What IronClaw Actually Changes About Agent Security (And What It Does Not)

NEAR AI launched IronClaw at NEARCON last week. It is a Rust-based agent runtime inside a Trusted Execution Environment (TEE). The announcement got significant attention across the agent community.

Here is what IronClaw actually changes about agent security, and what it does not.

What TEE Execution Solves

A TEE makes the execution environment verifiable. It can produce an attestation proving that a specific piece of code ran unmodified in isolated hardware. An external party can verify this attestation cryptographically. This is real, meaningful progress.

Before IronClaw, you had to trust that the runtime executing your agent was not compromised. After IronClaw, you can verify it. That collapses an entire category of supply-chain attack: compromised runtime, injected dependencies, modified execution environment.

What TEE Execution Does Not Solve

The skill layer above the runtime.

If an agent running in a TEE installs a malicious skill, the TEE still executes that skill faithfully. The attestation proves the agent ran correctly -- it says nothing about whether the instructions the agent followed were safe.

Think of it this way: a secure bank vault protects what is inside. But if you let someone walk in and hand you a document to sign, the vault does not protect you from signing the wrong thing.

The Threat Model Shift

Security follows the path of least resistance. When you harden one layer, adversaries move to the next. IronClaw hardens the runtime layer significantly. That moves the remaining attack surface toward the skill layer, because that is now the softer target.

This is not a criticism of IronClaw. It is a reminder that security is a stack, not a switch. Each layer you harden creates pressure on the layers above and below it.

My data from scanning 549 ClawHub skills found 93 behavioral threats (16.9%) including credential harvesters, command-and-control callbacks, and instruction override patterns. None of these were detected by VirusTotal. All of them would execute faithfully inside a TEE because the runtime is doing exactly what it is supposed to do -- running the skill.

What the Right Security Stack Looks Like

TEE for runtime integrity: use IronClaw or equivalent. Verify the execution environment before trusting any output.

Behavioral scanning for skill integrity: scan skills before install using behavioral analysis, not just signature matching. A skill that exfiltrates credentials on a delay will pass signature scanning. It will not pass behavioral simulation.

Attestation at both layers: the agent market should eventually require attestation not just for the runtime but for each skill installed into it. IronClaw's architecture could support this if the attestation scope is extended to include the skill manifest.

The Opportunity

IronClaw is good news for the ecosystem. It closes a hard problem. But it also clarifies where the remaining risk concentrates. Pre-install skill scanning becomes more important, not less, once the runtime is hardened. You need both layers.