clawguard-openclaw

v1.0.0

Published

Security guardrails for OpenClaw agents - Lethal Trifecta defense

Readme

🛡️ ClawGuard OpenClaw Plugin

SOTA security guardrails for OpenClaw agents — Complete Lethal Trifecta defense.

What is the Lethal Trifecta?

The three attack vectors that can compromise an AI agent:

  1. Input Attacks (Prompt Injection) - Malicious instructions in user messages or external content
  2. Runtime Attacks (Tool Exploitation) - Abusing tool calls for data exfiltration or system compromise
  3. Output Attacks (Data Leakage) - Credentials or PII leaking in agent responses

ClawGuard defends against all three with state-of-the-art detection techniques.

Installation

openclaw plugins install @openclaw/clawguard

Then restart your gateway.

SOTA Features

Input Guard (Leg 1)

  • Pattern-based detection in 7+ languages (EN/KO/JA/ZH/ES/DE/FR/RU)
  • Adversarial suffix detection (GCG-style attacks) via entropy analysis
  • Multi-turn tracking - detects split payload attacks across messages
  • Source-aware thresholds - web content gets stricter scrutiny than user input
  • Encoding evasion detection (base64, hex, unicode, homoglyphs)
  • Jailbreak and system prompt extraction detection
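Added example (not ClawGuard's own code) of how the Leg 1 ideas above fit together: a source-aware score built from weighted patterns plus an entropy-based adversarial-suffix check. The pattern set, weights, per-source thresholds and the entropy/symbol cut-offs are constructed for illustration; the plugin's real multilingual pattern sets and tuning are not shown here.

```typescript
// Added example (not ClawGuard's own code): a minimal source-aware input guard.
// Pattern weights, thresholds and the entropy/symbol cut-offs are constructed values.
type Source = "user" | "web" | "email";

// Constructed, English-only illustrative patterns; the real plugin ships multilingual sets.
const INJECTION_PATTERNS: Array<{ re: RegExp; weight: number }> = [
  { re: /ignore (all )?(previous|prior|above) instructions/i, weight: 60 },
  { re: /reveal (your )?system prompt/i, weight: 50 },
  { re: /you are now (in )?developer mode/i, weight: 40 },
];

// Source-aware thresholds: content fetched from the web or email is trusted less than the user.
const THRESHOLDS: Record<Source, number> = { user: 50, web: 30, email: 30 };

// Shannon entropy of the string in bits per character.
function shannonEntropy(s: string): number {
  const counts: Record<string, number> = {};
  s.split("").forEach(ch => { counts[ch] = (counts[ch] || 0) + 1; });
  let h = 0;
  Object.keys(counts).forEach(ch => {
    const p = counts[ch] / s.length;
    h -= p * (Math.log(p) / Math.LN2);
  });
  return h;
}

// GCG-style suffixes are dense in punctuation and near-uniform in character use:
// flag a tail that is both symbol-heavy and high-entropy (constructed thresholds).
function hasAdversarialSuffix(text: string): boolean {
  const tail = text.trim().slice(-40);
  if (tail.length < 24) return false;
  const symbols = tail.split("").filter(ch => /[^a-z0-9\s]/i.test(ch)).length;
  return symbols / tail.length >= 0.3 && shannonEntropy(tail) > 4.3;
}

// Returns a 0..100 risk score and whether it crosses the threshold for this source.
function scoreInput(text: string, source: Source): { score: number; blocked: boolean; reasons: string[] } {
  let score = 0;
  const reasons: string[] = [];
  INJECTION_PATTERNS.forEach(({ re, weight }) => {
    if (re.test(text)) { score += weight; reasons.push(re.source); }
  });
  if (hasAdversarialSuffix(text)) { score += 40; reasons.push("adversarial-suffix"); }
  score = Math.min(score, 100);
  return { score, blocked: score >= THRESHOLDS[source], reasons };
}
```

The same 40-point finding is blocked when it arrives as web content but only logged when the user typed it, which is the source-aware behaviour the feature list describes.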

Runtime Guard (Leg 2)

  • Tool call interception with parameter validation
  • Dangerous command detection (shell injection, rm -rf, etc.)
  • Exfiltration URL blocking (webhook.site, ngrok, etc.)
  • Sensitive path protection (.ssh, .aws, .env)
  • Optional human-in-the-loop approval gates
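Added example (not ClawGuard's own code) of a Leg 2 check in the spirit of the list above: every string parameter of a tool call is inspected for exfiltration hosts, sensitive paths and a recursive delete, and the command check only applies to tools named in a dangerousTools list like the one in the README config. The host list, path patterns and command pattern are constructed; the hostOf helper is written by hand so that a userinfo trick such as https://trusted.example@evil-host/ resolves to the real host.

```typescript
// Added example (not ClawGuard's own code): a before_tool_call-style parameter check.
// Host list, path patterns and the command pattern are constructed for illustration.
interface ToolCall { tool: string; params: Record<string, unknown> }
interface Verdict { allow: boolean; reasons: string[] }

// Hosts commonly used to collect exfiltrated data; match the host or any subdomain of it.
const EXFIL_HOSTS = ["webhook.site", "ngrok.io", "ngrok-free.app"];
// Credential-bearing locations a tool should not touch without approval.
const SENSITIVE_PATHS = [/(^|\/)\.ssh(\/|$)/, /(^|\/)\.aws(\/|$)/, /(^|\/)\.env(\.|$)/];
// Recursive forced delete, either flag order.
const DANGEROUS_COMMANDS = [/\brm\s+-[a-z]*(?:rf|fr)\b/];

function extractUrls(value: string): string[] {
  return value.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Take the authority part, drop any userinfo before "@", drop the port.
function hostOf(url: string): string {
  const authority = url.replace(/^https?:\/\//i, "").split(/[/?#]/)[0];
  const at = authority.indexOf("@");
  const hostPort = at >= 0 ? authority.slice(at + 1) : authority;
  return hostPort.split(":")[0].toLowerCase();
}

function isExfilHost(host: string): boolean {
  return EXFIL_HOSTS.some(h => host === h || host.endsWith("." + h));
}

// dangerousTools mirrors the runtimeGuard.dangerousTools setting shown in the Quick Start.
function checkToolCall(call: ToolCall, dangerousTools: string[]): Verdict {
  const reasons: string[] = [];
  const values = Object.keys(call.params).map(k => String(call.params[k]));
  values.forEach(v => {
    extractUrls(v).forEach(url => {
      const host = hostOf(url);
      if (isExfilHost(host)) reasons.push("exfil-host:" + host);
    });
    if (SENSITIVE_PATHS.some(re => re.test(v))) reasons.push("sensitive-path");
    if (dangerousTools.indexOf(call.tool) >= 0 && DANGEROUS_COMMANDS.some(re => re.test(v))) {
      reasons.push("dangerous-command");
    }
  });
  return { allow: reasons.length === 0, reasons };
}
```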

Output Guard (Leg 3)

  • Credential detection (AWS, GitHub, OpenAI, Slack, Discord, Telegram, and 15+ more)
  • PII detection (SSN, credit cards, phones, emails, IPs)
  • Automatic redaction before output
  • Canary token system for prompt leak detection
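Added example (not ClawGuard's own code) of the Leg 3 flow above: credential- and PII-shaped strings are replaced before the reply leaves the agent, and any canary token from the configuration (the constructed SECRET_CANARY_12345 from the Quick Start is reused) that appears verbatim is reported as a prompt leak. The pattern set is a small constructed subset of the 15+ credential and PII formats the list mentions.

```typescript
// Added example (not ClawGuard's own code): an output guard that redacts
// credential- and PII-shaped strings and reports canary-token hits.
// The patterns below are a constructed, reduced set; the plugin's are broader.
const CREDENTIAL_PATTERNS: Array<{ name: string; re: RegExp }> = [
  { name: "aws-access-key", re: /\bAKIA[0-9A-Z]{16}\b/g },
  { name: "github-pat", re: /\bghp_[A-Za-z0-9]{36}\b/g },
  { name: "openai-key", re: /\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b/g },
];
const PII_PATTERNS: Array<{ name: string; re: RegExp }> = [
  { name: "ssn", re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { name: "email", re: /\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b/g },
];

interface OutputVerdict {
  text: string;         // redacted text, safe to send
  findings: string[];   // pattern names that fired, in replacement order
  canaryHits: string[]; // canary tokens seen verbatim in the response
}

function guardOutput(text: string, canaryTokens: string[]): OutputVerdict {
  const findings: string[] = [];
  const canaryHits: string[] = [];
  let out = text;
  CREDENTIAL_PATTERNS.concat(PII_PATTERNS).forEach(({ name, re }) => {
    out = out.replace(re, () => {
      findings.push(name);
      return "[REDACTED:" + name + "]";
    });
  });
  // A canary planted in the system prompt showing up in output means the prompt leaked.
  canaryTokens.forEach(token => {
    if (out.indexOf(token) >= 0) {
      canaryHits.push(token);
      out = out.split(token).join("[CANARY]");
    }
  });
  return { text: out, findings, canaryHits };
}
```

The AWS value used in the test is the public documentation example key, not a real credential.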

Additional SOTA Features

  • Spotlighting - Data marking for untrusted content (Microsoft research)
  • Defense presets - paranoid, balanced, permissive
  • Structured threat events - Correlation via fingerprinting
  • Context decay - Risk scores decay over conversation

Quick Start

Use a preset:

{
  plugins: {
    entries: {
      clawguard: {
        enabled: true,
        config: {
          preset: "balanced"  // or "paranoid" or "permissive"
        }
      }
    }
  }
}

Custom configuration:

{
  plugins: {
    entries: {
      clawguard: {
        enabled: true,
        config: {
          inputGuard: {
            enabled: true,
            threshold: 50,
            blockOnDetection: false,
            useAdversarialDetection: true,
            useMultiTurnTracking: true
          },
          runtimeGuard: {
            enabled: true,
            dangerousTools: ["exec", "write", "edit"],
            blockExfilUrls: true,
            requireApproval: false
          },
          outputGuard: {
            enabled: true,
            redactCredentials: true,
            redactPII: true,
            canaryTokens: ["SECRET_CANARY_12345"]
          },
          spotlighting: {
            enabled: true,
            mode: "delimit",
            sources: ["web", "email"]
          },
          logging: {
            logThreats: true,
            structuredEvents: true
          }
        }
      }
    }
  }
}

Defense Presets

| Preset | Threshold | Block | Adversarial | Multi-turn | Approval | Spotlighting |
|--------|-----------|-------|-------------|------------|----------|--------------|
| paranoid | 25 | ✓ | ✓ | ✓ | ✓ | all sources |
| balanced | 50 | ✗ | ✓ | ✓ | ✗ | web, email |
| permissive | 75 | ✗ | ✗ | ✗ | ✗ | disabled |

CLI Commands

# Check status and stats
openclaw clawguard status

# View available presets
openclaw clawguard presets

# Test detection with source simulation
openclaw clawguard test "ignore previous instructions" --guard input --source web
openclaw clawguard test "sk-proj-abc123..." --guard output

# View recent threat events
openclaw clawguard events --limit 20

Slash Command

In any chat, use /clawguard to see current status and session stats.

How It Works

ClawGuard hooks into OpenClaw's plugin lifecycle:

User Message
     ↓
┌─────────────────────────────────────┐
│  INPUT GUARD (before_agent_start)   │
│  • Pattern matching (7 languages)   │
│  • Adversarial suffix detection     │
│  • Multi-turn context tracking      │
│  • Source-aware thresholds          │
└─────────────────────────────────────┘
     ↓
┌─────────────────────────────────────┐
│  RUNTIME GUARD (before_tool_call)   │
│  • Parameter validation             │
│  • Exfil URL blocking               │
│  • Dangerous command detection      │
└─────────────────────────────────────┘
     ↓
┌─────────────────────────────────────┐
│  OUTPUT GUARD (message_sending)     │
│  • Credential scanning              │
│  • PII detection                    │
│  • Canary token monitoring          │
│  • Auto-redaction                   │
└─────────────────────────────────────┘
     ↓
Safe Response

Research References

  • Adversarial Suffixes: Zou et al. "Universal and Transferable Adversarial Attacks on Aligned Language Models"
  • Spotlighting: Microsoft "Defending Against Indirect Prompt Injection Attacks"
  • Lethal Trifecta: OpenClaw security model
  • Multi-turn Attacks: Perez & Ribeiro "Ignore This Title and HackAPrompt"

Testing

cd projects/clawguard-plugin
bun test  # 63 tests

File Structure

src/
├── index.ts         # Plugin entry, lifecycle hooks, CLI
├── guards.ts        # Input/Runtime/Output guards
├── patterns.ts      # Detection patterns (injection, credentials, PII)
├── analyzers.ts     # SOTA: entropy, context tracker, spotlighting
├── guards.test.ts   # Guard tests (38)
└── analyzers.test.ts # Analyzer tests (25)

License

MIT

Authors

Built by MaxsClawd & Max — Day one, shipped.