AI agents are evolving from chat assistants into autonomous executors — they read and write files, call APIs, and operate databases. But when an agent can run shell commands, who’s watching every LLM request it sends?

The Problem: Agent Blind Spots

In agent platforms like OpenClaw, the traffic between agents and LLMs is opaque to the operator. The prompts agents send may contain API keys, database passwords, and credit card numbers, all transmitted directly to cloud LLM providers with nothing in between to notice.

A subtler issue is tool calls: the tools an agent exposes can trigger dangerous operations (deleting files, sending emails, modifying configurations), and the platform itself offers no fine-grained record of which calls were made with which arguments.

The Solution: Bastion as a Security Layer

Bastion is a locally running HTTPS proxy deployed between agents and LLM providers. Every request that passes through it is processed in four ways:

  1. DLP scanning. Detects sensitive information in prompts and responses (API keys, passwords, PII) and applies one of four policy modes: pass, warn, redact, or block.
  2. Tool Guard monitoring. Audits the tool calls an agent makes, flags high-risk operations, and alerts or blocks according to configurable rules.
  3. Audit logging. Records metadata for every LLM interaction: provider, model, token usage, latency.
  4. Zero cloud dependency. Scanning, policy decisions, and logging all run locally, so findings and audit records never leave your machine. What the policy forwards still goes to the provider; only the redact and block modes keep a detected secret from leaving.
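As an added illustration, not Bastion's own code, the following sketches the per-request pipeline the list describes: regex-plus-Luhn DLP detectors, the four policy modes applied to an OpenAI-style chat body, and a Tool Guard rule table applied to the tool calls in a response. The detector patterns, the rule set, the function names and the sample traffic are assumptions made for this example.

```javascript
// Added example, not Bastion's own code: a minimal version of the per-request
// processing a local LLM proxy performs. Function names, detector patterns,
// tool rules and the sample traffic are assumptions made for this illustration.
// --- DLP detectors. The Luhn check keeps random 16-digit numbers off the list.
function luhnValid(digits) {
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    let d = digits.charCodeAt(i) - 48;
    if (dbl && (d *= 2) > 9) d -= 9;
    sum += d;
  }
  return sum % 10 === 0;
}
const DETECTORS = [
  { type: 'aws_access_key', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { type: 'password_assignment',
    re: /\b(?:password|passwd|pwd)\b["']?\s*[=:]\s*["']?[^\s"',;]+/gi },
  { type: 'credit_card', re: /\b\d(?:[ -]?\d){12,18}\b/g,
    validate: m => luhnValid(m.replace(/[ -]/g, '')) },
];
// Returns [{type, start, end}] sorted by position; validators drop false positives.
function scanText(text) {
  const findings = [];
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) {
      if (d.validate && !d.validate(m[0])) continue;
      findings.push({ type: d.type, start: m.index, end: m.index + m[0].length });
    }
  }
  return findings.sort((a, b) => a.start - b.start);
}

// --- Policy modes. pass: forward, record nothing. warn: forward, keep the
// findings for the audit log. redact: replace each finding with a placeholder.
// block: refuse to forward if anything was found.
function applyPolicy(text, findings, mode) {
  switch (mode) {
    case 'pass': return { action: 'forward', text, findings: [] };
    case 'warn': return { action: 'forward', text, findings };
    case 'redact': {
      let out = '', cursor = 0;
      for (const f of findings) {
        if (f.start < cursor) continue; // overlapping match already covered
        out += text.slice(cursor, f.start) + `[REDACTED:${f.type}]`;
        cursor = f.end;
      }
      return { action: 'forward', text: out + text.slice(cursor), findings };
    }
    case 'block':
      if (findings.length) return { action: 'block', text: null, findings };
      return { action: 'forward', text, findings };
    default: throw new Error(`unknown policy mode: ${mode}`);
  }
}
// Applies the policy to every message of an OpenAI-style chat request body.
function inspectChatRequest(body, mode) {
  const messages = [], findings = [];
  let blocked = false;
  for (const m of body.messages) {
    const text = typeof m.content === 'string' ? m.content : '';
    const d = applyPolicy(text, scanText(text), mode);
    findings.push(...d.findings.map(f => ({ ...f, role: m.role })));
    if (d.action === 'block') blocked = true;
    messages.push({ ...m, content: d.text ?? m.content });
  }
  if (blocked) return { action: 'block', findings, body: null };
  return { action: 'forward', findings, body: { ...body, messages } };
}

// --- Tool Guard. Rules over the tool calls in an LLM response: tool name,
// predicate on the parsed arguments, action on a hit. First matching rule wins.
const TOOL_RULES = [
  { tool: 'exec', risk: 'high', action: 'block',
    match: a => /\brm\b.*(\s-[a-z]*r[a-z]*\b|--recursive)/i.test(a.command || '') },
  { tool: 'send_email', risk: 'medium', action: 'alert', match: () => true },
];
function guardToolCalls(toolCalls) {
  return toolCalls.map(tc => {
    const name = tc.function.name;
    let args;
    try { args = JSON.parse(tc.function.arguments || '{}'); }
    catch { return { id: tc.id, tool: name, action: 'alert', risk: 'unknown' }; }
    const hit = TOOL_RULES.find(r => r.tool === name && r.match(args));
    return { id: tc.id, tool: name, action: hit ? hit.action : 'allow', risk: hit ? hit.risk : 'low' };
  });
}

// Constructed sample traffic, not real captures.
const SAMPLE_REQUEST = { model: 'gpt-4o', messages: [
  { role: 'system', content: 'You are a deployment assistant.' },
  { role: 'user', content: 'Deploy with AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE, db password=hunter2; bill card 4111 1111 1111 1111.' },
] };
const SAMPLE_TOOL_CALLS = [
  { id: 'call_1', type: 'function', function: { name: 'exec', arguments: '{"command":"rm -rf /var/lib/app/data"}' } },
  { id: 'call_2', type: 'function', function: { name: 'read_file', arguments: '{"path":"README.md"}' } },
  { id: 'call_3', type: 'function', function: { name: 'send_email', arguments: '{"to":"cfo@example.com"}' } },
  { id: 'call_4', type: 'function', function: { name: 'exec', arguments: 'not json' } },
];
console.log(JSON.stringify(inspectChatRequest(SAMPLE_REQUEST, 'redact'), null, 2), guardToolCalls(SAMPLE_TOOL_CALLS));
```

Run with node. In redact mode the user message comes back with three placeholders and the system message untouched; block mode refuses the whole request; pass mode records nothing; warn forwards the original text but keeps the three findings for the log. On the tool side, the recursive rm is blocked, the read is allowed, and the email and the unparseable arguments both raise an alert. A production detector set is much larger than these three patterns, but the shape is the same: detect first, then let the configured mode decide what the provider gets to see.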

Integration: 4 Steps

We packaged Bastion as an OpenClaw skill. The entire setup takes 4 steps:

  1. Copy skill files to ~/.openclaw/skills/bastion/
  2. Add "alsoAllow": ["exec", "read"] to openclaw.json to enable agent permissions
  3. Run docker-setup.sh to install Bastion inside the container
  4. Restart OpenClaw and verify in a new session

Once installed, the agent can query DLP findings, view usage statistics, and adjust security policies — all through natural language.

Lessons from Docker

The Docker environment presented a chain of engineering challenges:

ESM module resolution. Skill scripts run from ~/.openclaw/, but @aion0/bastion is installed in /app/node_modules/. Node.js ESM resolves bare specifiers by walking up the node_modules directories above the importing file, and the ESM loader ignores NODE_PATH entirely. The solution: read the package's package.json exports field, work out the entry file, and load it with a dynamic import() of a pathToFileURL() URL.

Native module compilation. better-sqlite3 ships native bindings that must be built or downloaded, and pnpm add skips that build step by default. The setup script falls back to prebuild-install to fetch a prebuilt binary when the bindings are missing.

Container lifecycle. docker compose down followed by up recreates the container, which discards everything installed into its writable layer at runtime, Bastion included. We solved this with a one-click setup script that is safe to re-run, and recommend docker compose restart over down/up.

Permission model. OpenClaw's tool profile system gives messaging agents only message-related tools by default. The alsoAllow mechanism lets us grant exec and read individually, so the agent gains just the two tools the skill needs instead of being switched to a full coding profile.

Security as Infrastructure

In traditional software, security lives at the perimeter, in firewalls and WAFs. In the agent era it has to sit in the agent's own communication path: not post-hoc log review, but real-time interception of every request.

That’s Bastion’s positioning: it doesn’t change agent behavior, it simply makes every LLM interaction visible, auditable, and controllable.

Source: github.com/aiwatching/bastion-skills