Inside Clawdius.

What we built, how it works, and why every decision was made the way it was.

EVERYTHING INCLUDED

One tier. Every feature.
No capability gates on security.

Every bot on the platform is equally protected. Security is not a premium feature.

Security

10

Prompt Guard

Immutable system prompt, injected at container level

Output Scanner

30+ credential patterns scanned on every response

Tool Blocker

OS-level command restrictions via seccomp profiles

Input Audit

Credential detection on inbound messages

Vault Secret Matching

SHA-256 cross-reference against stored secrets

Circuit Breakers

Rate limits, spend limits, token caps -- proxy-enforced

Memory Gatekeeping

Write confirmation, content scanning, injection detection

Kill Switch

Instant bot shutdown from dashboard

Audit Logging

Every security event logged with full context

Incident Response

Automatic containment, self-assessment, recovery

Wallet & DeFi

10

Privy Integration

Embedded wallet with delegated signing

Circle Integration

Programmable wallet with developer-controlled signing

ERC-4337 Smart Accounts

Gasless transactions, batch operations, recovery

Uniswap V4 Swaps

Token swaps across 6 EVM chains

Hyperliquid Trading

Perpetual futures + spot with withdrawal-locked agent wallet

x402 Payments

Autonomous API payments via USDC -- no keys needed

MoonPay On-Ramp

Fiat to crypto directly in the dashboard

ERC-7710 Spending Controls

On-chain delegation with 36 caveat enforcers

Recovery Addresses

Per-chain fund sweep on deletion

Tiered Verification

4-tier auth from chat confirmation to dashboard re-auth

Agent Identity

5

ERC-8004 Identity

On-chain NFT registry with reputation and validation

ERC-8128 Signed HTTP

Per-request cryptographic authentication

A2A Protocol

Google Agent-to-Agent compatibility built in

AgentCard

Public JSON identity discoverable by other agents

Per-Sender Reputation

Trust scores, auto-blocking, coordinated attack defense

Intelligence

6

50+ Pre-Built Skills

Ships smart on day one

Secure Skill Rebuilding

Discovers tools, rebuilds from scratch -- zero third-party code

5-Layer Memory System

Pinned facts, cold archive, temporal awareness, pattern recognition

Scheduled Task Manager

Bot-owned automation with dashboard oversight

Credential Rotation

Detect expired keys, guide rotation, execute autonomously

Per-Bot Email (AgentMail)

Your bot gets its own email address

Infrastructure

6

AWS Fargate Containers

Isolated, auto-scaling, no shared resources

Encrypted EFS Storage

Per-bot encrypted file system

AWS Secrets Manager Vault

Hardware-backed credential storage

Replay Attack Prevention

Webhook deduplication + financial idempotency keys

Cross-Bot Isolation

EFS access points, IAM scoping, network isolation

Graceful Degradation

Every dependency failure has a fallback plan

Most platforms show you a feature grid and ask you to trust them. We would rather show you the architecture and let you decide for yourself. This page is a technical walkthrough of every layer in the Clawdius stack, from the proxy that intercepts every message to the on-chain identity that makes your bot verifiable by anyone, anywhere.

Five security layers sit between your bot and the outside world. Not five bullet points on a marketing page — five infrastructure-enforced boundaries, each operating independently, each with its own failure mode and recovery path. The proxy scans thirty credential patterns on every outbound message. The container runs behind seccomp profiles that restrict OS-level commands. The vault cross-references every value against stored secrets using SHA-256 hashing. None of this touches your bot’s code. None of it can be disabled from inside the container.

Your bot gets a real wallet — not a simulated balance, not an API key to someone else’s account. A cryptographic key pair managed by Privy’s hardware-backed infrastructure, with spending controls enforced on-chain through ERC-7710 delegation. The blockchain itself limits what the bot can spend, on which tokens, on which contracts, for how long. If the bot tries to exceed its limits, the smart contract reverts the transaction. Not our code. Math.

