SecureClaw: Clawing Back Control of LLM Agents

📅 2026-06-08
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses two failures of tool-augmented large language model (LLM) agents: unauthorized external actions and exposure of sensitive plaintext inside the runtime before any final output check can intervene. The authors propose a dual-boundary defense architecture. On the read path, a trusted gateway replaces sensitive values with opaque handles and bounded summaries, so the agent can plan over references but never holds the secrets. On the execution path, a PREVIEW→COMMIT protocol ensures that only a trusted executor commits the exact canonical request authorized by policy, so a compromised planner cannot perform side effects on its own. The two boundaries together cover both confidentiality during data retrieval and authorization during action execution. Across AgentDojo, AgentLeak and Agent Security Bench (ASB), SecureClaw is the only defense evaluated in the paper's common harness that keeps usable task utility while reaching a 0.64% attack success rate on AgentDojo, 3.23% overall leakage on AgentLeak's attacked parity lane, and a 0% attack success rate on ASB.
📝 Abstract
Tool-using large language model (LLM) agents face two distinct security failures: unauthorized external actions and exposure of sensitive plaintext inside the runtime before any final output check can intervene. Existing defenses usually protect one boundary, either the planner/runtime or the action sink, and therefore do not by themselves secure both surfaces. We present SecureClaw, a dual-boundary architecture that places authorization at the effect sink and plaintext confinement at the read boundary. Sensitive reads pass through a trusted gateway that replaces raw values with opaque handles and, in the evaluated deployment, bounded summaries as an explicit declassification interface. Writes that change external state follow a PREVIEW→COMMIT protocol in which only a trusted executor may commit the exact canonical request authorized by policy. The runtime can still plan over summaries and symbolic references, but cannot directly dereference secrets or perform side effects. Across AgentDojo, AgentLeak, and Agent Security Bench (ASB), SecureClaw is the only defense we evaluate in a common harness that simultaneously retains usable task utility and achieves 0% attack success rate (ASR) on ASB, 0.64% ASR on AgentDojo, and 3.23% overall leak on AgentLeak's attacked parity lane, which measures final-output and internal-relay leakage.
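The following is an added illustration of the two boundaries the abstract describes; it is not SecureClaw's code and makes no claim about how the paper's system is implemented. The trusted gateway hands the (untrusted) planner opaque handles plus a bounded summary instead of raw values; PREVIEW canonicalises a proposed action and, if an assumed policy allows it, attaches an HMAC authorization tag; COMMIT, performed only by the trusted executor, accepts the request only when it is byte-identical to what was authorized, and dereferences handles only at that point. The sample record, the handle format, the HMAC tag, the `send_email` policy rule and all class and function names are assumptions made for this example.

```python
"""Toy dual-boundary agent runtime (added example, not SecureClaw's code)."""
import hashlib
import hmac
import json
import re
import secrets

# Constructed sample data the gateway fronts; not real records.
STORE = {"contacts/alice": {"email": "alice@example.org", "iban": "DE89370400440532013000"}}
HANDLE_RE = re.compile(r"hdl_[0-9a-f]{16}")


class TrustedGateway:
    """Read boundary plus PREVIEW. Lives on the trusted side of the runtime."""

    def __init__(self, store):
        self._store = store
        self._handles = {}                        # opaque handle -> (path, field)
        self._auth_key = secrets.token_bytes(32)  # never exposed to the planner

    def read(self, path):
        """Return {field: handle} and a bounded summary; raw values stay here."""
        record = self._store[path]
        handles = {}
        for field in record:
            h = "hdl_" + secrets.token_hex(8)
            self._handles[h] = (path, field)
            handles[field] = h
        # Assumed declassification policy: only type and length leave the gateway.
        summary = {f: f"<{type(v).__name__}, {len(str(v))} chars>" for f, v in record.items()}
        return handles, summary

    def _deref(self, handle):
        """Resolve a handle. Only the trusted executor may call this."""
        path, field = self._handles[handle]
        return self._store[path][field]

    def preview(self, action, args):
        """Canonicalise the request; return (canonical, tag) with tag=None if denied."""
        canonical = json.dumps({"action": action, "args": args},
                               sort_keys=True, separators=(",", ":"))
        if not self._policy_allows(action, args):
            return canonical, None
        tag = hmac.new(self._auth_key, canonical.encode(), hashlib.sha256).hexdigest()
        return canonical, tag

    def _policy_allows(self, action, args):
        # Assumed rule: send_email only to a handle bound to an "email" field, and no
        # other handle may appear anywhere in the request (blocks relaying the IBAN).
        if action != "send_email":
            return False
        to = args.get("to", "")
        bound = self._handles.get(to)
        referenced = set(HANDLE_RE.findall(json.dumps(args)))
        return bound is not None and bound[1] == "email" and referenced == {to}


class TrustedExecutor:
    """Effect boundary: the only component that commits side effects."""

    def __init__(self, gateway):
        self._gw = gateway          # same trust domain as the gateway
        self.sent = []              # stand-in for the real mail API

    def commit(self, canonical, tag):
        expected = hmac.new(self._gw._auth_key, canonical.encode(), hashlib.sha256).hexdigest()
        if tag is None or not hmac.compare_digest(expected, tag):
            raise PermissionError("request is not the authorized canonical form")
        req = json.loads(canonical)
        if req["action"] == "send_email":
            to = self._gw._deref(req["args"]["to"])   # secrets resolved only here
            self.sent.append({"to": to, "body": req["args"]["body"]})
            return "sent"
        raise PermissionError("unknown action")


def run_demo():
    gw = TrustedGateway(STORE)
    ex = TrustedExecutor(gw)
    # The planner only ever sees handles and the bounded summary.
    handles, summary = gw.read("contacts/alice")
    # 1. Legitimate flow: preview, then commit exactly the authorized bytes.
    canonical, tag = gw.preview("send_email", {"to": handles["email"], "body": "hello"})
    ok = ex.commit(canonical, tag)
    # 2. Injected plan tries to relay the IBAN handle in the body: denied at PREVIEW.
    _, leak_tag = gw.preview("send_email", {"to": handles["email"], "body": handles["iban"]})
    # 3. Injected plan edits the request after authorization: rejected at COMMIT.
    tampered = canonical.replace("hello", "hello, wire money to account X")
    try:
        ex.commit(tampered, tag)
        tamper = "committed"
    except PermissionError:
        tamper = "rejected"
    return {"handles": handles, "summary": summary, "ok": ok,
            "leak_tag": leak_tag, "tamper": tamper, "sent": ex.sent}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the gateway and executor would run in a separate process or service from the planner, so the `_deref` method and the authorization key are unreachable rather than merely underscored; the example keeps everything in one module only so it runs stand-alone. The two checks worth copying are the ones the abstract names: policy is evaluated over the canonical request, and the commit path refuses anything that is not byte-identical to what was authorized.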
Problem

Research questions and friction points this paper is trying to address.

LLM agents
security failures
unauthorized actions
sensitive data exposure
tool-using agents
Innovation

Methods, ideas, or system contributions that make the work stand out.

dual-boundary security
plaintext confinement
authorization at effect sink
PREVIEW-COMMIT protocol
opaque handles