CordClaw Quickstart

Install CordClaw and verify OpenClaw governance in 5 minutes.

The hard part is not writing policy text. It is proving your OpenClaw runtime will block dangerous calls before execution.

5-minute setup | Allow + deny simulation checks | Profile switch path included

TL;DR

  • Most guardrail docs explain policy concepts, not OpenClaw runtime setup.
  • This page gives a command-level 5-minute install and verification loop.
  • Run two simulations before real tool calls: one expected ALLOW and one expected DENY.
  • Pick a profile (`strict`, `moderate`, `permissive`) based on risk and rollout speed.

The production problem

Teams often have guardrail docs, but no repeatable proof that their OpenClaw runtime will stop risky commands. If your first deny test happens in production, that is not a test plan.

This guide focuses on command-level validation. You install once, run two simulations, and inspect the audit timeline. Then you can tune profile strictness with intent.

What top guides cover and what they miss

| Source | Covers | Misses for OpenClaw teams |
| --- | --- | --- |
| OpenAI Agents SDK Guardrails | Input/output/tool guardrail concepts and where checks execute. | No OpenClaw plugin wiring, local daemon checks, or profile rollout commands. |
| LangChain Guardrails | Middleware patterns, PII checks, and human-in-the-loop hooks. | No pre-dispatch daemon boundary for OpenClaw, and no audit CLI verification flow. |
| Amazon Bedrock Guardrails | Policy types, prompt/response interventions, and runtime behavior. | No local OpenClaw setup path, no command simulations, no profile switching workflow. |

5-minute quickstart guide

Run this exactly once in a local environment. You should see one ALLOW, one DENY, and fresh audit records.

  1. Install CordClaw

    From the setup directory, run `OPENCLAW_SKIP=true ./install.sh` to install CordClaw in local mode.

  2. Check daemon and plugin health

    Verify local daemon and plugin wiring with `/health` and `openclaw cordclaw status`.

  3. Run allow and deny simulations

    Simulate one safe command and one destructive command to confirm ALLOW and DENY behavior.

  4. Review decision history

    Run `openclaw cordclaw audit --limit 20` to inspect decisions and reasons.

quickstart
bash
cd setup
OPENCLAW_SKIP=true ./install.sh

# check local health and plugin status
curl -sS http://127.0.0.1:19090/health | jq .
openclaw cordclaw status

# run one allow-path and one deny-path simulation
openclaw cordclaw simulate --tool exec --command "echo hello"
openclaw cordclaw simulate --tool exec --command "rm -rf /"

# inspect recent decisions
openclaw cordclaw audit --limit 20

Try strict, moderate, and permissive profiles

Start with moderate for most teams. Switch to strict for sensitive workloads. Move to permissive only when risk is low and strong monitoring is already in place.

strict

Highest control. Best for regulated or high-blast-radius environments.

CORDCLAW_PROFILE=strict OPENCLAW_SKIP=true ./install.sh

moderate

Balanced default for teams moving from staging to production.

CORDCLAW_PROFILE=moderate OPENCLAW_SKIP=true ./install.sh

permissive

Lower friction for internal automation where speed is the main goal.

CORDCLAW_PROFILE=permissive OPENCLAW_SKIP=true ./install.sh

profile-switch-check
bash
# apply a profile by reinstalling with the CORDCLAW_PROFILE variable set
CORDCLAW_PROFILE=strict OPENCLAW_SKIP=true ./install.sh
CORDCLAW_PROFILE=moderate OPENCLAW_SKIP=true ./install.sh
CORDCLAW_PROFILE=permissive OPENCLAW_SKIP=true ./install.sh

# sanity-check profile behavior
openclaw cordclaw simulate --tool exec --command "echo profile check"
openclaw cordclaw simulate --tool exec --command "rm -rf /"
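
To make the ALLOW/DENY pair from the quickstart and the profile sanity check repeatable, the following added example (not CordClaw's own code) wraps both simulations in a pass/fail gate. It assumes the simulate output contains the word ALLOW or DENY; `decision_of`, `simulate_decision`, `verify_gate` and the `SIM` override are hypothetical names, and output that cannot be parsed fails the gate.

```bash
#!/bin/sh
# Added example, not CordClaw's own code.
# ASSUMPTION: `simulate` prints the decision as the word ALLOW or DENY;
# adjust decision_of() if the real output format differs.

# Reduce simulator output to ALLOW, DENY or UNKNOWN.
decision_of() (
  allow=0; deny=0
  if printf '%s\n' "$1" | grep -qw 'ALLOW'; then allow=1; fi
  if printf '%s\n' "$1" | grep -qw 'DENY'; then deny=1; fi
  case "$allow$deny" in
    10) echo ALLOW ;;
    01) echo DENY ;;
    *)  echo UNKNOWN ;;  # no decision word, or both: fail closed
  esac
)

# Run one simulation and print its decision. SIM (hypothetical override)
# lets a test substitute a stub for the real `openclaw` CLI.
simulate_decision() {
  # The command string is only passed to the simulator, never executed here.
  out=$("${SIM:-openclaw}" cordclaw simulate --tool exec --command "$1" 2>&1) || true
  decision_of "$out"
}

# Gate: safe command must be ALLOW, destructive command must be DENY.
# Returns 0 only when both hold, so a dead daemon or an allow-all policy fails.
verify_gate() {
  safe=$(simulate_decision "echo hello")
  risky=$(simulate_decision "rm -rf /")
  echo "safe=$safe risky=$risky"
  [ "$safe" = ALLOW ] && [ "$risky" = DENY ]
}

# Run the gate when invoked as: sh gate.sh --run
if [ "${1:-}" = "--run" ]; then
  verify_gate
fi
```

Run it after install and again after each profile change; a non-zero exit means the pair did not come back as one ALLOW and one DENY.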

Limitations and tradeoffs

Strict profile adds friction. Expect slower flow for commands that require human review.

Simulations validate policy decisions, not every downstream system side effect in production.

Pre-dispatch governance helps at decision time. You still need runtime isolation and post-incident review.

Frequently Asked Questions

What is the fastest way to install CordClaw?
Run `OPENCLAW_SKIP=true ./install.sh` from setup, then validate with `openclaw cordclaw status` and one allow-plus-deny simulation pair.

Do I need the full Cordum stack to start?
No. You can start in local mode, validate policy behavior with simulation commands, and connect to a broader deployment later.

How do I verify governance is really active?
Run a safe simulation and a destructive simulation, then check `openclaw cordclaw audit --limit 20` for decision and reason records.

Next step

Run the quickstart block above, confirm one DENY decision, then move to the full setup tutorial for profile tuning.

Need broader platform docs? See Cordum quickstart.