Most AI safety research operates at the model level: alignment training, RLHF, input filtering, and output classifiers. These approaches assume the primary risk is what the model says. As AI agents increasingly do things, that assumption breaks down. A model that executes shell commands, modifies files, calls external APIs, or browses the web on your behalf creates a fundamentally different risk profile. The gap between "the model said something problematic" and "the model deleted your credentials directory" is not a matter of degree.
This is the problem AgentWall sets out to address. The paper, by Ashwin Aravind, introduces a runtime interception layer for local AI agents, sitting between the agent's intent and the host environment's execution surface. It is a practically motivated piece of work, aimed squarely at the developer who is running Claude Code or Cursor against their own filesystem with no meaningful guardrails beyond the model's own judgment.
The Core Problem: Action-Time Safety
The threat model here is worth taking seriously. Local AI coding agents have privileged access to the developer's environment almost by design. They need to read and write files, run tests, install packages, and sometimes call external services. This access is what makes them useful. It is also what makes adversarial manipulation, whether through prompt injection in a file the agent reads or simply through an ambiguous instruction, potentially catastrophic rather than merely embarrassing.
Existing mitigations largely fall into two categories: model-level refusals (the model declines to do something dangerous) and sandboxing (running the agent in an isolated container). Model-level refusals are unreliable under adversarial pressure and vary across models and versions. Sandboxing is effective but imposes significant operational friction and often breaks the workflows developers actually want. AgentWall proposes a middle path: a policy-enforcing proxy that intercepts every proposed action, evaluates it against an explicit declarative policy, and either permits, blocks, or escalates to human approval.
Architecture and Design
The implementation has two faces. First, AgentWall operates as an MCP (Model Context Protocol) proxy, sitting between the agent and any MCP tool server. Second, it ships as a native plugin for OpenClaw. This dual approach means it covers the major local agent environments: Claude Desktop, Cursor, Windsurf, Claude Code, and OpenClaw, all through a single install.
The policy model is declarative. Users define what operations are permitted, which require explicit human approval, and which are outright blocked. The paper describes this as an "explicit declarative policy" evaluated at action time, before anything reaches the host environment. Every action is also logged to a complete execution trail, enabling audit and replay. This observability component is arguably as important as the enforcement itself: developers running agents in complex workflows often have no clear record of what the agent actually did, which makes debugging and incident response difficult.
Key architectural properties include:
- Interception at the MCP protocol layer, before tool execution
- Declarative policy evaluation with permit, block, and human-approval outcomes
- Sub-millisecond overhead per action evaluation
- Full execution trail for audit and replay
- Single-command installation across supported environments
Results and Benchmarks
The paper reports 92.9% policy enforcement accuracy across 14 benchmark tests. The sub-millisecond overhead claim is credible for a policy evaluation step that does not involve model inference, since declarative policy matching against a structured action representation is computationally cheap. The benchmark suite of 14 tests is, however, quite small. This is an honest limitation of early-stage tooling research, but it means the accuracy figure should be treated as indicative rather than definitive. Coverage of adversarial cases, edge cases in policy specification, and interactions between overlapping policy rules would all need substantially more test coverage before the 92.9% figure carries strong weight.
The human approval pathway is interesting and underexplored in the paper. Requiring human sign-off for sensitive operations is sensible, but the latency and UX implications depend heavily on how that approval is surfaced. If the agent blocks on a terminal prompt mid-task, the friction may cause developers to approve operations reflexively rather than thoughtfully, which defeats the purpose. This is a known problem in security UX and the paper does not address it in depth.
Limitations and Open Questions
Several questions remain open. Policy specification is non-trivial. Writing a declarative policy that correctly captures the developer's intent without being either too permissive or too restrictive requires careful thought, and the paper does not discuss tooling for policy authoring, testing, or iteration. A policy that blocks legitimate operations will be disabled quickly; one that permits too much provides false assurance.
The threat model also has scope limitations. AgentWall intercepts actions at the MCP layer, which means it is effective against agents that use MCP-compliant tool calls. Agents that bypass this layer, or future agent architectures that interact with the environment through different abstractions, would not be covered. The paper is appropriately scoped to the current MCP ecosystem, but this is worth flagging as the tooling space evolves rapidly.
There is also the question of policy completeness. Declarative policies are only as good as the policy author's ability to anticipate the action space. Novel or compound actions that fall outside the policy's categories may be misclassified. The 7.1% failure rate in the benchmark, while not alarming, likely reflects exactly these boundary cases.
The open-source release is a genuine contribution. Runtime safety tooling for agents is an area where community scrutiny and iteration matter more than any single paper's results. Having a working implementation that developers can inspect, extend, and break is more valuable than a higher accuracy figure on a small benchmark.
For anyone running local AI agents against real infrastructure, AgentWall represents a pragmatic and low-friction step toward action-time safety. The research community has spent considerable energy on model alignment; the execution environment has received far less attention. This paper makes a reasonable case that the gap is worth closing, and provides a concrete starting point for doing so.
Full paper: arXiv:2605.16265