OpenClaw Integration¶
After this page you have a local OpenClaw installation whose MCP tool calls go through the Preloop firewall, whose model traffic goes through the Preloop gateway, whose native tool calls (shell, file writes) wait for your approval on phone/watch/web, and which you can message live from the console.
Example Policies
Ready-to-use policy files: OpenClaw Policy Examples.
Why govern OpenClaw¶
OpenClaw runs locally and can execute shell commands, modify files, browse the web, and talk to external services. Preloop puts a decision point in front of that:
| Without Preloop | With Preloop |
|---|---|
| Any shell command runs immediately | Dangerous commands wait for approval |
| Files modified silently | Sensitive paths trigger review |
| No audit trail | Every governed call logged with the matched rule and approver |
| All-or-nothing access | Ordered allow / deny / approval rules per tool |
| Model spend invisible | Gateway attribution, budgets, session analytics |
Onboard with the CLI¶
curl -fsSL https://preloop.ai/install/cli | sh # if you don't have the CLI yet
preloop agents discover # detect OpenClaw (read-only, then offers onboarding)
preloop agents onboard openclaw --dry-run # preview every change first
preloop agents onboard openclaw
preloop agents install-plugin openclaw # Agent Control + native approvals plugin
preloop agents validate openclaw
(preloop agents enroll is an alias for onboard. Don't have OpenClaw installed yet? preloop agents install-runtime openclaw installs it and onboards in one step.)
Onboarding, against the default config at ~/.openclaw/openclaw.json:
- Backs up the original config next to it, so
preloop agents restore openclawcan undo everything local. - Imports the MCP servers configured in OpenClaw into your Preloop account where they can be represented, then rewrites the local MCP config so OpenClaw talks only to the managed
preloopentry — governed tool access through the MCP firewall. - Imports the configured model and rewrites OpenClaw to send model traffic through Preloop's OpenAI-compatible gateway with a managed credential. This works for Gemini models too (e.g.
google/gemini-3.1-pro-preview): Preloop preserves the upstream provider identity and routes through the gateway alias. If your OpenClaw build cannot express the provider/base-URL rewrite, MCP governance still completes and model settings stay manual — the onboarding summary tells you. - Creates the control-plane records: a managed agent (
agent_kind: openclaw), a durable runtime credential bound to it, and a runtime-session history — so this installation has one durable identity for audit, spend attribution, and operator controls. - Writes the Agent Control config for the runtime plugin (next section).
Two config patterns are handled on import: provider/model details under models.providers, and provider auth under auth.profiles (common for Google/Gemini). With auth.profiles, the model identity imports and the rewrite happens, but you may need to add the upstream provider secret in Preloop separately.
After enrollment, subject-scoped governance applies: account defaults → managed-agent scope → API-key scope, so this specific OpenClaw runtime can be limited to fewer tools and models than the rest of the account.
Rollback¶
preloop agents restore openclaw # restore the local config backup
preloop agents offboard openclaw # restore config + remove the managed enrollment
# (--remove-model / --remove-mcp-servers to also clean up imports)
The Agent Control plugin¶
The runtime plugin is @preloop-ai/openclaw-plugin (v0.1.1 on npm, Apache-2.0, vendored in the Preloop repo under runtime-plugins/openclaw-preloop). It owns the live side of the integration: the long-lived WebSocket to /api/v1/agents/control/ws, reconnect/backoff, presence/heartbeat, capability advertisement, operator-message delivery — and native tool approvals.
Install it through OpenClaw's plugin manager:
preloop agents install-plugin openclaw
# equivalent to:
openclaw plugins install @preloop-ai/openclaw-plugin
Then restart OpenClaw. When the plugin connects and advertises capabilities, Preloop marks Agent Control verified and Talk controls appear for the agent in the console and mobile apps.
Notes:
- The plugin installer runs inside OpenClaw's Node runtime — Node >= 20 is required. If OpenClaw reports
requires NodeorUnsupported engine, upgrade the Node executableopenclawuses and rerunpreloop agents install-plugin openclaw. - If native plugin installation is impossible, the CLI can fall back to Preloop's managed Agent Control sidecar so control readiness can still be verified.
