What is OpenClaw?

OpenClaw is a self-hosted AI agent framework that runs on your hardware. It supports multi-agent workflows, tool execution, and integrations with MCP servers — all controlled through a local gateway. Unbound provides an OpenClaw plugin that enforces tool policies via the before_tool_call hook. This means every tool call your OpenClaw agent makes — terminal commands, MCP tools, and more — can be checked against your organization’s security policies before execution.

How It Works

The Unbound plugin intercepts tool calls at two levels:
  • Terminal commands (exec tool): Sent to the Unbound gateway for LLM-based command classification and policy matching. Commands like rm, curl, git push, etc. are classified into command families and matched against your configured policies.
  • MCP tools (mcp__server__tool format): Sent to the gateway for direct string matching against MCP tool policies. No LLM classification needed — policies match on server name and tool name.
Gateway decisions are mapped as follows:
| Gateway Decision | OpenClaw Behavior |
| --- | --- |
| allow | Tool call proceeds normally |
| deny | Tool call is blocked with a reason message |
| ask | Tool call is blocked (OpenClaw has no interactive ask UI) |
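The plugin defaults to fail-open: if the gateway is unreachable or returns an error, the tool call proceeds without a policy decision. To block tool calls while the gateway is down, set failOpen to false (see Configuration Reference).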

Prerequisites

Before setting up the integration, ensure you have:
  • OpenClaw: Version 2026.2.0 or higher
  • Unbound Security account: With an application and API key (Create Application)
  • Tool policies configured: Set up terminal command or MCP tool policies in the Unbound dashboard (Tool Policies)

Installation

Step 1: Install the Plugin

openclaw plugin install unbound-gateway

Step 2: Configure the Plugin

Add the plugin configuration to your ~/.openclaw/openclaw.json:
{
  "plugins": {
    "entries": {
      "unbound-gateway": {
        "enabled": true,
        "config": {
          "gatewayUrl": "https://api.getunbound.ai",
          "failOpen": true
        }
      }
    }
  }
}

Step 3: Set Your API Key

Set the UNBOUND_API_KEY environment variable in your shell profile:
export UNBOUND_API_KEY="your-api-key-here"
Alternatively, you can add the key directly to the plugin config:
{
  "plugins": {
    "entries": {
      "unbound-gateway": {
        "enabled": true,
        "config": {
          "gatewayUrl": "https://api.getunbound.ai",
          "apiKey": "your-api-key-here",
          "failOpen": true
        }
      }
    }
  }
}

Step 4 (Optional): Use Unbound as Your LLM Provider

You can route OpenClaw’s LLM calls through Unbound for full visibility and guardrail coverage. Add a custom provider to your config:
{
  "agents": {
    "defaults": {
      "model": {
        "primary": "unbound/claude-sonnet-4-20250514"
      }
    }
  },
  "models": {
    "providers": {
      "unbound": {
        "baseUrl": "https://api.getunbound.ai/v1",
        "apiKey": "${UNBOUND_API_KEY}",
        "api": "openai-completions",
        "models": [
          {
            "id": "claude-sonnet-4-20250514",
            "name": "Claude Sonnet 4",
            "contextWindow": 200000,
            "maxTokens": 8192
          }
        ]
      }
    }
  }
}

Configuration Reference

| Option | Type | Default | Description |
| --- | --- | --- | --- |
| gatewayUrl | string | required | Your Unbound gateway URL (e.g., https://api.getunbound.ai) |
| apiKey | string | $UNBOUND_API_KEY | API key for authentication. Falls back to the UNBOUND_API_KEY environment variable |
| failOpen | boolean | true | When true, tool calls proceed if the gateway is unreachable. Set to false to block all tool calls when the gateway is down |
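
These options decide how much enforcement the plugin actually provides. The Python check below is an added example, not part of the Unbound plugin or OpenClaw: it audits the unbound-gateway entry of openclaw.json for fail-open mode, an API key stored inline, and a missing or non-HTTPS gatewayUrl. It assumes the file is strict JSON as in the snippets on this page; the function names, the finding labels, the HTTPS check and the treatment of a "${VAR}" value as an environment reference are assumptions of the example.

```python
import json
import os
import stat

PLUGIN = "unbound-gateway"  # entry name used in the page's config snippets

def audit_unbound_config(cfg):
    """Return a list of findings for a parsed openclaw.json (dict)."""
    entry = cfg.get("plugins", {}).get("entries", {}).get(PLUGIN)
    if entry is None:
        return ["plugin-missing: no unbound-gateway entry in plugins.entries"]
    findings = []
    if entry.get("enabled") is not True:
        findings.append("plugin-not-enabled: 'enabled' is not true")
    conf = entry.get("config", {})
    url = conf.get("gatewayUrl", "")
    if not url:
        findings.append("gateway-url-missing: gatewayUrl is required")
    elif not url.startswith("https://"):
        findings.append("gateway-url-not-https: API key and tool calls sent without TLS")
    # Per the configuration reference, failOpen defaults to true when omitted.
    if conf.get("failOpen", True) is not False:
        findings.append("fail-open: tool calls proceed if the gateway is unreachable")
    key = conf.get("apiKey", "")
    # Assumption: a "${VAR}" value is an environment reference, not a literal key.
    if key and not key.startswith("${"):
        findings.append("inline-api-key: key stored in the config file")
    return findings

def audit_file(path):
    """Audit a config file on disk; also flag an inline key readable by group/other."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_unbound_config(json.load(fh))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o044 and any(f.startswith("inline-api-key") for f in findings):
        findings.append(f"config-permissions: mode {mode:o} lets group/other read the key")
    return findings

# Constructed sample: Step 3's inline-key variant with failOpen left at true.
SAMPLE = {"plugins": {"entries": {PLUGIN: {"enabled": True, "config": {
    "gatewayUrl": "https://api.getunbound.ai",
    "apiKey": "your-api-key-here", "failOpen": True}}}}}

if __name__ == "__main__":
    path = os.path.expanduser("~/.openclaw/openclaw.json")
    source = audit_file(path) if os.path.exists(path) else audit_unbound_config(SAMPLE)
    for finding in source:
        print(finding)
```

An empty result means the entry is enabled, points at an HTTPS gateway, fails closed, and takes its key from the environment.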

Verification

After setup, verify the integration is working:

Test 1: Safe command (should succeed)
openclaw agent --local --message "run this shell command: echo hello world"
Expected: The command executes successfully.

Test 2: Blocked command (requires a delete_file policy)
openclaw agent --local --message "run this shell command: rm -f /tmp/test.txt"
Expected: [tools] exec failed: This command is blocked by your organization's policy.

Configuring Policies

Tool policies are managed in the Unbound dashboard under Tool Policies:
  • Terminal Command policies: Match against classified command families (e.g., delete_file, git_action, network_request)
  • MCP Tool policies: Match against specific MCP server and tool name combinations (e.g., slack / send_message)
Each policy can be set to Block (always deny) or Warn (deny for OpenClaw, since it has no interactive approval UI).