The claw strikes back.
At the boundary between intent and action,
it watches what leaves, what changes, what leaks.
Not "visibility." Not “telemetry.” Not "vibes." Logs are stories—proof is a signature.
If the tale diverges, the receipt won't sign.
Fail closed. Sign the truth.
Docs · TypeScript · Python · OpenClaw · Examples
Alpha software — APIs and import paths may change between releases. See GitHub Releases and the package registries (crates.io / npm / PyPI) for published versions.
Clawdstrike provides runtime security enforcement for agents, designed for developers building EDR solutions and security infrastructure on top of OpenClaw.
Guards — Block sensitive paths, control network egress, detect secrets, validate patches, restrict tools, catch jailbreaks
Receipts — Ed25519-signed attestations proving what was decided, under which policy, with what evidence
Multi-language — Rust, TypeScript, Python, WebAssembly
Multi-framework — OpenClaw, Vercel AI, LangChain, Claude Code, and more
cargo install --path crates/services/hush-cli
clawdstrike policy list
clawdstrike check --action-type file --ruleset strict ~/.ssh/id_rsaimport { Clawdstrike } from "@clawdstrike/sdk";
// Simple: use built-in strict rules (fail-closed)
const cs = Clawdstrike.withDefaults("strict");
// Check an action
const decision = await cs.checkFile("~/.ssh/id_rsa", "read");
if (decision.status === "deny") {
throw new Error(`Blocked: ${decision.message}`);
}
// Or use sessions for stateful tracking
const session = cs.session({ agentId: "my-agent" });
const result = await session.check("file_access", { path: "~/.ssh/id_rsa" });
console.log(session.getSummary()); // { checkCount, denyCount, ... }For framework integrations, use the interceptor pattern:
import { Clawdstrike } from "@clawdstrike/sdk";
const cs = Clawdstrike.withDefaults("strict");
const interceptor = cs.createInterceptor();
const session = cs.session({ sessionId: "session-123" });
const preflight = await interceptor.beforeExecute("bash", { cmd: "echo hello" }, session);
if (!preflight.proceed) throw new Error("Blocked by policy");See packages/adapters/clawdstrike-openclaw/docs/getting-started.md.
| Feature | Description |
|---|---|
| 7 Built-in Guards | Path, egress, secrets, patches, tools, prompt injection, jailbreak |
| 4-Layer Jailbreak Detection | Heuristic + statistical + ML + optional LLM-as-judge with session aggregation |
| Output Sanitization | Redact secrets, PII, internal data from LLM output with streaming support |
| Prompt Watermarking | Embed signed provenance markers for attribution and forensics |
| Fail-Closed Design | Invalid policies reject at load time; errors deny access |
| Signed Receipts | Tamper-evident audit trail with Ed25519 signatures |
Guard checks add <0.05ms overhead per tool call. For context, typical LLM API calls take 500-2000ms.
| Operation | Latency | % of LLM call |
|---|---|---|
| Single guard check | <0.001ms | <0.0001% |
| Full policy evaluation | ~0.04ms | ~0.004% |
| Jailbreak detection (heuristic+statistical) | ~0.03ms | ~0.003% |
No external API calls required for core detection. Full benchmarks →
- Design Philosophy — Fail-closed, defense in depth
- Guards Reference — All 7 guards documented
- Policy Schema — YAML configuration
- Framework Integrations — OpenClaw, Vercel AI, LangChain
- Repository Map — Newcomer guide to project layout and component maturity
- Documentation Map — Canonical source-of-truth guide for docs
We take security seriously. If you discover a vulnerability:
- For sensitive issues: Email connor@backbay.io with details. We aim to respond within 48 hours.
- For non-sensitive issues: Open a GitHub issue with the
securitylabel.
Contributions welcome! See CONTRIBUTING.md for guidelines.
cargo build && cargo test && cargo clippyApache License 2.0 - see LICENSE for details.