Episode 02 · Apr 2026 · 30:27
How this YC Startup Secures AI Agents
A semantic firewall for AI agents — blocking the request that nearly leaked his dad’s tax data.
Transcript
If another founder asked about using Composio, what would you tell them? Do it. Then if you can just do it through an external provider that's specializing in that, then we don't need to worry about like a lot of like random things breaking. So that's why Composio helps, saves a lot of time.
We were pivoting, we were trying to come up with ideas, and then obviously as you've heard about Open Claw, like it just came out and we're like, this seems interesting, this feels like it's the future, and we came up with Claw. Why is security such a big deal for AI agents? What breaks without it? Without security is trust.
People cannot trust their AI agents, so that's what Hi Vaibhav, thank you so much for coming on. I'm really glad you're able to visit. Yeah, thanks for having me. Yeah, I'm really excited to interview you about Clam and how you have integrated Composio in it.
So let's start off, let's set the scene. Can you please introduce yourself and yeah, Yeah, hey, I'm Vaibhav, and we're working on Clam. We're in the new YC Winter 26 batch, and Clam basically helps you deploy Open Claw agents and like other agents like that, like so broad access agents in the cloud securely. So the main problem we're trying to solve for is twofold.
One is security, the other one is ease of access. So for most non-technical people, like it's very hard for them to interact with broad access AI agents like Clam, uh sorry, like Open Claw. So what we do is we make the whole process seamless. We make it one-click deploy, they can have like multiple integrations actually through Composio.
Um and the other part is like they want to make sure that their data is not leaving the container or like if it leaves, it only leaves when it's necessary. So we're trying to make a whole secure framework around that. Nice. And we before we dive to um a little bit deeper into that, can you tell me about a little bit about your backstory?
Is this something you've been working on for a while? Did you pivot? Yeah, so actually we weren't working on this for a while. We just like pivoted into this two to and a half weeks ago.
Um we actually did our YC launch last Sunday, so it's not been that long. Um but before that, we were actually doing software for hardware. So, we were trying to help people select components for their printed circuit boards. So, if you're like a small startup or if you're a bigger enterprise and you're trying to design a printed circuit board, which are like every chips that like go into your phone or any electronic device, we basically help you find the right components super fast.
So, what changed there was we went to like a lot of different conferences, talked to people, and then realized that um the people who really want the solution are like really big enterprises because there were like three different verticals you could technically go after. One is like the small startups, one is um your bigger startup that have like an in-house team, and then the other one is enterprise. With the smaller startup, they were just sending it off to um like people in Shenzhen, and then they didn't really want to bother with it at all. For the medium-scale companies, they were using contractors in the US who kind of had this like sort of figured out maybe, or they were like more hesitant about trying AI right now.
And then the other one because of security. So, and then the other one was the bigger enterprises. But then with those, the sales cycle were super long, and like we weren't really interested in doing that because that kind of like just was different from what we originally set out to do, which was trying to help like everyday people just make really cool hardware products easily. So, we were pivoting, we were trying to come up with ideas, and then obviously as you've heard about open claw, like it just came out and we're like, "This seems interesting.
This feels like it's the future. " So, we spent a few days like just thinking about what we want to build, and we came up with claw. Oh. So, you wanted to like kind of ride the wave, like you wanted to um and what made you interested in like the hardware initially?
Yeah. So, I I also say we were trying to necessarily write the wave, although like I think it does help us a little bit. But, I think for us it's more around like the whole thing about like, okay, before this AI agents just weren't like so accessible to like everyday people. Now it just kind of became so that like they can now access it through their WhatsApp or anything.
So, we're more focusing on that, but Okay. for the hardware side of things, I think my co-founder, Anshul, he used to do a lot of tinkering in college. We were roommates. I would walk into his room, he would have like a lot of resistors and stuff lying on the floor.
I would actually get poked on the sole of my feet. Like it was just so common. And then he always found this issue that when he was trying to design a circuit, Mhm. it just took a lot of effort on his part to try to like find the right components, check the stock, make sure they're compatible.
