Overview
This walkthrough is the shortest sequence of commands that takes DefenseClaw from zero to a state where every LLM call made through OpenClaw is inspected, skills and MCP servers are scanned when they load, and audit events land in your SIEM. Every step below links to a dedicated page with the flag reference, the artifacts the step generates, how to verify it, and how to roll it back.
The 10-step happy path
Every step is idempotent — re-running is safe; objects that are already in place are reported as "preserved" rather than overwritten.
Step-by-step
| # | Command | What it does | Page |
|---|---|---|---|
| 1 | defenseclaw init | Creates ~/.defenseclaw/, seeds policies, initializes SQLite audit DB, generates the Ed25519 device key, writes default config | init |
| 2 | defenseclaw setup skill-scanner | Verifies the skill_scanner Python SDK is importable, applies scanner defaults | skill-scanner |
| 3 | defenseclaw setup mcp-scanner | Verifies the mcpscanner SDK (needs Python ≥ 3.11), configures default analyzers | mcp-scanner |
| 4 | defenseclaw setup provider add --name ... | Adds internal/self-hosted LLM domains to the passthrough allow-list (only if you run one) | provider |
| 5 | defenseclaw setup guardrail | Installs the OpenClaw plugin, patches ~/.openclaw/openclaw.json to route LLM traffic through the guardrail on 4000 | guardrail |
| 6 | defenseclaw-gateway start | Spawns the Go sidecar as a background daemon, binds REST on 18970 and guardrail on 4000 | gateway |
| 7 | defenseclaw keys fill-missing | Prompts for every REQUIRED-but-unset credential, persists to ~/.defenseclaw/.env at mode 0600 | provider keys |
| 8 | defenseclaw setup observability add <preset> | Attaches Splunk O11y, HEC, Datadog, Honeycomb, New Relic, Grafana Cloud, or a generic OTLP/HTTP sink | observability / Splunk |
| 9 | defenseclaw setup webhook add slack | Adds a chat/incident webhook (Slack, PagerDuty, Webex, or generic HMAC) | webhook |
| 10 | defenseclaw doctor | End-to-end preflight: binary paths, config, plugin presence, OpenClaw wiring, key resolution | doctor |
Zero-prompt alternative
For CI and first-run automation use defenseclaw quickstart, which runs steps 1, 5, and 6 non-interactively with mode=observe, scanner=local, and no judge, then prints a summary of which REQUIRED API keys are still missing. The remaining steps (scanners, providers, keys, sinks, webhooks, doctor) are left for you to run afterwards. quickstart is the same code path invoked by make all and by the curl | bash installer after install.
Verify everything is wired
defenseclaw status
defenseclaw doctor
curl -s http://127.0.0.1:18970/health | jq .
status prints the sidecar PID, guardrail mode, scanner mode, and active sinks. doctor exercises every external dependency (OpenClaw config, plugin, device key, sink tokens) and exits non-zero when any check fails, so it can gate a CI pipeline directly.
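A post-install check that complements the three commands above, as an added example that is not part of the DefenseClaw project. It verifies two properties the walkthrough states but which the documented output of status and doctor does not cover: that ~/.defenseclaw/.env (step 7) really is mode 0600, and that the two ports from steps 5 and 6 (18970 and 4000) are only listening on loopback. The loopback requirement is an assumption of this example, not something the page states, and the ss output embedded in the block is constructed, not captured from a real host.

```bash
#!/usr/bin/env bash
# Post-install checks for a DefenseClaw host. Added example: not part of the
# DefenseClaw project. It relies only on what the walkthrough states (credentials in
# ~/.defenseclaw/.env at mode 0600, REST on 18970, guardrail on 4000, health at
# http://127.0.0.1:18970/health) plus one ASSUMPTION: both listeners should be bound
# to loopback only, since nothing in a single-host setup needs them on the network.
set -u

# Succeed only if $1 exists with mode exactly 0600. Handles GNU and BSD stat.
# Catches the classic slip of a credential file restored or checked in at 0644.
check_secret_mode() {
  local f=$1 mode
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%OLp' "$f" 2>/dev/null) || return 1
  [ "$mode" = "600" ] || { echo "$f is mode $mode, expected 600" >&2; return 1; }
}

# Read `ss -ltnH` output on stdin; succeed only if at least one socket listens on
# port $1 and every such socket is bound to 127.0.0.1 or [::1]. A guardrail exposed on
# 0.0.0.0 or * lets any network peer relay LLM traffic through your provider keys.
check_loopback_only() {
  local port=$1 local_addr host found=0
  while read -r _ _ _ local_addr _; do
    [ -n "$local_addr" ] || continue
    [ "${local_addr##*:}" = "$port" ] || continue
    found=1
    host=${local_addr%:*}
    case "$host" in
      127.0.0.1|'[::1]') ;;
      *) echo "port $port bound to $host, expected loopback" >&2; return 1 ;;
    esac
  done
  [ "$found" = 1 ] || { echo "nothing listening on port $port" >&2; return 1; }
}

# Constructed sample of `ss -ltnH` output (not captured from a real host): REST is
# correctly on loopback, but the guardrail has been exposed on all interfaces.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:18970 0.0.0.0:* users:(("sidecar",pid=4242,fd=7))
LISTEN 0 4096 0.0.0.0:4000 0.0.0.0:* users:(("sidecar",pid=4242,fd=8))'

# Run all checks against the live host; exit status is non-zero if anything fails,
# so this can sit next to `defenseclaw doctor` in a CI gate.
main() {
  local rc=0 listeners p
  check_secret_mode "$HOME/.defenseclaw/.env" || rc=1
  if listeners=$(ss -ltnH 2>/dev/null); then
    for p in 18970 4000; do
      printf '%s\n' "$listeners" | check_loopback_only "$p" || rc=1
    done
  else
    echo "ss not available; skipping listener check" >&2; rc=1
  fi
  curl -fsS -o /dev/null http://127.0.0.1:18970/health \
    || { echo "health endpoint not answering" >&2; rc=1; }
  return "$rc"
}

# Usage: bash postcheck.sh run   (the "run" guard keeps the functions sourceable)
if [ "${1:-}" = "run" ]; then main; fi
```

Against the constructed sample, check_loopback_only passes for 18970 and fails for 4000, which is exactly the misconfiguration a default health check would miss: the endpoint answers, so curl is happy, while the guardrail is reachable from the whole subnet.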