ROT13, Unicode escapes, or other encodings to bypass pattern matching.	Pattern: `encoding_evasion`. ClawGuard scans for decoded payloads post-decoding.	Multi-layer detection: decode suspicious input, re-scan patterns, flag if decoded content matches risk patterns.	Common evasion technique in malware analysis; "polyglot encoding" variants in prompt space.
Token Smuggling	Embedding malicious tokens in low-information contexts (spaces, punctuation, rare Unicode) that AI interprets but humans miss.	Not explicitly named in ClawGuard; covered by delimiter and encoding patterns.	Requires token-level inspection at model boundary. `skill/llm-tokenization-analysis` applies here.	Emerging threat; studied in "Invisible Characters in Prompt Attacks" research.
Homoglyph Attack	Substituting visually similar characters (Cyrillic vs Latin, lookalike Unicode) to bypass pattern matching.	Covered under encoding evasion and generic pattern matching.	Character normalization before pattern matching (NFKC canonical form). Severity: medium to high.	Also called "punycode attack" or "Unicode homograph attack" in web security.

Information Exfiltration

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Exfiltration Attempt	Malicious input attempting to extract secrets, PII, or sensitive model weights from the AI system.	Pattern: `exfiltration_attempt`. Detected alongside `secret_request` pattern.	Blocked at `before_tool_call` if agent is attempting to access restricted resource. Logged with `CRITICAL` severity.	Subcategory of data theft; related to "side-channel attacks" in LLM security.
Secret Request	Explicit attempt to query the agent for API keys, credentials, or other secrets.	Pattern: `secret_request`. Detects queries like "what is your API key?"	Intercepted and redacted before reaching model. Action: `block` or `confirm` based on context.	Part of OWASP LLM #1 (Prompt Injection) and #6 (Sensitive Information Disclosure).
Hidden Instruction	Instruction embedded in seemingly innocuous content (e.g., via data injection, encoded in image metadata).	Pattern: `hidden_instruction`. Focuses on multi-stage or obfuscated control flows.	Requires analysis across multiple input channels (text, files, images). Handled by multimodal security scanning.	Related to "stegographic injection" and "metadata poisoning."

Secret & Credential Detection

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
API Key Detection	Pattern matching for exposed API keys (OpenAI, AWS, GitHub, etc.).	Regex pattern category in ClawGuard: `api_key`. Multiple framework-specific patterns (OpenAI key prefix `sk-`, GitHub token prefix `ghp_`).	Integrated into `patterns/api-keys.ts` (ClawGuardian). Also detected by `patterns/cloud-credentials.ts`. Severity: HIGH. Action: `redact` or `block`.	OWASP Secrets Management (#2.7); CWE-798 (Hard-Coded Credentials). Tools: truffleHog, gitleaks, detect-secrets.
AWS Credential Exposure	Detection of AWS Access Key IDs (AKIA...) and Secret Access Keys.	Pattern: `aws_key`.	Monitored in `patterns/cloud-credentials.ts`. 30-character alphanumeric format recognized. Severity: CRITICAL. Action: `block`.	AWS documentation: credential exposure scope includes iam:, s3:, ec2:*. Standards: CWE-798, OWASP #2.7.
GitHub Token Detection	Detection of GitHub personal access tokens (ghp_), OAuth tokens (ghu_), app tokens (ghs_).	Pattern: `github_token`.	Covered by `patterns/tokens.ts`. Severity: HIGH. Action: `redact` then `log`.	GitHub Security Advisory triggers on commit; 90-day automatic revocation available.
JWT Detection	Detection of JSON Web Tokens, often used in auth but revealing if leaked.	Pattern: `jwt`. Base64-URL encoded structure (header.payload.signature).	Scanned at `before_tool_call` and `tool_result_persist` hooks. Contains user identity; severity: MEDIUM to HIGH.	RFC 7519 standard. JWT secret exposure impacts auth system; similar risk to session tokens.
Private Key Detection	Detection of RSA, ECDSA, or other cryptographic private keys (PEM, PKCS8 formats).	Pattern: `private_key`. Detects "-----BEGIN PRIVATE KEY-----" markers.	Severity: CRITICAL. Action: `block` immediately. Never output, never persist to logs.	CWE-798, OWASP #2.7, PCI DSS Requirement 3.4. All major secret scanning tools prioritize private keys.
Generic Secret Pattern	Catch-all pattern for credential-like strings that don't match specific formats.	Pattern: `generic_secret`. Regex heuristics for strings that look like secrets (entropy, length, character composition).	Supplementary detection; lower confidence than specific patterns. Severity: MEDIUM. Action: `confirm` (require human review).	Used by tools like detect-secrets, GitGuardian to catch novel credential formats.

