Features
Six pillars of protection for AI agent deployments.
Scanning
Scan every skill, MCP server, plugin, and code artifact before it runs. DefenseClaw wraps Cisco AI Defense open-source scanners and adds built-in static analysis engines.
Skill Scanning
Uses the Cisco Skill Scanner (GitHub) with configurable analyzers:
- Static analysis — YAML structure validation and YARA pattern matching
- Behavioral analysis — Python AST dataflow analysis with taint tracking
- LLM semantic analysis — AI-driven intent analysis with optional consensus mode
- Meta-analyzer — Cross-correlates findings from all engines to filter false positives
- VirusTotal — Hash-based binary scanning
- Cisco AI Defense — Cloud-based threat classification
```bash
defenseclaw skill scan web-search
defenseclaw skill scan all
```
MCP Server Scanning
Uses the Cisco MCP Scanner (GitHub):
- YARA pattern matching — Signature-based detection of known malicious patterns
- LLM analysis — Semantic analysis of tool descriptions
- Cisco AI Defense — Cloud-based threat classification
```bash
defenseclaw mcp scan github-mcp
```
Plugin Scanning
Scans OpenClaw plugins with both in-process and external scanners:
```bash
defenseclaw plugin scan code-review
```
Code Scanning (CodeGuard / ClawShield)
Built-in static analysis engines that scan source code without external dependencies:
| Engine | What it detects |
|---|---|
| clawshield-secrets | AWS keys, Stripe keys, GitHub tokens, JWTs, PEM private keys, connection strings |
| clawshield-pii | Email addresses, phone numbers, SSNs, credit card numbers |
| clawshield-vuln | Dangerous exec patterns, command injection, unsafe deserialization |
| clawshield-malware | Known malicious code patterns |
| clawshield-injection | SQL injection, shell injection, path traversal |
```bash
defenseclaw-gateway scan code ./src
```
Real-Time Tool Inspection
The gateway sidecar inspects every tool call in real-time as OpenClaw executes:
- Scans tool arguments for secrets, credentials, and dangerous patterns
- Blocks tool calls that match high-severity rules (in action mode)
- Logs all inspections to the audit store
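The observe/action distinction above is easiest to see in code. The following is an added example written for this page, not DefenseClaw's own inspector: a small argument scanner whose rule patterns are illustrative (not the clawshield-secrets rule set) and whose `Inspect` signature is assumed; the constructed tool call uses AWS's published documentation example key, not a live credential.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule is one argument-inspection pattern. These are illustrative patterns
// written for this example, not the clawshield-secrets rule set.
type Rule struct {
	Name     string
	Severity string
	Re       *regexp.Regexp
}

var Rules = []Rule{
	{"aws-access-key-id", "HIGH", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-token", "HIGH", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"pem-private-key", "CRITICAL", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	{"jwt", "MEDIUM", regexp.MustCompile(`\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+`)},
}

// Finding is one audit record: which rule hit which argument of which tool.
type Finding struct{ Tool, Arg, Rule, Severity string }

// Inspect scans every argument of a tool call. It always returns the findings
// (what gets logged to the audit store); it reports blocked=true only in
// "action" mode and only for HIGH or CRITICAL hits, matching the modes above.
func Inspect(mode, tool string, args map[string]string) (blocked bool, findings []Finding) {
	for arg, val := range args {
		for _, r := range Rules {
			if r.Re.MatchString(val) {
				findings = append(findings, Finding{tool, arg, r.Name, r.Severity})
				if mode == "action" && (r.Severity == "HIGH" || r.Severity == "CRITICAL") {
					blocked = true
				}
			}
		}
	}
	return blocked, findings
}

func main() {
	// Constructed tool call; the key is AWS's documentation example, not a live credential.
	args := map[string]string{"env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE"}
	blocked, findings := Inspect("action", "shell", args)
	fmt.Println(blocked, findings) // true, one HIGH finding on the "env" argument
}
```

Running the same call with mode "observe" yields the identical finding but blocked=false, which is what makes observe mode safe for rollout before switching to action.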
AI Bill of Materials (AIBOM)
Generate a comprehensive, live inventory of your entire AI deployment. Unlike the external AI BOM package, this is a built-in feature that queries OpenClaw directly.
```bash
# Full inventory
defenseclaw aibom scan
# Summary table only
defenseclaw aibom scan --summary
# Specific categories
defenseclaw aibom scan --only skills,plugins,mcp
# Machine-readable output
defenseclaw aibom scan --json
```
AIBOM scans seven categories by running OpenClaw commands in parallel:
| Category | What it discovers |
|---|---|
| skills | All installed skills with eligibility, enable status, missing binaries/env |
| plugins | Plugin ID, version, origin, enabled state, exposed tools, hooks, services |
| mcp | MCP server transport, commands, URLs, environment variable keys |
| agents | Agent configurations and defaults |
| tools | Deduplicated tool names with source tracking (e.g., plugin:defenseclaw) |
| models | Model providers, auth status, available models |
| memory | Per-agent memory backend, file counts, FTS/vector status, database paths |
Enforcement
Operator-managed block and allow lists with quarantine, disable, and policy-driven admission control.
Block and Allow Lists
Manage lists for skills, MCP servers, plugins, and individual tools:
```bash
# Block a risky skill
defenseclaw skill block untrusted-skill --reason "data exfiltration detected"
# Allow a trusted MCP server (skips scanning)
defenseclaw mcp allow github-mcp
# Block a dangerous tool
defenseclaw tool block delete_file --reason "destructive operation"
# View current lists
defenseclaw tool list
```
Quarantine and Restore
Move risky skills or plugins to a secure quarantine directory, preventing execution:
```bash
defenseclaw skill quarantine malicious-skill
defenseclaw skill restore malicious-skill
```
Disable and Enable
Disable skills or plugins at runtime via the gateway sidecar (requires running sidecar):
```bash
defenseclaw skill disable risky-skill --reason "under investigation"
defenseclaw skill enable risky-skill
defenseclaw plugin disable suspicious-plugin --reason "review pending"
defenseclaw plugin enable suspicious-plugin
```
Skill and Plugin Registry
Install skills from the clawhub registry, npm, or direct URLs with automatic admission gate enforcement:
```bash
# Install from clawhub registry
defenseclaw skill install web-search
# Search the registry
defenseclaw skill search "file management"
# Install a plugin from npm
defenseclaw plugin install @anthropic/code-review
# Install from a URL
defenseclaw plugin install https://example.com/plugin.tar.gz
```
Source detection is automatic: local paths, npm packages, clawhub:// URIs, and HTTP URLs are all supported.
File System Watcher
The gateway sidecar monitors skill and plugin directories for changes and automatically scans new or modified items:
- Auto-scan — New skills/plugins are scanned on detection
- Configurable directories — Watch custom skill and plugin paths
- Debounce — Configurable debounce interval to avoid scanning during rapid file changes
Admission Gate
Every install passes through the admission gate automatically:
- Block list check — Instant rejection for blocked items
- Allow list check — Skip scanning for trusted items (still logged)
- Scan — Run all configured scanners
- Enforce — Block HIGH/CRITICAL, warn on MEDIUM/LOW, install CLEAN
Policy Engine
Rego-based policy evaluation across six domains with three built-in templates.
Policy Templates
| Template | Behavior |
|---|---|
| default | Balanced — blocks HIGH/CRITICAL, warns on MEDIUM/LOW, allow-list bypass enabled |
| strict | Maximum security — blocks MEDIUM and above, no allow-list bypass |
| permissive | Minimal friction — blocks CRITICAL only, all others install with warnings |
```bash
# List available policies
defenseclaw policy list
# Activate a policy
defenseclaw policy activate strict
# Create a custom policy
defenseclaw policy create my-policy
```
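To make the Admission Gate steps and the three template rows concrete, here is an added example (not DefenseClaw's gateway code) that encodes the block-list, allow-list, scan and enforce steps as one decision function; the `scan` callback and the `Admit` signature are assumptions for the example, and the dry run in `main` mirrors the page's `policy evaluate --target-name web-search --severity HIGH` command under the default template.

```go
package main

import "fmt"

// Severity levels, ordered so that templates can compare them.
type Severity int

const (
	Clean Severity = iota
	Low
	Medium
	High
	Critical
)

// Template captures one built-in policy template from the table above.
type Template struct {
	BlockAtOrAbove  Severity // lowest severity that is blocked
	AllowListBypass bool     // may allow-listed items skip scanning?
}
var Templates = map[string]Template{
	"default":    {High, true},
	"strict":     {Medium, false},
	"permissive": {Critical, true},
}
// Admit runs the gate steps in order (block list, allow list, scan, enforce)
// and returns the action ("block", "warn" or "install") plus an audit reason.
// scan stands in for the configured scanners and returns the worst severity
// found; this callback shape is assumed for the example, not DefenseClaw's API.
func Admit(t Template, target string, blocked, allowed map[string]bool, scan func(string) Severity) (string, string) {
	if blocked[target] {
		return "block", "target is on the block list"
	}
	if allowed[target] && t.AllowListBypass {
		return "install", "allow-listed: scan skipped (still logged)"
	}
	sev := scan(target)
	switch {
	case sev >= t.BlockAtOrAbove:
		return "block", fmt.Sprintf("severity %d >= block threshold %d", sev, t.BlockAtOrAbove)
	case sev > Clean:
		return "warn", "installed with warnings"
	default:
		return "install", "scan clean"
	}
}

func main() {
	// Constructed dry run: a HIGH finding on web-search under the default template.
	fmt.Println(Admit(Templates["default"], "web-search", nil, nil, func(string) Severity { return High }))
}
```

Note the strict row in practice: an allow-listed item is still scanned and still blocked on a MEDIUM finding, because that template disables allow-list bypass.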
Rego Evaluation Domains
| Domain | What it evaluates |
|---|---|
| admission | Install/block/allow decisions based on scan severity |
| audit | Which events get logged and at what level |
| sandbox | OpenShell sandbox policy generation |
| guardrail | LLM content inspection thresholds |
| skill_actions | Per-severity enforcement actions (quarantine, disable, block) |
```bash
# Validate policy syntax
defenseclaw policy validate
# Dry-run admission evaluation
defenseclaw-gateway policy evaluate --target-type skill --target-name web-search --severity HIGH
# Hot-reload policies (no restart)
defenseclaw-gateway policy reload
```
Policy Editing
Fine-tune active policy sections interactively:
```bash
defenseclaw policy edit actions    # Severity-to-action mappings
defenseclaw policy edit scanner    # Per-scanner action overrides
defenseclaw policy edit guardrail  # Guardrail thresholds and patterns
```
LLM Guardrail
Intercepts all traffic between OpenClaw and LLM providers using a LiteLLM proxy with a custom guardrail module.
What It Scans
- Prompts (pre-call) — Injection attacks, secret leakage, exfiltration patterns
- Responses (post-call) — Leaked secrets, harmful content, policy violations
- Tool calls (during-call) — Dangerous tool invocations in assistant responses
Modes
| Mode | Behavior |
|---|---|
| observe | Log all findings but never block. Default for safe rollout. |
| action | Actively block flagged prompts and responses before they reach the LLM or the agent. |
```bash
# Set up guardrail interactively
defenseclaw setup guardrail
# Switch to action mode
defenseclaw setup guardrail --mode action --restart
# Disable guardrail
defenseclaw setup guardrail --disable --restart
```
Detection Engines
| Engine | Scope | Requirements |
|---|---|---|
| Pattern matching | Injection, secrets, exfiltration patterns | None (local) |
| Cisco AI Defense | Cloud-based threat classification | API key |
Gateway Sidecar
A Go binary that bridges OpenClaw and DefenseClaw, providing real-time security enforcement and a REST API.
Key Capabilities
- WebSocket bridge to the OpenClaw gateway for real-time event routing
- REST API with 30+ endpoints for scanning, enforcement, inspection, audit, and policy
- Device identity using Ed25519 key pairs with cryptographic challenge signing
- Tool call interception with configurable block/allow behavior
- LiteLLM process management for the guardrail proxy
Daemon Management
```bash
defenseclaw-gateway start    # Start as background daemon
defenseclaw-gateway stop     # Stop the daemon
defenseclaw-gateway restart  # Restart
defenseclaw-gateway status   # Check health of all subsystems
```
Audit and Observability
Every action, scan result, and enforcement decision is recorded with a durable audit trail.
SQLite Audit Store
All events are stored locally in ~/.defenseclaw/audit.db:
- Audit events (install, block, allow, quarantine, scan, alert)
- Scan results with individual findings
- Enforcement actions and their reasons
```bash
# View recent alerts
defenseclaw alerts
# View more
defenseclaw alerts -n 50
# Full environment and activity summary
defenseclaw status
```
Splunk Integration
Two independent pipelines for Splunk integration:
Splunk Observability Cloud (--o11y) — exports traces, metrics, and logs via OTLP to Splunk's cloud ingest endpoints. No local infrastructure needed.
```bash
defenseclaw setup splunk --o11y
```
Local Splunk Enterprise (--logs) — spins up a Splunk container via Docker Compose with pre-configured dashboards and HEC endpoints. Forwards audit events via HEC (HTTP Event Collector) in batch and real-time modes.
```bash
defenseclaw setup splunk --logs
```
Both pipelines can run simultaneously — events are dual-exported when both splunk.enabled and otel.enabled are true.
OpenTelemetry
Export structured telemetry to any OTLP-compatible backend (Splunk Observability, Datadog, Grafana, etc.).
Four signal categories:
| Signal | OTEL Type | What it captures |
|---|---|---|
| Asset lifecycle | Logs | Install, block, allow, quarantine, restore, enable, disable events |
| Scan results | Logs + Metrics | Scan summaries, individual findings, severity counters |
| Runtime events | Traces (Spans) | Tool calls, LLM calls, exec approvals with parent-child relationships |
| Runtime alerts | Logs | Dangerous commands, guardrail blocks, prompt injection detections |
All signals use the defenseclaw.* attribute namespace. LLM-related attributes follow the OTEL GenAI semantic conventions (gen_ai.*).
Key metrics exported:
| Metric | Type | Description |
|---|---|---|
| defenseclaw.scan.count | Counter | Scans by scanner, target type, and verdict |
| defenseclaw.scan.findings | Counter | Findings by scanner, target type, and severity |
| defenseclaw.tool.calls | Counter | Tool calls by name, provider, and dangerous flag |
| defenseclaw.alert.count | Counter | Alerts by type, severity, and source |
| defenseclaw.guardrail.evaluations | Counter | Guardrail evaluations by scanner and action taken |
| defenseclaw.llm.tokens | Counter | Token usage by provider and type (prompt/completion) |
Configuration — add to ~/.defenseclaw/config.yaml:
```yaml
otel:
  enabled: true
  protocol: "grpc"
  endpoint: "https://ingest.us1.signalfx.com"
  headers:
    "X-SF-TOKEN": "${SPLUNK_ACCESS_TOKEN}"
  traces:
    enabled: true
  logs:
    enabled: true
    emit_individual_findings: false
  metrics:
    enabled: true
    export_interval_s: 60
```
Or use defenseclaw setup splunk --o11y to configure interactively.