0.0.10 • Published 5d ago

@atbash/atbash-openclaw

Licence: LICENSED
Version: 0.0.10
Deps: 1
Size: 9 kB
Vulns: 0
Weekly: 546

OpenClaw plugin that gates every tool call against the ATBASH policy service. A thin adapter on top of @atbash/sdk — the SDK does the audit pipeline, this package wires it into OpenClaw's before_tool_call hook.

If you're not using OpenClaw and want to use ATBASH from your own code, install the SDK directly.

Install

openclaw plugins install @atbash/atbash-openclaw

The plugin signs audit transactions locally with your agent's secp256k1 private key. The key never leaves your machine; only signed bytes plus the corresponding public key are transmitted.

Get an agent key

The plugin reads from ~/.config/atbash/guard-client-key by default. The file is JSON:

{
  "privKey": "your-hex-private-key-64-chars",
  "pubKey":  "your-hex-public-key-66-chars"
}

…or key=value:

privkey=your-hex-private-key-64-chars
pubkey=your-hex-public-key-66-chars

Contact the ATBASH team to register an agent and obtain a key pair.
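
A pre-flight check for the key file described above, as an added example that is not part of the package or the SDK. It accepts both layouts shown, confirms the public key is the compressed secp256k1 point derived from the private key, and flags loose file permissions. Treating field names case-insensitively, the function names and the permission check are assumptions of this example.

```javascript
// Added example: validate an agent key file in either format the README shows.
const crypto = require('node:crypto');
const fs = require('node:fs');

// Parse JSON ({"privKey": ..., "pubKey": ...}) or key=value lines into
// lower-cased field names. How the plugin itself parses is not shown on the page.
function parseKeyText(text) {
  const trimmed = text.trim();
  const fields = {};
  if (trimmed.startsWith('{')) {
    for (const [k, v] of Object.entries(JSON.parse(trimmed))) fields[k.toLowerCase()] = String(v);
  } else {
    for (const line of trimmed.split(/\r?\n/)) {
      const eq = line.indexOf('=');
      if (eq > 0) fields[line.slice(0, eq).trim().toLowerCase()] = line.slice(eq + 1).trim();
    }
  }
  return fields;
}

// Return a list of problems; an empty list means the pair is well-formed and consistent.
function checkKeyText(text) {
  let f;
  try { f = parseKeyText(text); } catch { return ['not valid JSON or key=value']; }
  const problems = [];
  const priv = f.privkey || '', pub = f.pubkey || '';
  if (!/^[0-9a-fA-F]{64}$/.test(priv)) problems.push('privKey is not 64 hex chars');
  if (!/^0[23][0-9a-fA-F]{64}$/.test(pub)) problems.push('pubKey is not a 66-char compressed point');
  if (problems.length) return problems;
  try {
    const ecdh = crypto.createECDH('secp256k1');
    ecdh.setPrivateKey(Buffer.from(priv, 'hex')); // also derives the public point
    if (ecdh.getPublicKey('hex', 'compressed') !== pub.toLowerCase()) problems.push('pubKey does not match privKey');
  } catch { problems.push('privKey is not a valid secp256k1 scalar'); }
  return problems;
}

// File wrapper: also flag a key file readable by group or others (POSIX modes).
function checkKeyFile(path) {
  const problems = checkKeyText(fs.readFileSync(path, 'utf8'));
  if (process.platform !== 'win32' && (fs.statSync(path).mode & 0o077) !== 0) problems.push('file is accessible to group/others; chmod 600');
  return problems;
}

// Constructed sample: private key 1, whose public key is the curve generator.
const SAMPLE_PRIV = '0'.repeat(63) + '1';
const SAMPLE_PUB = '0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798';
console.log(checkKeyText(`privkey=${SAMPLE_PRIV}\npubkey=${SAMPLE_PUB}`));
```

Because the plugin is fail-closed, a malformed or mismatched key file shows up as every tool call being blocked; running a check like this first separates a key problem from an egress problem.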

Configure it in OpenClaw

Open ~/.openclaw/openclaw.json and add:

{
  "plugins": {
    "allow": [
      "openclaw"
    ],
    "load": {
      "paths": [
        "/Users/<your-username>/.openclaw/extensions/openclaw"
      ]
    },
    "entries": {
      "openclaw": {
        "enabled": true,
        "config": {
          "enabled": true,
          "enforceDecision": true,
          "chromiaSecretPath": "~/.config/atbash/guard-client-key"
        },
        "hooks": {
          "allowConversationAccess": true,
          "allowPromptInjection": true
        }
      }
    }
  }
}

Config fields

| Field | Type | Default | What it does |
|---|---|---|---|
| enabled | bool | true | Master switch. false = plugin returns immediately. |
| enforceDecision | bool | true | Surfaced to logs. The plugin always blocks on BLOCK. |
| chromiaSecretPath | string | ~/.config/atbash/guard-client-key | Path to the agent key file. Supports ~/. |
| debug | bool | false | Reserved. No-op today. |

Updating

openclaw plugins update @atbash/atbash-openclaw

Uninstalling

openclaw plugins uninstall @atbash/atbash-openclaw

The agent key file at ~/.config/atbash/guard-client-key is not removed — delete it manually if you want to retire the agent identity.

Secret redaction

Before each tool call is sent to the judge, the underlying @atbash/sdk scans the args and context for secret-shaped values and replaces matches with [REDACTED:<kind>]. Redaction is client-side and happens before signing, so secrets never reach the signed bytes, the request body, the on-chain log, or the AI provider.

When the redactor fires, OpenClaw will surface a warning like:

[atbash] redacted secrets before judge call { tool: "exec", count: 2, kinds: ["anthropic", "generic_token"] }

The kinds field shows which patterns matched. anthropic / openai / aws_access_key / jwt / etc. indicate real vendor secrets. generic_token is a catch-all for long random-looking strings, so it can also match UUIDs and content hashes. The judge still gets enough context to evaluate the action, but this is worth knowing if you see it unexpectedly.

The agent's own tool execution is unaffected — only the data sent to the judge is scrubbed. Full kind list and behaviour reference: see the SDK README.

Troubleshooting

Tool calls aren't being audited. Check that enabled: true is set both on the entry (plugins.entries.openclaw.enabled) and inside config (config.enabled).

Every tool call is blocked, even safe ones. The plugin is fail-closed: any pipeline error blocks. Look for [atbash] … warnings in the OpenClaw log. Most often: missing key, expired key, or restricted egress.

License

Proprietary — all rights reserved. See LICENSE. Commercial licensing inquiries: contact the Atbash team.
