TruClaw Stops What the Klue Breach Exposed: Two Barriers Against Agentic Data Exfiltration
In June 2026, attackers accessed Klue's platform via a compromised legacy credential, stole OAuth tokens, and fired 1,000+ Salesforce API queries in 15 minutes — exfiltrating data from five+ security firms before anyone inside Klue noticed. Detection came from customers, not from Klue's own systems. The root failures were architectural: persistent over-scoped credentials, no rate limiting on agent API calls, and no human approval gate on consequential actions. Two of them are solved by TruClaw.
The Two Barriers
Barrier 1: Rate Limiting on Agent API Calls
TruClaw's configurable per-agent rate limits would have throttled the bulk Salesforce query sweep before the exfiltration completed. 1,000 queries in 15 minutes is not normal agent behavior — it's a signal. TruClaw treats it as one.
Barrier 2: Hardware-Attested Human Approval at Execution
Any agent action touching Salesforce data at that volume and sensitivity tier triggers TruClaw's SEV classification and routes an out-of-band biometric approval request to an authorized engineer's iPhone via Face ID. If no live approval arrives, the action fails closed. The stolen OAuth token is irrelevant: TruClaw gates execution, not the credential.
The Demo: Google ADK + GitHub MCP + Cloud SQL
https://www.youtube.com/watch?v=vX6BQVqZfrY
Our Google ADK software-bug-assistant demo shows this threat pattern in action. A prompt-injected GitHub issue manipulates the agent into creating a malicious Cloud SQL ticket. The agent reads the issue, ingests the corrupted content, and reasons its way to a write action. TruClaw's before_tool_call hook intercepts at the write step — the only consequential action — and requires hardware-attested biometric approval before anything lands in the database. The stack: Google ADK orchestrating the agent, GitHub MCP as the injection vector, Stack Overflow and Stack Exchange for external knowledge lookup, Cloud SQL with RAG as the write target, and TruClaw intercepting the ticket create. No approval, no write.
Why This Matters for Agentic AI at Scale
Agents that ingest external content — competitor intel, GitHub issues, customer tickets, web data — operate in adversarial input environments by definition. Prompt injection success rates exceed 90% in controlled evaluations. The question is not whether an agent will be manipulated. It is whether the resulting action can be stopped before it lands.
TruClaw's before_tool_call hook operates entirely outside the agent runtime via FCM push to iOS and a Secure Enclave-signed JWT. A compromised agent cannot bypass or spoof it. Every interception — approved, denied, timed out — is written to an immutable GCS CMEK audit ledger with the approving identity, device attestation, and full tool call parameters.
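To make the two barriers and the audit record concrete, here is an added Python sketch of a tool-call gate that combines a per-agent sliding-window rate limit, a fail-closed human-approval step for sensitive tools, and an append-only audit list. It is illustrative code written for this page, not TruClaw's implementation and not Google ADK's `before_tool_callback`; the class, tool names, thresholds, the `approve` callback and the simulated clock are all assumptions. Blocked calls return a result dict in place of running the tool, the same short-circuit pattern an ADK before-tool callback uses when it returns a dict.

```python
"""Added example: rate limit + fail-closed approval gate around agent tool calls.
Not TruClaw's code; every name and threshold here is an assumption."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Optional

# Approval callback: returns the approving identity, or None when nobody approved.
Approver = Callable[[str, str, dict], Optional[str]]


@dataclass
class AuditEntry:
    agent_id: str
    tool: str
    args: dict
    outcome: str                 # executed | rate_limited | denied | timed_out
    approver: Optional[str] = None


class ToolCallGate:
    """Wraps tool execution with a per-agent rate limit and an approval gate."""

    def __init__(self, max_calls: int, window_s: float, sensitive_tools: set,
                 approve: Approver, clock: Callable[[], float]):
        self.max_calls = max_calls
        self.window_s = window_s
        self.sensitive_tools = sensitive_tools
        self.approve = approve
        self.clock = clock                       # injectable for deterministic runs
        self._calls = defaultdict(deque)         # agent_id -> timestamps in window
        self.audit: list[AuditEntry] = []        # append-only decision record

    def _over_rate_limit(self, agent_id: str, t: float) -> bool:
        q = self._calls[agent_id]
        while q and t - q[0] >= self.window_s:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_calls:
            return True
        q.append(t)
        return False

    def call(self, agent_id: str, tool: str, args: dict,
             execute: Callable[[dict], object]):
        t = self.clock()
        # Barrier 1: throttle bursts per agent before the tool ever runs.
        if self._over_rate_limit(agent_id, t):
            self.audit.append(AuditEntry(agent_id, tool, args, "rate_limited"))
            return {"error": "rate limit exceeded; call not executed"}
        # Barrier 2: sensitive tools need a live approval; anything else fails closed.
        if tool in self.sensitive_tools:
            try:
                approver = self.approve(agent_id, tool, args)
            except TimeoutError:
                self.audit.append(AuditEntry(agent_id, tool, args, "timed_out"))
                return {"error": "approval timed out; call not executed"}
            except Exception:                    # broken approval channel == no approval
                approver = None
            if approver is None:
                self.audit.append(AuditEntry(agent_id, tool, args, "denied"))
                return {"error": "no human approval; call not executed"}
            self.audit.append(AuditEntry(agent_id, tool, args, "executed", approver))
        else:
            self.audit.append(AuditEntry(agent_id, tool, args, "executed"))
        return execute(args)


def approval_channel_timed_out(agent_id: str, tool: str, args: dict) -> Optional[str]:
    """Constructed stand-in for an approval request that never gets an answer."""
    raise TimeoutError("no response from approver device")


def run_scenario() -> ToolCallGate:
    """Constructed scenario: one agent bursts reads, two agents attempt a write."""
    sim_time = [0.0]

    def clock() -> float:
        sim_time[0] += 1.0                       # one simulated second per call
        return sim_time[0]

    # Constructed approval table: agent-3's request is approved, agent-2's is not.
    approvals = {"agent-3": "oncall-engineer"}
    gate = ToolCallGate(max_calls=5, window_s=60.0,
                        sensitive_tools={"db.write_ticket"},
                        approve=lambda a, tool, args: approvals.get(a),
                        clock=clock)
    for i in range(8):                           # 8 reads in 8 s: 5 run, 3 throttled
        gate.call("agent-1", "crm.query",
                  {"soql": f"SELECT Id FROM Account LIMIT {i + 1}"},
                  execute=lambda args: {"rows": []})
    ticket = {"title": "constructed ticket from an injected issue"}
    gate.call("agent-2", "db.write_ticket", ticket, execute=lambda args: {"ok": True})
    gate.call("agent-3", "db.write_ticket", ticket, execute=lambda args: {"ok": True})
    return gate


if __name__ == "__main__":
    for entry in run_scenario().audit:
        print(entry.agent_id, entry.tool, entry.outcome, entry.approver)
```

Two design points carry the weight here: the rate limiter counts attempts, not successes, so a throttled burst stays throttled until the window slides; and every path that does not produce a named approver, including an exception from the approval channel, returns a blocking result rather than running the tool.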
The Anthropic and OWASP Connection
Anthropic's Zero Trust for AI Agents whitepaper identifies hardware-attested human approval for consequential actions as the Advanced tier control — the strongest available. TruClaw is the only implementation backed by on-device biometric identity and Secure Enclave attestation. OWASP Top 10 for Agentic Applications 2026 (ASI01, ASI03) maps directly to the threat the Klue breach illustrates: agent goal hijack and excessive agency resulting in irreversible action. TruClaw addresses both at the execution layer. Patent pending.
