Quick Start
Get OpenClaw Shield protecting your bot in 5 minutes.
Prerequisites
Before you begin, make sure you have:
- ✅ OpenClaw v2026.1.0 or newer installed
- ✅ Node.js 18+ and npm 8+
- ✅ A working OpenClaw bot (WhatsApp, Telegram, Discord, etc.)
Visit openclaw.org to get started with OpenClaw first.
Step 1: Get Your Bot Token
Shield can work standalone OR with the SecureCheck backend for centralized monitoring.
Option A: Standalone (No Backend)
Skip to Step 2 - you don't need a token! Shield will work with local rules only.
Option B: With Backend (Recommended)
- Visit dashboard.securecheck.io
- Sign up or log in
- Click "Create Bot"
- Copy your bot token (starts with sct_...)
Benefits of the backend:
- Centralized alerts across all bots
- Community threat intelligence
- Auto-updating rules
- Analytics and reporting
Step 2: Install Shield
npm install openclaw-shield
This installs the Shield plugin into your Node.js environment.
Step 3: Configure OpenClaw
Edit your OpenClaw configuration file at ~/.openclaw/openclaw.json:
Minimal Configuration (Standalone)
{
  "plugins": {
    "openclaw-shield": {
      "enabled": true
    }
  }
}
With Backend Integration
{
  "plugins": {
    "openclaw-shield": {
      "enabled": true,
      "botToken": "sct_your_token_here"
    }
  }
}
- Linux/Mac: ~/.openclaw/openclaw.json
- Windows: C:\Users\YourName\.openclaw\openclaw.json
Create the file if it doesn't exist.
Step 4: Restart OpenClaw
openclaw gateway --verbose
Look for this in the logs:
🛡️ OpenClaw Shield initializing...
✓ Loaded 42 built-in rules
✓ Inbound filtering: enabled
✓ Outbound filtering: enabled
✓ Semantic detection: ready
✅ OpenClaw Shield initialized successfully
Step 5: Test It Works
Send a malicious test message to your bot:
Via Your Bot's Channel
Send this message through WhatsApp/Telegram/Discord:
'; DROP TABLE users; --
Expected Result:
🛑 Message blocked by security filter
Reason: SQL injection detected
Via Shield Command
Message your bot:
/shield test '; DROP TABLE users; --
Expected Result:
⚠️ Message would be BLOCKED
Threats detected:
- sql_injection
Test message: "'; DROP TABLE users; --"
✅ Success!
Your bot is now protected! Shield is:
- ✅ Blocking SQL injection, XSS, prompt injection
- ✅ Scanning all inbound messages
- ✅ Scanning all outbound bot responses
- ✅ Using semantic AI to catch novel attacks
What's Next?
Basic Setup (Recommended)
- Enable Rate Limiting - Prevent spam floods
  {
    "rateLimit": {
      "enabled": true,
      "maxMessages": 20,
      "window": 60
    }
  }
- Configure Redaction - Protect sensitive data in logs
  {
    "redaction": {
      "enabled": true,
      "mode": "secrets"
    }
  }
- Set Up Allowlist - Skip checks for trusted users
  {
    "allowlist": {
      "enabled": true,
      "senders": ["+15551234567"]
    }
  }
Advanced Setup
- Custom Rules - Create your own threat patterns
- Notifications - Get alerted about threats
- Advanced Settings - Fine-tune detection thresholds
Learn More
- Shield Commands - Control Shield from your bot
- Dashboard - Monitor threats via web interface
- Troubleshooting - Common issues and solutions
Common Issues
Plugin Not Loading
Error: Cannot find module 'openclaw-shield'
Solution:
npm install openclaw-shield
openclaw gateway --verbose
No Logs Appearing
Problem: Don't see Shield initialization logs
Solutions:
- Check enabled: true in config
- Verify config file location: ~/.openclaw/openclaw.json
- Make sure OpenClaw version is 2026.1.0+
- Check for syntax errors in JSON (use jsonlint.com)
False Positives
Problem: Legitimate messages being blocked
Solutions:
- Use "inboundMode": "flag" instead of "block" to allow messages with warnings
- Add trusted users to allowlist
- Adjust semantic threshold (higher = less sensitive):
  {
    "semanticThreshold": 0.85
  }
Need Help?
- 📖 Full Documentation - Complete guides and references
- 💬 Discord Community - Get help from the community
- 🐛 GitHub Issues - Report bugs
- 📧 Email: support@securecheck.io