Installation
Prerequisites
| Dependency | Version | Notes |
|---|---|---|
| Go | 1.25+ | For building the gateway sidecar |
| Python | 3.10–3.13 | For the CLI and scanner dependencies |
| uv | Latest | Python package manager (install) |
| Node.js | 18+ | For building the OpenClaw plugin (optional) |
| Git | Any | For cloning the repository |
| OpenClaw | Latest | The AI agent framework DefenseClaw governs |
| Docker | Latest | Only required for setup splunk --logs (local Splunk Enterprise container) |
Quick Install
curl -fsSL https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash
defenseclaw init --enable-guardrail
Pass --yes to skip confirmation prompts. Pin a specific release with:
VERSION=0.2.0 curl -fsSL https://raw.githubusercontent.com/cisco-ai-defense/defenseclaw/main/scripts/install.sh | bash
defenseclaw init --enable-guardrail
Build from Source
Use this if you want to build from source or contribute:
git clone https://github.com/cisco-ai-defense/defenseclaw.git
cd defenseclaw
make build
source .venv/bin/activate
defenseclaw init --enable-guardrail
This compiles all three components in-place:
| Component | Command | Output |
|---|---|---|
| Python CLI | make pycli | defenseclaw in .venv/bin/ |
| Go gateway | make gateway | defenseclaw-gateway binary in repo root |
| OpenClaw plugin | make plugin | extensions/defenseclaw/dist/ |
To install to system paths instead:
make install
What make install does | Destination |
|---|---|
Builds Python CLI into .venv | .venv/bin/defenseclaw (activate with source .venv/bin/activate) |
| Builds and copies Go gateway | ~/.local/bin/defenseclaw-gateway |
| Builds and copies OpenClaw plugin | ~/.defenseclaw/extensions/defenseclaw/ (also syncs to ~/.openclaw/extensions/ if present) |
Pre-built Artifacts
Build distributable packages for all platforms:
make dist
This produces a Python wheel, cross-compiled gateway binaries (linux/darwin x amd64/arm64), a plugin tarball, and a checksums file under dist/. Install from these artifacts on any machine:
./scripts/install.sh --local dist/
Initialize DefenseClaw
After installing, initialize DefenseClaw:
defenseclaw init
This creates the ~/.defenseclaw/ directory with default config, seeds policy templates, and installs scanner dependencies (Skill Scanner, MCP Scanner) via uv. The AI BOM inventory feature is built-in and does not require a separate package.
Flags:
| Flag | Description |
|---|---|
--skip-install | Skip automatic scanner dependency installation |
--enable-guardrail | Also configure and enable the LLM guardrail |
Configure Scanners and Services
After init, configure individual components with setup subcommands:
# Configure skill-scanner analyzers and API keys
defenseclaw setup skill-scanner
# Configure MCP scanner
defenseclaw setup mcp-scanner
# Configure the gateway sidecar connection
defenseclaw setup gateway
# Configure LLM guardrail (LiteLLM proxy)
defenseclaw setup guardrail
# Configure Splunk HEC / OTLP integration
defenseclaw setup splunk
Each command runs an interactive wizard. For CI/CD environments, pass --non-interactive with flags.
Verify Installation
defenseclaw doctor
Checks connectivity and credentials for all configured services: sidecar health, LiteLLM proxy, Cisco AI Defense API, Splunk HEC, and scanner availability. For machine-readable output:
defenseclaw doctor --json