OpenClaw sanitizer plugin wrapping ClawMoat's prompt injection detection, secret scanning, and PII detection.
Runs ClawMoat's scan() function as a pre-phase sanitizer plugin.
Every piece of untrusted content (transcript or MCP result) passes through
ClawMoat's pattern matching and entropy analysis before reaching the
semantic sub-agent.
- Sub-millisecond execution — pure regex/entropy, no model calls, no network
- 30+ credential patterns, OWASP Agentic AI coverage
- Deterministic results (confidence always 1.0)
- Complements OpenClaw's built-in Tier 1 patterns with ClawMoat's own library
cd plugins/clawmoat-adapter
npm install
npm run buildThis produces dist/index.js — a single-file CJS bundle with ClawMoat inlined.
In your OpenClaw config:
memory.sessions.sanitization.plugins:
- module: "./plugins/clawmoat-adapter/dist/index.js"
phase: "pre"
config:
# ClawMoat policy config (passed through to createPolicy)
policy:
secretPatterns: ["AWS_*", "GITHUB_TOKEN"]
blockedCommands: ["rm -rf", "curl * | sh"]
# Block threshold — which severity level triggers a block?
# Default: "low" (any finding blocks)
# Options: "low" | "medium" | "high" | "critical"
blockThreshold: "low"By default, any ClawMoat finding (even low severity) produces a block.
This is the safest setting. If you're seeing false positives on low-severity
findings, you can raise the threshold:
blockThreshold |
Blocks on | Flags (but passes) |
|---|---|---|
"low" (default) |
low, medium, high, critical | — |
"medium" |
medium, high, critical | low |
"high" |
high, critical | low, medium |
"critical" |
critical only | low, medium, high |
Findings below the threshold still appear in the audit trail as flags and contribute to frequency scoring. They're not ignored — they just don't independently trigger a block.
| ClawMoat concept | OpenClaw mapping |
|---|---|
result.blocked |
PluginResult.safe (inverted) |
result.threats[].pattern |
PluginResult.ruleIds (prefixed with clawmoat.scanner.) |
result.threats[].match |
PluginResult.flags |
result.threats[].severity |
Used for block threshold decision |
createPolicy() config |
Passed through from plugin config.policy |
ClawMoat's injection and credential patterns overlap with OpenClaw's built-in Tier 1 pre-filter (INJ-, CRED-). This is intentional — defense in depth. ClawMoat maintains its own pattern library which may catch things the built-in set misses, and vice versa. Duplicate findings are deduplicated by ruleId in the final merge.
This adapter provides single-scan integration. For production deployments that need session tracking, frequency-based escalation, content redaction, and compliance audit trails, see clawmoat-drawbridge — a session-aware pipeline that wraps ClawMoat with:
- Exponential-decay frequency tracking with 3 escalation tiers
- 16-rule syntactic pre-filter
- Context profiles (general, medical, financial, code, MCP)
- Structured audit events with typed payloads
- Cross-session alert rules with aggregation
- Content sanitization/redaction
The adapter and Drawbridge are complementary: the adapter handles OpenClaw plugin interface compliance, Drawbridge handles session-level orchestration.
npm run typecheck # Type check without emitting
npm run build # Bundle to dist/index.jsThe build uses esbuild to produce a single CJS file with clawmoat inlined, following the plugin spec's recommended bundling approach.