Easylab AI×  OpenClaw
Back to Architecture

Inter-Agent Bridge

How Max and Eva communicate safely

When two autonomous AI agents run on separate machines, they need to communicate -- but neither trusts the other. A compromised agent could send prompt injections to take over its counterpart. This requires a zero-trust architecture between agents.

Bridge Governor

An independent daemon acting as rate-limiter between Max and Eva. Deployed locally on each instance.

  • Maximum 50 messages per direction before requiring human intervention
  • STOP/GO controls via messaging for both operators
  • 5-minute timeout without human activity triggers automatic pause
  • All messages logged in a local database for analytics

Communication Flow

MaxGPT-5.4GovernorBridge Channelrate-limiterEvaGPT-5.4TelegramSTOP / GOmsgmsgresponse
Communication Protocol
1

Agent sends message

The sending agent calls its send-to-eva (or send-to-max) skill

2

Governor rate-check

The local governor daemon checks rate limits and STOP/GO state

3

HTTPS Webhook

Message sent via authenticated HTTPS webhook through a private network transport (/hooks endpoint)

4

Remote Governor receives

The remote governor daemon receives, logs, and forwards to the bridge-reader

5

Bridge-Reader sanitizes

Disposable sub-agent rewrites the message in isolation (zero tools, 60s timeout)

6

Main agent receives

The main agent only sees the sanitized rewrite, never the original message

Orchestration via the bridge
NEW

The Coordinator pattern uses the bridge to orchestrate complex tasks between agents. A coordinator agent breaks down the request, assigns sub-tasks via the bridge to specialized agents on different machines, and unifies results.

Delegation flow

  1. 1The coordinator receives the request and identifies the required skill domains.
  2. 2Each sub-task is sent via the bridge to the specialized agent (Max for code, Eva for security).
  3. 3The governor traces each delegation: direction, size, timestamp.
  4. 4Results come back through the bridge, are sanitized by the bridge-reader, then synthesized by the coordinator.
Full details
Bridge Skills
Maxsend-to-eva

Sends a message to Eva through the governor pipeline

Evasend-to-max

Sends a message to Max through the governor pipeline

Supervision Channel

Both human operators share a Telegram group (Bridge Eva-Max) where every inter-agent exchange is visible in real time. Neither agent can communicate secretly.

Communication resilience
NEW

EasyClaw v2 adds automatic retry and failover mechanisms for inter-agent exchanges. If an agent doesn't respond within the allotted time, the system reacts transparently.

Resilience strategy

  1. 1Every send is wrapped in a circuit breaker that detects errors and timeouts.
  2. 2Temporary errors (network timeout, rate limit) trigger retry with exponential backoff (1s, 2s, 4s...).
  3. 3After exhausting retries, a backup agent can take over without context loss.
  4. 4The bridge traces each attempt and each failover in an audit log for diagnostics.
Full details
Risks and Mitigations
RiskMitigation
Prompt injection via incoming messageBridge-reader rewrites everything. The main agent never sees the original message. Injection patterns are broken by reformulation.
Compromised remote agent sends malicious payloadsBridge-reader has zero tools. Even if the injection succeeds within the bridge-reader, it cannot execute any action.
Network-level attack between the two machinesOnly one port is open (HTTPS webhook). No SSH, no other services. Access is revocable at any time by either party.
Credential exfiltration through the bridgePINs, gateway tokens, and internal credentials are never transmitted through inter-agent communication. The bridge is a one-way data valve.
One side attempts to overwhelm the other with messagesRate limiting on both ends. The supervision channel makes flooding immediately visible to both humans.
Systems in Detail

Bridge Governor

Permanent daemon (launchd)

Rate-limits and supervises all communication between Max and Eva.

HOW IT WORKS

  1. 1Local daemon: loopback channel on Max, restricted private-network channel on Eva
  2. 2Maintains a message counter per direction — stops at 50 messages and requires human GO via messaging
  3. 35-minute inactivity timeout: if no human is watching, the bridge auto-pauses
  4. 4All exchanges are logged in a local database with timestamps, direction, and content length

WHY IT MATTERS

Without rate-limiting, a compromised agent could spam its counterpart with thousands of prompt injection attempts. The governor ensures human oversight and prevents runaway conversations.

bridge-reader

On-demand (spawned per message)

Sanitizes incoming messages in complete isolation before the main agent sees them.

HOW IT WORKS

  1. 1Spawned as a disposable one-shot sub-agent with zero tools and a 60-second timeout
  2. 2Reads the raw incoming message and rewrites it in its own words -- stripping any hidden instructions or prompt injections
  3. 3Only the sanitized rewrite reaches the main agent. The original message is never exposed
  4. 4If the bridge-reader crashes or times out, the message is silently dropped

WHY IT MATTERS

The main agent trusts its own context. If an attacker message entered the context directly, it could override instructions. The bridge-reader is a firewall: it understands the message content but can't be weaponized (no tools, no persistence).

Inter-Agent Bridge -- Architecture Deep Dive | OpenClaw × Easylab