ClawPatrol
Secure Your OpenClaw Agents.
Gateway-level runtime security that executes as hard enforcement — not LLM-invoked suggestions. Six hooks. Nine detectors. Zero bypass vectors.
3 Enforcement Layers: Active
6 Lifecycle Hooks: Covered
9 Threat Detectors: Deployed
0 LLM Bypass Points: Sealed
Three Autonomous Security Layers
Each layer operates independently. The LLM cannot suppress any of them.
Gateway Hook Enforcement
Six hooks fire as gateway code every turn.
before_tool_call blocks dangerous calls. message_sending cancels compromised outbound messages. No LLM involvement - the model can't negotiate.
File Integrity Scanner
Continuously monitors the cognitive workspace files that define who the agent is: SOUL.md, AGENTS.md, IDENTITY.md, TOOLS.md, USER.md, HEARTBEAT.md.
Hash-first: SHA-256 baselines on startup, re-hash every 60s. API called only when content changes - zero overhead on unchanged files.
Skill Scanner (Skill Sentinel)
Autonomous background scanning of all installed skills. Composite SHA-256 detects new/modified skills → multi-agent AI pipeline produces verdicts: SAFE, SUSPICIOUS, MALICIOUS.
MALICIOUS findings persist across sessions - alerts survive restarts until the skill is removed or re-scanned clean.
Hook Reference
All six hooks fire as gateway code. The LLM cannot suppress them.
Hook                 Trigger          Mode  Action
before_prompt_build  Every run        HARD  Scan prompt → inject prependContext
before_tool_call     Any tool call    HARD  { block: true } — blocks dangerous calls
after_tool_call      Tool returns     OBS   Scan output → queue alert
llm_output           LLM responds     OBS   Scan response → queue alert
message_sending      Outbound msg     HARD  { cancel: true } — cancels compromised messages
message_received     Inbound channel  OBS   Scan → queue alert
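The table above distinguishes HARD hooks, whose return value stops the action, from OBS hooks, which only queue an alert for the next turn. The following is an added example, not ClawPatrol's or OpenClaw's code: a minimal dispatcher that reproduces those semantics, including the fail-open / fail-closed choice for a detector that errors out. The hook names, modes and the { block } / { cancel } / prependContext fields come from the hook reference; the detector functions, the createGuard/runHook names and the sample inputs are constructed assumptions.

```javascript
// Added example (not ClawPatrol's or OpenClaw's code): HARD vs OBS hook dispatch.
// Hook names/modes and the return fields are from the hook reference; the
// detectors, the guard API and the sample text are assumed stand-ins.
const HOOK_MODES = {
  before_prompt_build: 'HARD', // injects alerts via prependContext, never blocks
  before_tool_call: 'HARD',    // { block: true }
  after_tool_call: 'OBS',
  llm_output: 'OBS',
  message_sending: 'HARD',     // { cancel: true }
  message_received: 'OBS',
};
const STOP_FIELD = { before_tool_call: 'block', message_sending: 'cancel' };

// Constructed stand-in detectors: each returns null (clean) or a finding.
const DEFAULT_DETECTORS = {
  keyword_detector(text) {
    const hit = /ignore (all )?previous instructions/i.exec(text);
    return hit ? { detector: 'keyword_detector', confidence: 0.9, match: hit[0] } : null;
  },
  pii(text) {
    const hit = /\b\d{3}-\d{2}-\d{4}\b/.exec(text); // SSN-shaped number, constructed pattern
    return hit ? { detector: 'pii', confidence: 0.8, match: hit[0] } : null;
  },
};

// Render queued findings as the in-conversation alert text.
function formatAlerts(alerts) {
  return alerts
    .map(a => `[ClawPatrol] ${a.hook}: ${a.detector} (confidence ${a.confidence}) matched "${a.match}"`)
    .join('\n');
}

// failMode 'closed' stops the action when a detector itself fails; 'open' lets it through.
function createGuard({ failMode = 'closed', detectorSet = DEFAULT_DETECTORS } = {}) {
  const queue = []; // findings from OBS hooks, drained on the next turn

  function scan(hook, text) {
    const findings = [];
    for (const detect of Object.values(detectorSet)) {
      const f = detect(text);
      if (f) findings.push({ hook, ...f });
    }
    return findings;
  }

  function runHook(hook, text) {
    const mode = HOOK_MODES[hook];
    if (!mode) throw new Error(`unknown hook: ${hook}`);

    let findings = [];
    let scanError = null;
    try { findings = scan(hook, text); } catch (err) { scanError = err; }

    if (hook === 'before_prompt_build') {
      // Drain queued OBS findings plus anything found in the prompt itself.
      const alerts = queue.splice(0).concat(findings);
      return alerts.length ? { prependContext: formatAlerts(alerts) } : {};
    }

    if (mode === 'HARD') {
      if (scanError) {
        return failMode === 'closed'
          ? { [STOP_FIELD[hook]]: true, reason: `detector error: ${scanError.message}` }
          : {};
      }
      return findings.length ? { [STOP_FIELD[hook]]: true, findings } : {};
    }

    // OBS hooks never stop the action; they queue alerts for the next turn.
    queue.push(...findings);
    return {};
  }

  return { runHook, queued: () => queue.length };
}
```

Note that the verdict is computed entirely in gateway code: the model never sees a prompt asking whether to block, which is the property the page calls "zero bypass vectors". The fail-closed branch is the one to check in your own deployment, since a detector outage under fail-open silently turns every HARD hook into a pass-through.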
How It Works
Three autonomous layers — each operates independently.
Monitored Files
SOUL.md: Core identity & safety rules
AGENTS.md: Multi-agent configuration
IDENTITY.md: Persona definitions
TOOLS.md: Permitted tool policies
USER.md: User preferences & memory
HEARTBEAT.md: Liveness + state checksum
Detection Pipeline
1. Startup → SHA-256 baselines for all files
2. Every 60s → re-hash each file
3. Hash differs → drift → send to Enkrypt API
4a. Malicious → baseline preserved → keeps alerting
4b. Benign → baseline updated → silent next cycle
5. Hash matches → no API call → zero overhead
Violations queue in memory. On the agent's next turn, the before_prompt_build hook drains the queue and injects alerts via prependContext. The user sees the alert in conversation — specific file, detector, confidence score, and remediation steps. No separate dashboard needed.
Per-File Policy (e.g. SOUL.md)
Each file type has a tailored policy definition. For SOUL.md, the scanner flags:
- Instructions to ignore safety guidelines or override security controls
- Commands to exfiltrate data to external endpoints
- Attempts to override the agent's identity
- Hidden instructions disguised as persona definitions
- Encoded, obfuscated, or base64 payloads
SAFE
Baseline silently updated. No action.
SUSPICIOUS
Persistent alert until re-scan clean.
MALICIOUS
Persistent alert across sessions. Survives restarts.
Scan Pipeline
1. Monitor: Composite SHA-256 hashing of skill directories detects new or modified skills
2. Analyze: Multi-agent AI pipeline runs in a dedicated Python environment
3. Categorize: Prompt injection, data exfiltration, command injection, obfuscation
4. Persist: SUSPICIOUS and MALICIOUS findings injected into every agent turn until resolved
5. Surface: Alerts delivered in-conversation with verdict, category, and remediation
Compliance & Moderation
5 detectors
policy_violation
nsfw
toxicity
bias
topic_detector
Security
3 detectors
injection_attack
sponge_attack
keyword_detector
Privacy
5 detectors
pii
Built for Your Team
Quick setup to enterprise compliance — ClawPatrol meets you where you are.
Quick Start
# Install
npm install @enkryptai/clawpatrol
# Interactive setup wizard
clawpatrol-setup
# Config generated: clawpatrol.config.json
# → Hook selection (all 6 default)
# → Detectors per hook
# → Files to monitor
# → Fail mode: open | closed
# → OTLP endpoint
Architecture
ClawPatrol runs as an OpenClaw plugin. Three background services start automatically:
Runtime Guardrails
Hard blocks at every stage of the agent lifecycle
Workspace Protection
Continuous monitoring that knows an attack from a benign edit
Skill Security
Every skill vetted automatically, no user action needed
No daemon
No root
No systemd
macOS
Windows
Linux
OTLP Telemetry
Per-hook traces, 10 metrics, severity-mapped logs. Plugs into Jaeger, Grafana, Datadog, or any OpenTelemetry collector.
Policy Enforcement
Natural-language policy text per hook. Configurable fail-open / fail-closed per deployment. Align to your AI governance framework.
In-Conversation Alerts
Violations surface directly to the user — confidence score, policy clause, attacker intent, remediation steps. Not buried in SIEM.
ClawPatrol fills the gap no other tool covers.
vs. DefenseClaw
File integrity + in-conversation alerts
Out-of-band file tampering detection
Semantic drift triage (auto-baseline)
User sees violations in-conversation
Cross-platform (not Linux-only)
vs. ClawSec
Hard enforcement, not LLM-driven
Gateway hooks ≠ LLM-invoked skills
9 runtime detectors (ClawSec: zero)
Semantic triage vs. manual approve
OTLP telemetry pipeline
vs. NemoClaw
Content-aware, not infra-only
Injection detection with scores
Workspace file monitoring
Skill scanning (AI analysis)
In-conversation alerts
Ship Secure Agents
Gateway enforcement. Semantic file integrity. Autonomous skill scanning. Your rules, your stack.
