{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":[]},"type":"markdown"},"seo":{"title":"OpenClaw Integration","description":"Control the power of AI Agents in runtime.","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"openclaw-integration","__idx":0},"children":["OpenClaw Integration"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Connect OpenClaw to Capsule Security for complete visibility into AI coding agent activity, including tool execution, agent replies, session lifecycle, and message writes — with optional inline blocking on policy-violating actions for async hooks."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"overview","__idx":1},"children":["Overview"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This integration uses ",{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://openclaw.dev"},"children":["OpenClaw's plugin system"]}," to capture and govern AI coding agent activity. The Capsule plugin runs in-process inside the OpenClaw runtime, forwards every hook event to your Capsule tenant over HTTPS, and applies policy verdicts for OpenClaw hooks that support async decisions."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The following hooks are configured:"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Hook Event"},"children":["Hook Event"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before_tool_call"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Blocking"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Tool execution requests — can block, rewrite parameters, or require human approval"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["after_tool_call"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Tool execution results after completion"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before_agent_reply"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Blocking"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Agent replies before they reach the user — can cancel or substitute a synthetic reply"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["agent_end"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Agent turn completion"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before_message_write"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Synchronous audit"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Outbound messages before they are persisted — forwarded for audit; async Capsule verdicts are not applied inline"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before_install"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Blocking"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Plugin installation requests — can block untrusted plugins"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["session_start"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Session initialization and context"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["session_end"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Session termination and cleanup"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["before_compaction"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Conversation compaction is about to run"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["after_compaction"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Conversation compaction has completed"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["model_call_started"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Underlying LLM call started"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["model_call_ended"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Observation"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Underlying LLM call ended"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"prerequisites","__idx":2},"children":["Prerequisites"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Before you begin, ensure you have:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OpenClaw"]}," installed (Node.js 18 or later)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["A ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," account with admin access"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Network access from your developer machines to your Capsule agentsecurity endpoint (e.g. ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://agents.capsule.security"]},")"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-1-generate-a-plugin-token","__idx":3},"children":["Step 1: Generate a Plugin Token"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Log in to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," portal"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Integrations"]}," and locate ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["OpenClaw"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Install"]}," — Capsule generates a JWT scoped to your tenant and OpenClaw environment. The token contains the tenant and environment claims required by the agentsecurity endpoint; treat it as a secret."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Copy the generated token. You will reference it from your OpenClaw plugin configuration in the next step."]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-2-install-the-plugin","__idx":4},"children":["Step 2: Install the Plugin"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Install the published Capsule plugin in the project or environment where OpenClaw runs:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"npm install @capsulesecurity/openclaw-capsule\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Or with yarn:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"yarn add @capsulesecurity/openclaw-capsule\n","lang":"bash"},"children":[]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-3-configure-the-plugin","__idx":5},"children":["Step 3: Configure the Plugin"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Register the plugin in your OpenClaw configuration. The plugin reads its options from the standard OpenClaw plugin config block:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"js","header":{"controls":{"copy":{}}},"source":"import { capsulePlugin } from \"@capsulesecurity/openclaw-capsule\";\n\nexport default {\n  plugins: [\n    {\n      plugin: capsulePlugin,\n      config: {\n        endpoint: \"https://agents.capsule.security\",\n        token: process.env.CAPSULE_OPENCLAW_TOKEN,\n        blockOnRisk: true,\n        failOpen: true,\n        timeoutMs: 5000,\n        allowConversationAccess: false,\n      },\n    },\n  ],\n};\n","lang":"js"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"configuration-options","__idx":6},"children":["Configuration Options"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Option"},"children":["Option"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Default"},"children":["Default"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["endpoint"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["string"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"em","attributes":{},"children":["(required)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Capsule agentsecurity endpoint, e.g. ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["https://agents.capsule.security"]}]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["token"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["string"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"em","attributes":{},"children":["(required)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["JWT generated in Step 1, scoped to your tenant and environment"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["blockOnRisk"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["boolean"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["true"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Apply server ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["block"]}," decisions inline. Set to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["false"]}," to run in observe-only mode"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["failOpen"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["boolean"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["true"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["When Capsule is unreachable or returns an error, allow the agent to proceed. Set to ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["false"]}," to fail closed"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["timeoutMs"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["number"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["5000"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Per-request timeout in milliseconds"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["allowConversationAccess"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["boolean"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["false"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["When ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["true"]},", forward parsed