MoltGuard

Runtime security guard for OpenClaw agents by OpenGuardrails. Open source (Apache 2.0), fully auditable.

ClawHub: ThomasLWang/moltguard · npm: @openguardrails/moltguard · GitHub: openguardrails/openguardrails/tree/main/moltguard

Security & Provenance

Verify provenance before installing. The npm package should match the auditable GitHub source. To check:

# Download and inspect the package contents
npm pack @openguardrails/moltguard --dry-run

# Or do a full diff against the cloned repo:
mkdir /tmp/moltguard-audit && cd /tmp/moltguard-audit
npm pack @openguardrails/moltguard
tar -xzf openguardrails-moltguard-*.tgz
git clone https://github.com/openguardrails/openguardrails
diff -r package/scripts openguardrails/moltguard/scripts

Prefer source install if you have low trust in the publisher: openclaw plugins install -l ./openguardrails/moltguard

What activate.mjs does: Makes an outbound call to https://www.openguardrails.com/core to register the agent. Once you visit the claim URL and verify your email, the returned API key is written to ~/.openclaw/credentials/openguardrails/credentials.json. Do not activate if you do not trust this endpoint. All local protections work without activation.

Network behavior:

• Before activation: no outbound calls are made. Fully air-gapped local detection.
• After activation: each agent tool call sends a behavioral assessment request to https://www.openguardrails.com/core. No message content is sent — only tool names, sequence, and metadata.

Least privilege: Treat the API key written by activation as sensitive. Rotate or revoke it via the account portal (https://www.openguardrails.com/core/login) if needed. You can keep local-only protections indefinitely by simply not activating the cloud component.

What to Consider Before Installing

Before installing or running activate.mjs:

1. Verify provenance.
Compare the npm package to the GitHub source (npm pack + diff) as described in the Security & Provenance section above. Only proceed if the contents match the source you trust.

2. Inspect the scripts yourself.
scripts/activate.mjs and scripts/status.mjs are short and readable. Review them directly before running.

3. Understand what activation writes.
Activation writes an API key to ~/.openclaw/credentials/openguardrails/credentials.json. If you later distrust the endpoint, delete that file and revoke the key via the platform portal.

4. Activate from a monitored environment if you need high assurance.
Use tcpdump, mitmproxy, or Little Snitch to confirm outbound destinations and that payloads contain only sanitized metadata — not message content.

Local protections remain fully functional without activation — no outbound calls, no credentials written.

Agent Workflow

Check status

Run this when the user asks about MoltGuard status, whether it's registered, or what email/plan is active:

node {baseDir}/scripts/status.mjs

Register and activate

Run this when the user wants to register MoltGuard or enable cloud behavioral detection:

node {baseDir}/scripts/activate.mjs

After running, show the user the claim URL and verification code. Tell them to visit the URL, enter the code, and provide their email to complete activation. On success, an API key is written to ~/.openclaw/credentials/openguardrails/credentials.json — inform the user so they know a credential file was created.

Installation

When the user asks to install MoltGuard, run these steps:

# 1. Install the plugin
openclaw plugins install @openguardrails/moltguard

# 2. Restart the gateway to load the plugin
openclaw gateway restart

Local protections are active immediately after restart — no registration required. Cloud behavioral detection requires registration (run activate.mjs above).

To install from source (highest assurance):

git clone https://github.com/openguardrails/openguardrails.git
# Audit the code, then:
openclaw plugins install -l ./openguardrails/moltguard

What MoltGuard Protects Against

Local (no cloud, no registration needed):

• Read sensitive file → network call → BLOCK
• Shell escape in params ($(), backtick, ;, &&, |) → BLOCK
• Prompt injection in file/web content → REDACT in-place

Cloud (requires activation):

• Multi-credential access, shell after web fetch → BLOCK
• Intent-action mismatch, unusual tool sequence → ALERT

For full detection tables and pattern details, see references/details.md.

AI Security Gateway (Free, no registration)

Local HTTP proxy that sanitizes PII/secrets before they reach LLM providers:

npx @openguardrails/gateway   # runs on port 8900

Then point your agent's API base URL to http://127.0.0.1:8900. Sanitizes emails, credit cards, API keys, phone numbers, SSNs, IBANs, IPs, URLs. Restores originals in responses. Stateless — no data retained.

Configuration

All options in ~/.openclaw/openclaw.json under plugins.entries.openguardrails.config:

To use an existing API key directly (skips registration):

{
  "plugins": {
    "entries": {
      "openguardrails": {
        "config": { "apiKey": "sk-og-<your-key>" }
      }
    }
  }
}

Plans

Account portal: https://www.openguardrails.com/core/login (email + API key)

Uninstall

rm -rf ~/.openclaw/extensions/openguardrails
# Remove config from ~/.openclaw/openclaw.json
rm -rf ~/.openclaw/credentials/openguardrails   # optional

Reference

For detailed information on security & trust, detection patterns, privacy policy, and gateway data types, read references/details.md.