Claude Skill
clawshell/clawshell
Clawshell is a Rust-based runtime security layer for OpenClaw/Hermes-agent, protecting PII and sensitive credentials from accidental exposure in AI agent workflows.
Overview
Repository
Install this Skill
npm install -g @clawshell/clawshellRegistry
Summary
Clawshell is a runtime security layer designed for OpenClaw/Hermes-agent, providing essential protection for personally identifiable information (PII) and sensitive credentials. Built in Rust, it acts as a safety harness to prevent accidental exposure of secrets during AI agent operations.
OpenClaw/Hermes-agent 的运行时安全层,是保护个人身份信息(PII)及敏感凭证的关键安全防护装置。
Key features
- Runtime PII & credential protection
- Safety harness for AI agent workflows
- Built with Rust for performance and reliability
- Seamless integration with Hermes-agent
- Prevents accidental secret exposure
Use cases
- Securing AI agent interactions with sensitive data
- Protecting credentials in automated workflows
- Runtime monitoring for PII leaks
- Enhancing security in OpenClaw deployments
- Safeguarding secrets in multi-agent systems
README excerpt
# ClawShell 🛡️  > **Powered by Runta. The essential safety harness for OpenClaw/Hermes Agent's PII & Sensitive Credentials.** [](LICENSE) [](https://github.com/clawshell/clawshell/actions) [](https://www.npmjs.com/package/@clawshell/clawshell) [](https://crates.io/crates/clawshell) ## 📖 Introduction **ClawShell** is a security-privileged process for the **OpenClaw/Hermes Agent** ecosystem. It sits between OpenClaw/Hermes Agent and upstream LLM API providers (OpenAI, Anthropic, OpenRouter), performing virtual-to-real API key mapping and DLP (Data Loss Prevention) scanning on request and response bodies. It can also expose an Email read endpoint with sender allowlist/denylist filtering. OpenClaw/Hermes Agent never holds real API keys, only virtual keys that ClawShell swaps for real ones before forwarding requests upstream. Real keys are stored in a privileged config directory (`/etc/clawshell`) protected by Unix file system permissions. ## Key Features ### 1. API Token Secure Binding ClawShell maps virtual API keys to real provider keys so that OpenClaw/Hermes Agent never has direct access to real credentials. - **Key Isolation**: Real API keys are stored in `/etc/clawshell/clawshell.toml`, readable only by the `clawshell` system user. OpenClaw/Hermes Agent holds only virtual keys. - **Multi-Provider Support**: Maps keys to OpenAI or Anthropic, injecting the correct authentication header format (`Authorizati