Lock it down. Let it work.

3 min read Original article ↗

ClawLock logo

ClawLockThe control plane for OpenClaw

OpenClaw is an AI agent that can browse real web sites, log into real accounts, fill real forms, and complete real transactions. However, without a control plane, there isn't far from “compare prices” to “checkout without you knowing”. OpenClaw can:

  • move from research to checkout without you knowing.
  • leak cards and passwords into model context and logs.
  • execute shell commands with your credentials on the line.

ClawLock is the control plane for OpenClaw. It lets the agent browse, compare, and recommend — but blocks checkout, payments, and credentials until you approve in a separate, secure channel.

Agent: "Found a Mac Mini M4 for $100 on eBay.
Checking out now."

ClawLock: BLOCKED
"Checkout requires your approval."

eBay

$100.00

Visa ending in 4242

Action: checkout

Agent: Done. Visa ending in 4242 charged $100.00.

Quick start

Install ClawLock. Set your PIN. Let OpenClaw do its work.

openclaw plugins install @andersjw/clawlock
openclaw gateway restart

sudo tailscale set --operator=$USER
tailscale serve --bg --http 18789 http://127.0.0.1:18789

ClawLock uses Tailscale to expose the approval UI securely to your phone. Once configured, open http://localhost:18789/passport/, go to Vault, and set your PIN.

Enable browser automation

Let ClawLock drive the browser when you want it to.

Browser automation is off by default. Turn it on if you want the agent to browse real sites, log in with stored credentials, fill checkout forms, and complete purchases — all gated by ClawLock policies.

# One-time: install headless Chromium
npx playwright install chromium

# Enable browser in ClawLock config
openclaw config set plugins.entries.clawlock.config.enableBrowser true
openclaw gateway restart

After this, ClawLock automatically launches headless Chromium / Chrome with CDP, configures the gateway, and manages the browser lifecycle. Without it, the agent can recommend actions but cannot interact with websites directly.

What it does

Control the actions that matter.

Blocks checkout until you approve

ClawLock stops the agent at checkout until you approve it on your phone.

Keeps secrets out of the model

Card details and passwords are injected into the browser via CDP. The model never needs to see the raw secret.

Separates browsing from buying

Browsing, search, compare, and add-to-cart can be allowed. Checkout, shell access, messaging, and unknown domains can be blocked outright.

Leaves a receipt trail

Every approval and action is logged with the rule that matched, the time, and the evidence.

Optional process isolation

Run ClawLock with full process isolation so OpenClaw cannot kill or obstruct what ClawLock does. Currently tested on Linux only and may not work on other operating systems.

01

Create a passport

Define what the agent can browse, what it can do automatically, and what must stop for approval.

02

Intercept the action

When the agent reaches checkout or another sensitive step, policy evaluates the action and blocks it.

03

Approve on your phone

You get an approval link, review the merchant, amount, and card, then enter your PIN.

04

Complete without leaking

Payment and credentials are injected directly into the browser. Sensitive values never need to enter the model context.

Open source

Read the code. Install the plugin. Ship it yourself.

ClawLock is free, open source, and designed to run with your own OpenClaw setup.

Security notice

Defense in depth. Not a guarantee.

ClawLock is a defense-in-depth layer, not a security guarantee. It reduces risk by keeping sensitive data out of model context and gating consequential actions on human approval, but it does not eliminate the possibility of prompt injection, infrastructure compromise, malicious skills, token theft, or operator error.

  • This software is provided as-is under the MIT license, without warranty of any kind.
  • No security tool can fully prevent a sufficiently sophisticated prompt injection attack.
  • The encrypted vault is only as strong as your PIN and the security of the host machine.
  • You are responsible for reviewing approval requests carefully before allowing an action to proceed.

ClawLock may reduce risk. It does not eliminate it.