Security layer for OpenClaw

AI agents, secured locally.
Your models. Your tools. Your machine.

Clawmont is the in-process security layer for OpenClaw — the local-first platform for running AI agents on your own computer. Four security pillars, hash-chained tamper-evident audit, keys that stay in your OS keychain. Bring any model — Claude, GPT-5, Gemini, Llama — and the tools you already use. Clawmont watches every call.


Works with Claude, GPT-5, Gemini, Llama, Gemma, and any LLM via OpenRouter (DeepSeek, Mistral, Qwen, and more).

What OpenClaw does

The assistant you always wanted.
On hardware you already own.

One platform. Any model. Any tool. Running on the laptop in front of you — not someone else's cloud.

Automate the tedious stuff

Let an agent sort your inbox, draft replies, close tickets, spin up pull requests. Daily chores, off your plate.

Use any AI model

GPT-5, Claude, Gemini, Llama, Gemma, or a model you fine-tuned yourself. OpenClaw runs them side by side — switch at any time.

Connect to your tools

Slack, Discord, Telegram, Gmail, Notion, your filesystem. Plug them in through MCP. Your agent uses them like a teammate would.

Runs on your machine

Chat history, credentials, files, audit logs — all local. No vendor sees your prompts. No cloud subscription hiding behind "cloud-first" marketing.

The flip side

But AI agents have access
to everything.

An agent that can read your files can also leak them. An agent that can call an API can also send your keys to anyone who asks politely. Every tool you wire up is a path an attacker can try to walk.

Prompt injection

Someone hides instructions in a PR comment, a fetched web page, or a file. Your agent reads them and follows — without telling you.

Credential leaks

An agent that can read your code can also read ~/.aws/credentials. A single "paste these keys here" request is enough.

Unauthorized tool calls

rm -rf. curl | bash. DROP TABLE. Without a guardrail, every tool your agent has is only one call away from a destructive command.

The answer

That's why we built
Clawmont.

Clawmont is the security layer for OpenClaw — an in-process plugin that inspects every prompt, every tool call, and every file read before the model sees it. Four security pillars — input rail, tool dispatch, tool response, model output — each one independently bypass-tested against the OWASP LLM Top 10 and a 200-scenario red-team corpus.

01

Keys stay on your machine

Provider API keys are validated on-device. Never proxied. Never logged. Never shipped to a Clawmont server — not even for health checks.

02

Four security pillars

Input rail, tool dispatch, tool response, and model output — each one bypass-tested against the OWASP LLM Top 10 and a 200-scenario red-team corpus.

03

Tamper-evident audit

Every prompt, tool call, refusal, and redaction is hash-chained to disk. Any edit breaks the chain and Clawmont flags it on the next boot.
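How a hash-chained log makes edits detectable, as an added sketch that is not Clawmont's own code: the entry layout, field names, all-zero genesis hash, and the functions append, verify, and buildSampleLog are assumptions made for illustration. It also covers the case a chain alone cannot catch, a truncated tail, by checking against a head hash kept outside the log.

```javascript
// Added illustration, NOT Clawmont's implementation. Entry layout, field
// names and the all-zero genesis hash are assumptions for this sketch.
const { createHash } = require('node:crypto');
const GENESIS = '0'.repeat(64);

// Sort keys so the same (flat) event always serializes identically.
function canonical(event) {
  return JSON.stringify(Object.keys(event).sort().map((k) => [k, event[k]]));
}

// hash = SHA-256(prevHash, seq, canonical(event))
function entryHash(prevHash, seq, event) {
  const data = `${prevHash}\n${seq}\n${canonical(event)}`;
  return createHash('sha256').update(data).digest('hex');
}

// Append an event, binding it to the hash of the entry before it.
function append(log, event) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const entry = { seq: log.length, prevHash, event };
  entry.hash = entryHash(prevHash, entry.seq, event);
  log.push(entry);
  return entry;
}

// Walk the chain from the start and report the first entry that fails.
function verify(log, expectedHead) {
  let prevHash = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i) return { ok: false, brokenAt: i, reason: 'sequence gap' };
    if (e.prevHash !== prevHash) return { ok: false, brokenAt: i, reason: 'link mismatch' };
    if (e.hash !== entryHash(prevHash, i, e.event)) return { ok: false, brokenAt: i, reason: 'content changed' };
    prevHash = e.hash;
  }
  // Dropping tail entries leaves a valid shorter chain, so compare against
  // a head hash stored outside the log when one is available.
  if (expectedHead !== undefined && prevHash !== expectedHead) {
    return { ok: false, brokenAt: log.length, reason: 'head mismatch' };
  }
  return { ok: true, head: prevHash };
}

// Constructed sample events (not real Clawmont output).
function buildSampleLog() {
  const log = [];
  append(log, { kind: 'prompt', detail: 'summarize README.md' });
  append(log, { kind: 'tool_call', detail: 'read_file README.md' });
  append(log, { kind: 'refusal', detail: 'read_file ~/.aws/credentials' });
  return log;
}
```

Rewriting an entry and recomputing its own hash only moves the break to the next entry's prevHash link, which is why verification walks the whole chain.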

See it in action

Someone tries something nasty.
Clawmont refuses. You never hear about it.

Pick an attack below. Watch the plugin catch it — locally, before it ever reaches the model.

Try it live

Run an attack. See which pillar stops it.

The regexes here are the same ones that ship in packages/plugin/src. No network calls — every verdict runs in your browser so you can diff what leaks without Clawmont vs. what gets blocked with it.

Clawmont inspects the payload and writes a hash-chained audit entry before the tool call reaches the model.


Same regexes that ship in production. Four security pillars — input rail, tool dispatch, tool response, model output — each independently bypass-tested against the OWASP LLM Top 10 and a 200-scenario red-team corpus. Raw measurements at wiki/measurements/ · full methodology at security.clawmont.com.

Want the deep, developer-grade version with every pillar broken out? Open the full playground →

Premium add-on

Send every refusal
to your team.

Add Guardrails Monitoring at checkout. HMAC-signed end-to-end — the plugin keeps protecting you locally even if you cancel.

Pricing

Pay once. Keys stay yours.

One-time license. All four security pillars on every tier. No subscription on the plugin itself.

Single persona

$30 one-time

Pick one of four personas — Developer, Trader, SRE, or Researcher.

  • Full Clawmont security layer — four pillars (input rail, tool dispatch, tool response, model output), each independently bypass-tested
  • Curated MCP + skill bundle locked to your role
  • Tamper-evident audit log + zero-knowledge keys
  • Upgrade to Apex later for $10 — no re-tier
Add Guardrails Monitoring +€9/mo
  • Real-time alerts to Slack, Discord, Telegram, or email
  • Searchable 90-day alert history (we host it for you)
  • Daily security digest

Added during checkout · Cancel anytime

Pay now, choose your persona in onboarding. Upgrade to Apex later for $10.

Get started in three minutes.

Pick a persona, click the email link, paste one install command. After that, Clawmont quietly watches every AI call you make.

Read the setup guide