Clawreins

Intervention layer with audit logs for OpenClaw agents. Browser-aware. Trajectory-aware. Human-routable.

Install / Use

/learn @pegasi-ai/Clawreins

🦞 + 🪢 ClawReins

Runtime safety and human approval infrastructure for computer-using agents.

github.com/pegasi-ai/clawreins (https://github.com/pegasi-ai/clawreins)

License: Apache 2.0 | TypeScript | Node.js >= 18.0.0

OpenClaw is powerful. That's the problem. ClawReins is the watchdog layer.

ClawReins sits between an AI agent and the real world and protects agents at two stages:

  • Before runtime → security scanning
  • During runtime → action interception

Think of it as sudo for AI agents. The first production integration is OpenClaw: ClawReins plugs into the before_tool_call event so that you can:

  • Prevent destructive actions before they execute
  • Pause for human approval with YES / ALLOW / CONFIRM flows
  • Prove what happened with durable audit logs and post-incident review

OpenClaw cannot be its own watchdog. Neither can any CUA.

Demo

Hero example: an OpenClaw agent tries to bulk-delete 4,382 Gmail messages. ClawReins blocks it before execution.

That is the core runtime story:

  • destructive action detected
  • execution paused before side effects
  • human approval required
  • decision written to the audit trail

Runtime Interception

Runtime interception is the enforcement layer. It is what stops an agent mid-trajectory when the action is destructive, irreversible, or operating under risky browser state.

Core capabilities:

  • Browser-state awareness for CAPTCHA, 2FA, and challenge walls
  • Irreversibility scoring for risky versus catastrophic actions
  • Runtime intervention across terminal and messaging approval channels
  • ToolShield-aligned hardening for new tool rollouts
  • Full audit logging for every approval decision

Security Scan

ClawReins includes a security scanner that audits the local OpenClaw environment for high-signal misconfigurations before runtime problems turn into incidents.

clawreins scan audits a local OpenClaw installation for high-signal security misconfigurations, writes an HTML report to ~/Downloads/scan-report.html, and prints a file:// link directly in the terminal.

Usage:

# Run the 13-check audit and save the HTML report
clawreins scan

# Save the report and try to open it automatically
clawreins scan --html

# Machine-readable output for CI
clawreins scan --json

# Apply supported auto-fixes after confirmation
clawreins scan --fix

# Apply supported auto-fixes without prompting
clawreins scan --fix --yes

# Compare against the last saved baseline and alert on drift
clawreins scan --monitor

# Compare against the baseline and invoke a notifier when drift is detected
clawreins scan --monitor --alert-command "/path/to/send-openclaw-alert.sh"

Supported auto-fixes:

  • Rebinding gateway host from 0.0.0.0 to 127.0.0.1
  • Tightening config file permissions to 600
  • Injecting a default tools.exec.safeBins allowlist
  • Disabling authBypass / skipAuth / disableAuth style flags

Before any fix is applied, ClawReins creates a timestamped backup in ~/.scan-backup/.

Drift Monitoring

Drift monitoring is opt-in. It is designed for scheduled runs, not enabled by default.

Default monitoring behavior:

  • disabled by default
  • run every 24 hours when scheduled
  • compare against ~/.openclaw/clawreins/scan-state.json
  • alert only on worsened posture: verdict worsening, new WARN, or new FAIL
  • no background auto-fix
  • HTML report still written to ~/Downloads/scan-report.html

Manual run:

clawreins scan --monitor

The first run creates a baseline. Later runs compare the current report against that saved baseline and only alert when posture worsens.

If you want scheduled jobs to notify through your own transport, add --alert-command. This command runs only when drift is detected. ClawReins exports these environment variables to the notifier:

  • CLAWREINS_SCAN_SUMMARY
  • CLAWREINS_SCAN_VERDICT
  • CLAWREINS_SCAN_REPORT_PATH
  • CLAWREINS_SCAN_REPORT_URL
  • CLAWREINS_SCAN_STATE_PATH
  • CLAWREINS_SCAN_WORSENED_CHECKS

That makes it easy to route alerts through:

  • an OpenClaw messaging wrapper
  • a webhook sender
  • email, Slack, Telegram, or WhatsApp bridge scripts

Notifier example:

clawreins scan --monitor \
  --alert-command "$HOME/bin/send-openclaw-alert.sh"

The alert hook is generic on purpose. The scan CLI does not directly call the in-process OpenClaw plugin API from cron or system schedulers, so the notifier command is the bridge if you want alerts to land through OpenClaw-managed messaging.
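
A notifier of this kind, as an added example that is not a script shipped with ClawReins: it reads the CLAWREINS_SCAN_* variables listed above, escapes them into a single-line JSON payload, appends that to an owner-only log, and optionally POSTs it. ALERT_WEBHOOK_URL, ALERT_LOG, the alerts.log path and the JSON field names are assumptions of this example, and each exported value is treated as an opaque, untrusted string.

```shell
#!/bin/sh
# Constructed example of $HOME/bin/send-openclaw-alert.sh (not shipped by ClawReins).
# Assumptions: ALERT_WEBHOOK_URL and ALERT_LOG are hypothetical settings of this
# script; every CLAWREINS_SCAN_* value is handled as an opaque string.

# Escape a value for a JSON string: tabs/CRs become spaces, then \ " and newlines.
json_escape() {
  printf '%s' "$1" | tr '\t\r' '  ' \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }'
}

# Build the alert body from the variables ClawReins exports to the notifier.
build_payload() {
  printf '{"verdict":"%s","summary":"%s","worsened_checks":"%s","report_path":"%s","report_url":"%s"}\n' \
    "$(json_escape "${CLAWREINS_SCAN_VERDICT:-unknown}")" \
    "$(json_escape "${CLAWREINS_SCAN_SUMMARY:-}")" \
    "$(json_escape "${CLAWREINS_SCAN_WORSENED_CHECKS:-}")" \
    "$(json_escape "${CLAWREINS_SCAN_REPORT_PATH:-}")" \
    "$(json_escape "${CLAWREINS_SCAN_REPORT_URL:-}")"
}

# Record the alert locally, then POST it if a webhook is configured.
deliver_alert() {
  umask 077   # the log describes weak configuration; keep it owner-only
  payload=$(build_payload) || return 1
  log="${ALERT_LOG:-$HOME/.openclaw/clawreins/alerts.log}"
  mkdir -p "$(dirname "$log")" || return 1
  # Newlines were escaped above, so one alert is always exactly one log line.
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$payload" >> "$log"
  [ -n "${ALERT_WEBHOOK_URL:-}" ] || return 0
  # Body goes over stdin so scan details never show up in the process list.
  printf '%s' "$payload" | curl --fail --silent --show-error --max-time 10 \
    -H 'Content-Type: application/json' --data-binary @- "$ALERT_WEBHOOK_URL"
}

# Run only when ClawReins invoked us, i.e. the verdict variable is present.
if [ -n "${CLAWREINS_SCAN_VERDICT:-}" ]; then
  deliver_alert
fi
```

A non-zero exit from curl propagates as the script's exit status, so a failed delivery is visible in the scheduler's log rather than silently dropped.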

Scheduled Runs

Recommended operating model:

  • run once per day
  • use --monitor so each run compares against the last saved baseline
  • add --alert-command if you want drift notifications delivered outside the terminal
  • never use --fix in scheduled jobs

What happens on scheduled runs:

  1. The first scheduled run creates the baseline in ~/.openclaw/clawreins/scan-state.json.
  2. Later runs compare the current ScanReport against that saved baseline.
  3. ClawReins alerts only when posture worsens: verdict gets worse, a check changes from PASS to WARN, or a check changes from PASS or WARN to FAIL.
  4. Every run still writes ~/Downloads/scan-report.html so the latest full report is easy to inspect.

Recommended scheduler settings:

  • frequency: every 24 hours
  • stdout/stderr: append to a dedicated log file such as ~/.openclaw/clawreins/scan-monitor.log
  • environment: set HOME and OPENCLAW_HOME explicitly
  • notifier: use --alert-command for OpenClaw wrappers, webhooks, or messaging bridges

Example daily job with drift logging only:

# crontab entries must be on a single line; cron does not support backslash continuation
0 9 * * * /usr/bin/env HOME=$HOME OPENCLAW_HOME=$HOME/.openclaw /usr/local/bin/clawreins scan --monitor >> $HOME/.openclaw/clawreins/scan-monitor.log 2>&1

Example daily job with drift alert delivery:

# crontab entries must be on a single line; cron does not support backslash continuation
0 9 * * * /usr/bin/env HOME=$HOME OPENCLAW_HOME=$HOME/.openclaw /usr/local/bin/clawreins scan --monitor --alert-command "$HOME/bin/send-openclaw-alert.sh" >> $HOME/.openclaw/clawreins/scan-monitor.log 2>&1

If you want the scheduled job to fail loudly for automation, the exit codes stay the same in monitor mode:

  • 0 for SECURE
  • 1 for NEEDS ATTENTION
  • 2 for EXPOSED

That makes scheduled monitoring usable from cron, systemd, CI, or any wrapper that reacts to non-zero exit codes.

Security Checks

| Check | Severity | Detects | Auto-fix |
|------|----------|---------|----------|
| GATEWAY_BINDING | Critical | Gateway listening on 0.0.0.0 or missing localhost binding | Yes |
| API_KEYS_EXPOSURE | Critical | Plaintext API keys, tokens, passwords, or secrets stored directly in config files | No |
| FILE_PERMISSIONS | Critical | Config files readable by group or other users instead of 600 | Yes |
| HTTPS_TLS | Warning | Missing HTTPS/TLS or certificate-related configuration | No |
| SHELL_COMMAND_ALLOWLIST | Critical | Missing safeBins or equivalent shell allowlist / unrestricted shell execution | Yes |
| SENSITIVE_DIRECTORIES | Warning | Agent environment can still reach directories like ~/.ssh, ~/.gnupg, ~/.aws, or /etc/shadow | No |
| WEBHOOK_AUTH | Warning | Webhook endpoints configured without auth tokens or shared secrets | No |
| SANDBOX_ISOLATION | Warning | No Docker or sandbox isolation detected | No |
| DEFAULT_WEAK_CREDENTIALS | Critical | Default, weak, undefined, or missing gateway credentials | No |
| RATE_LIMITING | Warning | No gateway throttling or rate limit configuration | No |
| NODEJS_VERSION | Critical | Node.js versions affected by CVE-2026-21636 permission-model bypass window | No |
| CONTROL_UI_AUTH | Critical | Control UI authentication bypass flags enabled | Yes |
| BROWSER_UNSANDBOXED | Critical | Browser skill config missing headless: true or sandbox: true protection | No |

Exit codes:

  • 0 = SECURE
  • 1 = NEEDS ATTENTION
  • 2 = EXPOSED

Why?

OpenClaw can execute shell commands, modify files, and access your APIs. OS-level isolation (containers, VMs) protects your host machine, but it doesn't protect the services your agent has access to.

ClawReins solves this by hooking into OpenClaw's before_tool_call plugin event. Before any dangerous action executes (writes, deletes, shell commands, API calls), the agent pauses and waits for your decision. In a terminal, you get an interactive prompt. On messaging channels (WhatsApp, Telegram), the agent asks for YES/NO/ALLOW or, for irreversible actions, an explicit CONFIRM token via a dedicated clawreins_respond tool. Every choice is logged to an immutable audit trail. Think of it as sudo for your AI agent: nothing happens without your explicit permission.

Features

  • Prevent: Stop destructive actions before execution, score irreversibility, detect risky browser state, and harden tool rollout with ToolShield-aligned guardrails.
  • Pause: Route high-impact actions through terminal or messaging approva