session JSONL transcript lines to Capsule. Required for full conversation observability and policies that rely on conversation context"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["pluginVersion"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["string"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"em","attributes":{},"children":["(none)"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Optional identifier sent on every event to help the server correlate plugin versions during rollouts"]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["user"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["string"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["process.env.USER"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["User identifier sent on every event"]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"token-storage","__idx":7},"children":["Token Storage"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Never commit the JWT to version control. Recommended approaches:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Read the token from an environment variable (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["process.env.CAPSULE_OPENCLAW_TOKEN"]},")"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Source it from your secret manager (1Password, AWS Secrets Manager, HashiCorp Vault) at runtime"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["For MDM-managed deployments, deliver it through the same channel that distributes the OpenClaw configuration"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-4-restart-openclaw","__idx":8},"children":["Step 4: Restart OpenClaw"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For the plugin to take effect, restart any running OpenClaw sessions:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Exit OpenClaw"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Restart OpenClaw with the updated configuration"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"step-5-verify-the-installation","__idx":9},"children":["Step 5: Verify the Installation"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Start a new OpenClaw session and execute a simple task to generate activity:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"header":{"controls":{"copy":{}}},"source":"Create a new file called test.txt with the content \"Hello World\"\n"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Log in to the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Capsule Security"]}," portal"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Inventory > Agents"]}," and confirm your OpenClaw agent appears"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Click on the agent and review the audit logs to verify events are captured:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Session start event"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Tool execution (Write tool)"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Agent reply"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":["Session activity"]}]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["To view the full conversation, navigate to ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Observability"]}," and filter by ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Activity Type — Session"]}," (requires ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["allowConversationAccess: true"]},")"]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"troubleshooting","__idx":10},"children":["Troubleshooting"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["If events are not appearing:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Verify the endpoint is reachable"]}," from the host running OpenClaw:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"bash","header":{"controls":{"copy":{}}},"source":"curl -sS -o /dev/null -w \"%{http_code}\\n\" https://agents.capsule.security/health\n","lang":"bash"},"children":[]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Verify the token is set"]}," — the plugin will not start without a valid ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["token"]},". Check the OpenClaw logs for plugin initialization errors."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Check for timeouts"]}," — if your network has high latency to the Capsule endpoint, increase ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["timeoutMs"]}," or confirm ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["failOpen"]}," is set appropriately."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Confirm the plugin is loaded"]}," — OpenClaw lists active plugins on startup; the Capsule plugin registers under id ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["capsule"]},"."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Inspect OpenClaw logs"]}," for hook execution errors. The plugin logs structured warnings when requests fail."]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Contact Capsule Security support"]}," if issues persist."]}]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"security-considerations","__idx":11},"children":["Security Considerations"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The Capsule plugin runs in-process inside OpenClaw and observes every tool call, agent reply, and message write. Before deploying:"]},{"$$mdtype":"Tag","name":"ol","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Protect the JWT"]}," — anyone with the token can post events on behalf of your tenant. Rotate it through the portal if it is exposed."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Choose ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["failOpen"]}," deliberately"]}," — ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["failOpen: true"]}," (the default) prioritizes developer productivity; ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["failOpen: false"]}," prioritizes policy enforcement and will block agent activity when Capsule is unreachable."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Decide on conversation access explicitly"]}," — ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["allowConversationAccess: true"]}," forwards session transcript lines to Capsule. Enable this only after reviewing the data residency and retention implications with your security and privacy teams."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Pin a plugin version"]}," in production. Use a lockfile (",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["package-lock.json"]}," / ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["yarn.lock"]},") and review changelogs before upgrading."]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Use TLS-only endpoints"]},". The plugin sends a Bearer token on every request — never configure an ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["http://"]}," endpoint."]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"support","__idx":12},"children":["Support"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For help with this integration:"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Email"]},": support@capsule.security"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Include"]},": Your organization ID, integration status, plugin version, and any error messages"]}]},{"$$mdtype":"Tag","name":"hr","attributes":{},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"references","__idx":13},"children":["References"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://openclaw.dev"},"children":["OpenClaw Documentation"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://openclaw.dev/docs/plugins"},"children":["OpenClaw Plugin SDK"]}]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"a","attributes":{"href":"https://www.npmjs.com/package/@capsulesecurity/openclaw-capsule"},"children":["Capsule OpenClaw Plugin on npm"]}]}]}]},"headings":[{"value":"OpenClaw Integration","id":"openclaw-integration","depth":1},{"value":"Overview","id":"overview","depth":2},{"value":"Prerequisites","id":"prerequisites","depth":2},{"value":"Step 1: Generate a Plugin Token","id":"step-1-generate-a-plugin-token","depth":2},{"value":"Step 2: Install the Plugin","id":"step-2-install-the-plugin","depth":2},{"value":"Step 3: Configure the Plugin","id":"step-3-configure-the-plugin","depth":2},{"value":"Configuration Options","id":"configuration-options","depth":3},{"value":"Token Storage","id":"token-storage","depth":3},{"value":"Step 4: Restart OpenClaw","id":"step-4-restart-openclaw","depth":2},{"value":"Step 5: Verify the Installation","id":"step-5-verify-the-installation","depth":2},{"value":"Troubleshooting","id":"troubleshooting","depth":3},{"value":"Security Considerations","id":"security-considerations","depth":2},{"value":"Support","id":"support","depth":2},{"value":"References","id":"references","depth":2}],"frontmatter":{"seo":{"title":"OpenClaw Integration"}},"lastModified":"2026-05-06T05:31:07.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/openclaw","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}