Gate AI × OpenClaw

Know what OpenClaw did. Prove it.

An open-source plugin that records every tool call, message, skill, and cron to a tamper-evident trail on your machine. When anyone asks what your agent did, you don’t explain. You show them.

then openclaw audit setup: a wizard wires the hooks and optional anchoring

Free · no account required
Local-first · your disk, your data
Apache-2.0 · open source

Why an audit trail

An OpenClaw agent acts on your behalf: calling tools, sending mail, firing crons. You should know exactly what it did.

Gate records all of it to your own machine: not logs you scroll, but a queryable trail that answers questions, raises alarms, and stands up as evidence.

And because plain logs can be edited or lost, every event is hashed into a Merkle chain. Nobody can quietly rewrite the record. Including you.

Answer “what did it do?”

Replay the exact, deduplicated timeline of any session or cron, with every allow and block decision inline, down to the second.

Catch what’s off

Built-in detectors flag duplicate outbound messages, never-before-seen tools, and denial spikes before you knew to look.

Know when your surface changes

Every plugin and skill install is recorded with its security-scan summary, and inventory hashes expose anything that changes underneath you.

Prove it to anyone

Roots anchor to Constellation Digital Evidence. Anyone can re-derive the chain offline. No trust in Gate required.

See the CLI in action

One CLI. The whole trail.

Every command runs against a tamper-evident log. Pick one to watch it return a real snapshot: health, daily digests, anomaly tripwires, deduplicated timelines, the installed surface, and an offline Merkle verification.

Tripwires & digests

Alerts when something’s off. Digests on a schedule.

The trail is queryable, but you shouldn’t have to remember to query it. Two separate webhook channels: incident pokes when something needs you now, scheduled digests for everything else.

Watch the files that matter.

Point the watcher at your agent’s soul, skills, and configs. The moment anything changes them, the change is recorded and a webhook pings your channel.

fileWatchPatterns

Pinged when it matters.

Integrity violations, config changes, and anchor divergence go straight to Slack, Discord, or any webhook. Incidents get their own channel, so they’re never buried.

notificationWebhook

Digests, not homework.

Daily and weekly summaries delivered to a channel after midnight. Same projection as audit report, so a skim replaces a CLI habit.

reportWebhook

The dashboard

The same trail, in a local dashboard.

openclaw audit ui serves a dashboard straight from the plugin. It runs on your machine, loopback-only by default. Browse the trail, replay a session, and read back every decision your agents made, without touching the CLI.

Every agent action in a readable, deduplicated timeline.
Allow and block decisions inline, each with its reason.
Drill from a daily digest down to a single verified event.
Local-first

Your trail never leaves your machine.

Recording happens to a SQLite file on your disk, owner-readable only. There’s no account, no cloud ingest, and anchoring publishes a 32-byte root — never the data.

Local SQLite, created 0600: readable by you, nobody else.
Anchoring publishes only a Merkle root. Content stays home.
Redaction modes store SHA-256 fingerprints instead of prompt text, still fully verifiable.
Fail-open by design: if the audit DB is ever unavailable, your agent keeps running.
Tamper-evident by construction

How a claim becomes proof.

Four steps turn raw runtime activity into an independently verifiable record.

01

Hash

Each tool call, skill, cron, and policy decision is hashed with the canonical Digital Evidence hash: SHA-256 over RFC-8785 JSON.

02

Batch

Hashes fold into a per-runtime Sparse Merkle Tree. A checkpoint is committed on a ~60-second integrity cadence.

03 OPTIONAL

Anchor

One wizard prompt enables anchoring to Constellation Digital Evidence. Once finalized, the anchor is permanent and publicly checkable.

04

Verify

Anyone with the leaf, root, and siblings re-derives the root locally; openclaw audit verify does it offline. No trust in Gate required.
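
The hash and verify steps above, as an added example that is not Gate's or OpenClaw's own code: it hashes constructed events over canonical JSON, folds them into a toy sparse Merkle tree, and re-derives the root from a leaf and its siblings. The tree depth, slot keys, interior-node encoding and event field names are assumptions; the page does not specify them.

```python
import hashlib
import json

DEPTH = 8  # assumed toy depth; the page does not state the real tree depth

def sha(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def event_hash(event: dict) -> bytes:
    # Canonical form for the JSON subset used here (ASCII keys, strings,
    # integers): sorted keys, no whitespace. Not a full RFC 8785 encoder.
    canon = json.dumps(event, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return sha(canon.encode("utf-8"))

def node(left: bytes, right: bytes) -> bytes:
    return sha(b"\x01" + left + right)  # assumed interior-node encoding

EMPTY = [sha(b"\x00")]  # EMPTY[d]: hash of an all-empty subtree of height d
for _ in range(DEPTH):
    EMPTY.append(node(EMPTY[-1], EMPTY[-1]))

def build(leaves: dict) -> list:
    """leaves maps slot (0..2**DEPTH-1) -> leaf hash. Returns all tree levels."""
    levels = [dict(leaves)]
    for d in range(DEPTH):
        cur = levels[-1]
        levels.append({i: node(cur.get(2 * i, EMPTY[d]), cur.get(2 * i + 1, EMPTY[d]))
                       for i in {k >> 1 for k in cur}})
    return levels

def root_of(levels: list) -> bytes:
    return levels[DEPTH].get(0, EMPTY[DEPTH])

def prove(levels: list, slot: int) -> list:
    # Sibling at each height; absent subtrees fall back to the empty hash.
    return [levels[d].get((slot >> d) ^ 1, EMPTY[d]) for d in range(DEPTH)]

def verify(slot: int, leaf: bytes, siblings: list, root: bytes) -> bool:
    acc = leaf
    for d, sib in enumerate(siblings):
        acc = node(sib, acc) if (slot >> d) & 1 else node(acc, sib)
    return len(siblings) == DEPTH and acc == root

# Constructed sample events (field names are hypothetical, not Gate's schema).
EVENTS = {
    3: {"kind": "tool_call", "tool": "send_mail", "decision": "allow", "seq": 3},
    4: {"kind": "cron", "name": "nightly-report", "decision": "allow", "seq": 4},
    200: {"kind": "tool_call", "tool": "shell", "decision": "block", "seq": 200},
}
LEVELS = build({slot: event_hash(e) for slot, e in EVENTS.items()})
ROOT = root_of(LEVELS)

if __name__ == "__main__":
    proof = prove(LEVELS, 4)
    print("root:", ROOT.hex(), "verified:", verify(4, event_hash(EVENTS[4]), proof, ROOT))
```

An empty slot verifies against the empty-leaf hash, which is how a sparse tree can also show that no event was recorded at a given position.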

Part of Gate AI

The record is half the story.
The other half is prevention.

This plugin is free and standalone. When you want defense in front of the model too, point OpenClaw at the Gate AI gateway: prompt-injection screening that leads public benchmarks, secret scanning, and automatic token savings. Same evidence pipeline, one line of config.

Screens every request, both directions
Leader in public prompt-injection benchmarks
Works with every major model

Trust, but verify.

Free, open source, and recording in two minutes. Know exactly what your agents did, and prove it to anyone.