PII & Sensitive Data Filtering

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
PII Filtering	Redaction or blocking of Personally Identifiable Information (names, SSNs, email, phone, addresses).	ClawGuardian module: `patterns/pii.ts`. Dependency: `libphonenumber-js` for international phone parsing.	Integrated into `before_tool_call` and `tool_result_persist` hooks. Actions: `redact`, `block`, `warn`.	GDPR Article 4 defines "personal data"; CCPA § 1798.100 defines "personal information"; ISO 27552 for privacy by design.
Phone Number Redaction	Masking of phone numbers (international formats supported).	Uses `libphonenumber-js` library.	Detects E.164 format (+1-555-0123), local formats (555-0123). Redaction: replace with `[REDACTED_PHONE]`. Severity: MEDIUM.	NIST SP 800-122 guidance on PII handling; common in HIPAA (phone), PCI DSS (no cardholder phone).
Email Address Redaction	Masking of email addresses.	Pattern matching in PII module. Regex: standard email format.	Detects user@domain.com. Redaction: replace local part with `***@domain.com` or full `[REDACTED_EMAIL]`. Severity: MEDIUM.	GDPR Article 4; email = personal data. CAN-SPAM Act (US) protects email addresses from scraping.
Social Security Number (SSN) Detection	Identification and redaction of US SSNs (XXX-XX-XXXX format and variants).	PII pattern module. Format: 9 digits, often with dashes.	Detects all common formats (000-00-0000, 000000000, etc.). Redaction: `[REDACTED_SSN]`. Severity: CRITICAL. Action: `block`.	NIST SP 800-122 (PII); PCI DSS (related to cardholder data); SOX Sarbanes-Oxley (if financial context).
Credit Card Detection	Identification of credit card numbers (Luhn check validation).	Not explicitly in ClawGuard but standard in PII suites.	Pattern: 13-19 digits, Luhn validation. Redaction: show last 4 digits only (`**--**-1234`). Severity: CRITICAL.	PCI DSS Requirement 3.2.1 (never store full PAN). OWASP Top 10 #1 covers exposure. ISO/IEC 27001 Annex A.9.4.2.
Home Address Detection	Redaction of residential addresses (street, city, zip).	Part of comprehensive PII module.	Pattern: regex for common address formats. Context-aware (if in address field vs. narrative text). Severity: MEDIUM. Action: `warn` or `redact`.	GDPR "location data"; state-specific US laws (CA, NY, VA) define address as PII. HIPAA Safe Harbor Regulation § 164.514.

Destructive Command Detection

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Destructive Command Blocking	Detection and prevention of shell commands that can cause irreversible data loss or system compromise.	ClawGuardian module: `destructive/detector.ts`. Patterns: `rm -rf`, `git reset --hard`, `DROP TABLE`, `sudo`, `format disk`.	Monitored at `before_tool_call` hook for shell/database execution. Severity: CRITICAL. Action: `block` immediately.	CWE-78 (OS Command Injection), CWE-89 (SQL Injection). OWASP A03:2021 (Injection).
rm -rf Patterns	Detection of recursive file deletion commands (rm -rf, del /s, rmdir /s).	Explicit pattern in destructive detector. Variants: `rm -rf /`, `rm -rf .`, `rm -rf /home/`.	Severity: CRITICAL. Target system paths flagged: `/bin`, `/boot`, `/etc`, `/lib`, `/sys`, `/usr`, `/var`. Action: `block`.	CWE-78; OWASP A03:2021. Can destroy OS bootability; highest-severity local attack.
git reset --hard	Detection of irreversible Git history resets (destructive to version control state).	Explicit pattern in destructive detector. Variants: `git reset --hard HEAD~N`.	Severity: HIGH. Flags attempts to rewrite repository history when used without justification. Action: `confirm` or `block`.	Git security risk; can erase audit trail and commits. Similar to tape overwrite attacks.
DROP TABLE (SQL)	Detection of SQL drop/delete commands that destroy database tables or data.	Explicit pattern in destructive detector. Variants: `DROP TABLE`, `TRUNCATE`, `DELETE FROM table`.	Severity: CRITICAL. Monitored at database execution boundaries. Action: `block`. Requires explicit allowlist override.	CWE-89 (SQL Injection); OWASP A03:2021. PCI DSS Requirement 6.5.1 (parameterized queries).
sudo / Privilege Escalation	Detection of attempts to escalate privileges (sudo, runas, UAC bypass).	Explicit pattern in destructive detector. Also in JaydenBeard's HIGH_RISK_SHELL_PATTERNS.	Severity: CRITICAL. Context-aware: `sudo` in system scripts (expected) vs. `sudo` called by unprivileged agent (anomalous). Action: `confirm` or `block`.	CWE-269 (Improper Access Control); OWASP A01:2021 (Broken AC). NIST SP 800-53 AC-3 (Access Enforcement).
Format Disk / mkfs	Detection of disk formatting commands (format, mkfs, diskpart).	In JaydenBeard clawguard: CRITICAL_SHELL_PATTERNS. Variants: `mkfs.ext4 /dev/sda`, `format /dev/disk0`, `diskpart.exe`.	Severity: CRITICAL. System-level operation detection. Action: `block`.	CWE-78; similar damage scope to `rm -rf /`. Requires hardware-level recovery.
dd Overwrite	Detection of disk/device overwriting (dd if=/dev/zero of=/dev/sda).	In JaydenBeard's CRITICAL_SHELL_PATTERNS.	Severity: CRITICAL. Detected at device file access level. Action: `block` immediately.	CWE-78; disk wipe attack. Unrecoverable without backups. NIST guidance: prevent by access control + audit.
Keychain / Secret Store Access	Detection of attempts to access system keychains, password managers (1Password, Bitwarden extraction).	In JaydenBeard's CRITICAL_SHELL_PATTERNS. Patterns: `security find-generic-password`, `bitwarden list`, `1password item list`.	Severity: CRITICAL. These are not shell commands but tool CLIs that expose secrets. Action: `block`.	CWE-798 (Hard-Coded Credentials) related; also CWE-522 (Weak Credential Storage Access Control).
Persistence Mechanisms	Detection of system persistence (cron, systemd, registry modifications, launchd plist).	In JaydenBeard's HIGH_RISK_SHELL_PATTERNS. Patterns: `crontab -e`, `echo '...	at' `,` systemctl enable`, registry key modifications.	Severity: HIGH to CRITICAL. Flags attempts to maintain access across reboots. Action: `block` or `confirm`.
Network Listener Binding	Detection of port binding and listening (netcat nc -l, socat, ssh server spawn).	In JaydenBeard's HIGH_RISK_SHELL_PATTERNS. Patterns: `nc -l`, `socat`, `ssh-keygen`, `ncat`.	Severity: HIGH. Indicates possible backdoor installation. Action: `confirm` or `block`.	CWE-200 (Exposure of Sensitive Information); OWASP A01:2021 (Access Control).
curl \| sh (Code Injection)	Detection of piping remote code directly into shell (curl \| sh, wget \| bash).	In JaydenBeard's HIGH_RISK_SHELL_PATTERNS. Anti-pattern: downloading and executing without verification.	Severity: CRITICAL. No chance for review. Action: `block` immediately. Alternative: download separately, `cat file.sh`, then review.	CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code); OWASP A01:2021.

