ClawGuard Security Skill
A security layer that monitors and controls what OpenClaw can do. Think of it as a firewall for your AI assistant.
Description
ClawGuard intercepts all shell commands, file operations, and network requests before OpenClaw executes them. Actions are checked against your security policy and can be:
- ✅ Allowed — Proceeds immediately
- ❌ Blocked — Rejected with explanation
- 👤 Approval Required — Waits for human confirmation
Instructions
Before executing any of the following actions, check with ClawGuard:
Shell Commands
Before running any shell/bash command, call clawguard_check_shell with the command. If blocked, explain why and suggest an alternative.
File Operations
Before reading or writing files, call clawguard_check_file with the path and operation type. Respect blocked paths like ~/.ssh and .env files.
Network Requests
Before making HTTP requests, call clawguard_check_network with the URL. Only access allowed domains.
Security Philosophy
- Deny by Default — In allowlist mode, anything not explicitly allowed is blocked
- Blocked Wins — Block rules take precedence over allow rules
- Fail Closed — Errors and timeouts result in denial
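The three rules above, applied to file and network checks in allowlist mode. This is an added example, not ClawGuard's own code: the POLICY layout, the decide function and the sample paths and hosts are hypothetical and do not reflect the clawguard.yaml schema.

```python
import fnmatch
import os
from urllib.parse import urlsplit

# Hypothetical policy for illustration only (not the clawguard.yaml schema).
POLICY = {
    "file": {"block": ["~/.ssh/*", "*/.env", ".env"], "allow": ["~/project/*"]},
    "network": {"block": ["admin.example.org"], "allow": ["api.example.com", "*.example.org"]},
}

def _normalize(kind, target):
    """Reduce a target to one canonical spelling before any rule is matched."""
    if kind == "file":
        # Resolve ~ and ../ so a blocked path cannot be reached under another name.
        return os.path.normpath(os.path.expanduser(target))
    if kind == "network":
        host = urlsplit(target).hostname
        if not host:
            raise ValueError("URL has no host")
        return host.lower()
    raise ValueError("unknown action kind")

def _matches(patterns, kind, value):
    if kind == "file":
        patterns = [os.path.expanduser(p) for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def decide(policy, kind, target):
    """Return "allow" or "block" for one action, modelling allowlist mode."""
    try:
        rules = policy[kind]
        value = _normalize(kind, target)
        # Blocked Wins: block rules are evaluated before any allow rule.
        if _matches(rules.get("block", []), kind, value):
            return "block"
        if _matches(rules.get("allow", []), kind, value):
            return "allow"
        # Deny by Default: nothing matched, so the action is not allowed.
        return "block"
    except Exception:
        # Fail Closed: a malformed target or missing rule set is a denial.
        return "block"

if __name__ == "__main__":
    for kind, target in [("file", "~/project/.env"),
                         ("file", "~/project/../.ssh/id_rsa"),
                         ("network", "https://docs.example.org/x"),
                         ("network", "not a url")]:
        print(kind, target, "->", decide(POLICY, kind, target))
```

Normalizing before matching matters: without it, ~/project/../.ssh/id_rsa would match the allow rule for ~/project/* and miss the ~/.ssh block rule.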
Configuration
Edit clawguard.yaml in your project root to customize the security policy.