And so we thought like, okay, like with all these AI agents becoming more and more like powerful, knowledgeable, like how can we make this process easier for other people? So, it was a problem that like he lived every day to some extent, and then I lived that problem through just stepping on his resistors. Okay. But, it was just like more of a personal thing that we thought other people felt as well, and we like talked to a lot of folks and realized that it is a problem.
So, we just wanted to like go in there and solve it. I just don't think like there was the founder market fit there. Got it. Okay, nice.
You experiment and you figure it, okay. And then so why is the security such Why is security such a big deal for AI agents? What breaks without it? Yeah.
So, I think it's becoming more and more obvious that like security is just super important for AI agents because when you're talking to ChatGPT or you're using Claude, all of these different AI agents, when you're talking to them about your personal information, it's technically not really leaving the container because or the container of ChatGPT or OpenAI because you're just talking to them, and then they give you a response. They don't really go on behalf of you and actually act on any of that information. But with AI agents, what changes is that they're actually given the permissions to act on your behalf. So, let's say you give it access to your LinkedIn or your Twitter, maybe your customer information.
Now, the same AI agent actually has access to all of these five different things. So, now if it finds like random patterns and then you've also told it to like send emails out to customers, maybe it sends out some emails that you didn't really want to send out. So, let's say you're talking to customer A and you're talking to customer B. Somehow like the AI agent hallucinates, like it thinks that customer A, whatever they said is a pain point for customer B or maybe like leaks some private information, but it's like just so hard to control that.
It is becoming more and more of like a serious problem, which is like hindering adoption at like big enterprise or even for consumers because when they want an AI agent to go and like act on their behalf, they want it to do like something deterministic and they think like it'll just do it. But because the AI agents are just all random, they can actually go ahead and do things that would break a lot of things. So, I think what breaks without it without security is trust. Like that's the biggest thing I think people cannot trust their AI agents.
So, that's what we're trying to solve. Powerful. Walk me through a specific example. What happens when the AI agent Oh, you already gave an example.
That's good. Okay. Yeah, amazing. What was wrong with existing approaches to AI agent security?
I think at least for like open claw and like these broad access AI agents, people just thought like having them in like a VM running in the cloud or like just having them in their own containers is good enough because then like no one else can access the AI agent, but the thing is like at that point you want to give information to the AI agents. Let's say you want to give it access to emails or you don't want to give it access to the emails. It's always binary. So, I think what we're trying to change about that is like it can be very semantic.
So, instead of giving all access to email, you can like kind of filter through like the relevant emails that are required for that task. " But now we're trying to like kind of make it more task-based where like if you have to do let's say if you have to go and read my customer emails and like figure out different patterns there, then you don't necessarily need to go and do like this email that I got from my dad like that includes like some pictures from my childhood or maybe includes like his tax information that I need to like do something with. So, we're trying to like kind of make that distinction that actually you can give AI access to more things while being sure that it's not accessing things that it's not supposed to. So, it's like some somewhat of a balance.
Okay, you kind of talked about the semantic firewall. Yeah, so I mean just to like uh Break it down for the non-technical people. Yeah. Yeah, so I think the way we're doing semantic firewall is at like three different layers.
So, we're trying to understand is there like a prompt injection? Is there more like PII information that you don't really want to share with the world that is coming either in or out? So, the semantic firewall sits essentially outside your AI agent. Okay.
So, anything that the AI agent wants to talk to the outside world about goes through the semantic firewall. And the semantic firewall on everything that goes out and comes in screens that to make sure that like any that your AI agent directly sees or acts upon is actually relevant to the task and actually doesn't have any of like the prompt injections or PIIs that could break things. So, even if a prompt injection gets through, let's say, then for the AI agent to actually act on that it needs to then go out again to talk to like your AI provider so that then it can take an action. So, we're because we're looking at every single request and response, we're able to like do this at like multi-layered system.
