Skip to content
Cordum Edge / CordClaw

Govern OpenClaw actions before they run.

CordClaw is the Cordum Edge OpenClaw adapter: hook the gateway, inspect structured metadata, and enforce policy before high-risk actions execute.

Threat path → governed job

pre-dispatch

OpenClaw action

cron:unknown → exec

echo cm0gLXJmIC8= | base64 -d | sh

CordClaw decision

DENYjob.openclaw.agent_start

The action is evaluated as structured metadata before it can execute, then recorded in the local audit trail. Agent Control Plane recording remains in progress.

before_agent_start
before_prompt_build
before_tool_execution
before_message_write

after_tool_execution is audit-only in the current hook surface; result rewriting stays labeled roadmap until the modifying hook is available.

Short answer for 2026

CordClaw is the open-source Cordum Edge adapter for OpenClaw, with pre-dispatch policy enforcement for supported high-risk actions. It hooks the OpenClaw gateway at four points (agent_start, prompt_build, tool_call, message_write), sends structured metadata to a localhost daemon, and returns one of five typed decisions: ALLOW, DENY, THROTTLE, REQUIRE_HUMAN, or CONSTRAIN. Every decision is logged with a reason for audit.

CordClaw is governance, not a sandbox or a prompt rule. Sandboxes (like NemoClaw) isolate actions while they execute and limit runtime blast radius; they complement pre-dispatch governance. Prompt rules (like SecureClaw) live inside the model context where injection bypasses them. CordClaw evaluates structured envelope data — provider, channel, action, canonicalized command — before the gateway lets the call cross the execution boundary, so destructive payloads hidden in base64 or shell substitution are decoded and tagged before policy runs.

Pick CordClaw when you need deterministic, declarative policy in front of OpenClaw agents. Install from GitHub for plugin-only mode with local audit. The connected Cordum path for centralized policy bundles, approval inboxes, and configured audit exports remains in progress; do not treat the local adapter as tenant-wide enforcement.

Threat Model

Five exploit paths, one governed decision boundary.

CordClaw hardening focuses on the places OpenClaw agents can cross from reasoning into action. Each class is labeled by source-backed implementation status.

Live

Cron-bypass escalation

A compromised session replays a scheduled agent turn with an unknown cron id, then tries to launch a privileged action as if it came from a trusted schedule.

before_agent_start

job.openclaw.agent_start

CordClaw checks the agent-start envelope before the turn begins, correlates cron origin, and denies drift before any downstream tool can run.

Source: attack-classes.md, plugin hook, mapper topic

Live

Prompt PII leakage

An agent reads a config file and quotes an API key into the model prompt, where it could land in a provider request log.

before_prompt_build

job.openclaw.prompt_build

The prompt-build hook sends assembled prompt text to the daemon first; policy can redact deterministic secret patterns or fail closed before the provider call.

Source: prompt DLP docs and tests

Shipping

Channel-action granularity

A policy that means “Slack send is allowed” accidentally covers Slack delete or file upload because the channel provider was treated as one coarse capability.

before_message_write

job.openclaw.message_write

CordClaw carries provider, channel, action, and sanitized preview so policy can allow slack.send while denying slack.delete and slack.upload_file.

Source: channel-action matrix and current hardening branch

Live

Obfuscation bypass

A destructive command is hidden inside base64, shell variables, command substitution, or a symlink so raw regex tagging sees harmless text.

before_tool_execution

job.openclaw.tool_call

The daemon canonicalizes command text immediately before risk tagging, exposing decoded destructive intent while preserving the original payload for audit.

Source: canonicalize.Normalize and attack-class docs

Roadmap

Result exfiltration

An allowed fetch returns a large or sensitive result that would flow back into the agent context unchecked after the tool has already run.

after_tool_execution / result gate

job.openclaw.result_gating

The policy topic and budget rule are staged, but the current after-tool hook is audit-only; result rewriting stays roadmap until the modifying OpenClaw hook lands.

Source: pack policy staged; modifying hook blocked

Zero Cordum-Core Changes

A sidecar path that makes OpenClaw activity governable.

CordClaw stays on the OpenClaw side of the Edge boundary: the TypeScript plugin and localhost daemon work locally today; Cordum-connected Edge governance remains in progress.

Architecture

OpenClaw → CordClaw → Cordum

Connected jobs path in progress
01

OpenClaw Gateway

Autonomous AI Agents request tool calls, prompt builds, agent starts, message writes, or result handling.

02

CordClaw plugin

In-process hooks extract structured metadata before the action crosses the execution boundary.

03

Local daemon

The localhost sidecar normalizes risk, checks cache, applies fail-closed behavior, and asks policy for a typed decision.

04

Planned Cordum gateway

Planned connected mode will route actions as job.openclaw.* governance jobs through Cordum policy and approval paths.

05

Planned Agent Control Plane

Planned connected visibility will let security teams see decision, reason, and audit status in Cordum instead of reverse-engineering agent logs.

Governance promise: the connected-mode target is that every OpenClaw action receives a job.openclaw.* topic and traverses Cordum Edge policy, approval, and audit paths. The local Edge / CordClaw adapter still enforces through the plugin and daemon.

Visibility Story

job.openclaw.* turns agent behavior into reviewable governance events.

The Cordum-connected path is designed to put OpenClaw activity in the same /govern/jobs surface used for other Cordum-controlled actions. Security teams can scan decisions by topic, agent, reason, and policy status instead of reading raw agent transcripts.

