The shellriff every lobster needs 🦞🤠 Content security for OpenClaw.
Project description
🦞🤠 Outclaw 🤠🦞
The shellriff every lobster needs.
Content security for OpenClaw.
The problem
Molty can run commands, edit files, and access the internet. That's what makes Molty useful. It's also what makes Molty dangerous. 🌶️
A prompt injection — hidden instructions in a webpage, a comment in code, a crafted API response — can hijack Molty into:
- Deleting your files (
rm -rf /) - Stealing your API keys and sending them to an attacker's server
- Opening a backdoor on your machine (reverse shells)
- Leaking your personal information — emails, passwords, credit card numbers — to the AI provider
- Downloading and running malware from the internet
These aren't hypothetical. They happen today. Even if Molty's access controls are locked down, a single piece of untrusted content — a web page, a pasted log, an email attachment — can slip past the front door.
The fix
Outclaw is the shellriff that rides between Molty and the outside world. 🤠 It watches everything coming in and going out — and anything that looks like trouble gets stopped at the gate.
Your secrets trying to leave town? Outclawed. 🔑
A prompt injection sneaking in? Outclawed. 🧠
A destructive command about to fire? Outclawed. 🛡️
pip install outclaw
outclaw warmup # download security models (one time)
UPSTREAM_BASE_URL=https://api.openai.com/v1 outclaw # start the lobster tank 🦞
# point your agent at localhost:8080. done.
Six security checks. Every request. Every response. If it's clean, it rides through. If it's not — well, there's a new shellriff in town. 🤠
You --> Molty --> Outclaw --> AI Service
🦞🤠
watches everything
stops the bad stuff
lets the rest ride
How it fits with OpenClaw
OpenClaw already gives you strong controls: sandboxing, tool policies, DM pairing, allowlists. Those control who can talk to Molty and where Molty can act.
Outclaw adds a different layer — it inspects what is actually being sent and received. Even with perfect access controls, untrusted content can still sneak in through web fetches, browser pages, pasted code, or attachments. Outclaw catches that stuff.
OpenClaw is the bouncer at the door. Outclaw is the shellriff inside. 🦞🤠
Quick start
1. Install
pip install outclaw
outclaw warmup # downloads security models (~90MB, one time)
2. Start Outclaw
Tell Outclaw which AI service Molty uses:
| AI Service | Command |
|---|---|
| OpenAI | UPSTREAM_BASE_URL=https://api.openai.com/v1 outclaw |
| Anthropic | UPSTREAM_BASE_URL=https://api.anthropic.com/v1 outclaw |
| Google Gemini | UPSTREAM_BASE_URL=https://generativelanguage.googleapis.com/v1beta outclaw |
| Groq | UPSTREAM_BASE_URL=https://api.groq.com/openai/v1 outclaw |
| Ollama (local) | UPSTREAM_BASE_URL=http://127.0.0.1:11434/v1 outclaw |
3. Point Molty at Outclaw
Change Molty's API base URL to http://localhost:8080/v1:
openclaw config set models.providers.openai.baseUrl http://localhost:8080/v1
That's it. Molty works exactly like before — but now every request rides through the shellriff first. 🤠🦞
What it protects against
Six guards riding patrol, all on by default. Batteries included — no configuration needed.
| Protection | What it stops | Example |
|---|---|---|
| 🛡️ Dangerous commands | Blocks destructive shell commands, reverse shells, privilege escalation | Molty told to run rm -rf / or open a backdoor |
| 📁 File system escape | Keeps Molty inside its project folder | Molty told to write to /etc/passwd or ~/.ssh/authorized_keys |
| 🌐 Data exfiltration | Blocks connections to unknown or malicious websites | Molty told to send your code to pastebin.com |
| 🔑 Secret leaks | Catches API keys, tokens, and credentials before they leave your machine | Your .env file contents about to be sent to the AI |
| 🙈 Personal info leaks | Scrubs emails, SSNs, phone numbers, and 30+ types of personal data | Your real name and email about to be included in a prompt |
| 🧠 Prompt injection | Detects attempts to manipulate Molty into doing harmful things | Malicious instructions hidden in a webpage Molty reads |
Learn more
- 🔧 Configuration — customize guards, set environment variables, tune each protection
- 🔒 Security — what Outclaw doesn't cover, roadmap, and hardening your setup
- ⚙️ How it works — technical architecture and what each guard does under the hood
- 🧑💻 Development — building from source and running tests
License
MIT — see LICENSE.
"There's a new shellriff in town. And never trust a lobster outside its shell." 🦞🤠
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file outclaw-0.1.0.tar.gz.
File metadata
- Download URL: outclaw-0.1.0.tar.gz
- Upload date:
- Size: 301.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e806c998271baaca773ab7c9517905c72d3e046c1bade9b4ea0e6a2b81d7151e
|
|
| MD5 |
39e00a0de8aecfebcb3b9d295c126b22
|
|
| BLAKE2b-256 |
823b6d46ce50fb2934567ac35a0fea8f8064528f8f3eaadd4509fd6ed32a0863
|
File details
Details for the file outclaw-0.1.0-py3-none-any.whl.
File metadata
- Download URL: outclaw-0.1.0-py3-none-any.whl
- Upload date:
- Size: 23.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4bf2aba7878119bc516cd080e382cc579b1afd2f4fee094704fe1fdbd6e78d1c
|
|
| MD5 |
f274bfb49e3038e973af9adbd461587e
|
|
| BLAKE2b-256 |
3af081f23e6b807ed677d2ce8b1417e3829ff7baaefc72e57be22fef2d9724e4
|
