ClawGuard

The antivirus for OpenClaw.
Blocks dangerous actions, scans skills, stops secret leaks, and puts humans back in control.

简体中文 · What it is · What works today · Install demo · Demo scenarios · Current limitations · Docs map

What it is

ClawGuard is the security control layer for OpenClaw.

If you are landing on this repository for the first time, the short version is:

ClawGuard is The antivirus for OpenClaw.

It is designed to sit between OpenClaw and high-risk actions so users can:

• require human approval before risky actions continue,
• inspect and explain risky behavior,
• keep an audit trail,
• and gradually add protection across exec, outbound, and workspace-mutation paths.

What works today

There is now a first OpenClaw install demo in this repository.

The current first usable version should be understood modestly:

• a local install + smoke + fake-only demo package
• enough to show the first plugin-hosted dashboard / checkup / approvals / audit / settings flow
• not a formal release, GA claim, or mature coverage statement

Today that demo covers:

• risky exec
• minimal outbound coverage
• minimal workspace mutation coverage for write / edit / apply_patch actions
• plugin-hosted dashboard, checkup, approvals, audit, and settings pages with:
  • browser-facing entry paths on /clawguard*
  • protected backing routes on /plugins/clawguard/*

Current Control UI posture:

• the plugin can already expose its own HTTP surfaces under /plugins/clawguard/*,
• but the current OpenClaw plugin API does not expose a formal way to register a left-nav tab such as Security inside the built-in Control UI,
• so the current demo should be understood as plugin-owned pages entered through the public /clawguard* shell URLs, not a first-class embedded dashboard tab. Any future embedded Control UI work would be a separate track requiring either a patched UI or upstream plugin-nav support that does not exist today.

Current repo status:

• the repo is still in a docs-first + Sprint 0 code-bootstrap stage,
• the installable OpenClaw path is currently a demo baseline, not a product release,
• and the demo is meant to show the first host integration and review flow, not a finished security platform.

Install demo

The install-demo entry lives here:

• plugins/openclaw-clawguard/README.md

Recommended install method from the repo root:

openclaw plugins install .\plugins\openclaw-clawguard

Optional local tarball demo only:

pnpm --dir plugins\openclaw-clawguard pack
openclaw plugins install .\plugins\openclaw-clawguard\<generated-tarball>.tgz

Important posture:

• this is an install demo only,
• it is not published to a registry,
• @clawguard/clawguard is currently metadata only and still unpublished,
• and this README does not imply npm publish, GA, or a formal release.

After install, restart OpenClaw, then use the plugin README operator runbook for the smoke path, 1-minute demo order, and 3-minute demo order. The current smoke path is:

• run openclaw dashboard --no-open
• replace the official tokenized dashboard URL path with /clawguard
• if bare /clawguard has no current-tab token yet, the public shell now shows a connect page aligned with OpenClaw Control UI bootstrap instead of failing closed
• then move through:
  • /clawguard
  • /clawguard/checkup
  • /clawguard/approvals
  • /clawguard/audit
  • /clawguard/settings

Demo scenarios

The current public-demo-ready scenarios are intentionally narrow:

1. Risky exec
   • ClawGuard blocks or queues a risky action for approval.
   • The decision is visible in the approvals page and the result lands in audit.
2. Minimal outbound
   • The demo shows the first outbound review / block posture.
   • Host-level outbound coverage is still intentionally limited.
3. Minimal workspace mutation
   • Risky file-change flows can enter the same approval / audit path.
   • In the current demo surface, write / edit / apply_patch are all explained as workspace mutation actions.
4. Plugin-hosted operator flow
   • Dashboard, checkup, approvals, audit, and settings pages provide the current demo surface.

For storytelling, the north-star scenario remains:

A group message tries to make OpenClaw send money, and ClawGuard puts the final decision back in human hands.

But the repository demo should currently be understood as a local install + page smoke + fake-only safety flow, not as proof of real payment execution, real money movement, or broad runtime completeness.

Current limitations

Please read this repo with the current scope in mind:

• install demo only
• local path install is the recommended path
• local tarball is optional and local-only
• not published
• not a formal release
• not presented as GA or a complete product
• outbound coverage is still minimal
• host-level outbound keeps hard blocks on message_sending and closes allowed / failed delivery on message_sent, while tool-level approvals stay on message / sessions_send; these are still two minimal fake-only review points, not full outbound lifecycle coverage
• the approval loop is still a pending-action + allow-once-retry demo flow
• the built-in Control UI sidebar is currently core-owned and hard-coded; there is no official plugin nav registration API for a Security tab yet
• current browser entry relies on the public shell at /clawguard*, while the protected /plugins/clawguard/* routes remain implementation backing routes
• embedded Control UI work is explicitly out of scope for this first usable version; any future embedded option would still require either a custom/patched Control UI nav item or an upstream OpenClaw plugin-nav API that does not exist today
• the demo should not be read as real dangerous execution, real transfer / red-packet execution, or full release-grade validation

Docs map

Start here

• plugins/openclaw-clawguard/README.md — install-demo entry, operator runbook, local path install, optional local tarball, smoke path, 1-minute / 3-minute demo order
• docs/v1-installer-demo-strategy.md — install-demo posture and why the current path is plugin-first, local-only, and not published
• docs/v1-north-star-demo-script.md — the flagship “group message tries to make OpenClaw send money” demo narrative

Product and implementation context

• docs/system-architecture.md — long-term platform architecture
• docs/v1-implementation-breakdown.md — V1 slices and implementation order
• docs/v1-development-readiness-checklist.md — what still needs tightening before broader development
• docs/security-methodology.md — ClawGuard defense model

Positioning and launch context

• docs/star-strategy.md — GitHub-facing positioning and launch strategy
• README.zh-CN.md — Simplified Chinese repository entry
• TODO.md — current project decisions and next documentation / demo tightening items