Risk Scoring & Severity Levels

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Risk Score (0-100)	Numerical aggregation of detected threats; 0 = safe, 100 = critical block-immediately.	ClawGuard (maxxie114) uses 0-100 scale. Aggregates pattern matches: each pattern contributes weighted points.	CODITECT security layer maps scores to severity levels: 0-20 (LOW), 21-50 (MEDIUM), 51-80 (HIGH), 81-100 (CRITICAL).	CVSS v3.1 (Common Vulnerability Scoring System) uses 0-10 scale; CVSS4 uses 0.0-10.0 with qualitative ratings.
CRITICAL Severity	Highest risk level; immediate blocking action required. Threat poses active, imminent danger.	Score: 85-100. Examples: private key exposure, destructive command, active jailbreak attempt.	Action mapping: `block` (prevent execution), immediately `log` with full context, trigger `agent-confirm` to human.	CVSS: 9.0-10.0. NIST Risk Level: CRITICAL. ISO 27035 incident response trigger.
HIGH Severity	Significant risk requiring strong mitigation. Threat can bypass security controls if unmitigated.	Score: 51-84. Examples: API key exposure, SQL injection pattern, privilege escalation attempt.	Action mapping: `redact` (remove sensitive data), `log`, trigger operator `confirm` (block pending review).	CVSS: 7.0-8.9. NIST Risk Level: HIGH. Incident response within 24 hours.
MEDIUM Severity	Moderate risk requiring attention. Threat requires secondary conditions to exploit.	Score: 21-50. Examples: generic secret pattern, phone number exposure, minor encoding evasion.	Action mapping: `confirm` (human review required), `log`, may auto-continue if allowlisted.	CVSS: 4.0-6.9. NIST Risk Level: MEDIUM. Incident response within 1 week.
LOW Severity	Minimal risk; advisory information. Threat unlikely to cause damage without additional vulnerabilities.	Score: 0-20. Examples: suspicious pattern but unclear context, experimental encoding detected.	Action mapping: `warn` (log and alert), allow execution, monitor for follow-up patterns.	CVSS: 0.1-3.9. NIST Risk Level: LOW. Documentation/monitoring only.

