2025-10-27 · Authensor

How to Set Up SafeClaw in 60 Seconds

Clawdbot exposed 1.5 million API keys in under a month. That happened because agents ran with no guardrails. SafeClaw exists so that does not happen to you. It provides action-level gating for AI agents -- and you can install it in a single command.

This guide walks you through the entire setup. No config files. No CLI expertise. One command, a browser dashboard, and your first security policy.

Prerequisites

You need one thing: Node.js (version 18 or later).

Check if you have it:

node --version

If you see v18.x.x or higher, you are ready. If not, install Node.js from nodejs.org or use your preferred version manager.

That is the only prerequisite. SafeClaw has zero dependencies beyond the Node.js runtime. No databases, no Docker containers, no cloud accounts.

Step 1: Run the Install Command

Open your terminal and run:

npx @authensor/safeclaw

That is the entire install. npx downloads and executes the SafeClaw package directly. No global install, no npm install -g, no cluttering your system.

What happens when you run this:

  1. The SafeClaw client downloads (100% open source)
  2. A local evaluation engine starts on your machine
  3. Your default browser opens to the SafeClaw dashboard
The dashboard runs at a local address. Everything evaluates locally. Your policies, your rules, your machine. Sub-millisecond evaluation, no round-trips to a remote server.

Step 2: The Browser Dashboard Opens

When the dashboard loads, you will see the SafeClaw setup wizard. It walks you through three things:

  1. Account creation -- Free tier, no credit card required. You get a 7-day renewable API key.
  2. Agent selection -- Tell SafeClaw which agent framework you use: Claude, OpenAI, LangChain, or a custom setup.
  3. Your first policy -- The wizard generates a starter policy based on your selection.
The free tier gives you everything you need to get started. Keys renew every 7 days. No payment wall, no trial expiration traps.

Step 3: Understand the Default State

SafeClaw operates on a deny-by-default principle. Before you add any rules, every agent action is blocked. This is the correct starting point.

Think of it like a firewall. Nothing gets through until you explicitly allow it. This means:

The three action categories SafeClaw gates are:

| Action Type | What It Covers |
|---|---|
| file_write | Any file creation or modification |
| shell_exec | Any shell/terminal command execution |
| network | Any outbound network request |

Each rule you create targets one of these action types with specific patterns -- path patterns for files, command patterns for shell, destination patterns for network.

Step 4: Create Your First Policy

In the dashboard, navigate to Policies and click New Policy. Here is a minimal example that lets an AI coding agent write files in your project directory but nowhere else:

{
  "name": "dev-agent-basic",
  "rules": [
    {
      "action": "file_write",
      "effect": "allow",
      "pathPattern": "/home/user/projects/my-app/**"
    },
    {
      "action": "file_write",
      "effect": "deny",
      "pathPattern": "**"
    }
  ]
}

SafeClaw uses first-match-wins evaluation, processed top-to-bottom. The first rule allows writes inside your project. The second rule denies writes everywhere else. Order matters.

Because deny-by-default is already active, the second rule is technically redundant here -- but including it makes your intent explicit and readable.

Step 5: Test with Simulation Mode

Before enforcing your policy, toggle Simulation Mode in the dashboard. In simulation mode, SafeClaw evaluates every action against your rules but does not actually block anything. Instead, it logs what it would allow and what it would deny.

This lets you verify your policy works as expected before you flip the switch to enforcement. Run your agent through a typical workflow and review the simulation log. If something that should be allowed shows as "would deny," adjust your rules. If something that should be denied shows as "would allow," tighten them.

Once you are confident, disable simulation mode. Your policy is now live.

Step 6: Verify the Audit Trail

Every action SafeClaw evaluates -- whether allowed, denied, or simulated -- gets recorded in a tamper-proof audit trail. Each log entry is hashed with SHA-256 and chained to the previous entry, making it cryptographically impossible to alter the record after the fact.

In the dashboard, navigate to Audit Log to see the history. You will see:

This is not optional logging you have to enable. It is always on.

What You Just Set Up

In roughly 60 seconds, you now have:

SafeClaw is built on the Authensor framework with 446 tests under TypeScript strict mode and zero external dependencies. It works with Claude, OpenAI, and LangChain out of the box.

Quick Reference

| Task | How |
|---|---|
| Install | npx @authensor/safeclaw |
| Dashboard | Opens automatically in browser |
| Free tier | No credit card, 7-day renewable keys |
| Documentation | safeclaw.onrender.com |
| Authensor framework | authensor.com |

Next Steps

Now that SafeClaw is running, you should:

  1. Add rules for shell_exec and network -- the starter policy only covered file_write. Think about which commands and which destinations your agent actually needs.
  2. Set up agent identity rules -- if you run multiple agents, you can scope policies to specific agent identities.
  3. Review simulation logs after a full work session -- let your agent run through real tasks and review what SafeClaw flagged.
The setup takes 60 seconds. The security it provides is ongoing. Every action your AI agent takes now passes through a policy you control, evaluated locally, logged immutably. That is the difference between running agents responsibly and hoping nothing goes wrong.

Try SafeClaw

Action-level gating for AI agents. Set it up in your browser in 60 seconds.

$ npx @authensor/safeclaw