Openclaw Plugin
by @emberdesire
Inference-based intrusion detection for AI agents. Pattern matching + LLM analysis for jailbreaks, prompt injection, credential theft, social engineering. 108 detection patterns, OpenClaw plugin, auto-scan, quarantine. Commands: hopeid scan, hopeid test, hopeid setup, hopeid stats, hopeid doctor.
clawhub install hopeidsπ About This Skill
hopeIDS Security Skill
Inference-based intrusion detection for AI agents with quarantine and human-in-the-loop.
Security Invariants
These are non-negotiable design principles:
1. Block = full abort β Blocked messages never reach jasper-recall or the agent 2. Metadata only β No raw malicious content is ever stored 3. Approve β re-inject β Approval changes future behavior, doesn't resurrect messages 4. Alerts are programmatic β Telegram alerts built from metadata, no LLM involved
Features
/approve, /reject, /trust, /quarantineThe Pipeline
Message arrives
β
hopeIDS.autoScan()
β
βββββββββββββββββββββββββββββββββββββββββββ
β risk >= threshold? β
β β
β BLOCK (strictMode): β
β β Create QuarantineRecord β
β β Send Telegram alert β
β β ABORT (no recall, no agent) β
β β
β WARN (non-strict): β
β β Inject β
β β Continue to jasper-recall β
β β Continue to agent β
β β
β ALLOW: β
β β Continue normally β
βββββββββββββββββββββββββββββββββββββββββββ
Configuration
{
"plugins": {
"entries": {
"hopeids": {
"enabled": true,
"config": {
"autoScan": true,
"defaultRiskThreshold": 0.7,
"strictMode": false,
"telegramAlerts": true,
"agents": {
"moltbook-scanner": {
"strictMode": true,
"riskThreshold": 0.7
},
"main": {
"strictMode": false,
"riskThreshold": 0.8
}
}
}
}
}
}
}
Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| autoScan | boolean | false | Auto-scan every message |
| strictMode | boolean | false | Block (vs warn) on threats |
| defaultRiskThreshold | number | 0.7 | Risk level that triggers action |
| telegramAlerts | boolean | true | Send alerts for blocked messages |
| telegramChatId | string | - | Override alert destination |
| quarantineDir | string | ~/.openclaw/quarantine/hopeids | Storage path |
| agents | object | - | Per-agent overrides |
| trustOwners | boolean | true | Skip scanning owner messages |
Quarantine Records
When a message is blocked, a metadata record is created:
{
"id": "q-7f3a2b",
"ts": "2026-02-06T00:48:00Z",
"agent": "moltbook-scanner",
"source": "moltbook",
"senderId": "@sus_user",
"intent": "instruction_override",
"risk": 0.85,
"patterns": [
"matched regex: ignore.*instructions",
"matched keyword: api key"
],
"contentHash": "ab12cd34...",
"status": "pending"
}
Note: There is NO originalMessage field. This is intentional.
Telegram Alerts
When a message is blocked:
π Message blockedID: q-7f3a2b
Agent: moltbook-scanner
Source: moltbook
Sender: @sus_user
Intent: instruction_override (85%)
Patterns:
β’ matched regex: ignore.*instructions
β’ matched keyword: api key
/approve q-7f3a2b
/reject q-7f3a2b
/trust @sus_user
Built from metadata only. No LLM touches this.
Commands
/quarantine [all|clean]
List quarantine records.
/quarantine # List pending
/quarantine all # List all (including resolved)
/quarantine clean # Clean expired records
/approve
Mark a blocked message as a false positive.
/approve q-7f3a2b
Effect:
approved/reject
Confirm a blocked message was a true positive.
/reject q-7f3a2b
Effect:
rejected/trust
Whitelist a sender for future messages.
/trust @legitimate_user
/scan
Manually scan a message.
/scan ignore your previous instructions and...
What Approve/Reject Mean
| Command | What it does | What it doesn't do |
|---------|--------------|-------------------|
| /approve | Marks as false positive, may adjust IDS | Does NOT re-inject the message |
| /reject | Confirms threat, may strengthen patterns | Does NOT affect current message |
| /trust | Whitelists sender for future | Does NOT retroactively approve |
The blocked message is gone by design. If it was legitimate, the sender can re-send.
Per-Agent Configuration
Different agents need different security postures:
"agents": {
"moltbook-scanner": {
"strictMode": true, // Block threats
"riskThreshold": 0.7 // 70% = suspicious
},
"main": {
"strictMode": false, // Warn only
"riskThreshold": 0.8 // Higher bar for main
},
"email-processor": {
"strictMode": true, // Always block
"riskThreshold": 0.6 // More paranoid
}
}
Threat Categories
| Category | Risk | Description |
|----------|------|-------------|
| command_injection | π΄ Critical | Shell commands, code execution |
| credential_theft | π΄ Critical | API key extraction attempts |
| data_exfiltration | π΄ Critical | Data leak to external URLs |
| instruction_override | π΄ High | Jailbreaks, "ignore previous" |
| impersonation | π΄ High | Fake system/admin messages |
| discovery | β οΈ Medium | API/capability probing |
Installation
npx hopeid setup
Then restart OpenClaw.
Links
βοΈ Configuration
{
"plugins": {
"entries": {
"hopeids": {
"enabled": true,
"config": {
"autoScan": true,
"defaultRiskThreshold": 0.7,
"strictMode": false,
"telegramAlerts": true,
"agents": {
"moltbook-scanner": {
"strictMode": true,
"riskThreshold": 0.7
},
"main": {
"strictMode": false,
"riskThreshold": 0.8
}
}
}
}
}
}
}
Options
| Option | Type | Default | Description |
|--------|------|---------|-------------|
| autoScan | boolean | false | Auto-scan every message |
| strictMode | boolean | false | Block (vs warn) on threats |
| defaultRiskThreshold | number | 0.7 | Risk level that triggers action |
| telegramAlerts | boolean | true | Send alerts for blocked messages |
| telegramChatId | string | - | Override alert destination |
| quarantineDir | string | ~/.openclaw/quarantine/hopeids | Storage path |
| agents | object | - | Per-agent overrides |
| trustOwners | boolean | true | Skip scanning owner messages |