openclaw plugins install @oktsec/openclawoktsec already connects to Claude Code, Cursor, Windsurf, VS Code, Gemini CLI, Amp, and 17+ agent tools. OpenClaw is the newest integration, and the first as a native plugin that runs inside the platform itself.
Why OpenClaw
327K+ people build agents on OpenClaw. Those agents handle files, run commands, and chat on Telegram, Slack, WhatsApp, Discord. CrowdStrike documented it as "a powerful AI backdoor agent capable of taking orders from adversaries." Every direct message channel is a prompt injection surface.
OpenClaw already has security layers. The model's own reasoning rejects obvious attacks. Tool policies restrict which tools are available. Sandbox mode isolates sessions. These are real protections.
But they share a limitation: they all depend on the model, the config, or the infrastructure. None of them independently scan the content of what the agent is receiving and executing.
That's what oktsec adds. A deterministic rule engine with 217 detection rules that scans every message and tool call before execution, independent from the model. If the model gets manipulated by a sophisticated prompt injection, oktsec still sees the malicious content and blocks it.
How it works
The plugin hooks into four event types in the OpenClaw lifecycle:
- Incoming messages — before the agent reads them
- Outgoing messages — before they're sent
- Tool calls — before they execute
- Tool results — after execution
Each event is scanned through the same 217-rule engine that runs across all oktsec integrations. The same rules, the same verdicts (clean, flag, quarantine, block), the same audit trail.
incoming message
The plugin connects to an oktsec gateway running alongside the OpenClaw instance. The gateway handles scanning, session management, and the dashboard.
Session management
This release includes session management, which is particularly valuable for OpenClaw deployments where agents run continuously.
You can see every session from the day, filter the ones that had issues, and drill into any of them to see the full timeline of tool calls and messages. Click a session, run AI analysis. It tells you the risk level, what happened, what to do, and how the interactions between human and agent unfolded. The analysis is saved as audit evidence.
For OpenClaw specifically, this means you can trace a complete conversation from Telegram through the agent's tool calls and back to the response. If something went wrong, you see exactly where.
OpenClaw-specific rules
15 detection rules built for OpenClaw configurations:
| Rule | What it checks |
|---|---|
| Gateway exposure | Is the WebSocket gateway bound to 0.0.0.0? |
| Sandbox settings | Are agents running without sandbox isolation? |
| DM policies | Is dmPolicy set to "open"? Every DM becomes an attack vector |
| Exec permissions | Is tools.profile "full" with no deny list? |
| Auth configuration | Is the gateway missing authentication? |
| Hardcoded credentials | Are there credentials in openclaw.json? |
These run as part of oktsec audit and appear in the Security Posture dashboard with remediation guidance.
Two modes
Observe logs everything without blocking. Every message scanned, every verdict recorded, every session traced. The agent works normally. You get full visibility.
Enforce acts on the rules. A message with prompt injection gets blocked before the agent sees it. A tool call trying to read /etc/passwd gets rejected. The agent receives a JSON-RPC error instead of executing the action.
Start with observe. Review the dashboard for a few days. Understand your agents' behavior. Move to enforce when you're confident in the rules.
Alongside NemoClaw
NVIDIA released NemoClaw this week to sandbox OpenClaw agents. NemoClaw isolates the container: network egress, filesystem access, process restrictions. Infrastructure security.
oktsec does something different. It scans the content of messages and tool calls, traces sessions, analyzes behavior with AI, controls egress per tool, and maintains a tamper-evident audit trail. Content security.
A sandboxed agent can still follow a prompt injection received via Telegram, as long as the action stays within the sandbox's allowed boundaries. oktsec catches the injection regardless of where the agent runs.
Both tools are complementary. NemoClaw controls where the agent can go. oktsec understands what the agent did when it got there.
Getting started
# 1. Install the plugin
openclaw plugins install @oktsec/openclaw
# 2. Start oktsec (installs automatically if not present)
oktsec run
# 3. Start OpenClaw
openclaw gatewayThat's it. The plugin connects to the local oktsec gateway automatically. Send a message via Telegram, Discord, or web chat and open http://127.0.0.1:8080/dashboard to see every event in real time.
You also get slash commands inside OpenClaw:
/oktsec status # Pipeline health and stats
/oktsec dashboard # Open dashboard URLAnd CLI commands:
openclaw oktsec status # Gateway health
openclaw oktsec logs -f # Stream audit events live
openclaw oktsec dashboard # Open dashboard in browserLinks
- Plugin: github.com/oktsec/oktsec-openclaw
- oktsec: github.com/oktsec/oktsec
- npm: npmjs.com/package/@oktsec/openclaw
- Documentation: oktsec.com
Get started
One binary. 217 detection rules. Delegation chains. Deploy in minutes.