OpenClaw integration · governed agent backend

OpenClaw gives agents hands.
StealthQL gives them rules.

Connect OpenClaw to StealthQL MCP and turn an autonomous agent into a scoped backend actor: policy-bound reads, proposal-only writes, capsule memory, Agent WAF rules, and a replayable audit trail. For the data and tool calls that flow through StealthQL.

scopedevery read
proposedevery write
ledgeredevery call
01 / Badgeagent identity
Your OpenClaw agent gets a keypair, a trust class, and a real actor record — same primitive that authenticates a human admin, evaluated by the same policy engine.
02 / Scopeshare principal
A long-lived share defines what the agent may read, write, propose, or refuse. The same primitive your team already uses for vendor portals, applied to OpenClaw.
03 / Memorya capsule, not a blob
Memory is typed and queryable, not a vector blob. “Don't use the service client for member-supplied PATCH data” is a recallable rule, not a chunk of text the agent might or might not retrieve.
04 / ToolsMCP surface
MCP exposes the verbs the agent gets — query.shape, propose.update, memory.recall — all routed through the same policy layer as your humans.
05 / Auditevery call · ledgered
Every OpenClaw tool call lands in the StealthQL ledger as a signed event. Replay any session. Attest any action. The agent's behavior is provable, not just plausible.
06 / RulebookAgent WAF
Cloudflare Rules, but for AI agents. Block, redact, propose, deny based on actor kind, trust class, field flags, and code shape. Hot-pluggable into the policy layer that already governs your humans.
The Agent Capsule · hover to inspect · figure 3
Powerful agents used to be a scary idea.
Things that did things. Logs you couldn't reconstruct.
Mistakes you couldn't prove or undo.
That era is over.
We just stopped pretending agents need full keys
/ 01 The problem this page is here for

OpenClaw can actually do things.
That's the point. It's also the risk.

An agent that can touch channels, files, APIs, calendars, email, and internal tools is enormously useful — and enormously hard to govern. Business data is not just another tool. A model should not decide what it's allowed to see, and a vector memory should not be the audit trail.

i.

Reads that shouldn't have happened.

An agent connected to your backend with raw credentials sees everything. Cross-tenant. Internal notes. Fields you marked “don't send to AI.” The model decided, and you can't take it back.

ii.

Writes that landed silently.

The agent updated production. You see it tomorrow when something looks off. There's no diff, no proposal, no review, no reversal — just a row that looks different than it did yesterday.

iii.

Memory you can't prove.

The agent “remembers” that the rule said don't use service clients for member-supplied PATCH data. Sometimes. The vector store decided. Compliance can't verify.

iv.

Audit the regulator won't accept.

You ask “what did the agent do for this customer last Tuesday at 3pm?” You get fragments — a stdout file, a screenshot, a vector recall, a claim. Not a record. Not an authenticatable one.

None of these are OpenClaw failures. They're the absence of a governance layer between an agent that can act and a backend that holds business data. That layer is what StealthQL MCP is.

/ 02 The shift

Your OpenClaw agent
is a user now.

Stop treating it like a script with a credential. Treat it the way your backend already treats Alice the founder. Identity, scope, memory, tools, audit, delegation — the same primitives, applied to an agent that happens to be an LLM.

Your backend has known how to scope, log, and govern users for forty years. The runtime doesn't care if the actor is a human, an OpenClaw session, or a Stripe webhook. It's just an actor with a capsule.

/ 03 Agent WAF

Cloudflare Rules.
For AI agents.

Cloudflare protects apps from bad HTTP requests. StealthQL protects apps from bad agent actions. Hot-pluggable rules evaluate every tool call against actor kind, trust class, field flags, and code shape — and decide whether to allow, redact, propose, or deny.

Three small rules. Together they mean: an OpenClaw agent in your hosted-cloud trust class cannot mutate production silently, cannot read fields you marked private to AI, and cannot ship a confused-deputy route into the codebase. Every refusal is a ledger event. Every rule lives in your repo.

/ 04 What this lights up

Five OpenClaw shapes,
with adult supervision.

The integration isn't a sandbox — it's a different posture. The agent can act. The runtime decides what counts as a legitimate action.

i.

Support agent.

Inspect a customer issue without exposing the rest of your customer base. Read the support share, see allowed fields, recall prior case memory, propose a fix, produce an evidence packet. Cannot read internal notes, cross-tenant rows, or mutate silently.

ii.

Sales / admin assistant.

Ask OpenClaw to draft follow-ups, invoice reminders, or customer summaries. The MCP returns only allowed shapes and fields. Status changes, billing edits, contract fields — all go through the proposal queue, never direct mutate.

iii.

Coding agent with backend rules.

Cursor, Claude Code, Codex — all happily build features through MCP. The Agent WAF's code rules deny the confused-deputy pattern at write time, so the model can't ship a route that hands its service token to member-supplied data.

iv.

