ClawGuard
Pass
Audited by VirusTotal on May 13, 2026.
Findings (1)
Package: @victorqr/clawguard (npm)
Version: 0.3.3
Description: OpenClaw security plugin — runtime tool call interception, command-level allow/deny/approve, bypass detection, file/network path rules, and audit logging

The package functions as a dedicated security guardrail plugin for the OpenClaw AI environment. Its logic is entirely focused on intercepting, analyzing, and enforcing rules on tool execution, file access, and network requests. Key security features include a tiered DENY > ALLOW > APPROVE rule engine, detection of bypass techniques (e.g., base64 piping, eval), network domain allowlisting (explicitly blocking cloud metadata endpoints), robust path normalization to prevent traversal, execution rate limiting against cascades, policy integrity verification using SHA256 hashing to prevent tampering, and comprehensive audit logging with strong PII/secret redaction. The code is highly defensive and explicitly designed to prevent malicious activity, including self-protection measures against terminating the plugin or altering its configuration. There are no indications of unauthorized data collection, covert communication, or malicious intent.