Because the Phase-2 job-submission backbone is still being finalized, this page labels the jobs view as a mockup and keeps result-gating marked roadmap until the modifying hook exists.

Product mockup

/govern/jobs — OpenClaw activity

Connected-mode mockup
TopicAgentDecisionReasonStatus
job.openclaw.tool_callrelease-botDENYdestructive commandlive
job.openclaw.prompt_buildresearcherCONSTRAINprompt_pii_redactlive
job.openclaw.agent_startschedulerDENYcron-origin-policy-mismatchlive
job.openclaw.message_writeops-agentDENYslack.upload_file exfil-riskshipping
job.openclaw.result_gatingbrowser-agentCONSTRAINmax_output_bytesroadmap

Mockup only: it shows the intended Cordum visibility model for job.openclaw.* topics. Live/staged labels follow the current CordClaw source inspection.

Decision Model

Five deterministic outcomes for agent governance.

Every checked action maps to a typed decision and reason before the gateway lets it proceed.

ALLOW

Low-risk action executes immediately.

job.openclaw.tool_call: npm test

DENY

Dangerous action is blocked before execution.

job.openclaw.agent_start: cron drift

THROTTLE

Action is rate-limited to reduce blast radius.

bursting autonomous action

REQUIRE_HUMAN

Execution pauses until a reviewer approves.

external channel write

CONSTRAIN

Action proceeds only with policy limits applied.

prompt redaction or result cap

Comparison

CordClaw is governance, not just a sandbox or prompt rule.

Rows are sourced from the CordClaw README comparison table and kept focused on verifiable product differences.

CapabilityCordClawNemoClawSecureClawNative OpenClaw
Enforcement typePre-dispatch, deterministicRuntime sandboxIn-context rulesTool allow/deny lists
Prompt injection resistanceStructured envelopeKernel-levelNo — in contextNo — config-level
Policy languageDeclarative YAMLYAML sandbox rulesNatural languageJSON config
Decision types5 decisions2 decisions2 decisions2 decisions
Human reviewNative approval gatesNoNoBasic exec approvals
Audit trailDecision-levelPartialNoNo
DashboardCordum dashboardNoCLI onlyNo
Hardware dependencyNoneNVIDIA preferredNoneNone
Fail modeGraduated fail-closedDenyN/AN/A
Open sourceApache 2.0Open sourceOpen sourceMIT
Policy in Practice

Security copy backed by policy and hook evidence.

The examples below match CordClaw's documented decision model and avoid claims that are not in the current code or pack.

openclaw-safety.yaml
yaml
# exact channel-action control
- id: openclaw-channel_action_allow-slack-upload-deny
  match:
    topics: ["job.openclaw.message_write"]
    label_allowlist:
      channel_action:
        - slack.upload_file
  decision: deny
  reason: channel_action_denied provider=slack action=upload_file exfil-risk

# prompt PII redaction
- id: openclaw-prompt_pii_redact
  match:
    topics: ["job.openclaw.prompt_build"]
    risk_tags: ["prompt_pii"]
  decision: allow_with_constraints
  constraints:
    kind: prompt_pii_redact
operator-check
bash
$ openclaw cordclaw simulate --tool exec --command "echo hello"
Decision: ALLOW
Reason:   OpenClaw tool calls are allowed by default after explicit deny rules.

$ openclaw cordclaw simulate --tool exec \
    --command "echo cm0gLXJmIC8= | base64 -d | sh"
Decision: DENY
Reason:   destructive command detected after canonicalization

$ openclaw cordclaw audit --limit 3
TOPIC                       DECISION    REASON
job.openclaw.prompt_build   CONSTRAIN   prompt_pii_redact
job.openclaw.agent_start    DENY        cron-origin-policy-mismatch
job.openclaw.message_write  DENY        slack.upload_file exfil-risk
Quickstart

Install the OpenClaw governance plugin and validate the local hook surface.

Start with local setup and simulations. The connected path for centralized Agent Control Plane visibility remains in progress.

getting-started
bash
cd setup
OPENCLAW_SKIP=true ./install.sh

openclaw cordclaw simulate --tool exec --command "echo hello"
openclaw cordclaw simulate --tool exec --command "rm -rf /"
openclaw cordclaw audit --limit 20

Frequently Asked Questions

What is Cordum Edge / CordClaw?
CordClaw is the Cordum Edge OpenClaw adapter: a governance plugin and daemon that ask Edge policy for a deterministic decision before Autonomous AI Agents can execute high-risk actions.
How does CordClaw improve OpenClaw security?
CordClaw moves control out of the prompt and into structured hook metadata, so policy can block, constrain, throttle, or require review before an action leaves the gateway boundary.
Which policy decisions can CordClaw return?
CordClaw returns ALLOW, DENY, THROTTLE, REQUIRE_HUMAN, and CONSTRAIN. Each decision includes a reason that can be audited locally or, in connected mode, through Cordum Edge governance surfaces.
Does every OpenClaw action appear in Cordum today?
The Cordum Edge / CordClaw local adapter logs decisions locally today. The Edge-connected path is being productized for centralized visibility; this page labels that story as connected-mode/in-progress where appropriate.
How do I test pre-dispatch governance safely?
Use openclaw cordclaw simulate for allow and deny paths, then inspect openclaw cordclaw audit --limit 20 before enabling broader write permissions.

Agent Control Plane

Put governance in front of supported high-risk OpenClaw actions.

Start with Cordum Edge / CordClaw local pre-dispatch enforcement. The connected path for tenant-wide policy operations, approval gates, and job-level visibility remains in progress.