
OpenClaw Plugin — DefenseClaw

OpenClaw Plugin

The DefenseClaw OpenClaw plugin adds an automatic security layer inside OpenClaw. It intercepts tool calls, provides slash commands for on-demand scanning and enforcement, and connects to the DefenseClaw gateway sidecar for real-time threat detection.


How It Works

The plugin registers a before_tool_call hook with OpenClaw. Every time OpenClaw is about to execute a tool, the plugin:

  1. Sends the tool name and arguments to the gateway sidecar (POST /api/v1/inspect/tool)
  2. Receives a verdict: allow, block, or warn
  3. In action mode, blocks the tool call if the verdict is block
  4. In observe mode, logs the verdict without blocking
  5. For message tools, additionally inspects outbound content for data exfiltration
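
The verdict handling in steps 1 to 4, sketched in TypeScript as an added example (not DefenseClaw's own source). The request field names `tool` and `args`, the helper names, and blocking on a malformed sidecar reply in action mode are assumptions of this sketch; only the endpoint, the default port, the three verdicts and the two modes come from this page.

```typescript
// Added example, not DefenseClaw source. Field names "tool"/"args" and the
// fail-closed handling of malformed replies are assumptions of this sketch.
type Mode = "observe" | "action";
type Verdict = "allow" | "block" | "warn";
type Parsed = Verdict | "invalid";

interface PluginConfig { sidecarPort: number; mode: Mode; }
interface Decision { proceed: boolean; verdict: Parsed; log: string; }

const VERDICTS: readonly string[] = ["allow", "block", "warn"];

// Step 1: build the inspection request for the loopback sidecar.
function buildInspectRequest(cfg: PluginConfig, tool: string, args: unknown) {
  return {
    method: "POST",
    url: `http://127.0.0.1:${cfg.sidecarPort}/api/v1/inspect/tool`,
    body: JSON.stringify({ tool, args }),
  };
}

// Step 2: accept only the three documented verdicts; anything else is "invalid".
function parseVerdict(rawBody: string): Parsed {
  let parsed: unknown;
  try { parsed = JSON.parse(rawBody); } catch { return "invalid"; }
  if (typeof parsed !== "object" || parsed === null) return "invalid";
  const v = (parsed as { verdict?: unknown }).verdict;
  return typeof v === "string" && VERDICTS.indexOf(v) !== -1 ? (v as Verdict) : "invalid";
}

// Steps 3 and 4: action mode stops the call, observe mode only records it.
function enforce(cfg: PluginConfig, tool: string, verdict: Parsed): Decision {
  // Assumption: an unparseable reply is treated like "block".
  const wouldBlock = verdict === "block" || verdict === "invalid";
  const proceed = cfg.mode === "observe" || !wouldBlock;
  const action = proceed ? (wouldBlock ? "would-block" : "proceed") : "blocked";
  const log = `defenseclaw mode=${cfg.mode} tool=${tool} verdict=${verdict} action=${action}`;
  return { proceed, verdict, log };
}

// Constructed sample: one tool call and one sidecar reply.
const sampleCfg: PluginConfig = { sidecarPort: 18790, mode: "action" };
const sampleRequest = buildInspectRequest(sampleCfg, "shell", { command: "ls -la /tmp" });
const sampleDecision = enforce(sampleCfg, "shell", parseVerdict('{"verdict":"block"}'));
```

In observe mode the same `block` reply yields `proceed: true` with `action=would-block` in the log line, which is the record to review before switching `mode` to `action`.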

Installation

From Source

# Build the plugin
make plugin

# Install to OpenClaw extensions directory
make plugin-install

This copies the built plugin to ~/.openclaw/extensions/defenseclaw/.

Manual Installation

cp -r extensions/defenseclaw/dist ~/.openclaw/extensions/defenseclaw

Configuration

The plugin is configured via openclaw.plugin.json:

Setting      Type     Default    Description
sidecarPort  integer  18790      Port for the DefenseClaw gateway sidecar REST API
mode         string   "observe"  observe (log only) or action (block threats)

The plugin is enabled by default (enabledByDefault: true). It connects to the gateway sidecar on http://127.0.0.1:<sidecarPort>.


Slash Commands

The plugin adds three slash commands to OpenClaw:

/scan

Trigger a security scan from within OpenClaw:

  • /scan skill <name> — Scan a skill using the full skill-scanner suite
  • /scan plugin <name> — Scan a plugin using the in-process scanner
  • /scan mcp <url> — Scan an MCP server
  • /scan code <path> — Scan source code via the sidecar CodeGuard engine

/block

Block a skill, plugin, MCP server, or tool:

  • /block skill <name> — Add to skill block list
  • /block tool <name> — Block a specific tool

/allow

Allow a trusted item (skip scan gate):

  • /allow skill <name> — Add to skill allow list
  • /allow tool <name> — Allow a specific tool

In-Process Scanners

The plugin includes built-in scanners for immediate, local analysis:

Scanner         Targets                       Detection Method
MCP Scanner     MCP server tool descriptions  YARA patterns, LLM analysis
Plugin Scanner  OpenClaw plugin definitions   Behavioral rules, YARA patterns, attack chain analysis

These run directly in the plugin process without needing external Python scanners. For skill and code scanning, the plugin delegates to the DefenseClaw CLI and gateway sidecar respectively.


Architecture

┌──────────────┐     ┌──────────────────────┐     ┌──────────────────┐
│   OpenClaw    │     │  DefenseClaw Plugin   │     │  Gateway Sidecar  │
│   Agent       │     │  (TypeScript)         │     │  (Go)             │
└──────┬───────┘     └──────────┬───────────┘     └────────┬─────────┘
       │                        │                           │
       │  before_tool_call      │                           │
       ├───────────────────────►│                           │
       │                        │  POST /api/v1/inspect/tool│
       │                        ├──────────────────────────►│
       │                        │                           │
       │                        │  { verdict: "allow" }     │
       │                        │◄──────────────────────────┤
       │                        │                           │
       │  proceed / block       │                           │
       │◄───────────────────────┤                           │