Claude Skill

clawshell/clawshell

Clawshell is a Rust-based runtime security layer for OpenClaw/Hermes-agent, protecting PII and sensitive credentials from accidental exposure in AI agent workflows.

Overview

Stars298
Forks23
LanguageRust
Last pushed2026-05-30
Last synced2026-07-03
View on GitHub

Repository

Ownerclawshell
Repositoryclawshell
Full nameclawshell/clawshell
Repo ID1,157,400,044

Install this Skill

npm install -g @clawshell/clawshell

Registry

Typeopenclaw_skill
Quality score85/100
Verificationreadme_parsed
Last verified2026-06-16
Platforms
ClaudeOpenClawCodex
Capabilities
browsermemorysearchimageterminalworkflowaicredentialsharnesshermes
Detected files
README.mddocstests
Config keys
URLCLAWSHELL_API_KEY

Summary

Clawshell is a runtime security layer designed for OpenClaw/Hermes-agent, providing essential protection for personally identifiable information (PII) and sensitive credentials. Built in Rust, it acts as a safety harness to prevent accidental exposure of secrets during AI agent operations.

Chinese description

OpenClaw/Hermes-agent 的运行时安全层,是保护个人身份信息(PII)及敏感凭证的关键安全防护装置。

Key features

  • Runtime PII & credential protection
  • Safety harness for AI agent workflows
  • Built with Rust for performance and reliability
  • Seamless integration with Hermes-agent
  • Prevents accidental secret exposure

Use cases

  • Securing AI agent interactions with sensitive data
  • Protecting credentials in automated workflows
  • Runtime monitoring for PII leaks
  • Enhancing security in OpenClaw deployments
  • Safeguarding secrets in multi-agent systems

README excerpt

# ClawShell 🛡️ ![ClawShell Banner](docs/images/banner.png) > **Powered by Runta. The essential safety harness for OpenClaw/Hermes Agent's PII & Sensitive Credentials.** [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE) [![GitHub Actions Workflow Status](https://img.shields.io/github/actions/workflow/status/clawshell/clawshell/rust.yml)](https://github.com/clawshell/clawshell/actions) [![NPM Version](https://img.shields.io/npm/v/%40clawshell%2Fclawshell)](https://www.npmjs.com/package/@clawshell/clawshell) [![Crates.io Version](https://img.shields.io/crates/v/clawshell)](https://crates.io/crates/clawshell) ## 📖 Introduction **ClawShell** is a security-privileged process for the **OpenClaw/Hermes Agent** ecosystem. It sits between OpenClaw/Hermes Agent and upstream LLM API providers (OpenAI, Anthropic, OpenRouter), performing virtual-to-real API key mapping and DLP (Data Loss Prevention) scanning on request and response bodies. It can also expose an Email read endpoint with sender allowlist/denylist filtering. OpenClaw/Hermes Agent never holds real API keys, only virtual keys that ClawShell swaps for real ones before forwarding requests upstream. Real keys are stored in a privileged config directory (`/etc/clawshell`) protected by Unix file system permissions. ## Key Features ### 1. API Token Secure Binding ClawShell maps virtual API keys to real provider keys so that OpenClaw/Hermes Agent never has direct access to real credentials. - **Key Isolation**: Real API keys are stored in `/etc/clawshell/clawshell.toml`, readable only by the `clawshell` system user. OpenClaw/Hermes Agent holds only virtual keys. - **Multi-Provider Support**: Maps keys to OpenAI or Anthropic, injecting the correct authentication header format (`Authorizati

Topics

Explore more

Data from GitHub. Synced on 2026-07-03