
AI Agent Security - Lock Down Claude Code, MCP Servers & OpenClaw

Stop Prompt Injection, Scope Your Credentials, and Ship Agents That Can't Be Owned

    • 8,99 €

Publisher's description

You gave your agent your own credentials, just for testing. Then testing quietly became production.


It still has full access to everything you can touch. It still runs in a loop at 3am. And there is no security boundary, only a model that sometimes says no, and its refusal rate roughly tracks your monthly bill.


Meanwhile, developers on Reddit are locking their agents down to a scoped, expiring keyring a prompt injection can't touch. The difference isn't paranoia. It's a permission set treated like an API key, not a user account: scoped, revocable, and unable to leak what it never holds.


This is the defensive field manual that hardens your agents by architecture, not by a model's mood. By Chapter 2 you'll have a threat model of your own agent, every untrusted input mapped. By Chapter 5 it runs inside a real sandbox (gVisor, Firecracker) with credentials it physically cannot exfiltrate. By Chapter 7 the cheap model handling your inbox literally cannot send an email or spend a dollar. By Chapter 10 you'll attack your own agent and watch each defense hold or fail. By the last page you'll have a one-page hardening checklist you run on every new agent you deploy.


This isn't governance theory, and it isn't a 600-page academic tome. The agent-security shelf splits three ways: policy books that never touch your terminal, offensive pentest manuals priced at $22 to $90, and zero-review templates padded with acronyms (the top complaint on the shelf is "reads like the author used AI"). None of them name Claude Code or OpenClaw. None teach the audit trail that gets your agent past a security team. This is the one that hands you a hardened fleet this weekend.


Here's what you'll build:

1. A one-page threat model of your own agent, reusable on every new one.

2. A least-privilege permission spec that denies by default.

3. Scoped, brokered credentials a prompt injection can't steal.

4. A sandboxed agent runtime (gVisor, Firecracker, Linux namespaces) with an approval gate.

5. An untrusted-input gate that blocks a live injection payload, plus a memory-write guard.

6. Framework-level action tiers so the cheap model literally can't send email or spend money.

7. A pen-test suite and audit trail you can sell as a $1,500 agent-hardening audit.


Every month, a dozen more zero-review "agentic AI security" books are published, padded with acronyms and filler. This one is different: more than 40,000 words of copy-pasteable configs, real 2026 CVEs as case studies, and build steps you run on a real agent. The threat moves every week. Scroll up and lock your agents down.

GENRE: Computers & Internet
RELEASED: 9 June 2026
LANGUAGE: EN (English)
LENGTH: 186 pages
PUBLISHER: Cook Labs
SELLER DETAILS: John Cook
SIZE: 3 MB