Claw Guard

English | 简体中文 | 日本語 | 한국어 | Français | Deutsch | Español | Русский

Claw Guard is an OpenClaw security plugin that adds a local guard layer in front of risky agent activity. It can warn, block, audit, pause the gateway, expose a dashboard, and optionally talk to a remote policy service.

Why Claw Guard?

1. Shared threat intelligence: Claw Guard can share malicious skill detections across the OpenClaw ecosystem, so one confirmed threat can help protect every other user.
2. Distributed AI review: suspicious skills can be evaluated both by each user's local OpenClaw model and by Claw Guard's cloud-side analysis pipeline for broader verification.
3. Dual-layer detection: protection does not rely on a single checkpoint. Claw Guard combines local inspection with optional cloud detection.
4. Broad coverage: Claw Guard is designed to inspect risky skills, files, commands, and URLs.
5. Real-time response: confirmed malicious behavior can be blocked immediately, while lower-confidence or risky behavior can trigger warnings for the user.
6. Privacy-aware uploads: the plugin is designed not to upload user secrets or full private content. The remote side receives security-relevant metadata such as skills, file paths, command lines, URLs, and OpenClaw tool-call context. The server implementation is also planned to be open sourced.

Install

If you want OpenClaw to install the plugin for you, send the agent this prompt:

Please install the OpenClaw plugin "@bitslabguard/claw-guard" for me.
Use the standard OpenClaw plugin install flow, enable the plugin after installation if needed, and then verify the install result by checking the plugin info for "claw-guard".

Install From npm

If you want to install Claw Guard directly from npm, use the published package with OpenClaw:

openclaw plugins install @bitslabguard/claw-guard

Install From GitHub Release

For most users, the easiest path is to install the latest packaged release from GitHub. OpenClaw supports installing plugin archives directly from .zip files.

1. Open the GitHub Releases page for this project.
2. Download the latest release asset named like claw-guard-v0.0.3.zip.
3. Install the downloaded archive with OpenClaw:

openclaw plugins install /path/to/claw-guard-v0.0.3.zip

4. Verify that the plugin is installed:

openclaw plugins info claw-guard

If your running Gateway has not picked up the new plugin yet, restart OpenClaw once after install.

What It Does

• Intercepts risky tool calls through OpenClaw hooks
• Applies local allow/deny rules for commands, paths, and URLs
• Sends localized warning or block notices back into chat channels
• Exposes a built-in dashboard for status, scans, pause, resume, and settings
• Records structured audit logs
• Optionally uploads events to Claw_Guard_Server for remote policy decisions

Main Features

• before_tool_call risk filtering for commands, paths, URLs, and generic tools
• message_received interception for install-style instructions
• Dashboard settings for mode, locale, auto-upgrade, pause defaults, interception, and intel
• Chat commands for operator workflows:
  • /sec_help
  • /sec_scan
  • /sec_language [auto|locale]
  • /sec_block_stats [count]

Installation

Requirements

• Node.js >=20
• A working OpenClaw installation available on PATH

Local Development Install

From the plugin root:

npm install
npm run build
openclaw plugins install -l .

Or from the workspace root:

openclaw plugins install -l ./Claw_Guard

Bootstrap Installer

This repo also includes a helper installer:

npm run bootstrap:install -- --source local --path .

Useful flags:

• --skip-doctor
• --no-restart
• --dry-run

Development

Install dependencies:

npm install

Build:

npm run build

Run typecheck:

npm run typecheck

Run tests:

npm test

Run the main validation path:

npm run check