So, we're able to like prevent anything from happening there. That makes a lot of sense. Thank you. Why is that important?
So, because this is at the network level, like why is that important versus like other Is there other approaches? Why is that important? Yeah, I think the other approaches that most I think like people would do on their own would be just trying to make the prompt stronger and stronger, try to make the system prompt as good as possible. So, that in the system prompt they just say that, "Hey, if someone tries to say this, like don't do it.
" Or whatever, like all those kind of things. What we do by being at the network level is that we're removing the dependency from the bot to like an external system that can actually validate that instead of like the bot trying to just think on its own, make decisions. Now you're like you have this other layer that's just screening every single thing that the bot is able to access. Mhm.
Okay. Walk me through what you're scanning for. Yeah, what what like PII leaks, like prompt injections, like malicious code. Yeah, so I think we're like scanning for all of those.
So, the biggest thing is we have different layers for each of those. So, we have um a model that's specifically trained for prompt injections. So, then that's like always checking for prompt injections. And then we have the simple matches for the PIIs.
And we also have malicious code. The malicious code is more of like we have specialized models that are specifically looking for that. So, we have different layers that are all like specializing in one of these aspects, trying to understand like, "Oh, was there a PII leak? Was there this?
" Like and if it goes through all of those layers, only then like the bot is able to access that information. And then what we're trying to like optimize on is like bringing down that latency so that for an end user they don't really feel like there's like all of this happening in the back end. They just feel like they're sending a message to their bot and it's replying with the relevant information as quickly as possible. Okay.
The API key injection piece, why does the AI never see credentials? The matter, yeah. Yes. Yeah, so I think this is one of those interesting things as I said like with the broad access AI agents, the biggest problem is that it has access to my LinkedIn, it has access to my email, but it also has access to let's say my Posthog or my Compozio key or all of those things.
So, if it has access to external things where it can publish information, then it having direct access to my key can lead to a case where let's say for some reason some prompt injection or anything gets through. So, like if we're thinking about security at like security is only as good as your like weakest link or like that weakest security point. So, what we're trying to do with that is like just keep So, since we already are like intercepting everything at the network layer, why can't we just add your specific key at the network layer as well. So, if the bot is trying to talk to the outside world, we already know that it's in like the specific VM, it has the specific IP, then we can validate that the request that is going outside is a valid request.
We've already screened it for all of those things using the semantic firewall, and now we can like at the network layer, we can just swap out the keys to Actually, before it has like a fake clam key is what we call it, which like identifies it as like being an authentic clam bot. And then at the network layer, we just swap it out for like let's say you're talking to Anthropic, so it swaps out for your Anthropic key. Or if you're talking to OpenAI, it swaps out for that. Or Compozio, it swaps out for your Compozio key.
So, then we can have like that granular control using one one key there. So, the bot only sees the clam key, which is really irrelevant outside of the use of clam. So, if even if you publish it on the outside world, like you can't really access anything because you need to hit it from the specific internal IP to get in access to your personal information. Give me a real example of something clam caught that would have been a security incident.
Yeah, so I've recently given it access to my Gmail, and then I was like, "Okay, just go through everything and like make sure that um all of the meetings that I have coming up since like the YC launch, we've just been like scheduling meetings. So, like all the meetings that are coming up, like just look at every single person, go on LinkedIn, and like just make sure that like those people are someone who would actually buy the product. So, just like kind of doing that initial screening. So, I was trying to do that, but then again, as I said, like my dad was sending me some tax information because I was applying for my visa, and then I had to like actually show some information from my parents.
So, then I was I asked him for all his bank account statements, all the tax information, but that got like intercepted at the semantic firewall layer. So, it never reached the bot. It was actually stopped there and like got blocked. " Wow, that's incredible.
Okay. Now, let's talk about Composio. So, how does Composio fit into Clam's architecture? I think it's actually fairly simple for us.
