ClawGuard Security Layer

Verified, Safe

Intercepts shell commands, file operations, and network requests before execution, enforcing a customizable security policy. Actions can be automatically allowed, blocked, or held for human approval. Use it to prevent accidental or malicious changes to your system.

by Skills Guide Bot
Security, Intermediate
1106/2/2026
Claude Code, Cursor, Windsurf, Copilot, Codex
#security #firewall #access-control #policy #monitoring

Our review

ClawGuard is a security layer that intercepts and controls shell commands, file operations, and network requests made by an AI assistant based on a customizable policy.

Strengths

  • Deny-by-default policy minimizes attack surface.
  • Fail-closed behavior ensures security on errors.
  • Supports manual approval for high-risk actions.

Limitations

  • Requires manual YAML configuration, which may be time-consuming.
  • Overly restrictive policies can hinder legitimate tasks.
  • Relies on up-to-date policy definitions to avoid bypasses.

When to use it

Use ClawGuard when your AI assistant can execute arbitrary shell commands or access sensitive resources, and you need to enforce a safety boundary.

When not to use it

Avoid ClawGuard if the assistant operates in a fully sandboxed environment with no access to sensitive operations, or if you trust the assistant without restrictions.

Security analysis

Safe
Quality score: 80/100

The skill is a set of instructions for a security monitoring layer, not an executable payload. It advocates checking operations before execution and does not contain any destructive or exfiltrating commands.

No concerns found

Examples

Check shell command before execution

I need to delete a temporary file. Run 'rm /tmp/tempfile' but first check with ClawGuard.

Check file read for sensitive path

Read the contents of ~/.ssh/id_rsa.pub, but make sure to verify with ClawGuard before reading.

Check network request to external domain

Make a GET request to https://api.example.com/status, and ensure ClawGuard allows the network access.

ClawGuard Security Skill

A security layer that monitors and controls what OpenClaw can do. Think of it as a firewall for your AI assistant.

Description

ClawGuard intercepts all shell commands, file operations, and network requests before OpenClaw executes them. Actions are checked against your security policy and can be:

  • Allowed — Proceeds immediately
  • Blocked — Rejected with explanation
  • 👤 Approval Required — Waits for human confirmation

Instructions

Before executing any of the following actions, check with ClawGuard:

Shell Commands

Before running any shell/bash command, call clawguard_check_shell with the command. If blocked, explain why and suggest an alternative.

File Operations

Before reading or writing files, call clawguard_check_file with the path and operation type. Respect blocked paths like ~/.ssh and .env files.

Network Requests

Before making HTTP requests, call clawguard_check_network with the URL. Only access allowed domains.

Security Philosophy

  • Deny by Default — In allowlist mode, anything not explicitly allowed is blocked
  • Blocked Wins — Block rules take precedence over allow rules
  • Fail Closed — Errors and timeouts result in denial
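
The three rules above can be sketched as a small file-path evaluator. This is an added example, not ClawGuard's own code: the `POLICY` dictionary, the `check_file` function, the rule patterns and the placement of approval ahead of allow are assumptions, since this page does not show the `clawguard.yaml` schema.

```python
import fnmatch
import os

# Hypothetical policy (constructed for this example). The real clawguard.yaml
# schema is not shown on this page.
POLICY = {
    "block": ["~/.ssh/*", "*.env"],   # blocked paths named in the instructions
    "approve": ["/etc/*"],            # assumed: held for human confirmation
    "allow": ["/tmp/*"],              # assumed allowlist entry
}


def _matches(path, patterns):
    """True if the normalised path matches any glob pattern in the list."""
    return any(
        fnmatch.fnmatchcase(path, os.path.expanduser(p)) for p in patterns
    )


def check_file(path, policy=POLICY):
    """Return 'allow', 'block' or 'approval_required' for one file path."""
    try:
        # Normalise lexically first, so '/tmp/../etc/passwd' is judged as
        # '/etc/passwd' and cannot ride on the '/tmp/*' allow rule.
        resolved = os.path.normpath(os.path.expanduser(path))
        if _matches(resolved, policy["block"]):
            return "block"                # Blocked Wins: checked before allow
        if _matches(resolved, policy["approve"]):
            return "approval_required"
        if _matches(resolved, policy["allow"]):
            return "allow"
        return "block"                    # Deny by Default: no rule matched
    except Exception:
        return "block"                    # Fail Closed: any error is a denial


if __name__ == "__main__":
    for p in ["/tmp/tempfile", "/tmp/app/.env", "~/.ssh/id_rsa",
              "/tmp/../etc/passwd", "/opt/unknown", None]:
        print(repr(p), "->", check_file(p))
```

`os.path.normpath` only collapses `..` and duplicate separators; it does not resolve symlinks, so an enforcement point that relies on path rules also has to decide how symlinked paths are treated.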

Configuration

Edit clawguard.yaml in your project root to customize the security policy.
