How to Secure OpenClaw Agents with SpiderShield

SpiderRating Research · 4 min read
Tags: OpenClaw, Security, MCP, Runtime, Plugin, Tutorial

> TL;DR: Install the SpiderShield plugin, set policy to "balanced", and every tool call your agents make gets checked against 15,923 rated servers, scanned for secrets/PII, and logged. Takes 2 minutes.

---

The Problem

Your OpenClaw agents run 24/7 — posting to social media, handling customer data, managing infrastructure. But you don't know:

  • Which MCP servers are they calling?
  • Are any of those servers rated F (malicious)?
  • Is the agent accidentally leaking API keys in tool parameters?
  • What did the agent do at 3am last Tuesday?

The Solution: SpiderShield Plugin

One install. Three-phase security:

  1. before_tool_call — Check Trust Score + scan parameters for secrets
  2. after_tool_call — Scan output for data leaks + write audit log
  3. message_sending — Catch secrets in outbound messages

Setup (2 Minutes)

Step 1: Install

openclaw plugins install spidershield-openclaw-plugin

Step 2: Configure

Add to your openclaw.json:

{
  "plugins": {
    "entries": {
      "spidershield": {
        "enabled": true,
        "config": { "policy": "balanced" }
      }
    }
  }
}

Step 3: Done

Every tool call is now protected. No API key needed for basic protection.

Policy Modes

| Mode | Malicious (F) | Risky (D) | Unknown | Safe (C+) | Secrets |
|------|:---:|:---:|:---:|:---:|:---:|
| audit-only | log | log | log | log | log |
| balanced | block | warn | allow | allow | redact |
| strict | block | block | block | allow | block |

Start with audit-only to observe. Switch to balanced when confident.
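To make the table concrete, here is an added example (not the SpiderShield plugin's own code) that encodes the three policy modes as data and applies them in a before_tool_call decision: trust grade first, then a secret scan of the parameters. The secret patterns are constructed for the demo and the hook's return shape is an assumption.

```javascript
// Added example, not the plugin's own code: the policy table as data, plus the
// before_tool_call decision that applies it. Patterns and return shape are assumed.
const POLICY = {                      // columns: F, D, unknown, safe (C+), secrets
  "audit-only": { F: "log",   D: "log",   unknown: "log",   safe: "log",   secrets: "log" },
  "balanced":   { F: "block", D: "warn",  unknown: "allow", safe: "allow", secrets: "redact" },
  "strict":     { F: "block", D: "block", unknown: "block", safe: "allow", secrets: "block" },
};

// Map a server's letter grade (or no rating at all) onto a table column.
function gradeColumn(grade) {         // A, B, C => "Safe (C+)"; no rating => unknown
  return grade == null ? "unknown" : (grade === "F" || grade === "D") ? grade : "safe";
}

// Constructed patterns for the demo; a real DLP scanner carries many more.
const SECRET_PATTERNS = [
  /\bsk_(live|test)_[A-Za-z0-9]{8,}\b/g,   // Stripe-style secret key
  /\bAKIA[0-9A-Z]{16}\b/g,                 // AWS access key id
  /\bsr_[A-Za-z0-9]{8,}\b/g,               // SpiderRating key, per the "sr_..." shown on this page
];

// Deep-walk tool parameters; return a redacted copy and the number of hits.
function scanParams(value) {
  let found = 0;
  const walk = (v) => {
    if (typeof v === "string") {
      return SECRET_PATTERNS.reduce(
        (s, re) => s.replace(re, () => { found++; return "[REDACTED]"; }), v);
    }
    if (Array.isArray(v)) return v.map(walk);
    if (v && typeof v === "object") {
      return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, walk(x)]));
    }
    return v;                               // numbers, booleans, null pass through
  };
  return { params: walk(value), found };
}

// before_tool_call: the trust score decides first, then the parameter scan.
function beforeToolCall(policy, grade, params) {
  const table = POLICY[policy];
  if (!table) throw new Error(`unknown policy: ${policy}`);
  const trust = table[gradeColumn(grade)];
  if (trust === "block") return { action: "block", reason: `server rated ${grade ?? "unknown"}` };
  const { params: cleaned, found } = scanParams(params);
  if (found === 0) return { action: trust, params };
  if (table.secrets === "block") return { action: "block", reason: `${found} secret(s) in parameters` };
  if (table.secrets === "redact") return { action: trust, params: cleaned, redacted: found };
  return { action: trust, params, secretsLogged: found };   // audit-only: log, do not alter
}
```

Note that in strict mode an unrated server is blocked even when its parameters are clean, which is why the page recommends observing in audit-only first.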

What You'll See

After a day, check your audit log:

cat ~/.spidershield/audit/2026-03-24.jsonl | jq '.toolName' | sort | uniq -c | sort -rn
  89 x-twitter.post_tweet
  67 web-search.search
  45 file-system.write_file
  12 file-system.delete_file    <- why is the agent deleting files?
   3 [DLP: secret detected]     <- API keys in parameters!

Upgrade to Pro (Optional)

Add a SpiderRating API key for cloud features:

{ "config": { "policy": "balanced", "apiKey": "sr_..." } }

Enables: Cloud Dashboard (all agents in one place), Alert Rules (webhook notifications), Compliance Reports (PDF export).

---

*npm package | Source code (MIT) | SpiderRating*