Every HTTP request your bot sends is cryptographically signed with its wallet. Every bot gets an on-chain identity through ERC-8004 — a permanent, discoverable record on Ethereum mainnet backed by the Ethereum Foundation, MetaMask, Google, and Coinbase. Twenty-four thousand agents are already registered. Other agents and services can look up your bot, verify its signatures, and decide whether to trust it. No bearer tokens. No shared secrets. The wallet is the authentication.

What follows is the full technical breakdown. Code samples are real patterns from the Clawdius codebase. Every claim on this page can be verified in the architecture, in the smart contracts, or in the standards we build on.

For the builders

Open standards. Real code. No black boxes.

Every security layer, every ERC integration, every SDK abstraction — built on standards you can audit, extend, and trust. The code samples below are real patterns from the Clawdius codebase.

architecture / proxy-flow
Telegram --> [Proxy Lambda] --> [ECS Fargate Container] --> [Proxy Lambda] --> Telegram
| | |
Input Audit (L4) Prompt Guard (L1) Output Scanner (L2)
Vault Match (L5) Tool Blocker (L3) Vault Match (L5)
| | |
Circuit Breakers seccomp profiles Audit Logging
Rate + Spend limits Command validation Event trail
| | |
[AWS Secrets Manager] [Encrypted EFS] [DynamoDB]

The Security Stack

Five layers of infrastructure-enforced security between your bot and the outside world. The proxy intercepts every message in and out. The container enforces OS-level restrictions. The agent never touches any of it.

Scan layers: rate_limit, input_validation, prompt_guard, output_regex, vault_match. Actions: allow, redact, block. Every scan result is logged to DynamoDB with full context.

proxy/security/output-scanner.ts
// 30+ patterns. Here's a taste.
const CREDENTIAL_PATTERNS = [
  { name: 'aws_access_key',    regex: /AKIA[0-9A-Z]{16}/ },
  { name: 'anthropic_key',     regex: /sk-ant-[a-zA-Z0-9_-]{20,}/ },
  { name: 'github_token',      regex: /(ghp|gho|ghs|github_pat)_[a-zA-Z0-9_]{20,}/ },
  { name: 'stripe_key',        regex: /(sk|pk|rk)_(live|test)_[a-zA-Z0-9]{10,}/ },
  { name: 'jwt',               regex: /eyJ[a-zA-Z0-9_-]{10,}\.eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]+/ },
  { name: 'ssh_private_key',   regex: /-----BEGIN (RSA|OPENSSH|EC|DSA) PRIVATE KEY-----/ },
  { name: 'eth_private_key',   regex: /0x[0-9a-fA-F]{64}/ },
  // ... 23 more patterns
] as const;

// Scan result: { action: 'allow' | 'redact' | 'block' }
// Runs on EVERY outbound message at the proxy layer.
// The agent never sees the original value.

ERC-7710 Delegation

Granular, revocable on-chain permissions. Your bot can spend up to $X/day, only on approved tokens, only on approved contracts. The blockchain enforces it — not our code. 36 audited caveat enforcer contracts from MetaMask's delegation framework.

36 audited caveat enforcer contracts. Consensys Diligence audit. Self-deployment to any EVM chain. Viem-native. TypeScript SDK.

contracts/delegation/create-delegation.ts
// On-chain spending controls — enforced by smart contracts, not software.
// Using MetaMask's Smart Accounts Kit (ERC-7710)

const delegation = await createDelegation({
  delegate: botWalletAddress,
  caveats: [
    AllowedTargets([UNISWAP_V4_ROUTER]),         // Only Uniswap
    SpendingLimit(parseEther('100'), 'USDC'),     // Max 100 USDC/day
    AllowedTokens(['USDC', 'ETH', 'WETH']),      // Approved tokens only
    TimeBound(now, now + 30 * DAY),               // 30-day expiry
  ],
});

// Bot tries to exceed limit:
// --> Smart contract REVERTS. Not our code. The blockchain itself.

