API live  ·  Apache 2.0  ·  204 tests passing

Your AI agent operates between
your intentions and the world. That gap is invisible. And unprotected.

Crawdad sits in that gap. Every decision your agent makes — visible. Every threat — blocked. One proxy. One env var. Nothing leaves your machine. Works with OpenClaw, Claude Code, OpenAI, LangChain, CrewAI, AutoGen, Gemini, and Grok.

View on GitHub
204+Tests passing
70+API endpoints
<10msp99 latency
0Unsafe code blocks
Data leaves your machine
live session — crawdad run
$ crawdad run
▶ Session started — claude-opus-4-6 — localhost:7750
[USER] Build a REST API for user authentication
[AGENT] I'll start by creating the project structure...
[TOOL] filesystem__write_file → auth/server.js ✓ safe
[TOOL] filesystem__write_file → auth/middleware.js ✓ safe
[TOOL] brave-search__search → "JWT best practices" ✓ safe
github__push_files — paused for your approval
Security Score: 94/100 ✓  ·  Cost: $0.04  ·  847 lines written
41,902
MCP servers exist
99.5%
fail security grading
341
malicious ClawHub skills in 2026
0
get past Crawdad
The Problem

You're running agents blind.

Every developer using AI agents today faces the same four problems. You've probably felt all of them.

You ran Claude Code for 20 minutes. What did it actually do?

Your agent made dozens of decisions. Which files did it read? Which tools did it call? Which servers did it connect to? Right now you have no way to know — unless something already went wrong.

Your agent connected to MCP servers you've never audited.

41,902 MCP servers exist. 99.5% fail basic security grading. 341 malicious ClawHub skills were discovered in 2026. Your agent may have connected to one today — silently, without your knowledge.

Your Anthropic bill arrived. You have no idea what caused it.

$180 last month. Which sessions? Which agents? Which tool calls? Without visibility into your agent's decisions, cost optimization is guesswork. You can't fix what you can't see.

Something went wrong. You can't explain what your agent decided or why.

No audit trail. No decision log. No way to replay what happened. When an agent does something unexpected, you're left guessing. Your users, your team, and your security reviewer all want answers you don't have.

The Solution

One proxy. Both problems solved.

Crawdad sits between your agent and the outside world. Set one environment variable. Your agent runs exactly as before — except now every decision is recorded, every threat is blocked, and you have complete visibility and control.

Visibility
Every session recorded as a human-readable narrative timeline
See every prompt, response, and tool call — understand why your agent made each decision
Cost breakdown per session, per tool call, per model — know exactly where your money goes
Replay any session from any point — full forensic audit trail, locally stored
Security score 0–100 for every session — know at a glance if something needs attention
Surprise detector — flags when your agent does something you didn't ask for
Protection
Every MCP server validated against our community security database before execution
Prompt injection detected and blocked — 27 pattern categories, structural deobfuscation
Malicious skills flagged before they run — cryptographic hash verification
Human-in-the-loop gates — pause before sensitive actions, approve or deny in real time
Budget enforcement — set a daily limit, Crawdad stops before you overspend
Cryptographic audit trail — Ed25519 signed, Merkle-chained, tamper-evident

Three commands. That's it.

Works with OpenClaw, Claude Code, OpenAI, LangChain, CrewAI, AutoGen, Gemini, Grok — any framework. No code changes.

1
curl -fsSL https://getcrawdad.dev/install.sh | sh
Install the Crawdad sidecar
2
export ANTHROPIC_BASE_URL=
http://localhost:7748
Point your agent at Crawdad
3
open http://localhost:7750
See your agent's decision timeline
Security Layer

Seven layers of protection — in plain English.

Every session runs through a complete security stack. Here's what each layer does and what it protects you from.

🔑

Agent Identity

Cryptographic identity for every agent. Detects impersonation attempts by compromised MCP servers mid-session.

🛡

Semantic Firewall

Detects prompt injection in both directions — 27 pattern categories with structural deobfuscation.

Policy Engine

Define what's permitted, what requires approval, and what's blocked. Shell execution, file writes, external APIs.

