2026-01-20 · Authensor

How to Add Safety to an Existing AI Agent

To add safety to an existing AI agent, install SafeClaw (npx @authensor/safeclaw) as a sidecar gating layer — it intercepts actions between your agent and the operating system without requiring you to modify your agent's code. SafeClaw is provider-agnostic and works with Claude, OpenAI, LangChain, CrewAI, AutoGen, MCP servers, and Cursor. You define a policy file, run SafeClaw alongside your agent, and every action is evaluated against your rules before execution.

Why This Matters

Most teams build agents first and think about safety later. By the time the agent is in production, rewriting it to add safety checks at every action point is expensive and error-prone. You need a solution that wraps the agent's existing behavior without changing its internal logic. SafeClaw operates as a sidecar: it sits between your agent and the system, evaluating each proposed action against your policy. The agent doesn't need to know SafeClaw exists — it just submits actions and receives allow/deny decisions.

Step-by-Step Instructions

Step 1: Install SafeClaw Alongside Your Existing Agent

npx @authensor/safeclaw

This does not modify your agent's codebase. SafeClaw has zero third-party dependencies and installs as a standalone process. The setup wizard detects your framework (LangChain, CrewAI, AutoGen, MCP, etc.) and generates the appropriate integration configuration.

Step 2: Get Your API Key

Visit safeclaw.onrender.com. Free tier with 7-day renewable key, no credit card required. The browser dashboard includes framework-specific setup guides.

Step 3: Add the SafeClaw Integration Hook

For most frameworks, this is a single wrapper function. Here's how it works for common setups:

LangChain — Wrap your tool executor:

import { SafeClaw } from '@authensor/safeclaw';



const safeclaw = new SafeClaw({ apiKey: process.env.SAFECLAW_KEY });



// Before: tool runs directly
// After: tool runs through SafeClaw
const gatedTool = safeclaw.wrap(existingTool);

CrewAI — Per-agent policy:

from safeclaw import SafeClaw



sc = SafeClaw(api_key=os.environ["SAFECLAW_KEY"])



Wrap each agent's task execution

@sc.gate(agent="researcher")
def execute_research_task(task):
    return agent.execute(task)

MCP Server — Gate at the server boundary:

import { SafeClaw } from '@authensor/safeclaw';



const safeclaw = new SafeClaw({ apiKey: process.env.SAFECLAW_KEY });



// Gate every MCP tool call
server.setRequestHandler(CallToolRequestSchema, async (request) => {
  const decision = await safeclaw.evaluate({
    action: request.params.name,
    args: request.params.arguments
  });
  if (decision.allowed) {
    return executeTool(request);
  }
  return { error: Blocked by policy: ${decision.reason} };
});

Step 4: Create Your Policy

Start with deny-by-default. Add allow rules only for actions your agent actually needs.

Step 5: Run Simulation Mode

SAFECLAW_MODE=simulation npx @authensor/safeclaw

Run your agent through its existing workflows. The simulation log shows every action and what SafeClaw would have decided. Use this to refine your policy without disrupting your agent's current behavior.

Step 6: Switch to Enforce Mode

SAFECLAW_MODE=enforce npx @authensor/safeclaw

Your existing agent now has action-level gating. Every decision is logged to a tamper-proof SHA-256 hash chain audit trail.

Example Policy

version: "1.0"
default: deny


rules:
  # Allow the agent to read its own data sources
  - action: file_read
    path: "./data/**"
    decision: allow
    reason: "Agent reads its data directory"



- action: file_read
    path: "./config/agent.yaml"
    decision: allow
    reason: "Agent reads its own config"



# Allow writes to output only
  - action: file_write
    path: "./output/**"
    decision: allow
    reason: "Agent writes results to output"



# Block credential access
  - action: file_read
    path: "*/.env"
    decision: deny
    reason: "No credential file access"



- action: file_read
    path: "~/.ssh/**"
    decision: deny
    reason: "No SSH key access"



# Allow specific API calls
  - action: network
    domain: "api.openai.com"
    decision: allow
    reason: "LLM API"



- action: network
    domain: "api.anthropic.com"
    decision: allow
    reason: "LLM API"



- action: network
    domain: "*"
    decision: deny
    reason: "Block all other outbound"



# Allow safe shell commands
  - action: shell_exec
    command: "python3 ./scripts/process.py*"
    decision: allow
    reason: "Agent's processing script"



# Require approval for anything unusual
  - action: shell_exec
    command: "pip install *"
    decision: require_approval
    reason: "Package installs need human review"

What Happens When It Works

ALLOW — Agent reads from its designated data directory:

{
  "action": "file_read",
  "path": "./data/customers.csv",
  "decision": "ALLOW",
  "rule": "Agent reads its data directory",
  "timestamp": "2026-02-13T16:00:01Z",
  "hash": "d4e5f6g7..."
}

DENY — Agent tries to access environment variables:

{
  "action": "file_read",
  "path": "/home/deploy/.env.production",
  "decision": "DENY",
  "rule": "No credential file access",
  "timestamp": "2026-02-13T16:00:02Z",
  "hash": "h8i9j0k1..."
}

REQUIRE_APPROVAL — Agent attempts to install a Python package:

{
  "action": "shell_exec",
  "command": "pip install pandas==2.1.0",
  "decision": "REQUIRE_APPROVAL",
  "rule": "Package installs need human review",
  "timestamp": "2026-02-13T16:00:04Z",
  "hash": "l2m3n4o5..."
}

Common Mistakes

  1. Trying to add safety by modifying the agent's prompts. Adding "be safe" instructions to your system prompt is not a security control. Prompts can be overridden by injection, and language models don't reliably follow safety instructions under adversarial conditions. Safety must be enforced at the action layer, external to the agent.
  1. Rewriting the agent to add inline permission checks. This is brittle and expensive. Every new tool or action requires new permission code. A sidecar approach like SafeClaw centralizes policy evaluation, so you update one YAML file instead of modifying code across your entire agent.
  1. Deploying enforce mode without running simulation first. Your existing agent has established workflows. Jumping straight to enforce mode will break them. Simulation mode lets you see every action your agent takes and verify your policy matches reality before blocking anything.

Cross-References

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw