Guard
Home

Guard for OpenClaw

Protect OpenClaw before risky tools, plugins, and config drift reach your machine

OpenClaw is powerful because it can act. Guard keeps that power reviewable with wrapper-mode interception, plugin/MCP checks, local receipts, and visible config drift before launch.

Inspect local proofOpenClaw hardening guide
No account required for local protection. Create an account later when you want synced receipts, team policy, or shared history.

What Guard checks

A runtime safety layer shaped around this stack.

Wrapper mode lets you place Guard in front of OpenClaw without replacing the setup you already use.

Config drift visibility shows changed MCP endpoints, plugin declarations, and local tool paths before launch.

Plugin/MCP checks pause risky surfaces before OpenClaw receives the request.

Local receipts record approvals and blocks on your machine first.

Revert anytime with hol-guard uninstall openclaw.

Rollout path

Built for how this stack is actually run.

Start with the operator’s real workflow, prove local control, then move to the smallest useful protected run.

Operator fit

Self-hosted operators protecting chat-to-tool power

OpenClaw operators need a practical safeguard for plugins, MCP servers, channels, and config drift without turning their personal stack into a corporate compliance workflow.

Local proof

Show wrapper mode, receipts, and rollback before signup

Guard leads with no-account local protection, a receipt preview, doctor checks, and a revert path because control has to come before commitment.

First run

Copy the OpenClaw command, then inspect the first receipt

The CTA path moves from install to doctor to dry-run so the operator can prove Guard works inside their current OpenClaw setup.

Install path

Activation first, account later.

Copy the local command, verify the setup, then connect cloud only when shared history is useful.

01

Install wrapper mode

Attach Guard to OpenClaw without rewriting the rest of your workflow.

hol-guard install openclaw
02

Run doctor

Confirm Guard sees the wrapper path, plugins, MCP entries, and local config.

hol-guard doctor openclaw
03

Try a dry run

Inspect the approval path before the first protected session.

hol-guard run openclaw --dry-run

OpenClaw

hol-guard install openclaw

Data boundary

No account required for local protection.

Local first

  • Scans stay on your machine by default.
  • Receipts are written locally before any cloud sync exists.
  • OpenClaw protection works before sign-in.

Cloud later

  • Sync approvals across devices when you choose.
  • Share team policy later.
  • Keep longer shared history after local activation.

Operator proof

Proof for the moment OpenClaw moves from chat to action.

OpenClaw operators need to see what changed before a plugin, MCP server, or local tool path becomes part of the next run.

Risk moment

Plugin or MCP drift detected before launch

Local receipts first. Shared history later.

Receipt evidence

Decision before execution

review_required
Harness
openclaw
Boundary
local
Surface
mcp_config
Next step
inspect_receipt
Run doctor intent
01

Changed surface is named

Guard calls out the plugin, MCP endpoint, or config path that changed so the operator reviews the actual risk.

02

OpenClaw approvals stay intact

Guard sits before launch and keeps OpenClaw’s own approval model in the workflow instead of replacing it.

03

Rollback is part of trust

The same rollout path includes install, doctor, dry-run, receipt, and uninstall commands.

Pricing path

Start local. Add shared history later.

Local OpenClaw protection is free on one machine. Guard Cloud adds synced receipts, advisories, and team policy when you need them.

Create account later

FAQ

Direct answers for local-first rollout.