Security
Eleven layers. Each one testable.
Clawmont is a plugin that runs inside OpenClaw on your machine — not a cloud gateway. Every defense below is code in packages/plugin with its own regression suite, re-run on every commit. Known limitations are tracked alongside what we do block.
Verified, not claimed
The 11 Defense Layers
Credential scanner
Detects API keys, JWTs, PEMs, SSH keys, AWS/GCP/Azure tokens, Stripe keys, GitHub PATs, Slack / Discord webhook URLs, Telegram bot tokens, and private key material in every prompt and tool input before the model sees it.
credentialScanner
Tool firewall
Allow-list of tools per persona — anything outside the persona-specific manifest is refused at the plugin layer before the model can call it.
toolFirewall
Schema validation
Every tool argument is validated against its declared JSON schema. Over/under-supplied fields, wrong types, and unknown properties all refuse at the gateway.
schemaValidator
MCP integrity pinning
MCP server binaries and configs are pinned to known-good hashes. A maintainer swap or typosquat package triggers a refuse-to-load and surfaces a red-team alert.
mcpIntegrity
Path protection
Any tool that resolves to ~/.ssh, ~/.aws, /etc/passwd, /etc/shadow, ~/.config, or the user's keychain is blocked — even when the path is obfuscated via symlinks or env-var expansion.
pathGuard
Session isolation
Each OpenClaw session runs with its own scoped config and tool state — no shared cache, no cross-session prompt leakage, no "persistent" agent memory you didn't opt into.
sessionScope
Read-only mode
Default posture for unknown repos and production-looking paths. Writes require an explicit persona-scoped allow or human-in-the-loop confirmation.
readOnlyMode
Tamper-evident audit
Every prompt, tool call, refusal, and secret-redaction event is written to a hash-chained log on disk. Any edit breaks the chain and the plugin flags it on the next boot.
auditLog
Command guard
Shell-pattern detector for rm -rf, curl | bash, eval, DROP TABLE, dd of=/dev/, mkfs, and kernel-module inserts — refused with a labelled alert, not silent-dropped.
commandGuard
Egress allow-list
Outbound HTTP(S) from sandboxed tools is restricted to a persona-scoped domain allow-list. Exfiltration attempts via DNS or non-standard ports are logged and blocked.
egressAllowList
Prompt-injection detector
Pattern + classifier check on every prompt fragment — ignore-previous-instructions, role-reset, tool-injection, and obfuscated instruction-markdown all get flagged before reaching the model.
injectionDetector
What leaves your machine
| Data | What leaves |
|---|---|
| Your provider API keys | Never — validated locally, never proxied, never logged. |
| Your prompts or completions | Never — the plugin runs in-process; prompts stay between your editor and your chosen model provider. |
| Your code | Never — no repo contents, file contents, or diffs leave your machine. |
| Security alerts (only with Guardrails) | HMAC-signed metadata only — event type, severity, timestamp, redacted summary. Raw secrets, raw prompts, and raw tool arguments are stripped before transmission. |
| Telemetry | None. No analytics, no crash reports, no "anonymous usage" ping. |
Source: the alert-pipeline redactor in packages/plugin/src/cloud-sync.ts and the Guardrails egress allow-list. No implicit telemetry exists anywhere in the codebase.
Pick a persona. Keep your keys.
Every persona ships with the full security layer above. Any single persona is $30 one-time; Apex unlocks all four plus every future persona for $40.