🧠

Memory Integrity

Signs and chains every memory entry. Detects planted false context and quarantines tampered entries.

🔧

Skill Attestation

Verifies cryptographic hash of every MCP server and OpenClaw skill before execution. Modified skills are blocked.

📡

Comms Governance

Detects data exfiltration, blocks PII leakage, validates trust boundaries between agents.

🔒

Privacy & Compliance

Detects and redacts 15 PII categories. Signed compliance reports for SOC 2, GDPR, HIPAA.

Zero-knowledge by architecture — raw content never reaches our servers.

OpenClaw + Claude Code + OpenAI

Built for the agents you're already running.

One env var. No changes to your existing setup. Works with every major agent framework.

🦞

OpenClaw

OpenClaw gives your agent superpowers. Crawdad tells you what it did with them — and stops the 36% of ClawHub skills that contain prompt injection.

export ANTHROPIC_BASE_URL=
http://localhost:7748
Coming to ClawHub April 2026

Claude Code

Claude Code sessions can run for hours. Crawdad records every decision — every file touched, every tool called, every MCP server connected.

export ANTHROPIC_BASE_URL=
http://localhost:7748
🤖

OpenAI + Others

GPT-4o, Gemini, Grok? Crawdad supports all major providers. LangChain, CrewAI, AutoGen — if it makes API calls, Crawdad monitors it.

export OPENAI_BASE_URL=
http://localhost:7747

How Crawdad compares

CapabilityCrawdadDefenseClawLangSmithHiddenLayer
Local-first, zero-knowledge
No code changes required
Works with any framework
MCP server validation
Session timeline dashboard
Security score per session
Free tier
OpenClaw integration

Cisco's DefenseClaw is excellent for enterprises. Crawdad is for developers who want visibility and protection today, free, with nothing leaving their machine.

Roadmap

What we're building next

The current version shows you what your agent did and blocks threats. Next: understand its reasoning, correct it mid-run, and test alternative decisions.

🧠

Reasoning Viewer

See not just what your agent did, but why. The full reasoning chain in plain English.

IN DEVELOPMENT
🔀

Decision Sandbox

Fork any decision point, run alternative paths, compare outcomes. Like git branches for agent decisions.

COMING SOON
💬

Mid-Session Correction

Interrupt your agent mid-run, clarify intent, redirect reasoning. Real-time human control.

COMING SOON
🔍

Cross-Session Query

Ask questions across all sessions. Natural language queries over your complete agent history.

COMING SOON

Get early access as each feature ships. Get your free API key →

Pricing

Start free. Scale when you're ready.

Every plan includes the full sidecar — all 7 security pillars, session timeline, MCP validation, security scores. No feature gating on the core product.

Open Source
Free forever
Full sidecar. No account required. Apache 2.0.
  • Full sidecar proxy
  • MCP server validation
  • Session timeline dashboard
  • Security score per session
  • Surprise detector
  • Cost tracking
  • Share cards
  • Local SQLite storage
  • Apache 2.0 license
Developer
$49/mo
For developers building seriously with agents.
  • Everything in Open Source
  • Live threat intelligence feed
  • Threat signatures updated daily
  • Compliance PDF reports
  • Priority MCP database updates
  • Email support
Get Started →
Team
$199/mo
For teams shipping agents to production.
  • Everything in Developer
  • Centralized team policies
  • Shared session history
  • Spending alerts across team
  • SSO / SCIM
  • Dedicated Slack support
Get Started →
Business
$799/mo
For organizations with compliance requirements.
  • Everything in Team
  • Air-gap deployment package
  • Custom guardrails policies
  • SLA guarantee
  • Dedicated security consultant
  • Custom MCP database entries
Get Started →

Enterprise — Dedicated infrastructure, VPC, on-premise, FedRAMP pathway. From $3,000/month.
Government & Defense — Air-gapped, data sovereignty, formal compliance support. From $50,000/year.
Contact andrew@getcrawdad.dev →

See your first agent session in 60 seconds.

Get your free API key. Install the sidecar. Run your agent. Open localhost:7750. You'll see things you've never seen before.

Free forever. No credit card. Apache 2.0. Nothing leaves your machine.