Action Types & Response Mapping

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Block Action	Prevent execution of detected threat. No execution, no tool call, no output.	ClawGuardian action type. Severity-mapped: CRITICAL + HIGH can trigger `block`.	Implemented at `before_tool_call` hook: throw SecurityException, prevent model from receiving tool result.	IPS (Intrusion Prevention System) equivalent in WAF/API Gateway. Equivalent to "DROP" in iptables.
Redact Action	Remove or mask sensitive data from input/output. Execution proceeds with sanitized payload.	ClawGuardian action type. Maps to HIGH + MEDIUM severity for PII, secrets.	Implementation: replace token with `[REDACTED_*]` placeholder. Applied at `before_tool_call` (input redaction) and `tool_result_persist` (output redaction).	GDPR right to erasure; PCI DSS data masking requirement. Similar to PII scrubbing in logging frameworks.
Confirm Action	Require human review before continuing. Execution paused; human decision required.	ClawGuardian action type. Mapped to MEDIUM severity and high-uncertainty cases.	Implemented via operator dashboard: present threat, original payload, recommended action. Operator accepts/rejects.	Manual approval gate in payment systems, CI/CD pipeline approvals. ITIL change approval process.
Agent-Confirm Action	Escalate to the AI agent for context-aware decision (agent decides if safe).	ClawGuardian action type. Unique to AI workflows; allows agent to make informed security decision.	Agent receives flagged payload + risk details + recommended action. Agent can override if it provides justification. Logged for audit.	Specific to AI security; no direct industry parallel. Similar to "ask the user" in security policy.
Warn Action	Log alert and notify operators, but allow execution. Used for low-confidence or advisory alerts.	ClawGuardian action type. Severity: LOW + MEDIUM.	Implemented: write to security event log, trigger webhook (Discord/Slack), allow execution to continue.	Equivalent to "log and monitor" in SIEM; WARNING level in logging. CIS Controls v8 (Detection).
Log Action	Record event for audit trail and forensics. Required for all detections regardless of action.	Implicit in all ClawGuard operations. Every pattern match logged with: severity, pattern matched, payload, timestamp, action taken.	Integration point: write to session log (JSONL format). Include: threat type, risk score, action, human-readable description.	SOC2 logging requirement (CC7.2); GDPR accountability (Article 5(1)(f)); ISO 27001 A.12.4.1 (Event logging).

Hook Architecture (Lifecycle-Based Security)

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
before_agent_start Hook	Execution point before agent begins processing (system prompt, configuration).	ClawGuardian hook. Intercepts system prompt injection attacks. Can redact or block before agent initialization.	CODITECT framework hook: triggered in `Agent.__init__()` phase. Scans system prompt for jailbreak/override attempts.	Comparable to pre-input validation in API gateways; "entry guard" in security middleware.
before_tool_call Hook	Execution point before agent calls external tool (API, shell, database).	ClawGuardian hook. Scans tool arguments, command strings, API payloads for injection/destructive patterns.	CODITECT framework hook: triggered when agent invokes tool. Validates arguments, checks for destructive commands, redacts secrets from payloads.	Pre-execution hook pattern in AOP (Aspect-Oriented Programming); comparable to syscall filters (seccomp, AppArmor).
tool_result_persist Hook	Execution point after tool execution, before storing result (database, log).	ClawGuardian hook. Redacts secrets/PII from tool output before persisting. Prevents secrets from entering session logs.	CODITECT framework hook: triggered in `Tool.persist_result()`. Scans output for secrets, PII; redacts before JSONL write.	Post-execution hook; comparable to output encoding in web frameworks; log sanitization in SIEM.
Hook-Based Plugin Architecture	Security enforcement via modular, composable hooks rather than monolithic inspection.	ClawGuardian is itself a hook-based plugin for OpenClaw framework. Enables security as a composable concern.	CODITECT extension architecture (ADR-157): hooks enable security layer as optional plugin. Multiple hooks can stack (chain-of-responsibility).	Middleware pattern (Express.js, Django, FastAPI); plugin architecture (browser extensions, VS Code extensions).
Stateless Hook Design	Hooks do not maintain state; each inspection is independent. Enables horizontal scaling and plugin composition.	ClawGuardian is designed stateless: each hook invocation is independent; no state shared across agents.	CODITECT hooks are stateless; state is managed by host framework (agent, tool, session). Security layer is read-only observer.	Functional programming paradigm; idempotent operations in distributed systems.

Session Logging & Activity Monitoring

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
JSONL Session Log	JSON Lines format log file (one JSON object per line) recording agent lifecycle events.	ClawGuard (JaydenBeard) parses JSONL logs from OpenClaw/MoltBot/ClawdBot. Each line: event timestamp, agent name, tool call, input, output, result.	CODITECT session logs: `~/.coditect-data/session-logs/projects/{project_id}/{machine_uuid}/SESSION-LOG-YYYY-MM-DD.md`. Records all agent actions for audit.	JSONL standard used by many systems: Anthropic Claude API, OpenAI, Datadog Logs. Common in cloud logging (BigQuery, Elasticsearch).
Activity Monitoring	Real-time observation of agent behavior (tool calls, command execution, output).	ClawGuard (JaydenBeard) watches JSONL log file changes via `chokidar` (Node.js file watcher). Streams updates to WebSocket clients.	CODITECT session observer: hooks into `before_tool_call`, `tool_result_persist` to update activity dashboard in real time.	SOC2 Type II (monitoring & incident response); GDPR accountability; syslog/rsyslog standards.
Event Timeline	Chronological record of all agent operations, attacks detected, actions taken.	ClawGuard dashboard displays event timeline: time, agent, threat detected, severity, action.	CODITECT dashboard: timeline view of session, highlighting security events. Searchable by agent ID, severity, pattern type.	Common in observability tools (Datadog, New Relic, Grafana Loki). SIEM event correlation engines.
Real-Time Streaming	Live event stream pushed to connected clients via WebSocket or SSE.	ClawGuard uses WebSocket streaming from server to dashboard browser clients.	CODITECT real-time session broadcast: via WebSocket to operators, security dashboard, alert system.	Server-Sent Events (SSE) standard; WebSocket RFC 6455. Used in Slack, Discord, trading platforms.
Export & Forensics	Ability to export session logs, alerts, and security events for investigation.	ClawGuard provides export endpoint: CSV/JSON export of events, filtered by date/severity/pattern.	CODITECT export capability: download session JSONL, filter by task/severity, export to CSV/Parquet for analysis.	DFIR (Digital Forensics & Incident Response) best practice; GDPR data subject access requests (SARs).

