Clawmont

Security for autonomous AI agents.

Clawmont is the security layer for AI agents — four security pillars that inspect every prompt, guard every tool call, and check every result before the model acts on it. It runs in-process on your own machine, not ours — your keys, prompts, and logs never leave your computer.

The problem

An autonomous agent has access to everything.

The moment an agent can read your files, call your APIs, and run commands on your behalf, each of those powers becomes a way in. Every tool you wire up is a path an attacker can try to walk.

Prompt injection

Someone hides instructions in a PR comment, a fetched web page, or a file. Your agent reads them and follows — without telling you.

Credential leaks

An agent that can read your code can also read ~/.aws/credentials. A single "paste these keys here" request is enough.

Unauthorized tool calls

rm -rf. curl | bash. DROP TABLE. Without a guardrail, every tool your agent has is a destructive command away.

How Clawmont guards you

Four security pillars, one for every gap.

Clawmont is an in-process plugin that inspects every prompt, every tool call, and every file read before the model acts on it. Four security pillars — input rail, tool dispatch, tool response, model output — each one independently bypass-tested against the OWASP LLM Top 10 and a 2,300-scenario red-team corpus.

01

Keys stay on your machine

Provider API keys are validated on-device. Never proxied. Never logged. Never shipped to a Clawmont server — not even for health checks.

02

Four security pillars

Input rail, tool dispatch, tool response, and model output — each one bypass-tested against the OWASP LLM Top 10 and a 2,300-scenario red-team corpus.

03

Tamper-evident audit

Every prompt, tool call, refusal, and redaction is hash-chained to disk. Any edit breaks the chain and Clawmont flags it on the next boot.
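As an added example (not Clawmont's own code; the record layout, the genesis value and the function names are assumed), here is the hash-chaining idea in miniature: each entry commits to the previous entry's hash, so a verifier replaying the file from its first line detects any edit, deletion or reordering:

```python
# Added example, not Clawmont's code: a minimal hash-chained audit log of the
# kind the "Tamper-evident audit" pillar describes. Each entry's hash covers
# its own content plus the previous entry's hash, so editing, deleting or
# reordering any line invalidates every hash after it. Field names are assumed.
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry's "prev" field


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so identical records always
    # produce identical hashes regardless of dict insertion order.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_entry(log: list, kind: str, detail: str) -> dict:
    """Append one audit record (prompt, tool call, refusal, redaction, ...)."""
    prev = log[-1]["hash"] if log else GENESIS
    record = {"seq": len(log), "kind": kind, "detail": detail, "prev": prev}
    record["hash"] = _entry_hash(prev, record)  # hash covers everything above
    log.append(record)
    return record


def verify_chain(log: list):
    """Replay from GENESIS; return (True, None) or (False, first_bad_seq)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec.get("prev") != prev or rec.get("seq") != i:
            return False, i  # deleted, reordered or spliced-in entry
        if _entry_hash(prev, body) != rec.get("hash"):
            return False, i  # content edited after the fact
        prev = rec["hash"]
    return True, None


def to_jsonl(log: list) -> str:
    """One JSON object per line, the shape such a log would take on disk."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in log)


def from_jsonl(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo():
    # Constructed sample records; then an after-the-fact edit of entry 1
    # (hiding that a credential read was attempted) breaks the chain there.
    log = []
    append_entry(log, "prompt", "user: summarise the open pull request")
    append_entry(log, "tool_call", "read_file ~/.aws/credentials")
    append_entry(log, "refusal", "tool_dispatch blocked credential read")
    tampered = from_jsonl(to_jsonl(log))
    tampered[1]["detail"] = "read_file README.md"
    return verify_chain(tampered)  # (False, 1)
```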

See it in action

Someone tries something nasty. Clawmont is built to catch it.

Pick an attack below. Watch the plugin catch these known patterns — locally, before they ever reach the model.

Try it live

Run a known attack pattern. See which pillar catches it.

Detection runs on our backend — paste any prompt, tool call, or path and the playground returns the same verdict that ships in production.

Clawmont inspects the payload and writes a hash-chained audit entry before the tool call reaches the model.


Presets auto-load. Free-text mode lets you paste any prompt, tool call, or file path you want to try.


Four security pillars — input rail, tool dispatch, tool response, model output — each independently bypass-tested against the OWASP LLM Top 10 and a 2,300-scenario red-team corpus. Methodology at security.clawmont.com.

Want the deep, developer-grade version with every pillar broken out? Open the full playground →

No security tool catches everything — read our honest limitations in the Security Disclaimer.

Who needs this most

If this is you, an unguarded agent is a liability.

The teams that get burned usually aren't careless — they just never tested for the attack that hit them. Three setups where the risk is real:

Coding agents

Your agent reads your repo and runs commands

By far the most common way people run agents — and the one with the most to lose. A poisoned dependency, a booby-trapped README, a stray PR comment, or a page it fetches can smuggle in instructions you never see: grab the API keys sitting in your home directory, push them somewhere, or run a destructive command. Clawmont inspects every prompt, tool call, and result in real time, so a coding agent with real power stops being a blind spot.

Connected to your tools

Your agent acts through your email, Slack, and files

Wire an agent into Gmail, Slack, Notion, or your filesystem through MCP and everything it reads becomes a possible instruction — one email with hidden text can make it forward data or delete files on your behalf. Clawmont treats every inbound message, document, and tool result as untrusted and checks it before your agent acts.

Agents others can reach

Someone other than you can message it

A Slack or Discord bot, a customer-facing assistant, an automation left running overnight — the moment input can come from anyone but you, you have real users and real attackers. Clawmont is built to catch the attack families most teams never think to test for — prompt injection, secret extraction, tool hijacking — so a clever message is less likely to become an incident report.

And it runs on OpenClaw

The secure platform underneath.

Clawmont protects agents running on OpenClaw — the local-first platform for running AI agents on the computer in front of you. Any model, any tool, every byte staying on your machine.

Automate the tedious stuff

Let an agent sort your inbox, draft replies, close tickets, spin up pull requests. Daily chores, off your plate.

Use any AI model

GPT-5, Claude, Gemini, Llama, Gemma, or a model you fine-tuned yourself. OpenClaw runs them side by side — switch at any time.

Connect to your tools

Slack, Discord, Telegram, Gmail, Notion, your filesystem. Plug them in through MCP. Your agent uses them like a teammate would.

Runs on your machine

Chat history, credentials, files, audit logs — all local. No vendor sees your prompts. No cloud subscription hiding behind "cloud-first" marketing.

Choose a persona to get started — Developer, Trader, SRE, or Researcher — each with curated MCP tools and security rules tuned to your role.

Works with Claude, GPT-5, Gemini, Llama, Gemma, and any LLM via OpenRouter (DeepSeek, Mistral, Qwen, and more).

Premium add-on

Send every refusal to your team.

Add Guardrails Monitoring at checkout — $9.99/mo bundled with any persona or Apex purchase. HMAC-signed end-to-end — the plugin keeps running locally, with every local security feature intact, even if you cancel.

Introductory rate for the first 6 months, then $19.99/mo.

Just want the monitoring, no persona? Get Guardrails Standalone — $19.99/mo →

Pricing

Pay once. Keys stay yours.

One-time license — set up your persona, MCP servers, and skills once. No subscription on the plugin itself.

Single persona

$30 one-time

Pick one of four personas — Developer, Trader, SRE, or Researcher.

  • A role-tuned AI persona — model routing, system prompt, and sensible defaults configured for you
  • Curated MCP servers + a skills bundle, locked to your role
  • Your provider keys stay on your machine — entered in your terminal, never on our servers
  • Upgrade to Apex later for $10 — no re-tier
Add Guardrails Monitoring +$9.99/mo
  • Real-time alerts to Slack, Discord, Telegram, or email
  • Searchable 90-day alert history (we host it for you)
  • Daily security digest

Bundled rate · Added during checkout · Cancel anytime

Introductory rate for the first 6 months, then $19.99/mo.

Pay now, choose your persona in onboarding. Upgrade to Apex later for $10.

Get started in three minutes.

Pick a persona, click the email link, paste one install command. After that, Clawmont guards every prompt, tool call, and result flowing through your OpenClaw gateway — automatically, from your very first message.