OpenClaw plugin for Prisma AIRS (AI Runtime Security) from Palo Alto Networks. 12 security hooks provide layered protection — blocking, scanning, auditing — across every stage of the agent lifecycle.
- Hard Blocking: Block unsafe content at the persistence layer. Inbound and outbound messages are scanned before they are written, so threats never reach the conversation history.
- Full-Context Scanning: Scan the assembled conversation context before prompt build. Catches multi-message injection attacks that single-message scanning misses. DLP redaction strips PII from tool outputs.
- Audit Logging: Every message, LLM call, and tool execution is scanned through AIRS with structured JSON audit logs. Definitive compliance trail at every boundary.
- Tool Gating: Block dangerous tools (Bash, Write, Edit) during active threats. Two layers: cache-based gating from message scans, plus active AIRS scanning of tool inputs before execution.
- DLP Masking: Mask sensitive data instead of blocking. SSNs, credit cards, emails, API keys, and phone numbers are redacted in outbound responses and tool outputs.
- Per-Hook Configuration: Enable or disable each of the 12 hooks independently. Choose deterministic (always-on) or probabilistic (model-decides) mode per feature. Fail-closed by default.
How It Works

```mermaid
flowchart LR
    SCM["Strata Cloud Manager<br/><i>Security profiles, detection rules</i>"]
    Plugin["Prisma AIRS Plugin<br/><i>12 hooks, scan cache, DLP</i>"]
    AIRS["AIRS API<br/><i>Real-time scanning</i>"]
    Agent["OpenClaw Agent<br/><i>LLM + tools</i>"]
    SCM -->|profile config| AIRS
    Agent <-->|messages, tools| Plugin
    Plugin <-->|scan requests| AIRS
```

All detection configuration happens in Strata Cloud Manager. The plugin connects to your SCM security profile and enforces the actions it returns.
12 Security Hooks

| Hook | Event | Purpose | Can Block |
|---|---|---|---|
| prisma-airs-inbound-block | before_message_write | Block unsafe user messages | Yes |
| prisma-airs-outbound-block | before_message_write | Block unsafe assistant messages | Yes |
| prisma-airs-outbound | message_sending | Block/mask outbound responses | Yes |
| prisma-airs-tool-guard | before_tool_call | Scan tool inputs via AIRS | Yes |
| prisma-airs-tools | before_tool_call | Gate tools via cached scan | Yes |
| prisma-airs-prompt-scan | before_prompt_build | Full context scanning | No |
| prisma-airs-tool-redact | tool_result_persist | Redact PII from tool outputs | No |
| prisma-airs-context | before_agent_start | Inject threat warnings | No |
| prisma-airs-guard | before_agent_start | Security reminder on startup | No |
| prisma-airs-audit | message_received | Audit log inbound messages | No |
| prisma-airs-llm-audit | llm_input / llm_output | Audit log LLM I/O | No |
| prisma-airs-tool-audit | after_tool_call | Audit log tool outputs | No |
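
The two `before_tool_call` layers (cached gating, then an active scan of the tool input) combined with the fail-closed default, as an added JavaScript example that is not the plugin's own code. The names `recordMessageScan`, `gateToolCall` and `scanToolInput`, the verdict shape, and the 30-second cache lifetime are all assumptions made for illustration.

```javascript
// Added illustration; every name here is hypothetical, not the plugin's API.
const DANGEROUS_TOOLS = new Set(["Bash", "Write", "Edit"]); // tools named on this page
const CACHE_TTL_MS = 30_000; // assumed lifetime of a cached message-scan verdict

// sessionId -> { action, at }, written whenever a message scan completes
const scanCache = new Map();

function recordMessageScan(sessionId, action, now = Date.now()) {
  scanCache.set(sessionId, { action, at: now });
}

// Layer 1: is there a recent "block" verdict for this session?
function cachedThreatActive(sessionId, now) {
  const hit = scanCache.get(sessionId);
  return hit !== undefined && hit.action === "block" && now - hit.at < CACHE_TTL_MS;
}

// Decide a before_tool_call event. scanToolInput stands in for the AIRS call
// and must resolve to { action: "allow" | "block", category? }.
async function gateToolCall(call, scanToolInput, opts = {}) {
  const { failClosed = true, now = Date.now() } = opts;

  // Layer 1 needs no network round trip, so it runs first.
  if (DANGEROUS_TOOLS.has(call.tool) && cachedThreatActive(call.sessionId, now)) {
    return { allow: false, layer: "cache", reason: "active threat in session" };
  }

  // Layer 2: scan this tool input. Only an explicit "allow" lets it through.
  try {
    const verdict = await scanToolInput({ tool: call.tool, input: call.input });
    if (verdict?.action === "allow") return { allow: true, layer: "scan" };
    if (verdict?.action === "block") {
      return { allow: false, layer: "scan", reason: verdict.category ?? "policy" };
    }
    throw new Error("malformed verdict");
  } catch (err) {
    // Scanner down, timed out, or returned garbage: the fail mode decides.
    return failClosed
      ? { allow: false, layer: "error", reason: `scan failed: ${err.message}` }
      : { allow: true, layer: "error", reason: "fail-open" };
  }
}
```

With `failClosed` left at its default, a scanner outage denies every tool call, so availability of the scanning endpoint becomes part of the agent's availability.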
Quick Start

```bash
# Install the plugin
openclaw plugins install @cdot65/prisma-airs

# Set your API key (via web UI or config file)
# plugins.entries.prisma-airs.config.api_key = "your-key"

# Restart the gateway
openclaw gateway restart

# Verify
openclaw prisma-airs
```

Detection Capabilities
Powered by Prisma AIRS (configured in Strata Cloud Manager):
| Category | Description |
|---|---|
| Prompt Injection | Attempts to override agent instructions |
| Data Leakage (DLP) | PII, credentials, sensitive data |
| Malicious URLs | Phishing, malware, disallowed categories |
| Toxic Content | Harmful, abusive, inappropriate content |
| Malicious Code | Malware, exploits, dangerous code |
| AI Agent Threats | Multi-step manipulation attacks |
| Database Security | SQL injection, dangerous queries |
| Grounding Violations | Hallucinations, unverified claims |
| Custom Topics | Organization-specific policy violations |
Requirements
- Node.js 18+
- OpenClaw v2026.2.1+
- Prisma AIRS API key from Strata Cloud Manager