OpenClaw Shield
Enterprise security scanner for AI agents. Detects credential theft, data exfiltration, and malicious code with static analysis + runtime guards + ClamAV integration. Audit logging and tamper-evident reports.
When to use: Security scanning, threat detection, code auditing, runtime protection for AI agents
What to know:
Repository: https://github.com/pfaria32/OpenClaw-Shield-Security
Features
Static Scanner
- Detects credential theft, data exfiltration, destructive operations
- Pattern-based analysis (no external dependencies)
- Python stdlib only (zero supply chain risk)
- Pre-execution scanning
Runtime Guard
- File/network/exec allowlists
- Output sanitization
- Policy enforcement
- Real-time protection
Integration
- ClamAV integration (3.6M virus signatures)
- Telegram alerting on critical findings
- Hash-chained audit logging
- Tamper-evident security logs
Installation
cd /home/node/.openclaw/workspace
git clone https://github.com/pfaria32/OpenClaw-Shield-Security.git projects/OpenClaw-Shield
# Test the scanner
python3 projects/OpenClaw-Shield/src/scanner.py /path/to/scan
# Deploy (see repository README for full setup)
Usage
Manual Scan
python3 projects/OpenClaw-Shield/src/scanner.py workspace --output shield-report.json
Daily Automated Scans
Set up cron job (see repository deployment guide):
# Daily at 3 AM UTC
0 3 * * * /path/to/scan-script.sh
Runtime Guard (Optional)
Configure allowlists and enable runtime protection (see deployment/openclaw-config.py in repo).
Status
✅ Deployed on this instance (clawdbot-toronto)
- Daily scans: 3:00 AM UTC
- ClamAV: Active (host-level)
- Runtime guard: Prepared (not enabled by default)
Attribution
Inspired by: Resonant by Manolo Remiddi
Source: https://github.com/ManoloRemiddi/resonantos-open-system-toolkit/blob/main/BUILD_YOUR_OWN_SHIELD.md
Built on the principle: "Don't trust, verify."
Documentation
Full docs, threat model, and deployment guide in repository README.