AI coding app quick start

OpenClaw quick start

Put Guard in front of OpenClaw so risky tool calls and config changes are caught before launch.

Prerequisite

Install Guard

If you haven't installed Guard yet, run the install script first. This installs hol-guard via pipx and configures it for OpenClaw in one step.

Terminal

set -o pipefail; curl -fsSL https://hol.org/guard/install.sh | bash -s -- --harness openclaw --mode install --verify

Already have Guard installed? Skip to the harness command below. Full install guide.

Harness command

Attach to OpenClaw

Terminal

hol-guard install openclaw

Guard stays local by default — no account required to protect your first session. Connect Guard Cloud later to sync security records across your devices.

What Guard checks

  • ~/.openclaw/config.toml and project .openclaw/config.toml
  • MCP server entries, plugin declarations, and command surfaces
  • local tool paths and linked extension manifests

What install changes

  • Installs Guard in wrapper mode so you can protect OpenClaw without changing your existing setup.
  • Keeps a local security record for every approval and block so your team can reuse past decisions.
  • Guards against config mutations between sessions so silent drift stays visible.

Verification

Confirm the setup before your first protected session.

1

Run the setup command

Start with the Guard command matched to this AI coding app and its setup mode.

Command

hol-guard install openclaw
2

Run the next verification commands

Confirm Guard sees the expected config paths before your first protected session.

Command

hol-guard doctor openclaw
hol-guard run openclaw --dry-run
3

Check your first security record

After Guard records a local decision, open the receipt list to confirm what was scanned.

Command

hol-guard receipts

Safe demo & test protection

Use --dry-run for demos and CI. Guard scans and reports without blocking, so you can show what it catches without interrupting a live session.

Sync to Guard Cloud

Connect Guard Cloud to carry your security records, team memory, and approval history across every machine and teammate — no rebuilding approvals when you switch devices.

Review Guard Cloud plans →

Troubleshooting

Something not working?

  • Guard does not intercept launches

    Run hol-guard doctor openclaw and check that the wrapper path matches your installed binary.

  • No security record after the first run

    Check that ~/.hol-guard/ is writable. Guard writes every decision there by default.

  • Cloud sync not reflecting local decisions

    Run hol-guard sync --status to see if Guard Cloud can reach the server. Local protection keeps running even when sync is unavailable.

Approval surface

Guard local approval center (browser, localhost) via wrapper mode — opens when a new or changed tool call or config entry needs a decision.

Run command

hol-guard run openclaw

Uninstall / revert

Guard leaves no background services. Your approval history stays on disk in ~/.hol-guard/ unless you delete that folder.

Uninstall command

hol-guard uninstall openclaw

Current phase notes

  • OpenClaw's native tool approval surface is not replaced — Guard intercepts at the wrapper layer before OpenClaw receives the request.
  • Plugin and extension enumeration depends on OpenClaw version. Run `hol-guard doctor openclaw` to confirm what Guard resolved.