AI coding app quick start
OpenClaw quick start
Put Guard in front of OpenClaw so risky tool calls and config changes are caught before launch.
Prerequisite
Install Guard
If you haven't installed Guard yet, run the install script first. This installs hol-guard via pipx and configures it for OpenClaw in one step.
Terminal
set -o pipefail; curl -fsSL https://hol.org/guard/install.sh | bash -s -- --harness openclaw --mode install --verifyAlready have Guard installed? Skip to the harness command below. Full install guide.
Harness command
Attach to OpenClaw
Terminal
hol-guard install openclawGuard stays local by default — no account required to protect your first session. Connect Guard Cloud later to sync security records across your devices.
What Guard checks
- ~/.openclaw/config.toml and project .openclaw/config.toml
- MCP server entries, plugin declarations, and command surfaces
- local tool paths and linked extension manifests
What install changes
- Installs Guard in wrapper mode so you can protect OpenClaw without changing your existing setup.
- Keeps a local security record for every approval and block so your team can reuse past decisions.
- Guards against config mutations between sessions so silent drift stays visible.
Verification
Confirm the setup before your first protected session.
Run the setup command
Start with the Guard command matched to this AI coding app and its setup mode.
Command
hol-guard install openclawRun the next verification commands
Confirm Guard sees the expected config paths before your first protected session.
Command
hol-guard doctor openclaw
hol-guard run openclaw --dry-runCheck your first security record
After Guard records a local decision, open the receipt list to confirm what was scanned.
Command
hol-guard receiptsSafe demo & test protection
Use --dry-run for demos and CI. Guard scans and reports without blocking, so you can show what it catches without interrupting a live session.
Sync to Guard Cloud
Connect Guard Cloud to carry your security records, team memory, and approval history across every machine and teammate — no rebuilding approvals when you switch devices.
Review Guard Cloud plans →Troubleshooting
Something not working?
Guard does not intercept launches
Run
hol-guard doctor openclawand check that the wrapper path matches your installed binary.No security record after the first run
Check that
~/.hol-guard/is writable. Guard writes every decision there by default.Cloud sync not reflecting local decisions
Run
hol-guard sync --statusto see if Guard Cloud can reach the server. Local protection keeps running even when sync is unavailable.
Approval surface
Guard local approval center (browser, localhost) via wrapper mode — opens when a new or changed tool call or config entry needs a decision.
Run command
hol-guard run openclawUninstall / revert
Guard leaves no background services. Your approval history stays on disk in ~/.hol-guard/ unless you delete that folder.
Uninstall command
hol-guard uninstall openclawCurrent phase notes
- OpenClaw's native tool approval surface is not replaced — Guard intercepts at the wrapper layer before OpenClaw receives the request.
- Plugin and extension enumeration depends on OpenClaw version. Run `hol-guard doctor openclaw` to confirm what Guard resolved.