| Hi HN, I built BetterClaw after watching the PocketOS incident on April 25: a Cursor agent running Claude deleted a company's entire production database in 9 seconds, then zapped the backups. The agent had access to a Railway MCP server with destructive tools, and "be careful" in the system prompt didn't bind anything. BetterClaw takes a different angle: you describe the workflow you want in plain English ("Diagnose the credential mismatch - read the config, test the connection, report findings — do not modify or delete anything"), and the CLI compiles that paragraph into a directed graph of nodes, where each node declares which tools are allowed at that step. A plugin hooks into your agent's tool-call path and blocks anything outside the graph before it dispatches to the MCP server. So in the PocketOS reproducer (included in the repo with a mock Railway server, so you can run it without an account): the agent tries railway_delete_volume mid-conversation, the hook returns a deviation error, the volume is never touched. What I'd love feedback on: - Is "paragraph -> graph" the right authoring model, or should this be YAML / a DSL?
- Where does this fall down for you? (Multi-step approvals? Loops? Sub-agents?)
- What other agent runtimes should we support beyond Claude Code + Cowork + OpenClaw?
Repo: https://github.com/jfan22/BetterClawDemo (90s): https://youtu.be/ZreUtANHET0?si=VpdjA6lf0Wa1mhoi Install: npm install -g @betterclaw-ai/cli Apache 2.0. |