
Your agent needs your password
and your credit card.
That should terrify you.

OpenClaw gives your agent a task, your credentials, and a VM it can't escape. Every byte of network traffic is decrypted and checked before it leaves. If the agent tries anything you didn't authorize, it's blocked.

$ openclaw run \
--agent "Book a flight to NYC for Tuesday" \
--capabilities flight-booking.cap
✓ Sandbox created (amla-vm)
✓ Capabilities loaded: 4 grants, 2 constraints
✓ TLS inspection active
● Agent running... (3 actions taken, 0 blocked)

Trust is a vulnerability

So we replaced it with enforcement.

01

Define the envelope

Which domains. Which APIs. What dollar limit. Who it can email. You declare this upfront as capability tokens — cryptographic permissions that can be narrowed but never widened.

Not config files. Signed tokens with attenuation semantics.
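What "narrowed but never widened" means in practice is that a holder can append restrictions to a token but cannot strip or loosen the ones already on it, and the enforcer can tell. The following is an added example, not OpenClaw's code (the page does not show its token format): a macaroon-style token where each caveat is folded into the tag with HMAC, so the previous, wider tag is never in the holder's hands. ROOT_KEY, the cap_demo id and the caveat field names are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Constructed root secret held by the issuer (hypothetical; any 32 random bytes would do).
ROOT_KEY = hashlib.sha256(b"openclaw-demo-root").digest()


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _encode(caveat: dict) -> bytes:
    # Canonical encoding so the same caveat always hashes the same way.
    return json.dumps(caveat, sort_keys=True, separators=(",", ":")).encode()


def mint(root_key: bytes, cap_id: str) -> dict:
    """Issue an unrestricted token. Only the issuer holds root_key."""
    return {"id": cap_id, "caveats": [], "tag": _tag(root_key, cap_id.encode()).hex()}


def attenuate(token: dict, caveat: dict) -> dict:
    """Anyone holding the token can add a caveat: tag' = HMAC(tag, caveat).
    The previous tag is not kept, so there is no way back to the wider token."""
    new_tag = _tag(bytes.fromhex(token["tag"]), _encode(caveat))
    return {"id": token["id"], "caveats": token["caveats"] + [caveat], "tag": new_tag.hex()}


def verify(root_key: bytes, token: dict) -> bool:
    """The enforcer recomputes the whole chain from root_key and compares tags.
    Dropping, reordering or editing any caveat changes the recomputed tag."""
    tag = _tag(root_key, token["id"].encode())
    for caveat in token["caveats"]:
        tag = _tag(tag, _encode(caveat))
    return hmac.compare_digest(tag, bytes.fromhex(token["tag"]))


def effective_policy(token: dict) -> dict:
    """Combine caveats so a later one can only tighten an earlier one:
    numeric limits take the minimum, domain sets intersect."""
    policy: dict = {}
    for caveat in token["caveats"]:
        if "max_amount" in caveat:
            policy["max_amount"] = min(policy.get("max_amount", caveat["max_amount"]), caveat["max_amount"])
        if "domains" in caveat:
            new = set(caveat["domains"])
            policy["domains"] = policy["domains"] & new if "domains" in policy else new
    return policy


def demo() -> dict:
    # Issuer mints, then narrows to the envelope from the grant panel on this page.
    root = mint(ROOT_KEY, "cap_demo")
    tok = attenuate(root, {"domains": ["united.com", "google.com/travel/flights", "kayak.com"]})
    tok = attenuate(tok, {"max_amount": 600})

    # Whoever holds the token (the agent, or an attacker who stole it) tries four things.
    dropped = {**tok, "caveats": tok["caveats"][:-1]}                       # remove the $600 cap
    edited = {**tok, "caveats": [tok["caveats"][0], {"max_amount": 6000}]}  # rewrite it in place
    widened = attenuate(tok, {"max_amount": 6000})                          # append a looser cap
    narrowed = attenuate(tok, {"max_amount": 400, "domains": ["united.com"]})

    return {
        "original_ok": verify(ROOT_KEY, tok),
        "dropped_ok": verify(ROOT_KEY, dropped),
        "edited_ok": verify(ROOT_KEY, edited),
        "widened_ok": verify(ROOT_KEY, widened),
        "widened_limit": effective_policy(widened)["max_amount"],
        "narrowed_ok": verify(ROOT_KEY, narrowed),
        "narrowed_policy": effective_policy(narrowed),
    }
```

The "widened" case is the one to notice: the token still verifies, because appending a caveat is legal, but the combination rule makes the extra caveat harmless (the limit stays $600). Widening has to be impossible at the policy layer as well as the crypto layer.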

02

Sandbox everything

The agent runs in a KVM microVM with one way out: a proxy that terminates TLS and inspects every request. The VM trusts only the proxy's CA, so there is no HTTPS connection the proxy cannot read, and nothing reaches the internet unless the proxy opens that connection itself. The agent thinks it's on the open internet. It's not.

Hardware isolation. Not a container. Not a promise.

03

Get receipts, not logs

Every action produces a signed receipt chained to the capability that authorized it. Not a log line that someone can edit. A cryptographic proof that a specific action was authorized by a specific grant.

Tamper-evident. Machine-verifiable. Human-readable.

01 Capability Grant

You set the rules. The VM enforces them.

Three allowed domains. One credit card with a $600 ceiling. Email to you and only you. The agent doesn't get to negotiate.

OpenClaw — New Session
sandbox: isolated
Task
Book a round-trip flight from SFO to JFK, departing Tuesday Jan 14, returning Friday Jan 17. Budget under $600. Use my United MileagePlus account.
Capabilities
Web Access (3 domains)
allowed: united.com · google.com/travel/flights · kayak.com · everything else (*) denied
Payments (max $600)
max amount: $600.00 · currency: USD · merchant: united.com · card: ****4829
Email (1 recipient)
to: [email protected] · subject must contain: "flight confirmation" · max emails: 2
Login Credentials (1 account)
service: united.com · username: [email protected] · scope: booking, profile (read-only)
TTL: 30 min · Sandbox: amla-vm (KVM) · TLS inspection: enabled · Human-in-the-loop: payments > $400
4 capabilities granted · 6 constraints active
02 Live Monitoring

The agent thinks it's alone on the internet

It's not. We terminate its TLS, read every request, and check it against the capabilities you granted. The agent never knows.

GET google.com/travel/flights/search?from=SFO&to=JFK
✓ allowed
cap: web_access · TLS inspected · 200 OK · 2.3KB
POST united.com/api/auth/login
✓ allowed
cap: login_cred · credential injected by sandbox · 200 OK
GET united.com/api/flights?from=SFO&to=JFK&date=2025-01-14
✓ allowed
cap: web_access · TLS inspected · 200 OK · 8.1KB
GET hooks.slack.com/services/T024/B037/xHjk7...
✕ blocked
no capability · hooks.slack.com not in allowlist · dropped
POST united.com/api/booking/purchase
● approval
cap: payment (max $600) · $487.00 · human-in-the-loop triggered
Human approval required
Purchase: UA 2847 SFO→JFK Jan 14 + UA 1192 JFK→SFO Jan 17
Total: $487.00 (within $600 budget)
4 allowed · 1 blocked · 1 pending
bandwidth: 12.4KB ↑ 18.7KB ↓
03 Audit Trail

Not logs. Receipts.

Logs can be edited. Receipts are signed. Every action is chained to the capability that authorized it — a proof, not a promise.

OpenClaw — Session Report
completed
Duration
8m 42s
Actions
12 total
Blocked
1
Cost
$487
Task completed successfully
Booked round-trip SFO → JFK on United Airlines. Outbound: UA 2847, Jan 14 at 7:05am. Return: UA 1192, Jan 17 at 6:10pm. Confirmation: HKJX7M. Total charged: $487.00 to card ending 4829.
Action Timeline
12:04:11 web_access
Searched Google Flights for SFO → JFK options
12:05:44 login_cred
Logged into United MileagePlus
12:06:02 web_access
Compared 6 United flights, selected UA 2847 + UA 1192
12:07:18 blocked
Attempted hooks.slack.com — blocked (no capability)
12:09:31 payment human-approved
Purchased tickets — $487.00 charged to ****4829
12:11:05 email
Sent confirmation to [email protected] — subject: "flight confirmation: SFO→JFK Jan 14-17"
Signed Receipt #5 — Payment ✓ signature valid
{
"action": "payment.charge",
"amount": 487.00,
"merchant": "united.com",
"cap_chain": "pca_4f8a...→cap_7d2e...→receipt_a1b3...",
"human_approved": true,
"sig": "ed25519:9f3c7a...d482e1"
}
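What makes a receipt more than a log line is that it is signed over its content, names the grant that authorized it, and commits to the receipt before it, so an edit, a deletion or an unapproved action is detectable by anyone holding the verification key. The following is an added example of such a chain and its verifier, not OpenClaw's receipt format: the page's receipts carry Ed25519 signatures, and HMAC-SHA256 stands in here so the example runs on the standard library alone; SESSION_KEY, the GRANTS table and the cap ids are assumptions.

```python
import copy
import hashlib
import hmac
import json
from typing import Optional

# Constructed session signing key (stand-in for the page's Ed25519 key).
SESSION_KEY = hashlib.sha256(b"openclaw-demo-session-key").digest()

# Hypothetical grant table the verifier consults; limits follow the demo session above.
GRANTS = {
    "cap_web": {"type": "web_access"},
    "cap_pay": {"type": "payment", "max_amount": 600.00, "approve_above": 400.00},
}


def _canon(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sign(key: bytes, body: dict) -> str:
    return "hmac-sha256:" + hmac.new(key, _canon(body), hashlib.sha256).hexdigest()


def receipt_id(receipt: dict) -> str:
    """Hash of the whole receipt (body and signature); the next receipt commits to it."""
    return "receipt_" + hashlib.sha256(_canon(receipt)).hexdigest()[:16]


def issue_receipt(key: bytes, prev: Optional[dict], cap_id: str, action: str, **fields) -> dict:
    """Sandbox side: bind the action to its grant and to the previous receipt, then sign."""
    body = {
        "seq": 0 if prev is None else prev["body"]["seq"] + 1,
        "action": action,
        "cap": cap_id,
        "prev": None if prev is None else receipt_id(prev),
        **fields,
    }
    return {"body": body, "sig": _sign(key, body)}


def verify_chain(key: bytes, receipts: list, grants: dict) -> tuple:
    """Auditor side: check signature, chain link and that the cited grant
    actually covers the action. Returns (ok, reason)."""
    prev = None
    for i, r in enumerate(receipts):
        body = r["body"]
        if not hmac.compare_digest(_sign(key, body), r["sig"]):
            return False, f"#{i}: bad signature"
        if body["seq"] != i or body["prev"] != (None if prev is None else receipt_id(prev)):
            return False, f"#{i}: chain link broken"
        cap = grants.get(body["cap"])
        if cap is None or not body["action"].startswith(cap["type"] + "."):
            return False, f"#{i}: action not covered by cited capability"
        if cap["type"] == "payment":
            if body["amount"] > cap["max_amount"]:
                return False, f"#{i}: amount exceeds grant"
            if body["amount"] > cap["approve_above"] and not body.get("human_approved"):
                return False, f"#{i}: human approval missing"
        prev = r
    return True, "ok"


def demo() -> dict:
    # Three receipts modelled on the timeline above (constructed values).
    r0 = issue_receipt(SESSION_KEY, None, "cap_web", "web_access.get", url="google.com/travel/flights/search")
    r1 = issue_receipt(SESSION_KEY, r0, "cap_web", "web_access.get", url="united.com/api/flights")
    r2 = issue_receipt(SESSION_KEY, r1, "cap_pay", "payment.charge",
                       amount=487.00, merchant="united.com", human_approved=True)
    chain = [r0, r1, r2]

    edited = copy.deepcopy(chain)
    edited[2]["body"]["amount"] = 48.70                      # "correct" the amount after the fact
    truncated = [r0, r2]                                      # delete the middle receipt
    unapproved = [r0, r1, issue_receipt(SESSION_KEY, r1, "cap_pay", "payment.charge",
                                        amount=487.00, merchant="united.com", human_approved=False)]
    return {
        "valid": verify_chain(SESSION_KEY, chain, GRANTS),
        "edited": verify_chain(SESSION_KEY, edited, GRANTS),
        "truncated": verify_chain(SESSION_KEY, truncated, GRANTS),
        "unapproved": verify_chain(SESSION_KEY, unapproved, GRANTS),
    }
```

The "unapproved" case is the one the grant semantics add on top of the crypto: the receipt is correctly signed and correctly chained, yet it still fails, because a $487 charge under a grant that requires approval above $400 is not something that grant authorizes.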

Stop hoping your agent behaves.

Start knowing.

If your agents touch real money, real credentials, or real people's data — you need more than a system prompt and a prayer.

VMs, not containers
Hardware isolation via KVM
TLS terminated
HTTPS can't hide what the agent does
Capabilities, not ACLs
Tokens that can only get narrower
Receipts, not logs
Signed proofs, not editable text files