Zedly Shield: Runtime Safety for Agentic AI
Evidence and enforcement layer for OpenClaw. PII redaction, policy-based tool blocking, human approval gates, and tamper-evident audit logs.
For engineering leads, security teams, and compliance officers deploying agentic AI on sensitive workflows.
How Shield Hooks Into the Agent Lifecycle
Every tool call passes through the same five-step pipeline.
Agent Requests Tool Call
LLM decides to run exec, read, write, or HTTP
before_tool_call Hook Fires
Shield intercepts before execution
Policy Engine Evaluates
Rules checked against tool + args
Allow, Block, or Redact
Dangerous calls blocked, PII stripped
Log Tamper-Evident Event
SHA-256 hash-chained to previous event
What Shield Does
Six layers of runtime protection for agentic workflows.
PII Redaction
Emails, SSNs, and credit card numbers are detected and tokenized before they reach the model provider. Rehydration happens locally after the response returns.
Read the guide →Policy-Based Blocking
Block dangerous shell commands, restrict file write paths, and deny network access from unattended cron sessions. Rules match tool name and argument patterns.
Read the guide →Human Approval Gates
Queue sensitive operations for human review before execution. Policy decides which tool calls need approval based on tool type, arguments, and session context.
Read the guide →Immutable Audit Log
Every event is a JSON line with a SHA-256 hash linking it to the previous event. Tamper with one line and the chain breaks. Exportable for compliance review.
Read the guide →Fleet Dashboard
Manage multiple Shield instances from a single control plane. See events, blocks, and redactions across all deployments. Push policy changes from the cloud.
Read the guide →Ops Visibility
Session runs with status, duration, and tool counts. Event timeline filterable by type. Cost tracking per job, tool, and model.
Read the guide →Cloud Dashboard for Your Fleet
One place to see what every Shield instance is doing. View session runs, event timelines, policy blocks, and PII redactions across all deployments. Push policy changes from the dashboard; the plugin pulls them on its next poll.
- Fleet-wide stats: instances, events, blocks, redactions
- Session run table with status, duration, and tool breakdown
- Event timeline filterable by type and session
- Policy editor with save and sync to instances
- API key management and instance provisioning
Dashboard screenshot coming soon.
Join the waitlist for early access.
How It Compares
What you get with Shield vs. the alternatives.
| Capability | No Protection | DIY Middleware | Zedly Shield |
|---|---|---|---|
| PII redaction (email, SSN, credit card) | None | Build your own regex | Built-in, on by default |
| Tool-call blocking | None | Custom hook code | Policy-as-JSON rules |
| Human approval gates | None | Build approval queue | before_tool_call interception |
| Audit trail integrity | Terminal scrollback | Append-only log file | SHA-256 hash chain |
| Multi-instance dashboard | N/A | Build from scratch | Fleet view, per-instance drill-down |
| Install & upgrade | N/A | Manual deployment | openclaw plugins install |
| Policy-as-code | None | Hardcoded logic | JSON config, cloud-synced |
Get Started
Create your Shield instance, install the plugin, and see events in the dashboard within a minute.
1 Create your Shield instance
Sign up for free, open the Shield dashboard, and create a new instance. Copy the API key it generates.
2 Install the plugin
Requires Node.js 22+ and OpenClaw CLI installed.
3 Add your API key
Merge this into your openclaw.json. All protections (PII redaction, shell blocking, audit logging) are on by default. Only add extra keys if you want to disable something.
4 Restart the gateway
Look for Zedly Shield starting in the output. Events will appear in your dashboard immediately.
↑ Upgrade later
New protections are enabled by default on upgrade. No config edits needed.
Shield Guides
Deep dives on each layer of agentic AI security.
How to Add PII Redaction to OpenClaw
Detect, tokenize, and rehydrate emails, SSNs, and credit card numbers before data leaves your environment.
OpenClaw Tool Call Audit Log
Capture every agent action with structured event logging: tool name, arguments, result, and timing.
OpenClaw Immutable Audit Log
Build a tamper-evident event chain with SHA-256 hashing. Detect tampering, export for compliance.
Human Approval for Sensitive Actions
Add gates before tools execute. Policy-based blocking, argument-pattern matching, and structured audit events.
OpenClaw Cron Run History Dashboard
Track every scheduled job: start time, duration, exit status, tool calls, and policy blocks.
OpenClaw Tool Call History Dashboard
See what your agents actually do. Filterable timeline of every tool invocation across sessions.
OpenClaw Cost Dashboard
Track agent spend by job, tool, and model. Spot runaway costs before they hit your invoice.
Frequently Asked Questions
before_tool_call, tool_result_before_model, tool_result_persist, agent_start, agent_end) to intercept, evaluate, redact, and log every action. Install with openclaw plugins install zedly-shield and add it to your openclaw.json.openclaw plugins update zedly-shield to pull the latest version from npm. New protection features (like credit card redaction) are enabled by default on upgrade, so you do not need to edit your openclaw.json configuration.Get Early Access to Zedly Shield
Join the waitlist for the cloud dashboard, fleet management, and policy-as-code. The open-source plugin is available now via npm.
You're on the list.
We'll reach out when early access opens. In the meantime, install the plugin and start protecting your OpenClaw deployment locally.
No spam. We'll email you when early access opens.
Protect Your Agentic AI Workflows Today
Install the plugin for free. Join the waitlist for the cloud dashboard.