Regulated workflows.

Healthcare, legal, finance, HR, insurance, field services. The agent can act. The capsule records what it saw, what it proposed, which rule blocked it, and what a human accepted. Designed for HIPAA §164.312(b), FRE 803(6), FRCP 37(e).

v.

External portals.

“Send the vendor a portal link for this invoice.” OpenClaw doesn't hand the vendor a database connection — it asks StealthQL to mint a scoped share with field-level visibility, expiration, and revoke. The portal is a share, not raw access.

/ 05 The demo that lands the meeting

I gave OpenClaw access to my SaaS backend.
StealthQL made it ask permission.

Same agent, same MCP session, same capsule. The runtime knows exactly what it can and can't touch, and every step is recorded in the ledger.

↳ what you watch on screen

Ten steps. One audit replay.

The agent works. It doesn't wander. The conversation between OpenClaw and StealthQL MCP is the entire story — and it's on file for as long as you keep your ledger.

It canscoped by the support_session share
✓ connect to stealthql mcp ✓ query.shape("myInvoices") ✓ inspect allowed fields ✓ recall prior case memory ✓ propose status corrections ✓ run policy + security tests ✓ produce an evidence packet // every action is a ledger event, // signed by the deployment key.
It cannotrefused at the runtime · ledgered
✗ read internal_note (aiReadable=false) ✗ read unrelated customer rows ✗ mutate production silently ✗ delegate beyond its sub-share ✗ ship a confused-deputy route ✗ claim "i ran the tests" without proof // every refusal is a ledger event too. // the agent's reach is its capsule's reach.

When the customer asks what your AI did for them last Tuesday at 3pm, you don't reconstruct from logs. You replay the capsule. The same primitive that scoped the agent's reach produced the record of how it used it.

/ 06 Setup

Two commands. One MCP entry.

Add the StealthQL MCP server to your OpenClaw MCP tool configuration, then give the agent a StealthQL actor, share, or service scope. That's the whole integration.

Verify the exact OpenClaw MCP config field against your installed version — the shape evolves. The StealthQL command line stays stable: npx stealthql mcp spins up the server, your OpenClaw config tells the agent how to find it.

/ 07 What this isn't

Honest about the boundary.

StealthQL governs the data, tool calls, proposals, memory, and audit that pass through StealthQL MCP. Not every possible OpenClaw action. Precision is the safest claim and the strongest differentiator.

StealthQL governseverything routed through MCP
✓ unscoped reads — refused ✓ direct agent writes — proposed ✓ aiReadable=false fields — redacted ✓ unsafe proposals — blocked ✓ disallowed delegations — denied ✓ confused-deputy code shapes — denied ✓ tool calls — ledgered ✓ sessions — replayable
StealthQL doesn't governactions outside the StealthQL MCP path
✗ tools served by other MCP servers ✗ direct shell, file, or browser actions ✗ third-party APIs the agent calls itself ✗ code edits made outside the WAF path ✗ host-level network or filesystem isolation // for runtime hardening (NemoClaw / OpenShell // territory), pair StealthQL with a sandboxed // agent runtime. they're complementary stacks.

NemoClaw / OpenShell help secure where OpenClaw runs. StealthQL helps govern whatOpenClaw can do with your backend data. That isn't redundant — that's a stack.

/ 08 The honest FAQ

The questions that actually come up.

Q.

Does StealthQL replace OpenClaw?

No. OpenClaw is the agent and gateway. StealthQL is the governed backend and MCP data layer the agent talks to. They're complementary; the integration is the product.

Q.

Does StealthQL replace NemoClaw?

No. NemoClaw helps run OpenClaw more safely at the runtime / system level. StealthQL governs backend data, tool calls, proposals, memory, and audit through MCP.

Q.

What can StealthQL block?

Actions that pass through StealthQL MCP: unscoped reads, direct agent writes, hidden field access, aiReadable=false data, unsafe proposals, disallowed delegations, and confused-deputy code shapes when the WAF code-rule path is wired up.

Q.

What can it not block?

Tools outside StealthQL MCP, direct shell / file / browser actions OpenClaw runs through other servers, or code edits performed outside the StealthQL rules / scanner workflow. That's where the runtime hardening stack belongs.

Q.

Can OpenClaw still use other tools?

Yes. The MCP entry for StealthQL sits next to whatever other servers your agent uses. StealthQL governs its own surface — every other tool keeps its own posture.

Q.

Can I self-host?

Yes. Apache 2.0. npx stealthql mcp on your own machine, your own Droplet, your own VPC — same MCP server, same policies, same ledger.

Powerful agents.
With boundaries.

$npx stealthql mcp
or

 

Apache 2.0. Works with OpenClaw, Claude Code, Cursor, Codex,
and any MCP-compatible agent.