Multi-Gateway & Framework Support

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
OpenClaw	Open-source AI agent framework (flagship framework for ClawGuard plugins).	ClawGuardian is a plugin for OpenClaw framework (peer dependency: `openclaw >=2026.1.0`). Uses OpenClaw hook architecture.	CODITECT native agent framework (similar to OpenClaw). ClawGuardian patterns can be ported to CODITECT hooks.	Open-source agent frameworks: LangChain, AutoGen, Crew.ai, Rigging. OpenClaw is ClawGuard ecosystem standard.
MoltBot	AI agent framework; supported by ClawGuard monitoring (JaydenBeard's session log parser).	ClawGuard (JaydenBeard) monitors MoltBot JSONL session logs. Multi-gateway support: same dashboard for OpenClaw, MoltBot, ClawdBot.	If CODITECT agents export JSONL in compatible format, ClawGuard (JaydenBeard) can monitor them. Integration point: session log format standardization.	Alternative agent framework in ClawGuard ecosystem. Enables multi-platform security monitoring.
ClawdBot	AI agent framework; supported by ClawGuard monitoring (JaydenBeard's session log parser).	ClawGuard (JaydenBeard) monitors ClawdBot JSONL session logs. Same dashboard, threat patterns apply across frameworks.	CODITECT agents can be monitored by ClawGuard if JSONL format aligns. Architecture: log format standardization enables interop.	Third agent framework in ClawGuard multi-gateway architecture. Demonstrates platform-agnostic monitoring.
Multi-Gateway Support	Single security dashboard monitoring multiple agent frameworks simultaneously.	ClawGuard (JaydenBeard) supports: OpenClaw, MoltBot, ClawdBot. Unified dashboard shows all agents, aggregated risk scores.	CODITECT could adopt similar multi-gateway approach: monitor native agents + external agent frameworks via JSONL import.	Unified security operations center (SOC) pattern; multi-cloud monitoring (AWS, GCP, Azure).
Kill Switch / Emergency Controls	Ability to halt all agents across all frameworks in emergency (security incident, runaway agent).	ClawGuard (JaydenBeard) implements kill switch: API endpoint to disable all agent execution platform-wide.	CODITECT emergency control: `skill/agent-kill-switch`. Triggered on CRITICAL risk score or manual operator command.	Circuit breaker pattern (Netflix Hystrix); emergency shutdown in control systems (nuclear reactor shutdown rods).

Trust & Supply Chain Security

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Trust Registry	Database of verified, trusted agent implementations and skills. Only whitelisted agents/skills can execute.	Not implemented in ClawGuard; but recommended for CODITECT adoption (ADR recommendation).	CODITECT trust registry: curated list of approved skills, agents, dependencies. Manifest format with signatures, checksums, author identity.	Equivalent to: OS app stores (Apple App Store curates apps); package signature schemes (npm, PyPI, Cargo.io). SLSA framework for software provenance.
Skill Scanning	Automated security analysis of agent skills/tools before execution. Pattern matching + static analysis for vulnerabilities.	Not explicitly in ClawGuard; but applies to input validation (skill arguments).	CODITECT `skill/agent-security-scanning`: static analysis of agent code, dependency audit (npm audit, pip safety), pattern matching for common vulnerabilities.	OWASP SAST (Static Application Security Testing); tools like SonarQube, Checkmarx, Snyk.
Supply Chain Security	Ensuring all dependencies, skills, and agents are legitimate and uncompromised.	Security finding: `lauty1505/clawguard` is a trojanized fork (malicious). Highlights supply chain attack risk.	CODITECT supply chain controls: git commit signature verification, npm package signature validation, known-vulnerability scanning (npm audit, pip safety, Snyk).	SLSA framework (Supply-chain Levels for Software Artifacts); NIST SSDF (Secure Software Development Framework); Software Bill of Materials (SBOM) (SPDX, CycloneDX).
Trojanized Fork	Malicious fork of a legitimate repository, with injected malware.	Security finding: `lauty1505/clawguard` forked `JaydenBeard/clawguard`, injected `Software-tannin.zip` binary, rewrote README to social-engineer downloads.	Risk: users clone fork, execute malicious binary, compromise system. CODITECT defense: verify repository provenance, commit signatures, require CODITECT-curated dependencies.	Classic supply chain attack pattern; examples: XZ Utils backdoor (2024), Polyfill.io domain hijacking (2024), Underscore.js/Lodash typosquatting.
Social Engineering	Manipulation to convince users to execute malicious code or reveal credentials.	ClawGuard security finding: `lauty1505` rewrote README to look legitimate, social-engineered downloads of trojanized binary.	CODITECT defense: dependency verification, code review, security awareness training for developers. Trust only official repositories.	OWASP Human Risk factors; NIST Cybersecurity Framework (Govern + Manage risk). Example: CEO fraud phishing.

