OpenClaw Security Layers
Input Guardrails
Inspect every input before it reaches the agent. Automatically block dangerous, inappropriate or prohibited requests.
Policy Engine
Rule-defined restrictions for agent behaviour: What may the agent do? Which tools may it use? Which data may it process?
Output Guardrails
Inspect every agent output before delivery. Prevent data leaks, inappropriate content and policy violations.
Security Features in Detail
Sandboxed Execution
Agents run in isolated environments – a compromised agent cannot affect other systems.
Secrets Management
API keys and credentials are never stored in the agent context – secrets are managed securely outside the agent.
Compliance Logging
Complete audit log of every action, every decision and every tool use – stored immutably.
PII Detection
Automatic detection and masking of personally identifiable information in inputs and outputs.
Anomaly Detection
Unusual agent behaviour is detected and immediately reported – before damage occurs.
Rate Limiting
Protection against misuse through configurable rate limits for API access and tool usage.
OpenClaw Security Questions
What are guardrails in OpenClaw?
Guardrails are rule-based filters that inspect agent inputs and outputs. They can use keyword matching, pattern recognition, PII detection or LLM-based classification to prevent unwanted behaviour.
Can an attacker bypass guardrails?
Guardrails are an important security layer, but not a standalone security concept. Wito AI implements defence in depth: multiple security layers, monitoring and regular security reviews.
How are policies defined in OpenClaw?
Policies are defined as YAML configuration or via an admin interface. They specify: permitted tools, data sources, output formats and behavioural rules for each agent type.
Is the audit log tamper-proof?
Yes. OpenClaw uses cryptographic signatures for audit log entries. Subsequent changes are detectable. For the highest requirements the log can be written to immutable storage (WORM).
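The following added example (not OpenClaw code) sketches how signed audit entries make later changes detectable. It assumes HMAC-SHA256 as a stand-in for the signature scheme, which the page does not specify, and chains each entry to the previous one; the key, field names and sample events are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real key lives in a secrets manager.
SIGNING_KEY = b"demo-key-constructed-for-this-example"
GENESIS = "0" * 64  # "previous tag" used by the first entry

# Constructed sample events; agent and tool names are hypothetical.
SAMPLE_EVENTS = [
    {"agent": "support-bot", "action": "tool_call", "tool": "crm_lookup"},
    {"agent": "support-bot", "action": "tool_call", "tool": "send_email"},
    {"agent": "support-bot", "action": "output_blocked", "rule": "pii"},
]


def _tag(prev_tag, seq, event):
    """MAC over the previous tag, the sequence number and the canonical event."""
    body = json.dumps({"prev": prev_tag, "seq": seq, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()


def append(log, event):
    """Append an event, binding it to the tag of the entry before it."""
    prev = log[-1]["tag"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "event": event, "prev": prev,
                "tag": _tag(prev, seq, event)})


def verify(log, expected_head=None):
    """Return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        good = (entry["seq"] == i and entry["prev"] == prev and
                hmac.compare_digest(entry["tag"], _tag(prev, i, entry["event"])))
        if not good:
            return False, i
        prev = entry["tag"]
    # A truncated tail is still a valid chain; only a head tag kept
    # elsewhere (for example on WORM storage) reveals the missing entries.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None


def demo_log():
    log = []
    for ev in SAMPLE_EVENTS:
        append(log, dict(ev))  # copy so later edits do not touch the samples
    return log
```

Edits, deletions and reordering fail inside the chain check, while removal of the newest entries is only caught when `verify` is given a head tag recorded outside the log.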