Control Layer for OpenClaw agents — protection in 2 minutes, 8 automatic rules, BYOM, blockchain proof.

OpenClaw Integration

Your agent runs 24/7. Do you know what it's doing right now?

agent-shield shows you everything your OpenClaw agent does, blocks dangerous actions before they execute and masks your personal data. One command. Zero configuration.

How It Works

OpenClaw Agent → Tool Call → agent-shield (MCP) → {{brand}} Gateway → Policy Check
                                                              ↓
                                                    ✅ ALLOW → Execute tool
                                                    ✏️ MODIFY → Execute with PII masked
                                                    🚫 BLOCK → Rejected with reason
                                                    ⏸️ APPROVAL → Waiting for approval

Every tool call produces a tamper-evident trace — searchable, filterable, optionally anchored on the Flare blockchain.

Quickstart (2 Minutes)

1. Install the package

npm install -g @{{brand_scope}}/agent-shield

2. Set API key and LLM key

export PALVERON_API_KEY="your-key"          # Dashboard → Settings → API Keys
export PALVERON_API_URL="your-api-url"      # Gateway address
export OPENAI_API_KEY="sk-..."              # Your own LLM key (BYOM)

3. Activate Shield

npx agent-shield init

Output:

✅ API Key validated (Project: "My Project")
✅ Shield activated: 8 protection rules
✅ Agent "MacBook-Pro" registered
✅ Blockchain: SHA-256 hash chain active

4. Restart Gateway

openclaw gateway restart

Done. 8 protection rules are active. Open the dashboard tomorrow morning.

BYOM: Bring Your Own Model

You already have an LLM API key. Our 2-pass system (regex + AI) uses your key for the AI analysis. Our LLM cost per user: effectively zero.

Tier	LLM Key	What happens
Community	Your own	Full 2-pass engine (regex + AI via your key)
Pro	Your own	+ Neural Custom Policies
Business	Your own	+ Team features
Enterprise	Your own OR Managed	Managed LLM as a premium option

8 Shield Rules (Automatically Enabled)

npx agent-shield init activates all 8 rules immediately. No YAML. No config files.

Rule	Detects	Action
Secret Exfiltration Shield	API keys, private keys, JWTs in output	BLOCK
Shell Injection Guard	curl\|bash, chmod 777, eval()	BLOCK
Destructive Actions Shield	rm -rf, DROP TABLE, git push --force	BLOCK
Package Install Watchdog	npm/pip/apt install from unknown sources	APPROVAL
Social Media Output Guard	PII + secrets in outgoing messages	ANONYMIZE
GDPR Privacy	Emails, phone numbers, IBANs, SSNs	ANONYMIZE
High-Speed Circuit Breaker	Agent loops (>100 req/min)	BLOCK
Fiscal Authority Limit	Transactions above a configurable threshold	APPROVAL

MCP Configuration

agent-shield registers itself automatically as an MCP server. If you'd like to adjust the configuration manually:

{
  "mcpServers": {
    "agent-shield": {
      "command": "npx",
      "args": ["-y", "agent-shield-mcp"],
      "env": {
        "PALVERON_API_URL": "your-api-url",
        "PALVERON_API_KEY": "your-key"
      }
    }
  }
}

MCP Tool

Tool	Description
`governance_check`	Check a tool call against governance policies before it executes. Returns ALLOW, BLOCK, MODIFY or APPROVAL.

The agent calls governance_check automatically before executing HIGH-RISK actions (shell, file deletes, package installs, sending messages).

CLI Commands

npx agent-shield init       # Set up shield + register agent
npx agent-shield status     # 24h statistics + active rules
npx agent-shield test       # Run test governance checks
npx agent-shield help       # Show help

Environment Variables

Variable	Description
`PALVERON_API_KEY`	Your project API key (required)
`PALVERON_API_URL`	Gateway URL (required)
`OPENAI_API_KEY`	Your LLM key for BYOM 2-pass analysis
`AGENT_SHIELD_API_KEY`	Alternative name for the API key
`AGENT_SHIELD_API_URL`	Alternative name for the API URL

Risk Classification

Risk	Example Tools	Behavior
HIGH	exec, shell, delete_file, git_push, install_package	Always governance_check
MEDIUM	read_file, write_file, memory_write, navigate	governance_check (fail-open)
LOW	list_directory, search	Trace only, no check

Blockchain Proof

Set up a Flare wallet in the dashboard for cryptographic on-chain proof of every governance decision:

Tier	Wallet Mode	Gas Fees
Community	Own wallet (CUSTOMER_OWNED)	You pay (minimal per-transaction cost)
Pro/Business	Managed OR own	We pay (Managed)
Enterprise	Managed OR own	Included

Without a wallet: a local SHA-256 hash chain provides tamper-evident integrity.

Viewing Traces

Every governance check produces a trace in the dashboard:

Filter by framework: openclaw for all OpenClaw checks
Filter by tool name (e.g. toolName: exec)
Timeline view: every tool call, every minute, searchable
Inspect PII findings, policy matches and blockchain status
Export as CSV or include in EU AI Act Evidence Packages

On-Premise

{
  "mcpServers": {
    "agent-shield": {
      "command": "npx",
      "args": ["-y", "agent-shield-mcp"],
      "env": {
        "PALVERON_API_URL": "https://gateway.internal.yourcompany.com:8080",
        "PALVERON_API_KEY": "your-key"
      }
    }
  }
}

Next Steps

Create your own policies for your team's workflow
Set up approval workflows for high-risk operations
Configure blockchain attestation for regulated environments
Compliance Hub for EU AI Act, DORA and other frameworks

OpenClaw Integration

On this page