Real-time security monitoring for AI agents — powered by local LLMs. Every tool call gets risk-scored before it runs. 100% private, zero cloud.
```bash
git clone https://github.com/TobyGE/GuardClaw.git
cd GuardClaw
npm install && npm install --prefix client && npm run build
npm link
guardclaw config detect-token --save   # auto-detect OpenClaw token
guardclaw start                        # opens browser automatically
```

Or skip the CLI: run guardclaw start, go to ⚙️ Settings → Gateway → Auto-Detect.
By default GuardClaw only receives text/chat events from OpenClaw. To see every tool call (read, write, exec, etc.) in real-time, run the included patch script:
```bash
bash scripts/patch-openclaw.sh
```

That's it. The script will patch OpenClaw, rebuild it, and restart the gateway automatically. It's safe to run multiple times (idempotent).
What it does: Adds one line to OpenClaw's WebSocket broadcast logic so that tool events are sent to all connected clients — not just ones that started an agent run. GuardClaw is a passive observer and this is the only way it can receive tool events without interfering with normal operation.
By default GuardClaw is monitor-only — it shows risk scores but doesn't interfere with the agent.
Install the OpenClaw plugin to enable pre-execution interception:
| | Monitor only | With plugin |
|---|---|---|
| Risk scores + audit trail | ✅ | ✅ |
| Real-time tool call visibility | ✅ | ✅ |
| Block dangerous commands | ❌ | ✅ |
| Approval prompts for high-risk (score ≥ 8) | ❌ | ✅ |
```bash
guardclaw plugin install
openclaw gateway restart
```

Once enabled, the 🛡️ button in the Dashboard toggles blocking on/off without a restart. Tools with a risk score ≥ 8 are paused and require human approval — respond with /approve-last or /deny-last. Below 8, tools run freely and risk scores are logged in the dashboard.
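The gating rule described above (monitor-only by default, pause at score ≥ 8, resolve with /approve-last or /deny-last), combined with the fail-closed behaviour listed in the feature tables, as an added sketch. It is not GuardClaw's source: `ToolGate`, its fields, the decision strings and the pluggable `scorer` are hypothetical, and treating an unavailable scorer as a paused call is an assumption about what fail-closed means here.

```javascript
// Added sketch, not GuardClaw source. Class, field and decision names are hypothetical.
const APPROVAL_THRESHOLD = 8; // README: score >= 8 needs human approval
const VERDICTS = new Map([['/approve-last', 'approved'], ['/deny-last', 'denied']]);

class ToolGate {
  constructor({ scorer, blocking = false, failClosed = true }) {
    this.scorer = scorer;         // async (toolCall) => risk score (assumed numeric)
    this.blocking = blocking;     // false = monitor-only (the README's default)
    this.failClosed = failClosed; // hold calls when no score can be obtained
    this.pending = [];            // paused calls awaiting /approve-last or /deny-last
    this.audit = [];              // every call is logged, whatever the decision
  }

  async check(toolCall) {
    let score;
    try {
      score = await this.scorer(toolCall);
      if (!Number.isFinite(score)) throw new Error('unusable score');
    } catch {
      // No verdict: in blocking mode, fail closed rather than run unscored.
      const hold = this.blocking && this.failClosed;
      return this.record(toolCall, null, hold ? 'paused' : 'allowed', 'scorer-unavailable');
    }
    const highRisk = score >= APPROVAL_THRESHOLD;
    const decision = highRisk && this.blocking ? 'paused' : 'allowed';
    return this.record(toolCall, score, decision, highRisk ? 'high-risk' : 'below-threshold');
  }

  record(toolCall, score, decision, reason) {
    const entry = { toolCall, score, decision, reason };
    this.audit.push(entry);
    if (decision === 'paused') this.pending.push(entry);
    return entry;
  }

  // Apply a human reply to the most recently paused call; unknown commands change nothing.
  resolve(command) {
    if (!VERDICTS.has(command) || this.pending.length === 0) return null;
    const entry = this.pending.pop();
    entry.decision = VERDICTS.get(command);
    return entry;
  }
}
```

In monitor-only mode the same high score is still recorded in `audit`, but the call is returned as `allowed`.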
```
guardclaw start / stop
guardclaw config detect-token --save
guardclaw config set-token <token>
guardclaw plugin install / uninstall / status
guardclaw help
```

Core Analysis
| Feature | Status | Date |
|---|---|---|
| Real-time tool event monitoring | ✅ Done | 2026-02-15 |
| Risk scoring with local LLM | ✅ Done | 2026-02-15 |
| Safe-tool fast path — skip LLM for clearly safe tools | ✅ Done | 2026-02-20 |
| Per-model prompt configs (qwen3-1.7b / 0.5b / gpt-oss) | ✅ Done | 2026-02-20 |
| message tool privacy analysis | ✅ Done | 2026-02-20 |
| Chained tool analysis | ✅ Done | 2026-02-21 |
| write/edit path analysis — persistence & backdoor detection | ✅ Done | 2026-02-21 |
| Tool result inspection via after_tool_call | ✅ Done | 2026-02-21 |
| canvas eval analysis | ✅ Done | 2026-02-21 |
| nodes invoke analysis | ✅ Done | 2026-02-21 |
| Prompt injection defense on LLM judge | ✅ Done | 2026-02-22 |
| Sub-agent monitoring — independent chain analysis per session | ✅ Done | 2026-02-22 |
| Write/Edit content scanning | ✅ Done | 2026-02-22 |
Active Blocking
| Feature | Status | Date |
|---|---|---|
| Approval workflow (/approve-last / /deny-last) | ✅ Done | 2026-02-15 |
| OpenClaw plugin — pre-execution interception | ✅ Done | 2026-02-20 |
| One-click blocking toggle in dashboard | ✅ Done | 2026-02-20 |
| Auto-retry after approval — no re-typing needed | ✅ Done | 2026-02-20 |
| Direct user notification on block | ✅ Done | 2026-02-20 |
| Run-level lock — single notification per run | ✅ Done | 2026-02-20 |
| Fail-closed on GuardClaw disconnect | ✅ Done | 2026-02-22 |
| Fail-closed dashboard toggle | ✅ Done | 2026-02-22 |
| Monitor/Blocking mode toggle | ✅ Done | 2026-02-22 |
Dashboard & UX
| Feature | Status | Date |
|---|---|---|
| Days Protected tracking | ✅ Done | 2026-02-11 |
| Light / dark mode | ✅ Done | 2026-02-11 |
| AI-powered event summaries | ✅ Done | 2026-02-15 |
| Click-to-filter stats cards | ✅ Done | 2026-02-15 |
| Auto-open browser on start | ✅ Done | 2026-02-15 |
| Conversation turn grouping in event list | ✅ Done | 2026-02-20 |
| Session tabs — separate views for main agent and sub-agents | ✅ Done | 2026-02-22 |
Integration & Setup
| Feature | Status | Date |
|---|---|---|
| nanobot support | ✅ Done | 2026-02-13 |
| Web UI + CLI configuration management | ✅ Done | 2026-02-15 |
| LLM backend config UI — LM Studio + Ollama | ✅ Done | 2026-02-15 |
| patch-openclaw.sh — one-command OpenClaw patching | ✅ Done | 2026-02-20 |
Future
| Feature | Notes |
|---|---|
| Cross-session chain analysis | Parent→child chain history sharing. Low priority — per-session monitoring already covers most scenarios. |
| A2A (Agent-to-Agent) protocol monitoring | Monitor inter-agent communication. Waiting for broader A2A adoption in OpenClaw. |
| Approve/deny buttons in dashboard | Frontend buttons for /approve-last and /deny-last. Backend already exists. |