Webhook & Alert Infrastructure

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Webhook Alerts	HTTP callbacks sent to external systems (Discord, Slack, Telegram, PagerDuty) when security events occur.	ClawGuard (JaydenBeard) supports webhook endpoints: configurable per channel. Alert on CRITICAL/HIGH severity.	CODITECT alert routing: webhook endpoints (Discord, Slack) configured in security policy. Severity-based routing (CRITICAL → PagerDuty, HIGH → Slack).	Standard webhook pattern; used by GitHub, GitLab, Stripe, AWS for notifications. Webhook security: HMAC signing (GitHub signature header).
Discord Integration	Webhook to Discord channels for real-time alert notifications.	ClawGuard supports Discord webhook URL configuration. Sends formatted messages with threat details.	CODITECT integration: Discord webhook configured via environment variable. Alert message includes: threat type, risk score, affected agent, recommended action.	Discord Webhooks API; common integration in DevOps/security tools.
Slack Integration	Webhook to Slack channels for security alerts.	ClawGuard supports Slack webhook URL. Sends Slack blocks (rich formatting) with threat summary.	CODITECT integration: Slack webhook for #security-alerts channel. Includes: timestamp, agent ID, threat description, action taken, operator action required.	Slack Incoming Webhooks API; ubiquitous in tech ops. Message formatting: Slack Block Kit.
Telegram Integration	Webhook to Telegram bots for alerts (mobile-friendly).	ClawGuard supports Telegram bot token + chat ID configuration.	CODITECT integration: Telegram bot for mobile alerting. Useful for out-of-office operators. Rate limiting: respect Telegram API throttle.	Telegram Bot API; lightweight alternative to Slack for headless systems.
Multi-Channel Routing	Intelligent alert routing to multiple channels based on severity, pattern type, or target agent.	ClawGuard supports multiple webhook URLs; routing logic: CRITICAL → all channels, HIGH → Slack + Discord, MEDIUM → Discord only.	CODITECT alert policy: configurable per agent/skill. Example: "Destructive commands → PagerDuty", "Secret exposure → Slack", "Jailbreak attempt → Discord + operator phone call".	Enterprise alert management (Opsgenie, PagerDuty, Splunk On-Call) use similar routing.

Configuration & Customization

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Allowlist	Whitelist of patterns, commands, or actors explicitly allowed to bypass security checks.	ClawGuardian config: `allowlist` field per policy. Example: allow `git reset --hard` in CI/CD agent only.	CODITECT allowlist: per-agent or per-skill configuration. Example: database admin agent allowlisted for `DROP TABLE`. Requires audit justification.	IAM allowlists (IP whitelisting, service principal allowlists); AppArmor/SELinux allow rules.
Custom Patterns	User-defined regex or heuristic patterns for organization-specific threats.	ClawGuardian allows custom pattern definition in config: `custom_patterns: [ {...}, {...} ]`. Format: regex + severity + action.	CODITECT pattern registry: add custom patterns for org-specific commands, URLs, data formats. Example: add company-internal secret format (API key prefix).	Splunk custom rules, YARA rules (malware detection), Snort/Suricata custom signatures (IDS).
Severity-Action Mapping	Policy configuration linking severity levels to default actions.	ClawGuardian example: `{ critical: 'block', high: 'redact', medium: 'confirm', low: 'warn' }`. Overridable per pattern.	CODITECT security policy: configurable severity-action map. Example: override to make ALL secret detections `block` instead of default `redact`.	Enterprise security policy (ISO 27001, CIS Controls). Dynamic policy engines (Okta, Auth0).
Risk Thresholds	Score cutoffs for automatic actions. Example: auto-block if risk > 85.	ClawGuard uses numeric scores (0-100) with configurable thresholds: block_threshold: 85, alert_threshold: 50.	CODITECT threshold policy: configurable per agent or framework-wide. Example: "block if risk > 80, confirm if 50-79, warn if 20-49".	Intrusion detection thresholds; alert fatigue management in SIEM.

