Security

Four pillars.
Each one bypass-tested.

Input rail, tool dispatch, tool response, model output — each one is code in packages/plugin, with its own regression suite. Raw measurements update on every commit — bypasses included.

File-handling posture

What we don't scan, what we do block

DON'T SCAN

Your file contents

We don't scan the contents of files you upload. Uploaded files are passed to the model unchanged and shown in your chat with a "not scanned" flag.

DO BLOCK

Model-initiated downloads

If the model tries to download something you didn't ask for, we stop it. Every download has to start with you — a slash command, a button click, or a clear request in chat.

Verified, not claimed

Four security pillars. Each one bypass-tested, each one running in-process.

Input rail, tool dispatch, tool response, and model output — each independently bypass-tested against the OWASP LLM Top 10 and a 200-scenario red-team corpus. Raw measurements in wiki/measurements/ — full methodology at security.clawmont.com.

01

Input rail

Every prompt fragment inspected before the model sees it — credential scanner, prompt-injection detector, and Unicode-normalized pattern matchers.

02

Tool dispatch

Every tool call passes through a curated dangerous-action allowlist with per-tool severity grading. rm -rf, curl | bash, eval, DROP TABLE — refused with a labelled alert.

03

Tool response

Every tool result inspected before the model can read it. Path protection (~/.ssh, ~/.aws, /etc/passwd, keychain) plus a request/response size limiter, applied even when payloads are obfuscated.

04

Model output

Every model reply scanned before it reaches the user. Hash-chained activity monitor, session isolation, and read-only mode close the loop with a tamper-evident audit trail.
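How the input-normalization step of pillar 01 and the severity-graded refusal of pillar 02 fit together, as an added illustration that is not Clawmont's own code. It assumes a tool call is a `{ tool, args }` object; the rule list, the severity grades and the per-tool override are constructed here for the four actions the page names.

```typescript
// Added illustration (not Clawmont's code): a tool-dispatch guard that normalizes the
// arguments of a tool call, matches them against a severity-graded list of dangerous
// actions and returns a labelled alert instead of letting the call through.
type Severity = "medium" | "high" | "critical";

interface ToolCall { tool: string; args: Record<string, unknown> }

interface Rule {
  label: string;                      // surfaced in the alert so the user sees why it was refused
  pattern: RegExp;                    // applied to the normalized, lower-cased argument text
  severity: Severity;                 // default grade
  byTool?: Record<string, Severity>;  // per-tool override (constructed example of per-tool grading)
}

interface Verdict { allowed: boolean; alert?: { label: string; severity: Severity; tool: string; matched: string } }

// Constructed rule set covering the four examples named on the page.
const RULES: Rule[] = [
  // rm carrying both -r and -f, whether combined ("-rf") or separate ("-r -f")
  { label: "recursive-delete", pattern: /\brm\b(?=.*\s-[a-z]*r)(?=.*\s-[a-z]*f).*/, severity: "critical" },
  // a fetch piped straight into a shell, optionally through sudo
  { label: "pipe-to-shell", pattern: /\b(curl|wget)\b[^|\n]*\|\s*(sudo\s+)?(ba|z|da)?sh\b/, severity: "critical" },
  // eval followed by a paren, quote or variable; graded higher when it reaches a real shell
  { label: "dynamic-eval", pattern: /\beval\s*[("'$]/, severity: "high", byTool: { shell: "critical" } },
  { label: "drop-table", pattern: /\bdrop\s+table\b/, severity: "high" },
];

// NFKC folds fullwidth and other compatibility forms ("ｒｍ" -> "rm"), zero-width
// characters are stripped and case is folded, so obfuscated spellings hit the same rules.
function normalize(text: string): string {
  return text.normalize("NFKC").replace(/[\u200B-\u200D\u2060\uFEFF]/g, "").toLowerCase();
}

// Collapse nested argument objects and arrays into one searchable string.
function flatten(value: unknown): string {
  if (typeof value === "string") return value;
  if (Array.isArray(value)) return value.map(flatten).join(" ");
  if (value !== null && typeof value === "object") return Object.values(value as object).map(flatten).join(" ");
  return String(value);
}

function guardToolCall(call: ToolCall): Verdict {
  const text = normalize(flatten(call.args));
  for (const rule of RULES) {
    const match = rule.pattern.exec(text);
    if (!match) continue;
    const severity = rule.byTool?.[call.tool] ?? rule.severity;
    return { allowed: false, alert: { label: rule.label, severity, tool: call.tool, matched: match[0] } };
  }
  return { allowed: true };
}
```

A refused verdict carries the rule label, the grade for that tool and the normalized text that matched, which is what a labelled alert needs to show the user.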

Egress

What leaves your machine?

Almost nothing. Source: the redactor in packages/plugin/src/cloud-sync.ts.

  • API keys: Never
  • Prompts: Never
  • Code & files: Never
  • Telemetry: None
  • Alerts (only with Guardrails): HMAC-signed, redacted

Aligned with

  • OWASP LLM Top 10 (2025)
  • NCSC AI Cyber Security (2024)
  • Row-by-row mapping in source

Security-only product

Just the security layer — $19/mo

The same four-pillar middleware that ships with every persona, as a standalone subscription. No persona, no model setup — just the 4 security ports running in front of whatever model your OpenClaw gateway is already configured for.

  • Tool-guard, path-guard, input-normalizer, secret-scanner
  • Works with any model — Anthropic, OpenAI, Ollama, OpenRouter
  • Same red-team corpus + dashboard as the persona tiers
  • One-command install — install.sh --security-only

Cancel anytime. Pro-rata refund per refund policy. Already own a persona? You get Guardrails for $9/mo as a checkout add-on.

Licensing

Clawmont is source-available under the Business Source License 1.1, with a change date of 2028-05-08 to Apache 2.0.

Read the full terms in our LICENSE file.

Try it for $30.

All four pillars on every tier. Three minutes to install.