Ironclaw Security Guard

README

# OpenClaw IronClaw Security Guard

Defense-in-depth security plugin for OpenClaw, inspired by the security model and threat posture documented in [IronClaw](https://github.com/nearai/ironclaw).

## What It Adds

- Dangerous shell command blocking
- Sensitive path protection
- Prompt-injection pattern detection
- Outbound secret leak prevention
- Secret redaction before outgoing messages
- Local audit log for blocked or risky events
- A callable `ironclaw_security_scan` tool for manual inspection

## Design Inspiration

This plugin borrows the most practical ideas from IronClaw's public design:

- defense in depth
- prompt injection defense
- endpoint allowlisting
- credential leak detection
- explicit network trust boundaries
- auditability

It is intentionally lighter-weight than IronClaw's full runtime. It does **not** implement a WASM sandbox or container orchestrator. Instead, it adds guardrails at OpenClaw's plugin hook layer.

## Install In OpenClaw

Add this repo path to `plugins.load.paths`, allow `ironclaw-security-guard`, and enable it in `plugins.entries`.

## Audit Log

By default the plugin writes JSONL audit events to:

`~/.openclaw/logs/ironclaw-security-guard.audit.jsonl`