OpenClaw integration

How DefenseClaw integrates with OpenClaw end-to-end — fetch interceptor, before_tool_call hook, correlation headers, plugin-mediated HITL approvals, and the audit loop.

OpenClaw is the connector DefenseClaw was designed against. It is also the only connector that ships a first-party plugin in the same repository (extensions/defenseclaw/). That plugin owns the OpenClaw-side wiring; the gateway and CLI own everything else.

Plugin install + first guardrail. The DefenseClaw plugin loads inside OpenClaw, the gateway picks up the correlation header, and policy decisions stream back through the chat UI.

Components

DefenseClaw plugin

TypeScript plugin under extensions/defenseclaw/. Hooks into OpenClaw's fetch interceptor and before_tool_call lifecycle.

defenseclaw-gateway

Go sidecar. Receives plugin requests, evaluates policy, returns verdicts, and writes the audit row.

DefenseClaw CLI

Python operator surface. Runs setup and exposes the TUI for audit, alerts, logs, and inventory.

Protocol compatibility

The DefenseClaw gateway client speaks the OpenClaw WebSocket handshake across the protocol v3-v4 range. During connect it sends minProtocol: 3 and maxProtocol: 4; OpenClaw returns the negotiated hello-ok protocol plus the supported method and event feature sets. That keeps current OpenClaw protocol v4 installs compatible while preserving the v3 challenge-response device flow for older OpenClaw endpoints.

End-to-end flow

  1. 01User OpenClaw

    prompt

  2. 02OpenClaw Plugin

    fetch (LLM request)

  3. 03Plugin Gateway

    POST /v1/inspect + correlation ID

  4. 04Gateway Plugin

    allow / block / pause

  5. 05Plugin OpenClaw

    publish approval prompt (when paused)

  6. 06OpenClaw Operator

    approval request in chat

  7. 07Operator OpenClaw

    approve / deny

  8. 08OpenClaw Plugin

    approval response

  9. 09Plugin Gateway

    resolve approval

  10. 10Gateway Plugin

    resolved verdict

  11. 11Plugin OpenClaw

    forward (or reject)

  12. 12OpenClaw Plugin

    before_tool_call(name, args)

  13. 13Plugin Gateway

    POST /v1/tool/inspect

  14. 14Gateway Plugin

    verdict

  15. 15Plugin OpenClaw

    allow / block

  16. 16OpenClaw User

    response

Three interception points let DefenseClaw inspect every interesting moment in OpenClaw's lifecycle and surface HITL approvals back through the chat origin. Plugin is the bundled DefenseClaw plugin; Gateway is defenseclaw-gateway; Operator is the DefenseClaw TUI.

Correlation headers

Every plugin → gateway request carries X-DefenseClaw-Correlation-Id so the audit log can stitch a tool call back to the prompt that triggered it. The plugin generates one ID per OpenClaw turn; the gateway re-uses it for every downstream verdict.

HITL: the only connector with plugin-mediated approval

OpenClaw provides a native, plugin-mediated approval flow in its chat origin, so the operator approves or denies without leaving OpenClaw. Other native-ask connectors use their own host hook UI instead of this plugin path.

Connectors and hook events without native ask apply their documented alert/allow/context fallback. Their events remain visible in audit and defenseclaw tui, but the TUI cannot resume the original call. See the HITL page for the per-connector matrix.

Files DefenseClaw owns inside the OpenClaw tree

openclaw.json (allow + load entries for the DefenseClaw plugin)

DefenseClaw never touches anything outside extensions/defenseclaw/ and the allow / load arrays in openclaw.json. Backups are byte-for-byte; teardown either restores the file or surgically removes only DefenseClaw entries when the file has drifted.

When this is the right connector

Pick OpenClaw when:

  • You want the strongest enforcement contract: proxy-mode interception, sandbox subprocess policy, native ask + plugin-mediated approval.
  • You're already running OpenClaw or are open to switching from Codex / Claude Code for security-critical workflows.
  • You need fail-closed behaviour on transport failures.

If you're not running OpenClaw, the Claude Code connector is the closest hook-only equivalent and supports native ask on PreToolUse.