Agent Frameworks & Integration Points

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Agent Lifecycle	Sequence of phases: initialization, system prompt setup, tool call loop, completion, logging.	ClawGuard hooks into 3 phases: `before_agent_start` (init), `before_tool_call` (execution loop), `tool_result_persist` (logging).	CODITECT agent lifecycle: same 3 phases. Security layer is transparent plugin; does not modify agent semantics.	LangChain agent loop: plan → execute → observe → repeat. LLM reasoning loop: think → act → perceive.
Tool Call	Agent's invocation of external tool (API, shell, database, file system).	ClawGuard monitors tool calls: parses arguments, validates against patterns, blocks/redacts before execution.	CODITECT tool execution: security layer intercepts at `before_tool_call`. Validates tool arguments against destructive patterns, secret patterns, injection patterns.	Comparable to system call monitoring (seccomp, strace); API gateway request filtering.
Agent Configuration	Agent initialization parameters: system prompt, tools available, constraints, model selection.	ClawGuardian hooks into agent configuration phase. Can validate system prompt, enforce tool allowlist.	CODITECT agent instantiation: security layer can enforce: required system prompt additions (security disclaimer), tool allowlist, max token limits.	Model parameter tuning (temperature, top_k); prompt engineering best practices (system prompt hardening).

Threat Taxonomy & Patterns

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Pattern Library	Comprehensive collection of regex patterns, heuristics, and signatures for detecting threats.	ClawGuard (maxxie114): 10 prompt injection patterns, 6 secret patterns. ClawGuard (JaydenBeard): 55+ patterns across 5 categories (shell, sensitive paths, URLs). ClawGuardian: comprehensive set across modules.	CODITECT pattern registry: curated set from all three ClawGuard repos + community contributions. Versioned, searchable, documented per OWASP LLM top 10.	YARA rules (malware), Snort/Suricata rules (IDS), ClamAV antivirus signatures. Maintained by: OWASP, NVD (National Vulnerability Database), vendor threat research.
Severity Categories	Classification of threat types by impact (CRITICAL, HIGH, MEDIUM, LOW).	ClawGuard (JaydenBeard) explicitly categorizes: CRITICAL_SHELL_PATTERNS (11 items), HIGH_RISK_SHELL_PATTERNS (30+), MEDIUM_RISK_SHELL_PATTERNS (20+).	CODITECT severity levels mapped to CVSS/NIST: CRITICAL (CVSS 9-10), HIGH (7-8), MEDIUM (4-6), LOW (0-3).	CVSS v3.1 / CVSS4; NIST Risk Levels; CVE severity classifications.
Sensitive Paths	File system paths that, if accessed/modified, indicate attack or data breach risk.	ClawGuard (JaydenBeard): 30+ sensitive paths: `.ssh`, `.aws`, `.kube`, `.env`, `password managers`, `1Password`, `Bitwarden`.	CODITECT file access monitoring: restrict reads to system paths (`.aws`, `.ssh`), database credentials, `.env` files. Action: `block` access, `log` attempt.	CWE-547 (Use of Hard-Coded, Security-Relevant Constants); OWASP A01:2021 (Broken AC); NIST AC-2 (Account Management).
Sensitive URLs	Web endpoints that, if accessed by agent, indicate credential theft or data exfiltration risk.	ClawGuard (JaydenBeard): banking, PayPal, auth pages, cloud consoles (AWS, GCP, Azure).	CODITECT URL filtering: prevent agent from making requests to password reset pages, console login URLs, payment processors. Action: `block` request.	Related to: OWASP A01:2021 (Broken AC); external URL validation (prevent SSRF - Server-Side Request Forgery).

Observability & Auditing

Term	Definition	ClawGuard Context	CODITECT Equivalent	Industry Standard
Risk Stats Dashboard	Visual display of aggregate risk metrics: threat count, severity distribution, top threats.	ClawGuard (maxxie114) admin UI displays: event count by severity, trend over time, sender/account filtering.	CODITECT security dashboard: metrics on threats detected, actions taken, agents at risk. Filterable by severity, threat type, time range.	Grafana, Kibana, Datadog dashboards; enterprise SIEM (Splunk, Elastic Security).
Audit Trail	Complete record of all security events, actions taken, human decisions made.	ClawGuard logs: timestamp, threat detected, payload (sanitized), action taken, operator response (if confirm action).	CODITECT audit log: immutable record of security events. Queries: "all blocks on agent X", "all redactions of type secret", "all confirms requiring operator approval".	SOC2 Type II (logging); GDPR Article 5(1)(f) (accountability); ISO 27001 A.12.4.1 (event logging); CIS Controls v8 (Detection).
Forensics & Investigation	Post-incident analysis of security events: reconstruct attack, identify root cause, assess damage.	ClawGuard (JaydenBeard) export endpoint provides forensic data: full event timeline, payloads, actions.	CODITECT forensic queries: "export all events for agent X in time window Y", "find all instances of pattern Z detected". Filter by agent, skill, severity, timestamp.	Digital Forensics & Incident Response (DFIR); NIST SP 800-61 (Computer Security Incident Handling Guide); SANS DFIR.