// Effective limits computed from Privy policies + on-chain caveats:
// daily_limit_usd, allowed_tokens, allowed_targets, source

ERC-8128 Signed HTTP

Every HTTP request your bot sends is cryptographically signed with its wallet. The signature covers the method, path, query, and body — any tampering invalidates it. No bearer tokens. No shared secrets. The wallet IS the authentication.

RFC 9421 HTTP Message Signatures + EIP-191 Ethereum signed data. Per-request cryptographic binding. Replay-protected with nonces. Out of the box for every bot.

proxy/erc8128/authenticated-request.ts
// Every API call your bot makes can be cryptographically signed.
// Built on RFC 9421 (HTTP Message Signatures) + EIP-191.

const response = await authenticatedRequest({
  url: 'https://api.external-service.com/data',
  method: 'POST',
  body: JSON.stringify({ query: 'ETH price' }),
});

// What the receiving service gets:
// Signature-Input: sig1=("@method" "@path" "content-digest");
//                  keyid="0x742d...0bEb";nonce="abc123";created=1707350400
// Signature: sig1=:BASE64_ECDSA_SIGNATURE:
//
// The service recovers the wallet address from the signature,
// looks up the bot's ERC-8004 AgentCard, and trusts — or rejects.

ERC-8004 Identity

An on-chain registry backed by the Ethereum Foundation, MetaMask, Google, and Coinbase. Your bot gets a permanent, discoverable identity as an ERC-721 NFT. 24,000+ agents already registered. Live on Ethereum mainnet since January 2026.

24,000+ agents registered on ERC-8004. Backed by Ethereum Foundation, MetaMask, Google, Coinbase. Live on mainnet since January 2026.

.well-known/agent-card.json
// Your bot's public AgentCard — discoverable on-chain.
// /.well-known/agent-card.json
{
  "type": "https://eips.ethereum.org/EIPS/eip-8004#registration-v1",
  "name": "Clawdius DeFi Assistant",
  "description": "Autonomous trading bot with Uniswap integration",
  "services": [
    {
      "endpoint": "https://app.clawdius.com/agents/{botId}/mcp",
      "protocol": "mcp",
      "capabilities": ["token-swap", "price-quote", "scheduled-tasks"]
    }
  ],
  "evm_address": "0x742d...0bEb",
  "supportedTrust": ["reputation", "tee-attestation"],
  "chains": ["ethereum", "base", "unichain"]
}

Hyperliquid Agent Wallet

Your bot gets a restricted agent wallet on Hyperliquid — the deepest liquidity in DeFi ($4B+ daily volume). It can place orders, open positions, manage risk. But it can NEVER withdraw funds. Not because we said so. Because the exchange cryptographically enforces it.

EIP-712 signed. Nonce-protected. Replay-proof. Risk controls enforced at proxy level before signing reaches the exchange.

container/hyperliquid/sign-order.ts
// Agent wallet: can trade, can NEVER withdraw.
// Enforced by Hyperliquid's exchange — not our code.

// EIP-712 typed data signing for every trade action:
const signature = await signTypedData({
  domain: {
    name: 'Exchange',
    version: '1',
    chainId: 42161,                    // Arbitrum
    verifyingContract: '0x...',
  },
  types: {
    Order: [
      { name: 'asset', type: 'uint32' },
      { name: 'isBuy', type: 'bool' },
      { name: 'limitPx', type: 'uint64' },
      { name: 'sz', type: 'uint64' },
      { name: 'nonce', type: 'uint64' },  // Replay protection
    ],
  },
  value: orderParams,
});

// Risk controls enforced at proxy level BEFORE signing:
// - Max position size (% of account)
// - Max leverage
// - Max open positions
// - Daily loss limit (% of starting balance)

Every feature on this page ships with every bot.

One tier. No capability gates on security. No premium add-ons for the architecture that keeps your bot safe.

Launch your bot