So, what we do is we tell the bot that, "Hey, you have access to all of these different toolkits through Composio. This is the endpoint you need to hit. " So, then the bot only again uses the Clam key and then hits the network firewall or the network proxy, and then it's like swapped for the Composio internal key, and then like every agent has their own identity. So, I think with Composio, you guys call it the user ID.
So, we just like give every single bot its own user ID. It's able to swap it out for that, and then and then it's able to get the user information. So, now how the user sets it up on the front end is actually very simple because all they need to do is like now they want to connect their Gmail, they just need to go and click on connect, and it just takes them to the whole OAuth flow through Composio. So, now on our end, we don't need to worry about anything.
" That's great. We'll tell the bot that okay, now you have access to Gmail for this customer. Now you have access to Post op for this customer. Now you have access to XYZ like all these things for this customer and the bot is just able to go to Composio, hit the correct endpoints, get the relevant information, help the customer out.
Okay, you kind of mentioned this. What integrations are you using through Composio? So we actually ended up enabling all of those. So we were like okay, like you guys I think have like 900 plus or 800 plus whatever Oh, now we have a thousand plus.
Now we have a thousand so I guess we have a thousand then. So all So I think there is like an API that you can hit on Composio that just says like get everything or something. Like I I'm forgetting like maybe I'm bike coding a little too hard. But um for the Composio integration I think there is this tools available tools endpoint that we hit and then it just like gets back all of the single tool kits that are available and we just display that on our front end and the user can just click on it and then integrate with that.
So anything that you guys add we have access to directly which is great. That's so cool. Why did you choose Composio instead of building integrations yourself? So I think at some point we were building some integrations ourselves so like linear, GitHub, like a lot of those like we were adding that but at that point we didn't really know about Composio.
So as soon as we knew about Composio we were like huh, this is something we want to do. It's definitely on our road map. We'll like figure it out. We'll use it at some point.
What was the aha moment for us was we were trying to actually do Gmail integration and Google calendar integration and those kind of integrations actually take a very long time because you need to get approved by Google. You need to do a lot of different like approval processes. And the thing is because we don't need direct access to any of that information we can get it through a third party provider. It works really well for us that like now we can use Composio to like do the whole OAuth and just give us the relevant information.
So then that really works well for us and like we were out to launch and then we were looking at how can we make Gmail work and then we already knew about Composio so then we're like okay let's just integrate this. It took a few hours for us to do but like as soon as we were done now we have access to all these thousand integrations. I guess which is great. Yeah.
How did you hear about Composio? Um I think my brother knows one of the PMs so then like through that like we were just like grabbing coffee and I was like okay like this company sounds cool like let me try it out. Yeah. How does the security layer Clam work with that integration layer Composio?
Security layer. So actually what we ended up doing was we created another layer of security for Composio just because like all of the integrations of there are going through Composio we wanted to make sure that the user can actually add more security there. So what we do is we let user define like their own rules for what information can get through Composio. So we'll just like send out an information or like a request to Composio for give us all the emails in the last let's say a day or 10 hours or whatever.
And Composio will give us those emails back but then the user might have defined like the scope of those emails. So then before the bot actually sees it so this is like a third layer that we added so there's the network proxy semantic firewall and then we added this like integration firewall of sorts which is like kind of built into um the semantic firewall but it's like more defined by the user. So the user can say like okay I don't want any information of this sort or I only want information that's like relevant to this. So then we're like kind of screening that at that integration layer and making sure that like whatever information we're getting through Composio is also like screened for all of that.
So it like kind of just all fits in together. Okay walk me through the flow. So an agent wants to send an email via Composio what happens with Clam in the middle? Yeah so typically like the way you would do it is like you can either do it through our web UI or directly through your WhatsApp after you've have it.
So, if you say "Oh, hey, like go send Julia Yeah. " Yeah. And well, what it'll do is like it'll realize that, okay, like I want to send an email. md that I have a toolkit available through Composedio that exposes the Gmail API.
