1. Set up ClawLock
Start by installing the plugin, setting your vault PIN, and connecting the approval flow to your phone. If you want the agent to interact with real websites, you can then turn on browser automation.
- Install ClawLock into OpenClaw in a single plugin step.
- Set your vault PIN before any sensitive action can be approved.
- Use Tailscale to expose the approval UI securely to your phone.
- Optionally enable browser automation if you want the agent to log in, fill forms, and work through real sites.
2. Decide what the agent is allowed to do
ClawLock gives you a policy layer between “helpful” and “dangerous”. You decide what the agent can browse freely, what should pause for approval, and what should be denied outright.
- Create a passport that defines what the agent is allowed to do.
- Separate low-risk browsing from high-risk actions like checkout, shell commands, or messaging.
- Apply allow / ask / deny controls to the actions that matter.
- Keep the agent inside the scope you intended instead of letting it improvise its own job description.
3. Let the agent browse, compare, and prepare
Once policy is in place, the agent can do the useful work. It can browse websites, compare options, prepare a cart, or reach the point where a human decision is needed.
- Browse real sites and gather options for you.
- Compare products, prices, and sellers before any money moves.
- Prepare carts and workflows without silently completing the final step.
- Work through sites in a way that still respects the control boundary you set.
4. Keep credentials and payments under control
Sensitive values are handled differently from normal model context. That is the entire point. Cards and passwords should not be sprayed through prompts, logs, or session history if there is any better way to do it.
- Store credentials and payment details in an encrypted vault.
- Inject secrets into the browser flow without handing raw values to the model where possible.
- Keep the agent useful while reducing the chance that secrets leak into model context or transcripts.
- Treat checkout and login as controlled operations, not casual side effects of browsing.
5. Approve or block sensitive actions on your phone
When the agent reaches a consequential action, ClawLock stops it. You get a separate approval flow with the details that matter: merchant, amount, card, and action.
- Checkout is blocked until you explicitly approve it.
- Approvals are delivered through a separate channel to your phone.
- You review the details and enter your PIN before the action is released.
- If you deny it, the agent stops there. No quiet purchases. No “helpful” surprises.
6. See what happened afterwards
ClawLock keeps an audit trail so you can understand what happened after the fact. That matters for debugging, trust, and not going insane when an agent does something expensive.
- Record approvals and completed actions.
- Keep receipts for what was allowed, blocked, or escalated.
- Trace actions back to the rule or approval that allowed them.
- Review outcomes after the fact instead of relying on memory or vibes.
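A sketch of the allow / ask / deny evaluation from step 2 combined with the rule-traceable receipts from step 6, as an added example and not ClawLock's own code. The passport layout, the rule ids, the `approver` callback (standing in for the phone approval with PIN) and the `.example` hosts are all assumptions.

```python
from fnmatch import fnmatchcase

# Hypothetical passport: ordered rules, first match wins. Layout and ids are
# assumptions for illustration, not ClawLock's real policy format.
PASSPORT = [
    {"id": "browse-anywhere", "action": "browse", "target": "*", "decision": "allow"},
    {"id": "checkout-needs-approval", "action": "checkout", "target": "*.example", "decision": "ask"},
    {"id": "no-shell", "action": "shell", "target": "*", "decision": "deny"},
]

def decide(action, target, passport=PASSPORT):
    """Return (decision, rule_id); anything no rule covers is denied."""
    for rule in passport:
        if rule["action"] == action and fnmatchcase(target, rule["target"]):
            return rule["decision"], rule["id"]
    return "deny", "default-deny"

def run(action, target, approver, audit, passport=PASSPORT):
    """Gate one action, append a receipt to audit, return True if released."""
    decision, rule_id = decide(action, target, passport)
    approved = None  # stays None unless the rule asked for approval
    if decision == "ask":
        try:
            approved = approver(action, target) is True
        except Exception:
            approved = False  # approval channel failed: fail closed
    released = decision == "allow" or approved is True
    audit.append({"action": action, "target": target, "decision": decision,
                  "rule": rule_id, "approved": approved,
                  "outcome": "released" if released else "blocked"})
    return released

if __name__ == "__main__":
    log = []  # constructed sample run
    run("browse", "news.example", lambda a, t: False, log)
    run("checkout", "shop.example", lambda a, t: True, log)
    run("checkout", "shop.example", lambda a, t: False, log)
    run("message", "chat.example", lambda a, t: True, log)
    for receipt in log:
        print(receipt)
```

Each receipt names the rule that produced the outcome, so a blocked or released action can be traced to either a passport rule or the default deny.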
7. Harden the runtime if you need to
For operators who want a stricter boundary, ClawLock also supports optional process isolation. This is an advanced hardening mode, not something every user needs on day one.
- Run ClawLock with process isolation so OpenClaw cannot kill or obstruct what ClawLock does.
- Use it when you want a stronger separation between the control layer and the agent runtime.
- Treat it as an advanced deployment option, not a mandatory prerequisite.
- Currently tested on Linux only and may not work on other operating systems.