Halt Documentation

Agent monitoring, smart rules, and a kill switch for OpenClaw. One plugin. Total control.

Quick Start

Get from zero to monitored in under 2 minutes.

1. Install the plugin

Terminal
openclaw plugins install @halt/plugin

2. Set up (one command)

Terminal
npx halt init

This handles authentication, API key generation, and config in one command. Or manually: sign up at app.halt.dev, copy your API key, and add it to your openclaw.json:

openclaw.json
{
  "plugins": {
    "entries": {
      "halt": {
        "config": {
          "apiKey": "clw_live_your_key_here"
        }
      }
    }
  }
}

3. Agents are auto-discovered

When the plugin starts, it reads your openclaw.json and registers all agents with Halt. They appear on your agents page as “discovered” — activate the ones you want to monitor.

To register agents before running them:

Terminal
npx halt discover

Configuration

All configuration goes inside the config object in your openclaw.json.

apiKey (string, required)
Your Halt API key. Starts with clw_live_.

backendUrl (string, default: https://api.halt.dev)
Backend API endpoint. Override for self-hosted or development.

spendLimit (number, default: 100)
Max spend per session in USD. Agent auto-pauses when this limit is reached.

rateLimit (number, default: 120)
Max tool calls per minute. Agent auto-pauses when this rate is exceeded.

toolBlocklist (string[], default: [])
Tool names to always block. Case-insensitive. Example: ["execute_bash", "rm"]

redactionPatterns (string[], default: [])
Additional regex patterns for redacting sensitive data from event logs.

Full example — openclaw.json
{
  "plugins": {
    "entries": {
      "halt": {
        "config": {
          "apiKey": "clw_live_abc123",
          "spendLimit": 50,
          "rateLimit": 60,
          "toolBlocklist": ["execute_bash", "delete_file"],
          "redactionPatterns": ["sk-[a-zA-Z0-9]{32}"]
        }
      }
    }
  }
}
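
A custom redaction pattern is worth testing against keys of the lengths you actually use before you rely on it. The sketch below is an added example, not Halt's redaction code: it assumes each pattern is compiled as a global regex and every match is replaced with a placeholder (the placeholder text and sample keys are constructed). It shows that the fixed-length pattern from the full example leaves the tail of a longer key in the log.

```javascript
// Added example, not Halt's code. Assumption: each redactionPatterns entry is
// compiled as a global regex and every match is replaced with a placeholder.
const PLACEHOLDER = "[REDACTED]"; // hypothetical placeholder text

function compilePatterns(patterns) {
  return patterns.map((p) => new RegExp(p, "g"));
}

// Recursively redact every string inside an event payload.
function redact(value, regexes) {
  if (typeof value === "string") {
    return regexes.reduce((s, re) => s.replace(re, PLACEHOLDER), value);
  }
  if (Array.isArray(value)) return value.map((v) => redact(v, regexes));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redact(v, regexes)])
    );
  }
  return value; // numbers, booleans and null pass through unchanged
}

// Return the bare sample secrets that the patterns do not fully cover,
// i.e. some characters of the secret survive redaction.
function findLeaks(patterns, samples) {
  const regexes = compilePatterns(patterns);
  return samples.filter((s) => redact(s, regexes) !== PLACEHOLDER);
}

// Constructed sample values (not real keys).
const KEY_32 = "sk-" + "a1B2".repeat(8); // 32 characters after the prefix
const KEY_48 = "sk-" + "a1B2".repeat(12); // 48 characters after the prefix
const SAMPLE_EVENT = {
  type: "tool_use",
  params: { headers: ["Authorization: Bearer " + KEY_48], retries: 3 },
};

const PAGE_PATTERN = ["sk-[a-zA-Z0-9]{32}"]; // from the full example above
const OPEN_ENDED = ["sk-[a-zA-Z0-9]{32,}"]; // variant with an open upper bound

// The 48-character key keeps its last 16 characters under the page pattern.
console.log(redact(SAMPLE_EVENT, compilePatterns(PAGE_PATTERN)).params.headers[0]);
console.log(findLeaks(PAGE_PATTERN, [KEY_32, KEY_48]).length);
console.log(findLeaks(OPEN_ENDED, [KEY_32, KEY_48]).length);
```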

Event Monitoring

Halt captures every action your agent takes through OpenClaw's hooks system.

Event types

  • tool_use: Every tool invocation with name, params, result, duration
  • llm_call: LLM requests with token count, cost, model name
  • message_sent: Outbound messages from the agent
  • message_received: Inbound messages to the agent
  • agent_lifecycle: Session and agent lifecycle events
  • subagent: Sub-agent creation and completion

Privacy

Sensitive data (API keys, passwords, tokens) is automatically redacted before transmission. Data sharing for aggregate pattern improvement is opt-in and off by default.

Rules & Alerts

Rules evaluate against incoming events and trigger alerts or block actions. Free tier gets 3 pattern rules. Paid tiers get unlimited rules including natural language.

Rule types

Keyword

Match actions containing specific strings. Block, alert, or both. Case-insensitive by default.

{ "type": "keyword", "keywords": ["rm -rf", "DROP TABLE"], "matchMode": "any" }

Rate

Alert or block when event frequency exceeds a threshold in a time window.

{ "type": "rate", "eventType": "tool_use", "maxCount": 20, "windowMinutes": 5 }

Threshold

Alert or block when a numeric field crosses a limit in a time window.

{ "type": "threshold", "field": "cost_usd", "operator": "gt", "value": 10, "windowMinutes": 60 }

Natural Language (Pro)

Describe what to monitor in plain English. Block, alert, or both. Evaluated by AI.

{ "type": "nl", "promptText": "Block any action that sends emails to more than 10 recipients" }
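
To see how the keyword, rate and threshold rule objects above behave against a stream of events, here is a small local evaluator. It is an added example, not Halt's rule engine: the event shape (type, action, ts, cost_usd), the constructed history, and the choice to sum the threshold field over the window are assumptions, and only the matchMode and operator values shown on the page are handled.

```javascript
// Added example, not Halt's rule engine. Assumed event shape:
// { type, action, ts (ms since epoch), cost_usd }.
const MINUTE_MS = 60_000;

// Events whose timestamp falls inside the window that ends at `now`.
function inWindow(events, windowMinutes, now) {
  const start = now - windowMinutes * MINUTE_MS;
  return events.filter((e) => e.ts > start && e.ts <= now);
}

// True when `rule` fires for `event`, given earlier events of the same agent.
function ruleFires(rule, event, history) {
  const all = [...history, event];
  switch (rule.type) {
    case "keyword": {
      if (rule.matchMode !== "any") throw new Error("only matchMode 'any' is handled");
      const text = String(event.action).toLowerCase(); // case-insensitive match
      return rule.keywords.some((k) => text.includes(k.toLowerCase()));
    }
    case "rate": {
      if (event.type !== rule.eventType) return false; // other event types never trigger
      const same = all.filter((e) => e.type === rule.eventType);
      return inWindow(same, rule.windowMinutes, event.ts).length > rule.maxCount;
    }
    case "threshold": {
      if (rule.operator !== "gt") throw new Error("only operator 'gt' is handled");
      // Assumption: the field is summed over the window, then compared.
      const total = inWindow(all, rule.windowMinutes, event.ts)
        .reduce((sum, e) => sum + (Number(e[rule.field]) || 0), 0);
      return total > rule.value;
    }
    default:
      return false; // e.g. "nl" rules, which need the backend
  }
}

// Rule objects copied from the page.
const KEYWORD = { type: "keyword", keywords: ["rm -rf", "DROP TABLE"], matchMode: "any" };
const RATE = { type: "rate", eventType: "tool_use", maxCount: 20, windowMinutes: 5 };
const THRESHOLD = { type: "threshold", field: "cost_usd", operator: "gt", value: 10, windowMinutes: 60 };

// Constructed history: 20 tool calls, 10 s apart, $0.45 each.
const T0 = Date.UTC(2025, 0, 1);
const HISTORY = Array.from({ length: 20 }, (_, i) => ({
  type: "tool_use", action: "read_file notes.txt", ts: T0 + i * 10_000, cost_usd: 0.45,
}));
const NEXT = { type: "tool_use", action: "sql: drop table users", ts: T0 + 200_000, cost_usd: 1.5 };

console.log([KEYWORD, RATE, THRESHOLD].map((r) => ruleFires(r, NEXT, HISTORY)));
```

The 21st tool call pushes both the count past maxCount and the summed cost past 10, so all three rules fire on the same event.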

Per-agent scoping

Rules can apply to all agents (default) or be scoped to specific agents. Set the scope when creating a rule — select “All agents” or pick specific agents. The plugin only fetches rules relevant to its agent, so scoped rules never fire on the wrong agent.

Agent-visible rules

Rules can be visible or silent. Visible rules are injected into the agent's system prompt so it knows what's being enforced and can comply proactively. Silent rules enforce without the agent's knowledge. Set per-rule when creating, or override system-wide from Settings (All visible / Per rule / All silent).

Alert channels

Free tier: email only. Paid tiers: email, Telegram, Discord, and SMS. Enterprise adds custom webhooks with HMAC-SHA256 signing.

Shield Pro

Built-in injection detection engine that scans both tool inputs (before execution) and tool outputs (after execution). 140 detection patterns across 6 categories, 3 severity tiers. Zero latency — pure pattern matching, no API calls.

Detection Categories

  • Critical (always blocked): Destructive commands (rm -rf, DROP TABLE, curl|bash), credential exfiltration (AWS keys, GitHub tokens, Stripe keys, JWTs, private keys, 30+ service-specific patterns)
  • High (block by default): Prompt injection (instruction overrides, system prompt manipulation, jailbreaks, stealth patterns like "do not tell the user", multi-turn manipulation)
  • Medium (alert by default): Encoding tricks (zero-width chars, homoglyphs, RTL overrides), data exfiltration (PII in outputs, crypto addresses, healthcare IDs)

How It Works

Shield runs as a standalone scanner in the plugin hook chain, before cached rules. It scans tool parameters on every call, and tool results after execution (catching indirect injection from RAG, APIs, and databases).

Pro+ users get three Shield rules auto-enabled on signup. Critical threats cannot be downgraded. High and medium tiers are configurable — set to block or alert per your preference. Per-tool allowlists prevent false positives on known-safe tools.

Output Scanning

Shield is the only agent monitoring tool that scans tool outputs at the plugin level. This catches indirect prompt injection — malicious instructions hiding in API responses, database results, or RAG documents. Output detections trigger alerts and feed into auto-kill escalation.
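
What output scanning for the "encoding tricks" category looks like in practice: the sketch below walks a tool result and reports zero-width and bidirectional control characters with the field they were found in. It is an added example, not Shield's detection patterns; the code-point lists, the allowlist parameter, the tool name search_docs and the sample result are all constructed for illustration.

```javascript
// Added example, not Shield's patterns. Covers two of the "encoding tricks"
// named above: zero-width characters and bidirectional control characters.
const CHECKS = [
  { kind: "zero-width", re: /[\u200B-\u200D\u2060\uFEFF]/ },
  { kind: "bidi-control", re: /[\u202A-\u202E\u2066-\u2069]/ },
];

// Walk a tool result (string, array or object) and record each hit with the
// path of the field it was found in and its code-point index in that string.
function scanValue(value, path, findings) {
  if (typeof value === "string") {
    Array.from(value).forEach((ch, index) => {
      const check = CHECKS.find((c) => c.re.test(ch));
      if (!check) return;
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      findings.push({ path, index, codePoint: "U+" + hex, kind: check.kind });
    });
  } else if (value !== null && typeof value === "object") {
    for (const [key, child] of Object.entries(value)) {
      const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
      scanValue(child, childPath, findings);
    }
  }
  return findings;
}

// Scan one tool result. Tools on the allowlist are skipped (hypothetical
// parameter modelling the per-tool allowlists mentioned above).
function scanToolOutput(toolName, result, allowlist = []) {
  const findings = allowlist.includes(toolName) ? [] : scanValue(result, "$", []);
  // The page lists encoding tricks as medium severity (alert by default).
  return { tool: toolName, severity: findings.length ? "medium" : "none", findings };
}

// Constructed retrieval result: the second document hides two control characters.
const SAMPLE_RESULT = {
  documents: [
    { title: "Q3 summary", text: "Revenue grew 4% quarter over quarter." },
    { title: "Notes", text: "Plain\u200Btext with a hidden\u202E override." },
  ],
};

console.log(JSON.stringify(scanToolOutput("search_docs", SAMPLE_RESULT), null, 2));
```

A leading U+FEFF byte-order mark is a common benign hit, which is the kind of false positive a per-tool allowlist is meant to absorb.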

Kill Switch

Three layers of pre-action defense. Every tool call and message is checked before execution. If any layer triggers, the action is blocked in-process with zero network latency.

1. Server Kill State

Click "Kill" in your dashboard. A WebSocket signal reaches the plugin instantly. All subsequent actions are blocked until you resume.

2. Local Failsafe

Spend circuit breaker, rate limiter, and tool blocklist. Always active, even when offline. Configured via your openclaw.json.

3. Cached Rule Evaluation

Your server-side rules are fetched every 60 seconds and evaluated locally. Keyword, rate, and threshold rules run pre-action without a network round-trip.

Anomaly Detection (Pro)

Halt builds a 72-hour behavioral baseline for each agent — typical event rates, tool usage patterns, cost per session. After the learning period, it flags deviations automatically.

No configuration needed. Baselines are built from your agent's actual behavior, not generic thresholds.

Cost Tracking

Every LLM call and tool use captures cost data from OpenClaw's native tracking. Halt aggregates this into actionable spend analytics on your dashboard:

  • Per-agent cost cards — see which agents cost the most, with token counts and event volume
  • 7-day spend chart — daily trend visualization with week-over-week comparison
  • Top costly events — your 10 most expensive individual calls ranked, with model and timestamp
  • Spend today + trend — stats row shows today's spend with a percentage change arrow

Cost data comes from OpenClaw's native cost_usd and tokens_used fields in event metadata. Halt does not calculate costs — it uses what OpenClaw reports.

Decision Traces

On each agent's detail page, you can see a visual timeline of recent sessions. Click any session to expand its full decision trace — every tool call, LLM request, and message in order.

  • Session cards — date, duration, event count, total cost per session
  • Expandable timeline — color-coded dots per event type (tool=sky, LLM=purple, message=green, subagent=yellow)
  • Per-call detail — action name, target, model, cost, severity highlighting
  • Subagent attribution — subagent lifecycle events show their ID with indented positioning

Navigate to Agents → click an agent → Sessions tab. Sessions are tracked with full lifecycle (active, completed, killed) including duration, event count, and cost. Subagent events are nested within their parent session. Blocked events show a BLOCKED badge with the reason and source rule.

Teams (Team)

Free tier includes 1 team with 2 members. Team tier scales to 10 members with full role management (owner, admin, editor, viewer) and unlimited shared rules.

Shared rules apply across all team members' agents. Invite members via email — invitations expire after 7 days.

Offline Resilience

If the Halt backend is unreachable, the plugin keeps working:

  • Events are cached locally (up to 50MB / 7 days)
  • Local failsafe (spend limits, rate limits, tool blocklist) stays active
  • Cached rules continue evaluating pre-action
  • On reconnect, queued events flush automatically

Your agents stay protected even when the internet isn't.

API Reference

All API endpoints require a Bearer token (Authorization: Bearer clw_live_...) unless marked as public.

  • POST /api/events: Ingest batch of events (up to 100)
  • GET /api/events: List events with pagination
  • GET /api/agents: List all agents
  • POST /api/agents: Create agent
  • GET /api/rules: List rules
  • POST /api/rules: Create rule
  • PUT /api/rules/:id: Update rule
  • DELETE /api/rules/:id: Delete rule
  • GET /api/alerts: List alerts
  • POST /api/agents/:id/kill: Kill (pause) agent
  • POST /api/agents/:id/resume: Resume agent
  • GET /api/stats: Dashboard stats
  • GET /api/tools: Known tools (discovered from config + seen in events)
  • GET /api/spend: Spend analytics (per-agent, per-day, top events)
  • GET /api/sessions: List sessions (filter by agent, status)
  • GET /api/sessions/:id: Session detail
  • GET /api/sessions/stats: Session aggregates (duration p50/p95, plugin versions)
  • GET /api/agents/:id/sessions: Agent sessions with events (decision traces)
  • GET /api/saves: List saves (blocked actions)
  • GET /api/saves/count: Total save count
  • GET /api/status: Health check (public)

Pricing

  • Open Source (Free): Unlimited agents, Unlimited pattern rules, Local history. Kill switch + auto-kill, injection detection, spend/rate limits, local dashboard.
  • Pro ($5/mo): 1 (+$3/ea) agents, Unlimited + 5 NL rules, 90 days history. Cloud dashboard, AI detection, cost analytics, session timelines, all alerts, 14-day trial.
  • Team ($19/mo): 5 (+$2/ea) agents, Unlimited + 20 NL + shared rules, 1 year history. 10 members, 5-min eval, auto-kill, full role management.
  • Enterprise (Custom): Unlimited agents, Unlimited rules, Unlimited history. SSO, audit logs, custom webhooks, custom roles.

Troubleshooting

Events not showing up on the dashboard

Check that your API key is correct and starts with clw_live_. Verify the backend URL is reachable. Events are batched every 5 seconds — wait a moment after starting your agent.

Kill switch didn't trigger

Free tier gets 1 kill per month. Pro and above get unlimited kills. If you've used your monthly kill, upgrade to Pro. Check that the WebSocket connection is active (look for reconnection logs). The local failsafe (spend limits, rate limits, tool blocklist) always works regardless of tier.

Rule not firing

Check that the rule is enabled. Verify the event type matches (e.g., a rate rule on 'tool_use' won't trigger on 'llm_call'). Keyword rules are case-insensitive by default. NL rules require backend connectivity.

Agent paused unexpectedly

Check your spend limit (default $100/session) and rate limit (default 120 calls/min). These fire automatically via the local failsafe. Adjust in your openclaw.json config.

Can't connect to WebSocket

The plugin reconnects automatically with exponential backoff (1s to 60s). If behind a firewall, ensure outbound WebSocket connections to api.halt.dev are allowed. HTTPS fallback is always active.

Need help? Email support@halt.dev
