What actually helped was flipping it around. Instead of trying to trust the agent, I used the agent to help build something that watches it. I've got an OpenClaw setup on a Raspberry Pi and it helped plan, test, build, install, run and monitor its own security proxy. Deterministic rules, no LLM in the enforcement path, just pattern matching on every outbound tool call.

So now the agent runs, the proxy catches anything sketchy before it leaves the box, and I've got a dashboard I can check from my phone. Still wouldn't call it "safe" but at least I can see what's happening and it can't quietly exfiltrate stuff without tripping a rule.

Turns out "help me build the thing that constrains you" is a use case agents are surprisingly good at.