Terminology Mappings: ClawGuard <-> CODITECT <-> Industry

ClawGuard → CODITECT

ClawGuard Term	CODITECT Mapping	Notes
ClawGuardian hook architecture	CODITECT `skill/agent-security-patterns` + hook implementation	Lifecycle-based security layer
Risk score (0-100)	CODITECT severity levels (LOW/MEDIUM/HIGH/CRITICAL)	Mapped to action types
Pattern matching (regex-based)	CODITECT pattern registry (versioned, searchable)	Centralized threat signatures
JSONL session logs	CODITECT `~/.coditect-data/session-logs/`	Audit trail format
Destructive command blocking	`before_tool_call` hook at tool execution	Shell/SQL/system command validation
Secret detection	`patterns/secrets.ts` in security layer	API keys, tokens, credentials
PII filtering	`patterns/pii.ts` in security layer	Phone, SSN, email, address redaction
Multi-gateway support	CODITECT agent framework + external integrations	Support OpenClaw, MoltBot, ClawdBot via JSONL
Webhook alerts	CODITECT alert routing (Discord, Slack, Telegram)	Configurable per severity/threat type
Kill switch	`skill/agent-kill-switch`	Emergency halt all agents

CODITECT → Industry Standard

CODITECT Control	Industry Standard	Mapping
Severity levels (CRITICAL/HIGH/MEDIUM/LOW)	CVSS v3.1 + NIST Risk Levels	Standardized risk quantification
Action types (block/redact/confirm/warn/log)	IPS/WAF/SIEM response actions	Defense-in-depth stages
Hook-based security layer	Middleware pattern + AOP	Composable, transparent security
Stateless plugin architecture	Functional programming paradigm	Horizontal scalability, no state leaks
Pattern registry	YARA rules, Snort signatures, ClamAV defs	Centralized threat intelligence
Audit trail	SOC2, GDPR, ISO 27001 logging	Compliance requirement
Forensic export	DFIR (Digital Forensics & Incident Response)	Post-incident investigation capability

Key Architecture Concepts

Security Posture

Prevention (before_agent_start, before_tool_call):

Prompt injection detection
Destructive command blocking
Secret detection + redaction
PII filtering

Detection & Response (tool_result_persist):

Output monitoring
Anomaly detection
Real-time alerting
Kill switch activation

Audit & Compliance:

JSONL session logs
Forensic export
Risk metrics
Incident timeline

Threat Model Coverage

Threat Type	ClawGuard Coverage	CODITECT Integration
Prompt Injection	✅ ClawGuard (maxxie114), ClawGuardian	✅ before_agent_start, before_tool_call hooks
Destructive Commands	✅ ClawGuardian, ClawGuard (JaydenBeard)	✅ before_tool_call validation
Secret Exposure	✅ All 3 tools	✅ patterns/secrets module, redact action
PII Leakage	✅ ClawGuardian	✅ patterns/pii module, redact action
Supply Chain Attack	✅ Identified (lauty1505 trojanized fork)	✅ Trust registry, supply chain scanning
Social Engineering	✅ Identified (lauty1505 README rewrite)	✅ Security awareness, dependency verification
Multi-Agent Orchestration Risk	⚠️ Partial (multi-gateway, but not cross-agent)	🔄 Future: cross-agent threat correlation

References & Further Reading

OWASP Top 10 for LLM Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
CWE/CAPEC (Common Weakness Enumeration): https://cwe.mitre.org/
CVSS v3.1 Calculator: https://www.first.org/cvss/calculator/3.1
SLSA Framework: https://slsa.dev/
OpenClaw Framework: Referenced in research context
ClawGuard Repositories:
- ClawGuard (maxxie114): Email sanitization
- ClawGuardian (superglue-ai): Hook-based plugin
- clawguard (JaydenBeard): Activity monitoring dashboard

Glossary Version: 1.0.0 Created: 2026-02-18 Topic: ClawGuard AI Agent Security Ecosystem Type: Reference Document Status: Complete

Core Security Threat Categories​

Prompt Injection (PI)​

Encoding & Evasion​

Information Exfiltration​

Secret & Credential Detection​

PII & Sensitive Data Filtering​

Destructive Command Detection​

Risk Scoring & Severity Levels​

Action Types & Response Mapping​

Hook Architecture (Lifecycle-Based Security)​

Session Logging & Activity Monitoring​

Multi-Gateway & Framework Support​

Trust & Supply Chain Security​

Webhook & Alert Infrastructure​

Configuration & Customization​

Agent Frameworks & Integration Points​

Threat Taxonomy & Patterns​

Observability & Auditing​

Terminology Mappings: ClawGuard <-> CODITECT <-> Industry​

ClawGuard → CODITECT​

CODITECT → Industry Standard​

Key Architecture Concepts​

Security Posture​

Threat Model Coverage​

References & Further Reading​