" It's going to go hit that um which will go through first the semantic firewall, then the network firewall, and go to Composedio, come back through the network firewall, uh semantic firewall, and then like the integrations firewall to see like what the the information that came in is actually like relevant for the bot. " And then it'll just like go through the whole flow again, like it'll maybe get like, let's say 100 emails, but then the bot only sees a subset of those because some would be caught by the semantic firewall, some would be caught by the integrations firewall that the user defined rules would catch. And then the bot will see the relevant information and then relay it back to your WhatsApp or whatever uh platform you're using. That's really cool.
And this is why it's called Clam. Like where did you get the name? Because it's like a clam. So, I mean, the the genius behind Clam is my co-founder.
I think he's just always like doing all like the website was designed by him, like the whole UI. Like I think like he's just someone more of like trying to think about like the product side, the team, and everything. So, we were thinking about open claw, and we're like, "Oh, it's like a little crab running around. " And then we're like, "We're doing security, so what if like we're like trying to capture information and like protect it of sorts and like so then Clam just made sense as a name.
And yeah, now we're doing Clam. So good. If you were to build all of those integrations yourself, like how would have that look like? How many like how much time, how many resources would have taken a lot?
Yeah, I mean I don't even know. Like at least for like some of the O laws integrations that we would have to do, I think that would take like at least a couple months because you need to like find the right security companies to do like complete tests on your platform even though like we had all these things in place like we just need to go get audited and like get get access through those platforms and then um let's say like someone wants post talk then we can add that. If someone wants like um excel we can add that. If someone wants this or that like we can add those but then it's like on a very ad hoc basis.
Right now like the easier part for us is like we're like oh you don't need to ask us like just go on there because like I'm pretty sure like for Composure so many people have already requested those things that at least when you're in the tech bubble most people are using similar things anyway. So you already have those things accessible through Composure. So then now we don't need to like do things that are not part of our core offering. Our core offering is security, one click deploy, integrations obviously everyone needs that and you need to make it as easy as possible but then if we can just do it through an external provider that's specializing in that then we don't need to worry about like a lot of like random things breaking which is great.
So that's why Composure helps, saves a lot of time. Can you tell me again how long it took to integrate everything with Composure? Yeah, I think it was like just one night. So I don't know this was like right before we were launching we were just like figuring out like oh what all features can we add?
And then at some like I was already talking to Palash I think the PM and then we were already discussing like how easy it is and at some point we just decided like okay we're launching in like 10 12 hours. We have a few hours handy right now like why don't we just add like everything right now? So then we thought okay how long would that take and then through Composure was just super simple because once you like figure out like by reading the docs like what you need to do, which is you can just tell Cloud Code to do it. It can just read the docs and like put in the right information.
You can just integrate that directly and then once you integrate for one tool then you technically can just do the same thing for anyone else, like all of the other tools. Which makes like the whole process easier because again to go back to like how long would it have taken us like maybe the same amount of time for one tool. But would have taken us like way longer because then you'd have to copy-paste the same logic to some extent for like thousands of different integrations and then like it would also be ad hoc. Then like this customer then needs to ask you for something instead of like them just having it out of the box.
So I think yeah, it's just like super simple the whole integration process for us. Yeah. And so would you say then okay, Composable enables you to focus on that like security that um focusing on that one one-step deploy. Yeah, I think so because um if we zoom out and security as a whole then the main thing we're doing at the security layer is the key swap that we're doing because we're using the clam key.
That's the only thing that the bot sees and then it needs to go to the network proxy where it's just like gets swapped for the relevant key. So we have like these five six different keys like Anthropic, OpenAI obviously all of those. But outside of that now we don't need to manage like a bajillion keys. We can just use that one Composable key directly to manage everything else which is like reduces like the risk of things because now it's only Composable.
