ClawWall
Review
Audited by ClawScan on May 10, 2026.
Overview
ClawWall is a disclosed local DLP tool, but it sends every outbound tool call through a service that defaults to listening on all network interfaces, so its network exposure and external install sources deserve review.
Install only if you want all outbound OpenClaw tool content scanned by a local service. Before enabling it, bind the service to 127.0.0.1, firewall port 8642, verify the referenced PyPI/GitHub/npm code and hashes, choose fail-open vs fail-closed behavior deliberately, and protect the local SQLite findings database.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. The scanner API or dashboard could be reachable beyond the local agent if the host or network allows it, increasing exposure of sensitive scan requests or policy controls.
The service is intended to receive all outbound content, including sensitive data, while the documented default bind address listens on all interfaces rather than only localhost.
A local Python service (port 8642) that receives every outbound tool call for scanning ... `CLAWGUARD_HOST` | `0.0.0.0` | Bind address
Bind the service to 127.0.0.1, firewall port 8642, and verify the service’s authentication and access controls before routing all outbound content through it.

2. Tool calls can be blocked or redacted by policy, and with the default fail-open setting they may proceed without DLP scanning during service outages.
The plugin has broad tool-call interception and blocking/redaction authority, and the default configuration allows outbound calls if the service is down. This is disclosed and purpose-aligned, but users should understand the control point.
An OpenClaw plugin that hooks `before_tool_call` — all outbound content passes through it ... Set `blockOnError: false` (default) to fail-open
Review the policy before enabling the plugin and set `blockOnError: true` if you want strict fail-closed protection.

3. You would be running external Python package and npm dependency code that was not statically analyzed in the supplied artifact set.
The skill is instruction-only in the provided artifacts but directs the user to install external Python and Node code. The pinned version and hashes help, but that code was not included in this review.
pip install clawwall==0.2.1 ... git clone --branch v0.2.1 https://github.com/Stanxy/clawguard.git ... npm install && npm run build
Verify the release hashes, inspect the referenced repository and npm dependencies, and install in an isolated environment before enabling the plugin.

4. The database may reveal that certain kinds of secrets or PII were present in outbound requests, even if it does not store the raw values.
The skill persists metadata about sensitive-data detections. The artifact says raw content is not stored, so this is purpose-aligned but still a local privacy artifact to protect.
A local SQLite database that stores scan findings metadata ... finding type, severity, position offsets, action taken, and duration. It never stores raw content, secrets, or PII values.
Protect the SQLite database location, configure retention if supported, and avoid sharing the database unless you have reviewed its contents.
