reins
Health Pass
- License — License: Apache-2.0
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 384 GitHub stars
Code Warn
- process.env — Environment variable access in scripts/demo-destructive.ts
- fs module — File system access in scripts/mock-watchtower.js
Permissions Pass
- Permissions — No dangerous permissions requested
This tool provides runtime security, scanning, and continuous monitoring specifically designed for OpenClaw AI agents. It acts as a watchdog layer to find, fix, and block high-risk configurations and destructive actions.
Security Assessment
Overall risk: Medium. The package acts as a security scanner that naturally interacts with system configurations, shell command allowlists, and file permissions. It also connects to an external Watchtower service for continuous drift monitoring, which involves network requests. The codebase contains environment variable access and file system operations, though these are isolated within demo and mock scripts rather than the core tool. There are no hardcoded secrets and no overly broad permissions requested by the MCP server itself. However, the auto-fix feature (`scan --fix`) modifies local files, and the continuous monitor feature sends data to external servers, requiring a degree of trust.
Quality Assessment
Overall quality: Good. The repository is very actively maintained (last updated today) and has generated solid community trust with 384 GitHub stars. It uses the permissive Apache-2.0 license and includes a clear description. The comprehensive documentation outlines 13 specific security checks, demonstrating a well-thought-out utility.
Verdict
Use with caution: the tool itself is a highly regarded security asset, but its auto-remediation capabilities and external monitoring features require you to review exactly what local data it accesses and transmits.
Runtime security for OpenClaw agents. Scan, fix, monitor.
OpenClaw is powerful. That's the problem. ClawReins is the watchdog layer.
Quick Start
npm i -g clawreins
clawreins scan
13 security checks in 30 seconds. That's it.
What it does
- Scan — finds security issues in your OpenClaw config (`clawreins scan`)
- Fix — auto-remediates what it can (`clawreins scan --fix`)
- Monitor — connects to Watchtower for continuous drift detection
- Intercept — blocks destructive agent actions before they execute
- Approve — human-in-the-loop approval for high-risk operations
OpenClaw cannot be its own watchdog. Neither can any CUA.
In The News
- TechCrunch (February 23, 2026): A Meta AI security researcher said an OpenClaw agent ran amok on her inbox
Security Scan

clawreins scan # 13-check security audit
clawreins scan --fix # Auto-fix with backup
clawreins scan --json # Machine-readable for CI
clawreins scan --monitor # Compare against baseline, alert on drift
Security Checks
| Check | Severity | Detects | Auto-fix |
|---|---|---|---|
| GATEWAY_BINDING | Critical | Gateway listening on 0.0.0.0 or missing localhost binding | Yes |
| API_KEYS_EXPOSURE | Critical | Plaintext API keys, tokens, or secrets in config files | No |
| FILE_PERMISSIONS | Critical | Config files readable by group or other users | Yes |
| HTTPS_TLS | Warning | Missing HTTPS/TLS configuration | No |
| SHELL_COMMAND_ALLOWLIST | Critical | Missing shell allowlist or unrestricted shell execution | Yes |
| SENSITIVE_DIRECTORIES | Warning | Agent can access ~/.ssh, ~/.gnupg, ~/.aws, /etc/shadow | No |
| WEBHOOK_AUTH | Warning | Webhook endpoints without auth tokens | No |
| SANDBOX_ISOLATION | Warning | No Docker or sandbox isolation detected | No |
| DEFAULT_WEAK_CREDENTIALS | Critical | Default, weak, or missing gateway credentials | No |
| RATE_LIMITING | Warning | No gateway throttling or rate limit configured | No |
| NODEJS_VERSION | Critical | Node.js affected by CVE-2026-21636 permission bypass | No |
| CONTROL_UI_AUTH | Critical | Control UI authentication bypass enabled | Yes |
| BROWSER_UNSANDBOXED | Critical | Browser skill missing headless or sandbox protection | No |
Exit codes: 0 = SECURE, 1 = NEEDS ATTENTION, 2 = EXPOSED
Runtime Interception
ClawReins hooks into OpenClaw's before_tool_call event. Before any dangerous action executes, the agent pauses and waits for your decision.
Agent calls tool: bash('rm -rf /tmp/data')
→ ClawReins intercepts
→ Policy check: bash = ASK
→ Terminal prompt: Approve / Reject
→ You reject → action blocked
→ Decision logged to audit trail
Three policy types:
| Policy | Behavior |
|---|---|
| ALLOW | Execute immediately (e.g., file reads) |
| ASK | Prompt for human approval (e.g., file writes, shell commands) |
| DENY | Block automatically (e.g., file deletes) |
Policies are stored as plain JSON at ~/.openclaw/clawreins/policy.json.
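The interception flow and the three policy types above, as an added sketch (not ClawReins's own code). The policy shape, the `defaultAction` key, and the function names are assumptions, since the page does not show the real `policy.json` schema; a synchronous callback stands in for the terminal prompt.

```javascript
// Constructed sample policy. The shape (defaultAction, tools) is hypothetical:
// the page does not show the real policy.json schema.
const SAMPLE_POLICY = {
  defaultAction: "ASK",
  tools: { read_file: "ALLOW", write_file: "ASK", bash: "ASK", delete_file: "DENY" },
};
const ACTIONS = new Set(["ALLOW", "ASK", "DENY"]);

// Resolve the action for a tool name. Unknown tools use defaultAction;
// a missing policy or an unrecognised value fails closed to DENY.
function resolveAction(policy, toolName) {
  const tools = policy && policy.tools;
  const hasEntry = tools && Object.prototype.hasOwnProperty.call(tools, toolName);
  const configured = hasEntry ? tools[toolName] : policy && policy.defaultAction;
  return ACTIONS.has(configured) ? configured : "DENY";
}

// Stand-in for a before_tool_call handler. `approver` replaces the terminal
// prompt (synchronous here); only an explicit `true` approves.
function beforeToolCall(call, policy, approver, auditLog) {
  const action = resolveAction(policy, call.tool);
  let allowed = action === "ALLOW";
  let reason = "policy";
  if (action === "ASK") {
    try {
      allowed = typeof approver === "function" && approver(call) === true;
    } catch {
      allowed = false; // a crashing prompt must not let the call through
    }
    reason = allowed ? "human-approved" : "human-rejected";
  }
  // Every decision is recorded, including automatic ALLOW and DENY.
  auditLog.push({ tool: call.tool, args: call.args, action, allowed, reason });
  return { allowed, action, reason };
}

// Replays the page's example call alongside an ALLOW and a DENY case.
function demo() {
  const audit = [];
  const reject = () => false;
  const results = [
    beforeToolCall({ tool: "read_file", args: ["notes.txt"] }, SAMPLE_POLICY, reject, audit),
    beforeToolCall({ tool: "bash", args: ["rm -rf /tmp/data"] }, SAMPLE_POLICY, reject, audit),
    beforeToolCall({ tool: "delete_file", args: ["/tmp/data"] }, SAMPLE_POLICY, () => true, audit),
  ];
  return { results, audit };
}
```

The third call shows that DENY is decided before the approver is consulted, so an approving human cannot override it.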
Watchtower Dashboard
Connect to Watchtower for free cloud monitoring:
clawreins scan
# Say Y when prompted → enter email → dashboard loads at app.pegasi.ai
Watchtower gives you:
- Security score timeline and drift alerts
- Scan history across all your agents
- MCP Control Panel (tool allow/block policies)
- Org-wide shell policy enforcement (auto-deny `rm -rf`, `DROP TABLE`, `curl | bash`)
- Full audit log of every agent decision
OWASP Agentic Skills Top 10
ClawReins maps to 6 of the 10 OWASP AST risks:
| OWASP Risk | Description | ClawReins Coverage |
|---|---|---|
| AST01 — Skill Injection | Malicious instructions in skill files | CONTROL_UI_AUTH, WEBHOOK_AUTH |
| AST03 — Excessive Permissions | Over-privileged agent access | SHELL_COMMAND_ALLOWLIST, SENSITIVE_DIRECTORIES, FILE_PERMISSIONS |
| AST06 — Supply Chain | Vulnerable dependencies and registries | NODEJS_VERSION (CVE detection) |
| AST07 — Sandbox Escape | Agent breaking out of isolation | SANDBOX_ISOLATION, BROWSER_UNSANDBOXED |
| AST08 — Network Exposure | Unprotected network interfaces | GATEWAY_BINDING, HTTPS_TLS, RATE_LIMITING |
| AST09 — Secrets Exposure | Leaked credentials and tokens | API_KEYS_EXPOSURE, DEFAULT_WEAK_CREDENTIALS |
Remaining risks (AST02, AST04, AST05, AST10) are on the roadmap. Learn more: OWASP Agentic Skills Top 10
Why ClawReins?
| | ClawReins | ClawSec | DefenseClaw |
|---|---|---|---|
| Architecture | External to agent (can't be prompt-injected) | Runs inside agent (can be compromised) | External, multi-runtime |
| Install | `npm i -g clawreins` | Skill install | 3 runtimes + Go daemon |
| Hosted dashboard | Yes (Watchtower) | No | No (Splunk only) |
| HITL approvals | Yes | No | No |
| Target user | Developers + small teams | OpenClaw users | Enterprise SOC teams |
CLI Commands
clawreins init # Interactive setup wizard
clawreins scan # 13-check security audit
clawreins scan --fix # Auto-fix with backup
clawreins scan --json # Machine-readable output for CI
clawreins scan --monitor # Drift detection against baseline
clawreins policy # Manage security policies
clawreins audit # View decision history
clawreins stats # View statistics
clawreins enable / disable # Toggle protection
Roadmap
Shipped
- 13-point security scan with auto-fix
- Watchtower dashboard (security score, drift detection, analytics)
- MCP Control Panel (tool allow/block, resource access, audit log)
- Org-wide shell policy (auto-deny dangerous commands)
- HITL approval flow (approve/deny agent actions)
- Magic link auth + CLI signup
Next
- `clawreins inventory` — discover all MCP servers, skills, and tools
- `clawreins audit` — local agent action log
- OWASP AST05 — SOUL.md / MEMORY.md integrity checks
- OWASP AST02 — trust prompt configuration validation
- Skill scanning on install (ClawHavoc IOC detection)
- Claude Agent SDK hook (`@clawreins/guard`)
Later
- Gmail, Slack, GitHub MCP policy templates
- Runtime supply chain monitoring (OWASP AST04)
- Behavioral anomaly detection (OWASP AST10)
- On-prem deployment option
- SOC 2 / ISO 27001 audit export
Contributing
We believe in safe AI. PRs welcome!
- Fork the repo
- Create your feature branch: `git checkout -b feature/amazing`
- Commit changes: `git commit -m 'Add amazing feature'`
- Push: `git push origin feature/amazing`
- Open a Pull Request
See CONTRIBUTING.md for details.
License
Apache 2.0 — see LICENSE for details.
Links
- Watchtower Dashboard
- Blog: Browser Agents Complete the Lethal Trifecta
- Blog: Dark Agents Are Already Here
- OWASP Agentic Skills Top 10
Built by Pegasi — runtime security for AI agents.