We just need to manage like maybe five to six keys instead of just managing so What's like a typical customer use case and who's right now who's using Clam? What who what's the majority? Yeah, I think like there's just a bunch of use cases out there. Some of the common ones we've heard are for engineering teams people just want to connect a lot of different um APIs or like different services like Post Hogs, Sentry, GitHub, Linear, just connect them all into one and then just see like you can ask like the bot different questions about customer say if you have also if you also have the bot integrated with Slack then you can just say like, "Okay, this customer is complaining about XYZ.
" Like they just reported this at this time. So, it's kind of helping you with that root cause analysis. I think a lot of people are using it for that. Then there are like different use cases on the sales side of things and then the customer success where people are able to use it for like again similar use cases but like add in like Fireflies data or Pylon data and all of those different integrations so that now they can kind of find patterns that they previously weren't able to just through their Slack.
" Or like let's say go through all my Fireflies call recordings and then find different things that people are talking about or how does that relate to like all of the issues that we've been hearing in Pylon? m. every morning? If a customer sentiment is actually bad like depending on like the severity of that like if they're like super mad at you maybe like just ping me right now.
If they're like just asking for a simple trivial question maybe you can directly reply to the customer. So, then people are using it for like all sorts of different things. Like depends on like what role they have in the company. So, the exact would definitely use it like different from what an engineer would do but yeah, there's like all of those use cases.
Nice. If another founder asked about using Composure, what would you tell them? Do it. I think, um, it's just such a no-brainer, um, cuz I don't think like for most companies they're always adding integrations as a part of like okay, we also have this to use us.
We also have this to use us. They're always trying to differentiate on the basis of like oh, we can integrate with your X. We can integrate with your Y. Why not just tell them that okay, like whatever you have will just integrate with it because you can do that through Composio and I think that's the biggest thing I would tell anyone like if you're worried about integrations or managing that, why not just use this?
What are you building next with Composio? What What are you Yeah, what's what's next steps with Clam? Yeah, so on the Composio side of things like I don't think like we're adding anything new with Composio. It's already like really good for us.
But as you said like I thought there were 800 integrations then you said it's a thousand plus now. So I don't even know how many things like keep coming out of Composio and then like we're just able to directly pass that on like pass that um benefit onto our customers. So I think that's like great. So we're not really building anything with on top of Composio anymore, but I think we're just like taking everything you're offering directly.
So it's great for us. Yeah. And then where do you see Clam going? What's next for you?
Yeah, honestly like what excites me about Clam is we're just excited about what people build with it. I think through Composio we're able to like expose so many different integrations. Every day there's like so many people are signing up. So many people are using it.
We actually find these cases from people that we didn't even think about and through that we're able to like just understand the power of Clam and like the power of having secure agents because a lot of people previously weren't doing a lot of things because they were just worried about AI having access to their information or access to the information that they didn't want it to have access to. And now with Clam we're basically trying to enable that for people. I think the next biggest step for us is doing more on prem stuff and trying to like just have local models in the cloud so that people don't even need to worry about like their information going to a third party AI provider. So if they're using us, then we're the people who are hosting like different models for them, so then everything is self-contained within that same cloud network, never leaves that, or only leaves the cloud when it needs to hit like some endpoint and like get some information.
So, yeah, that's what we're doing. Amazing. Well, thank you so much for chatting with me. I learned so much.
Like now I know so much about Clayb and you like broke it down so simply. What's one piece of advice you'd give to someone who also wants to start building AI agents or just building something in this in this yeah, AI agent in the world, you know? Yeah, so I was actually talking to someone yesterday about this and then they were talking about like how they're like kind of scared about um like competition. And I think that's the biggest thing with AI agents that like anything you can build so many other people are building.
So, you really need to find like that one thing that you could be passionate about and like see yourself doing for like the next few years. If you're not able to like see yourself working on something for the next few years, then I wouldn't really do it. I think that's like the biggest advice that I would give. I mean, granted that like we pivoted a while back, but then it's like if the market is telling you something, obviously you need to listen to the market, pivot.
" So many other people are doing it for like much better reasons, doing the same thing. So, I would say like just do