FailSafe Supports NEAR AI in Securing IronClaw Agents

IronClaw is positioned as the secure, Rust-based alternative to the massively popular OpenClaw autonomous agent framework. Developed by NEAR AI, it features Trusted Execution Environment (TEE) enclaves and WASM sandboxes to eliminate memory leaks and system-level exploits. As part of a collaborative security push, the NEAR AI team engaged the FailSafe SWARM engine to perform a proactive security assessment of IronClaw (v0.19.0) prior to production scaling.

During the assessment, FailSafe uncovered four vulnerabilities: one high severity and three medium severity. The IronClaw engineering team acknowledged the findings immediately, validating our assessment and merging our comprehensive patch (PR #1851) to secure their agent framework.

The Full Scope of Exploitation

• Safety Layer Bypass via Output Truncation (High): The sanitize_tool_output() method was designed to truncate oversized tool output. However, the truncation logic returned the payload immediately, skipping leak detection, policy enforcement, and injection scanning entirely. Attackers could bypass all security filters by intentionally padding malicious payloads to trigger truncation.
• Indirect Prompt Injection via Memory Poisoning (Medium): Unguarded write paths allowed an attacker to plant indirect prompt injections directly into the agent's workspace memory. The agent would subsequently read the poisoned memory and execute the injected payload during normal operations.
• Server-Side Request Forgery (SSRF) (Medium): SSRF vectors in the extension download and Model Context Protocol (MCP) transport layers allowed authenticated requests to hit internal services. Insufficient URL validation combined with permissive HTTP redirect behavior enabled internal network pivoting.
• Zip Bomb Denial of Service (Medium): Document extraction pipelines lacked decompressed size limits. Attackers could upload highly compressed zip bombs, triggering catastrophic resource exhaustion and denial-of-service (DoS) conditions during agent ingestion.

Remediation and Mitigation Strategies

1. Enforce Downstream Security Checks: The NEAR AI team patched the truncation logic to ensure oversized outputs still pass through leak detection, policy enforcement, and injection scanning before reaching the LLM.
2. Bound Memory Writes: Sanitization was applied to all content written to workspace memory, preventing persistent prompt injection and validating read operations.
3. Strict MCP Transport Validation: Permissive HTTP redirects were disabled and strict internal IP range validation was applied for extension downloads to prevent SSRF pivoting.
4. Implement Extraction Quotas: Decompressed file sizes were capped at the stream level to neutralize Zip Bomb vectors.

Securing the Next Generation of AI

Memory safety is critical, but it does not equal agentic safety. Rust prevents buffer overflows, but it does not prevent an LLM from reading poisoned memory or a safety filter from returning early. We commend the NEAR AI team for their proactive stance on agentic security and their swift remediation of these complex, multi-step vulnerabilities.

Continuous Agentic Penetration Testing as a Service (PTaaS) via SWARM remains the most reliable way to validate autonomous workflows. Security must evolve to test the agent, not just the code it runs on.