An enterprise-grade, zero-trust Data Loss Prevention (DLP) protocol designed to prevent autonomous AI agents from accidentally destroying production infrastructure, wiping databases, or deleting critical files.
The Problem • The Protocol • Installation • Programmatic Interceptors
When you equip autonomous LLM agents with un-sandboxed terminal access, cloud credentials, and database connectors, they gain the power to build incredible things.
They also gain the power to destroy them.
Without explicit boundaries, a hallucinating agent—or an agent trying to "clean up" a messy directory—might run rm -rf, execute a DROP DATABASE, or run terraform destroy without fully grasping the catastrophic context.
Agent-DLP solves this by injecting a strict, zero-trust behavioral directive directly into the agent's core memory space (via SKILL.md).
Whenever the agent is about to execute a tool call containing a destructive pattern, the protocol forces the agent to intercept its own thought loop, halt execution, and request explicit human consent.
flowchart TD
A[Agent Formulates Plan] --> B{Does the plan involve<br>destructive commands?};
B -- Yes --> C[Agent-DLP Triggered];
B -- No --> E[Execute Tool Call];
C --> F[Halt Execution];
F --> G[Explain impact to User];
G --> H[Request Explicit Consent];
H --> I{User Approves?};
I -- Yes --> E;
I -- No --> J[Abort & Suggest Safe Alternative];
The Agent-DLP skill explicitly covers the following destruction vectors:
- Local Filesystem: Recursive forced deletions (
rm -rf,del /s /q). - Databases: SQL
DROP,TRUNCATE, and unboundedDELETEoperations. - Cloud Infrastructure: Infrastructure-as-Code teardowns (
terraform destroy), and cloud-native resource drops (AWS, GCP, Azure). - Git Operations: Forced repository pushes to remote origins (
git push --force).
This protocol is designed as a native Skill for autonomous ecosystems like OpenClaw or Fractal Swarm.
- Copy the
SKILL.mdfile from this repository. - Place it in your agent's central
skills/directory (e.g.,.agents/skills/agent-dlp-guardrail/SKILL.md). - Your agent will automatically discover the policy and apply it globally to all tool-calling capabilities.
Relying entirely on LLM prompt-adherence (even highly rigid ones) is not 100% foolproof against catastrophic data loss in highly sensitive environments.
For true enterprise-grade security, you should complement the SKILL.md directive with hardcoded middleware in your tool execution pipeline.
We have provided a mock interceptor in examples/python_interceptor.py that demonstrates how to catch destructive commands before they hit the system shell, forcing the LLM to route back to the user.
# Example output from python_interceptor.py
[Agent] Attempting to execute: 'DROP TABLE users;'
>> EXECUTION BLOCKED. The LLM attempted a destructive action without explicit bypass.
>> Returning intercept error to LLM context window to prompt for user consent.Have you discovered a new edge-case or destruction vector that an agent might hallucinate? Please open a Pull Request to add it to the SKILL.md pattern matchers!
This project is licensed under the MIT License - see the LICENSE file for details.