Open Source Security Infrastructure

Security for OpenClaw Agents

Plug in your own evaluators — regex, Sigma, CEL, SQL, ML, or LLM-as-judge — and protect your AI agents in minutes. Bring-your-own-security.


OpenClaw has no security layer

OpenClaw gives your AI agent access to messaging platforms, shell commands, file systems, and APIs — but ships with no security layer. This project fills that gap.

You pick the evaluators

Already running OpenClaw? Drop this in. No fork, no migration — it's a plugin. Have your own detection models? Plug them in as ONNX models or LLM-as-judge policies.

You write the rules

Want to reuse your SOC's Sigma rules? Point them at OpenClaw events. Need custom policies? Write them in regex, CEL, SQL, or Python — your choice.

The platform doesn't tell you what's dangerous. You tell it — through whatever combination of evaluators fits your threat model.

Evaluate every stage of the agent lifecycle

Two deployment modes — a lightweight plugin for tool-level blocking, or a full reverse proxy for blocking at every stage.

Stage          | Shim plugin           | API proxy             | What it covers
tool.before    | Block, redact, detect | Block, redact, detect | Tool calls — dangerous commands, policy violations
message.before | Detect and alert      | Block, redact, detect | Inbound prompts — injection, PII, abuse
tool.after     | Detect and alert      | Block, redact, detect | Tool output — secret leakage, sensitive data

Shim plugin: Only tool.before can block (sequential hook). The other stages are fire-and-forget — they evaluate and alert but cannot prevent the event.
API proxy: Sits between OpenClaw and the Anthropic API. Can block at every stage, including rewriting streamed responses.

regex ~1 μs
sigma ~1 ms
CEL ~1 ms
SQL ~10 ms
ML ~50 ms
LLM ~500 ms

Cheapest evaluators run first. Short-circuits on block — if regex catches it, ML never wakes up.

Six tiers of defense

From microsecond pattern matching to semantic AI judgement. Use what you need, skip what you don't.

regex

Pattern Matching

Microsecond-fast secret scanning and command detection. Ships with rules for AWS keys, GitHub tokens, PII, and dangerous commands.

sigma

Threat Detection

Industry-standard YAML detection rules mapped to OpenClaw events. Reuse rules from the entire Sigma ecosystem.

cel

Policy Rules

Common Expression Language for conditional policies. Full access to every event field with boolean logic.

sql

Aggregate Analytics

In-memory SQLite for temporal queries — rate limiting, burst detection, session-level anomaly scoring.

ml

Local Model Inference

ONNX Runtime models for prompt injection, toxicity, and custom classifiers. Runs locally — no API calls, no data leaves your machine.

llm

Semantic Evaluation

Use Claude as a judge for nuanced decisions that rules can't capture. Policy-driven, structured verdicts.

Every evaluator type is extensible — bring your own rules, models, and policies. See the GitHub repo for configuration examples and how to write custom evaluators.

Two deployment modes

Choose the level of control you need — a lightweight plugin or a full reverse proxy.

Mode 1

Shim Plugin

A TypeScript plugin registers OpenClaw hooks and forwards events to the Python evaluation server over HTTP. Blocks on tool.before, detects on all stages.

Mode 2

API Proxy

A reverse proxy sits between OpenClaw and the Anthropic API. Intercepts every request and response. Blocks at every stage — including rewriting streamed responses.

Shim Plugin data flow (diagram rendered as text):
OpenClaw Gateway (before_tool_call, after_tool_call, message_received) → HTTP POST /evaluate → Evaluation Server → Evaluator Chain: regex ~1 μs → sigma ~1 ms → CEL ~1 ms → SQL ~10 ms → ML ~50 ms → LLM ~500 ms → { action, blocked, reasons, redacted }
Short-circuits on BLOCK · block > redact > detect
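An added illustration (not the project's own code) of the chain semantics described above and in the latency list earlier on the page: evaluators run cheapest-first, verdicts merge with block > redact > detect precedence, and a block short-circuits so the costlier tiers never run. The evaluator names, the two sample regex rules and the ML stand-in are assumptions; the returned dict mirrors the page's { action, blocked, reasons, redacted } response shape.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Verdict precedence from the page: block > redact > detect (> allow).
PRECEDENCE = {"allow": 0, "detect": 1, "redact": 2, "block": 3}

@dataclass
class Verdict:
    action: str = "allow"
    reasons: list = field(default_factory=list)
    redacted: dict = None  # field -> rewritten value, set by redact verdicts

# name: tier label ("regex", "ml", ...); cost_us: approximate latency, used only for ordering
Evaluator = namedtuple("Evaluator", "name cost_us fn")

def regex_dangerous_command(event: dict) -> Verdict:
    """Assumed regex-tier rule on tool.before: block a recursive delete of the root filesystem."""
    cmd = event.get("tool_args", {}).get("command", "")
    if re.search(r"\brm\s+-rf\s+/(\s|$)", cmd):
        return Verdict("block", ["Recursive delete root"])
    return Verdict()

def regex_aws_key_redact(event: dict) -> Verdict:
    """Assumed regex-tier rule on tool.after: redact AWS access key IDs (AKIA + 16 chars)."""
    text, n = re.subn(r"AKIA[0-9A-Z]{16}", "[REDACTED_AWS_KEY]", event.get("output", ""))
    return Verdict("redact", [f"AWS access key x{n}"], {"output": text}) if n else Verdict()

def ml_stub(event: dict) -> Verdict:
    """Stand-in for the ~50 ms ML tier; counts invocations to show short-circuiting."""
    ml_stub.calls += 1
    return Verdict()
ml_stub.calls = 0

def evaluate(event: dict, chain: list) -> dict:
    """Run cheapest-first, merge verdicts by precedence, stop at the first block."""
    final = Verdict()
    for ev in sorted(chain, key=lambda e: e.cost_us):
        v = ev.fn(event)
        final.reasons += [f"{ev.name}: {r}" for r in v.reasons]
        if PRECEDENCE[v.action] > PRECEDENCE[final.action]:
            final.action = v.action
        if v.redacted:
            final.redacted = {**(final.redacted or {}), **v.redacted}
        if final.action == "block":
            break  # later, costlier tiers (ML, LLM) never wake up
    return {"action": final.action, "blocked": final.action == "block",
            "reasons": final.reasons, "redacted": final.redacted}
CHAIN = [Evaluator("ml", 50_000, ml_stub), Evaluator("regex", 1, regex_dangerous_command),
         Evaluator("regex", 1, regex_aws_key_redact)]  # constructed; listed out of cost order on purpose
```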

API Proxy mode: OpenClaw → Proxy (:9920) → Anthropic API. The proxy evaluates at all three stages inline, with full blocking capability. No plugin installation needed — it's transparent to OpenClaw.

Choose your deployment mode

Shim Plugin — lightweight, tool-level blocking

1. Install the platform
   git clone && cd openclaw-security-platform && pip install -e .

2. Install and enable the plugin
   openclaw plugins install --link ./shim
   openclaw plugins enable openclaw-security
   openclaw config set plugins.allow '["openclaw-security"]'

3. Start the evaluation server
   openclaw-security serve -c openclaw-security.yaml

4. Restart your gateway
   openclaw gateway --force — hooks are live.

API Proxy — full blocking at every stage

1. Install the platform
   git clone && cd openclaw-security-platform && pip install -e .

2. Configure OpenClaw to use the proxy
   openclaw-security setup-openclaw
   Registers a secured provider, copies your API key, and sets it as default.

3. Start the proxy
   openclaw-security serve --mode proxy -c openclaw-security.yaml
   All Anthropic API traffic now flows through the security proxy.

To revert proxy mode: openclaw-security revert-openclaw

Real-time security dashboard

Every evaluation streams live to a built-in dashboard at /dashboard — no extra setup required.

Live event stream

Every block, redact, detect, and allow appears instantly via Server-Sent Events. Filter by action, stage, or free-text search. Click any event for full evaluator details.

Stats and history

Running totals for every action type. In-memory history of the last 10,000 events with latency tracking per evaluation. All available via API at /dashboard/api/.

Two endpoints, zero complexity

POST /evaluate

Evaluate an event

{
  "stage": "tool.before",
  "session_id": "sess-abc",
  "tool_name": "exec",
  "tool_args": { "command": "rm -rf /" }
}

→ { "action": "block",
    "blocked": true,
    "reasons": ["Recursive delete root"] }
GET /health

Health check

{
  "status": "ok",
  "mode": "server",
  "evaluators": 4
}

Returns evaluator count and server status. Use for monitoring and liveness probes.