How to Secure Microsoft Semantic Kernel Agents
SafeClaw by Authensor enforces deny-by-default policies on every plugin function call in Microsoft Semantic Kernel, intercepting invocations before they execute. Semantic Kernel uses plugins with kernel functions that the AI can invoke — SafeClaw gates each function call against your YAML policy, ensuring only authorized operations proceed.
How Semantic Kernel Plugin Execution Works
Semantic Kernel organizes capabilities into plugins, each containing one or more kernel functions decorated with @kernel_function. When the AI decides to call a function, Semantic Kernel resolves the plugin name and function name, marshals the arguments, and invokes the function. The execution path is: AI model -> function calling response -> Kernel invokes plugin function -> result returned to model. SafeClaw intercepts at the kernel invocation step.
AI Model → Plugin.Function Call → [SafeClaw Policy Check] → KernelFunction.invoke() or Deny
Quick Start
npx @authensor/safeclaw
Creates a safeclaw.yaml in your project. SafeClaw maps Semantic Kernel's plugin_name-function_name convention directly to policy rules.
Step 1: Define Plugin-Level Policies
```yaml
# safeclaw.yaml
version: 1
default: deny
policies:
  - name: "sk-email-plugin"
    description: "Control email plugin functions"
    actions:
      - tool: "EmailPlugin-read_inbox"
        effect: allow
      - tool: "EmailPlugin-search_emails"
        effect: allow
      - tool: "EmailPlugin-send_email"
        effect: deny
      - tool: "EmailPlugin-delete_email"
        effect: deny
  - name: "sk-file-plugin"
    description: "Control file operations"
    actions:
      - tool: "FilePlugin-read_file"
        effect: allow
        constraints:
          path_pattern: "data/|docs/"
      - tool: "FilePlugin-write_file"
        effect: allow
        constraints:
          path_pattern: "output/**"
      - tool: "FilePlugin-delete_file"
        effect: deny
  - name: "sk-database-plugin"
    description: "Control database access"
    actions:
      - tool: "DatabasePlugin-query"
        effect: allow
        constraints:
          operation: "SELECT"
      - tool: "DatabasePlugin-execute"
        effect: deny
  - name: "sk-math-plugin"
    description: "Allow safe computation"
    actions:
      - tool: "MathPlugin-*"
        effect: allow
```
Step 2: Integrate with Semantic Kernel's Function Invocation Filter
Semantic Kernel provides function invocation filters — the ideal integration point for SafeClaw:
```python
from semantic_kernel import Kernel
from semantic_kernel.filters import FunctionInvocationContext
from semantic_kernel.functions import FunctionResult
from safeclaw import SafeClaw

safeclaw = SafeClaw("./safeclaw.yaml")

async def safeclaw_filter(context: FunctionInvocationContext, next):
    """SafeClaw function invocation filter for Semantic Kernel."""
    # Build the PluginName-function_name key that the YAML policy rules use
    tool_name = f"{context.function.plugin_name}-{context.function.name}"
    args = {k: str(v) for k, v in context.arguments.items()}
    decision = safeclaw.evaluate(tool_name, args)
    if not decision.allowed:
        # Short-circuit: the plugin function never runs; the model sees the denial
        context.result = FunctionResult(
            function=context.function.metadata,
            value=f"Action denied by SafeClaw: {decision.reason}",
        )
        return
    await next(context)

kernel = Kernel()
kernel.add_filter("function_invocation", safeclaw_filter)
```
This filter runs before every plugin function invocation, giving SafeClaw full visibility and control.
Step 3: TypeScript / .NET Integration
For Semantic Kernel in TypeScript:
```typescript
import { Kernel } from "@microsoft/semantic-kernel";
import { SafeClaw } from "@authensor/safeclaw";

const safeclaw = new SafeClaw("./safeclaw.yaml");
const kernel = new Kernel();

kernel.addFunctionInvocationFilter(async (context, next) => {
  // Same PluginName-function_name key the YAML policy rules use
  const toolName = `${context.function.pluginName}-${context.function.name}`;
  const decision = safeclaw.evaluate(toolName, context.arguments);
  if (!decision.allowed) {
    context.result = `Denied: ${decision.reason}`;
    return;
  }
  await next(context);
});
```
Step 4: Agent-Specific Plugin Policies
Semantic Kernel supports multiple agents with different plugin sets. Define policies per agent:
```yaml
policies:
  - name: "research-agent-plugins"
    agent: "research_agent"
    actions:
      - tool: "SearchPlugin-*"
        effect: allow
      - tool: "FilePlugin-read_file"
        effect: allow
      - tool: "FilePlugin-write_file"
        effect: deny
  - name: "action-agent-plugins"
    agent: "action_agent"
    actions:
      - tool: "FilePlugin-write_file"
        effect: allow
        constraints:
          path_pattern: "output/**"
      - tool: "EmailPlugin-send_email"
        effect: allow
        constraints:
          to_domain: "company.com"
```
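To make the deny-by-default semantics of the Step 1 and Step 4 policies concrete, here is an added reference evaluator (example code written for this page, not SafeClaw's engine, whose matching rules are not published here) that applies the page's policy shape: PluginName-function_name keys with `*` wildcards, explicit denies winning over allows, the three constraint kinds shown above, and agent scoping. The policy is embedded as a constructed dict mirroring the YAML, and the path normalisation, stacked-statement rejection and exact-domain comparison are this example's own choices.

```python
import fnmatch
import posixpath
# Constructed policy mirroring rules from the safeclaw.yaml above; matching semantics are this example's own.
POLICY = {"default": "deny", "policies": [
    {"name": "sk-file-plugin", "actions": [
        {"tool": "FilePlugin-write_file", "effect": "allow",
         "constraints": {"path_pattern": "output/**"}},
        {"tool": "FilePlugin-delete_file", "effect": "deny"}]},
    {"name": "sk-database-plugin", "actions": [
        {"tool": "DatabasePlugin-query", "effect": "allow",
         "constraints": {"operation": "SELECT"}}]},
    {"name": "sk-math-plugin", "actions": [{"tool": "MathPlugin-*", "effect": "allow"}]},
    {"name": "action-agent-plugins", "agent": "action_agent", "actions": [
        {"tool": "EmailPlugin-send_email", "effect": "allow",
         "constraints": {"to_domain": "company.com"}}]},
]}

def _constraints_ok(constraints, args):  # unknown constraint kinds fail closed
    for key, want in constraints.items():
        if key == "path_pattern":  # normpath collapses "output/../secret" to "secret"
            path = posixpath.normpath(args.get("path", ""))
            if not any(fnmatch.fnmatchcase(path, p) for p in want.split("|")):
                return False
        elif key == "operation":  # first keyword must match; ';' rejects stacked statements
            sql = args.get("sql", "").upper()
            if ";" in sql or sql.split()[:1] != [want.upper()]:
                return False
        elif key == "to_domain":  # exact domain compare, so "company.com.evil" is rejected
            if args.get("to", "").rpartition("@")[2].lower() != want.lower():
                return False
        else:
            return False
    return True

def evaluate(policy, tool, args, agent=None):
    """Deny by default: an explicit deny wins, else a satisfied allow, else the default."""
    granted_by = None
    for rule_set in policy["policies"]:
        if rule_set.get("agent") not in (None, agent):  # agent-scoped sets bind one agent
            continue
        for action in rule_set["actions"]:
            if not fnmatch.fnmatchcase(tool, action["tool"]):
                continue
            if action["effect"] == "deny":
                return False, f"explicit deny in {rule_set['name']}"
            if _constraints_ok(action.get("constraints", {}), args):
                granted_by = rule_set["name"]
    if granted_by:
        return True, f"allowed by {granted_by}"
    return False, f"no matching allow rule (default {policy['default']})"
```

Wiring `evaluate(POLICY, tool_name, args, agent)` into the filter from Step 2 in place of `safeclaw.evaluate` reproduces the gate end to end.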
Step 5: Audit Plugin Invocations
npx @authensor/safeclaw audit --last 50 --filter plugin=EmailPlugin
The hash-chained audit log captures every plugin function invocation with the full plugin name, function name, arguments, and decision.
Why SafeClaw
- 446 tests covering policy evaluation, edge cases, and audit integrity
- Deny-by-default — unlisted plugin functions are automatically blocked
- Sub-millisecond evaluation — invisible latency in Semantic Kernel's function pipeline
- Hash-chained audit log — tamper-evident trace of every plugin invocation
- Works with Claude AND OpenAI — supports Azure OpenAI and all Semantic Kernel connectors
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw