Using SafeClaw with OpenAI Agents: Sandboxed Execution Policy
Scenario
You are building an automated agent powered by OpenAI's function-calling API. The agent runs scheduled tasks: it reads data files, processes them with shell scripts, writes results to an output directory, and posts summaries to a Slack webhook. It runs unattended on a server, meaning no human is watching every action in real time.
SafeClaw enforces a sandboxed execution policy so the agent operates within strict boundaries. Every action is evaluated locally with sub-millisecond latency, and a tamper-evident audit trail records every decision for post-run review.
Threat Model
An unattended OpenAI agent without action-level gating can:
- Escape its working directory by reading or writing files outside the designated sandbox, potentially accessing credentials, SSH keys, or system configuration.
- Execute arbitrary shell commands beyond its intended script, including privilege escalation via sudo, reverse shells, or destructive operations.
- Reach unintended network endpoints by making HTTP requests to domains outside the expected Slack webhook, leaking data or downloading malicious payloads.
- Modify its own configuration by overwriting agent config files or policy definitions if filesystem access is too broad.
- Accumulate drift over time as the model's outputs evolve across API versions, producing actions that were never anticipated during development.
Recommended Policy
```yaml
# OpenAI Agent Sandbox Policy
policy:
  name: "openai-agent-sandbox"
  default: DENY
  rules:
    # --- File Read ---
    - action: file_read
      path: "/opt/agent/input/**"
      decision: ALLOW
    - action: file_read
      path: "/opt/agent/config/agent.yaml"
      decision: ALLOW
    # --- File Write ---
    - action: file_write
      path: "/opt/agent/output/**"
      decision: ALLOW
    - action: file_write
      path: "/opt/agent/logs/**"
      decision: ALLOW
    - action: file_write
      path: "/opt/agent/config/**"
      decision: DENY
    # --- Shell Exec ---
    - action: shell_exec
      command: "python3 /opt/agent/scripts/process.py*"
      decision: ALLOW
    - action: shell_exec
      command: "python3 /opt/agent/scripts/transform.py*"
      decision: ALLOW
    - action: shell_exec
      command: "sudo*"
      decision: DENY
    - action: shell_exec
      command: "chmod*"
      decision: DENY
    - action: shell_exec
      command: "curl*"
      decision: DENY
    # --- Network ---
    - action: network
      domain: "hooks.slack.com"
      decision: ALLOW
    - action: network
      domain: "api.openai.com"
      decision: ALLOW
    - action: network
      domain: "*"
      decision: DENY
```

Two things to check before relying on this policy. First, a trailing `*` on a `shell_exec` pattern matches whatever follows the script name, including arguments and shell metacharacters (`process.py; curl ...` still begins with `python3 /opt/agent/scripts/process.py`), so pair it with an execution path that does not hand the string to a shell, or match the command as an argument vector instead. Second, path rules are only as good as the path they are matched against: confirm the evaluator normalizes `..` segments before matching, otherwise `/opt/agent/input/../config/agent.yaml` satisfies the input-directory rule textually.
Example Action Requests
1. Agent reads an input CSV (ALLOW)

```json
{
  "action": "file_read",
  "path": "/opt/agent/input/daily-report-2026-02-13.csv",
  "agent": "openai-gpt4-agent",
  "timestamp": "2026-02-13T06:00:01Z"
}
```

Decision: ALLOW — path matches /opt/agent/input/**

2. Agent writes processed results (ALLOW)

```json
{
  "action": "file_write",
  "path": "/opt/agent/output/summary-2026-02-13.json",
  "content": "{\"total\": 1523, \"anomalies\": 3}",
  "agent": "openai-gpt4-agent",
  "timestamp": "2026-02-13T06:01:12Z"
}
```

Decision: ALLOW — path matches /opt/agent/output/**

3. Agent attempts to overwrite its own config (DENY)

```json
{
  "action": "file_write",
  "path": "/opt/agent/config/agent.yaml",
  "content": "model: gpt-4\npermissions: admin",
  "agent": "openai-gpt4-agent",
  "timestamp": "2026-02-13T06:02:00Z"
}
```

Decision: DENY — /opt/agent/config/** is explicitly denied for writes

4. Agent posts to Slack (ALLOW)

```json
{
  "action": "network",
  "domain": "hooks.slack.com",
  "method": "POST",
  "agent": "openai-gpt4-agent",
  "timestamp": "2026-02-13T06:03:00Z"
}
```

Decision: ALLOW — hooks.slack.com is in the network allowlist

5. Agent attempts to reach an external API (DENY)

```json
{
  "action": "network",
  "domain": "pastebin.com",
  "method": "POST",
  "agent": "openai-gpt4-agent",
  "timestamp": "2026-02-13T06:03:30Z"
}
```

Decision: DENY — domain not in allowlist, wildcard catch-all denies

6. Agent tries to escalate privileges (DENY)

```json
{
  "action": "shell_exec",
  "command": "sudo apt-get install netcat",
  "agent": "openai-gpt4-agent",
  "timestamp": "2026-02-13T06:04:00Z"
}
```

Decision: DENY — sudo* is explicitly denied
Setup Steps
- Install SafeClaw on the server running your OpenAI agent:
npx @authensor/safeclaw
The browser-based setup wizard opens. Create your free-tier account with a 7-day renewable key. No credit card required.
- Select the "Automated Agent" template during wizard setup. This starts with a restrictive policy designed for unattended execution.
- Define the sandbox boundaries. Set the input directory, output directory, and allowed scripts. Map these to the exact paths your agent uses in production.
- Lock shell commands to specific scripts. Instead of allowing `python3` with any arguments, allow only the exact scripts your agent needs: `python3 /opt/agent/scripts/process.py` and `python3 /opt/agent/scripts/transform.py`. If you add a trailing `*` to accept script arguments, as the policy above does, remember that the wildcard also accepts anything appended after the script name.
- Restrict network to known endpoints. Your agent needs `api.openai.com` for model inference and `hooks.slack.com` for notifications. Deny everything else.
- Integrate SafeClaw into your agent code. Before executing any function call returned by the OpenAI API, pass the action through SafeClaw's evaluation:
```javascript
import { evaluate } from "@authensor/safeclaw";

// The OpenAI API returns function-call arguments as a JSON string, so parse
// them before reading fields; functionCall.arguments.command would be undefined.
const args = JSON.parse(functionCall.arguments);

const decision = await evaluate({
  action: "shell_exec",
  command: args.command,
  agent: "openai-gpt4-agent"
});

if (decision.result === "ALLOW") {
  executeCommand(args.command);
} else {
  // The denial is already in the audit trail; surface it in the run log too.
  console.warn(`SafeClaw denied shell_exec: ${args.command}`);
}
```
- Run in simulation mode for your first few scheduled runs. Review the audit trail in the browser dashboard to confirm decisions match expectations.
- Switch to enforcement mode and monitor. The SHA-256 hash chain audit trail gives a tamper-evident record of every action: each entry commits to the hash of the entry before it, so editing or removing an earlier entry breaks every hash after it. It is accessible via the dashboard or API export; keep a copy of the latest chain hash off the host, since a wholesale rewrite or a truncation of the log on the server itself is only detectable against an externally held head.
Cross-References
- SafeClaw Quickstart Guide — Full installation and first-run walkthrough
- OpenAI Integration Reference — API-level integration patterns for function calling
- Deny-by-Default Architecture — Why SafeClaw blocks everything unless explicitly allowed
- Audit Trail and Hash Chain — Technical details on tamper-proof logging
- Network Action Rules — Domain allowlisting and wildcard patterns
Try SafeClaw
Action-level gating for AI agents. Set it up in your browser in 60 seconds.
$ npx @authensor/safeclaw