- The plugin's config is written by the CLI under
plugins.entries.preloop-plugin.config(the plugin's runtime id ispreloop-plugin) withcontrol_ws_url,bearer_token, andruntime_principal_id. Do not hand-author thebearer_token, and do not write Agent Control metadata as a top-levelpreloopobject — OpenClaw builds that validate config schemas reject unknown root keys. - Validation reports
control_config_written,control_plugin_installed,control_plugin_verified, andcontrol_channel_configuredseparately, so MCP/gateway onboarding succeeds even while the plugin is not yet loaded.
Native tool approvals (before_tool_call)¶
MCP governance only sees tool calls that go through the MCP server. OpenClaw's native tools — shell exec, file writes — never do. The plugin closes that gap: its before_tool_call hook intercepts every native tool call and asks Preloop for a decision at POST /api/v1/agents/permission-check, which runs your approval workflows and blocks for up to ~300 seconds while you decide on web, mobile, or watch. deny blocks the tool with the reason; anything else lets it run.
- Fail-closed by default. If Preloop is unreachable, the tool call is blocked. Set
tool_approval_fail_open: truein the plugin config only if you accept ungoverned execution during outages.tool_approval_enabled: falsedisables the gate entirely. - Local pre-filter. The plugin honors OpenClaw's own
~/.openclaw/exec-approvals.jsonfirst: locally denied commands are denied outright, locally allowed ones run untouched — only calls that would have prompted you round-trip to Preloop. - Per-subject control: the
native_tool_approvals: enforce | offgovernance toggle, and a pinned approval workflow per agent (Console → the agent's governance settings).
Approval requests from this path show tool source agent and land in the same audit trail as MCP calls.
Manual MCP configuration¶
If you would rather wire only the MCP firewall by hand (no gateway, no Agent Control):
{
"mcp": {
"servers": {
"preloop": {
"transport": "http",
"url": "https://YOUR_PRELOOP_URL/mcp/v1",
"headers": {
"Authorization": "Bearer YOUR_API_KEY"
}
}
}
}
}
Create the API key in the console under Settings → API Keys. The CLI-managed path above is strictly better: durable per-agent identity, gateway routing, backups, and validation.
Policies for OpenClaw tools¶
Manage policies as YAML and apply them from the CLI:
preloop policy validate shell-approval.yaml
preloop policy apply shell-approval.yaml
preloop policy apply -r policies/ # apply a directory
preloop policy diff shell-approval.yaml # preview against the live account
preloop policy list
The canonical shape (see Policy-as-Code for the full schema):
approval_workflows:
- name: "shell-approval"
timeout_seconds: 300
approvals_required: 1
tools:
- name: "bash"
source: mcp
approval_workflow: "shell-approval"
conditions:
- expression: "args.command.contains('sudo ') || args.command.contains('rm -rf')"
condition_type: "cel"
action: "require_approval"
description: "Privilege escalation and destructive deletes"
Conditions evaluate against args (the tool-call arguments) — that is the only variable bound. Compound expressions and functions like contains() / startsWith() / endsWith() need condition_type: "cel"; the default simple evaluator handles single comparisons (==, !=, >, <, >=, <=). Rules are ordered; first match wins; deny beats waiting.
The example policies cover shell safety, file protection, and browser safety, ready to preloop policy apply.
Troubleshooting¶
MCP server not responding
Check the API key is valid, has no stray whitespace, and was not revoked.
Managed enrollment succeeded, but model traffic still bypasses Preloop
- Verify the imported AI model in Preloop has gateway routing enabled.
- Confirm the rewritten OpenClaw provider/base-URL points at Preloop's OpenAI-compatible gateway.
- If the original config used
auth.profiles, add the upstream provider secret in Preloop. - MCP governance is active even while the model rewrite needs manual follow-up.
Plugin installed but the agent never shows online
- Restart OpenClaw after installing the plugin.
preloop agents validate openclaw— check thecontrol_*fields.- Check OpenClaw's Node version (>= 20).
Agent appears in Preloop but no session activity
- Start a fresh OpenClaw session and trigger at least one MCP or model action.
- Check Agents and Runtime Sessions in the console.
- If model calls were expected, verify the runtime uses the managed gateway path.
Policy not triggering
preloop policy diff <file>to confirm what is live.- Conditions with functions or
||/&&needcondition_type: "cel". - Rules evaluate in order — an earlier
allowwins.
More: Troubleshooting.
Related¶
- OpenClaw Policy Examples
- Agent Control Runtime Adapters — the wire protocol and adapter contract
- Conditional Approval (CEL)
- Team-Based Approvals
- Mobile Apps