Real-time prompt injection defence
Scan every piece of content before it reaches your AI agent. One plugin, zero config, continuous protection.
Per machine. Run unlimited agents on one machine.
Continuous real-time scanning
Every piece of content scanned automatically
All 20+ file types
PDF, Word, Excel, PPTX, email, calendar, Google Docs, and more
Runtime shard detection
Catches multi-step attacks that evade static scanning
OpenClaw plugin
Drop-in integration, zero config
Automatic rule updates
New detection patterns pushed as threats evolve
Multi-channel alerts (8 providers)
Instant notification when threats are blocked
Direct support
Email support, 24h response
FAQ
Which AI agents does Sentinel work with?
Sentinel works natively with OpenClaw — install the plugin and you are protected immediately. The underlying Python package (sentinel-security) works with any Python-based agent framework: LangChain, AutoGPT, CrewAI, or anything custom. If your agent reads external content and passes it to an LLM, Sentinel can protect it.
What does Sentinel protect against?
Sentinel defends against two threat classes. First, prompt injection: attackers hiding instructions in content your agent processes — emails, documents, web pages, API responses — designed to hijack what your agent does. Second, secret and credential exposure: your agent accidentally leaking API keys, tokens, or passwords in its outputs. Both threats are detected at the agent runtime layer before damage occurs.
How do I get alerted when a threat is blocked?
Configure one or more alert destinations with /sentinel alerts add. Sentinel supports Telegram, Slack, Discord, email, Teams, WhatsApp, iMessage, and custom webhooks. Every blocked threat triggers an alert to all configured destinations instantly. You can also query your block history with /sentinel blocks.
What do I get as a subscriber?
A Sentinel Standard subscription gives you the full OpenClaw plugin with automatic scanning on every agent action, real-time alerts across 8 channels, block history and telemetry, the system prompt auditor, and secret scanning. More importantly, you get access to continuously updated threat intelligence — our security team actively researches new attack techniques, runs them through a dedicated red team suite, and ships validated detection rules automatically with every update. You stay protected against threats that didn't exist when you first installed. We plan to introduce additional tiers as the product evolves.
How does billing work?
£5/month per machine — run as many agents as you like on that machine. Billed monthly via Stripe. Cancel anytime, no contracts, no lock-in. Your protection continues until the end of the billing period.
What happens to my data?
All scanning runs on your infrastructure. We never see, collect, or store the content you scan. Your data stays yours.
How do I get started?
Click "Get Sentinel Standard" on the pricing page. You'll be taken to a secure Stripe checkout. After payment, you'll receive your licence key instantly — just set it as an environment variable and you're protected.
Why does OpenClaw need this?
OpenClaw agents read emails, browse the web, process documents, and execute tools on your machine. Every piece of external content is an attack surface. CrowdStrike, Cisco, and Kaspersky have all published research showing how a single prompt injection in an email can exfiltrate private keys, send messages on your behalf, or trigger tool calls you never authorised. Sentinel was built specifically because we run OpenClaw agents in production ourselves and needed this protection. It is not theoretical — it is operational.
My system prompt already has safety rules. Why do I need scanning?
System prompt rules tell the LLM what to do. Scanning catches threats before the LLM ever sees them. These are different layers. A well-crafted injection can convince the model to ignore its system prompt — that is the whole point of prompt injection. Sentinel strips or flags the malicious content before it reaches the model, so the model never has to decide whether to obey it. Think of it like this: system rules are a seatbelt, scanning is the brakes. You want both.
Does Sentinel let me use my agent more freely?
Yes. The biggest barrier to giving AI agents real autonomy is trust. Without scanning, you either restrict what your agent can access (limiting its usefulness) or accept the risk of it processing malicious content (limiting your safety). Sentinel removes that trade-off. Scan everything that comes in, block what is dangerous, and let your agent work on the rest. More surfaces scanned means more tasks you can confidently delegate.
What are the limitations? What can Sentinel not catch?
Sentinel uses pattern-based detection, not LLM-based classification. That means it is fast and deterministic, but it will not catch novel zero-day attacks that do not match any known pattern. Semantic attacks (instructions that look like normal text to a pattern matcher but carry malicious intent to an LLM) are harder to detect without an LLM in the loop — that is on the roadmap. We also cannot protect against attacks embedded in images, audio, or video yet. We publish known limitations openly: transparency builds more trust than marketing.
What data does Sentinel collect?
Sentinel runs entirely on your machine. The detection engine never sends your content, prompts, or documents anywhere. Telemetry is disabled by default — opt in by setting SENTINEL_SHARE_LOGS=true. When enabled, it sends anonymous usage stats only (scan count, detection counts, version) to help us prioritise rule updates. No content, no prompts, no file contents. You can verify this yourself: the detection engine runs entirely on your infrastructure.
Will this slow down my agent?
Average scan time is under 600ms. For most workflows (reading emails, processing documents), that is imperceptible. Sentinel runs synchronously before content reaches the LLM, so there is a small latency addition per content item. For batch processing (scanning hundreds of files), you can run scans in parallel. The runtime shard detector adds zero latency — it monitors asynchronously.
What is the Exposure Assessment?
A quick questionnaire that evaluates your agent's attack surface based on the data sources it accesses, the permissions it holds, and the defences you have in place. It takes under two minutes and gives you a qualitative risk rating. No account required.
How do detection rules get updated?
Rules update automatically with every plugin update. Our security team runs a continuous research and red team cycle — monitoring emerging attack vectors, testing new techniques, and shipping validated patterns. You get protection against threats that weren't known when you first installed. No manual updates, no stale rules. It's the same principle as antivirus software: the scanner is straightforward, the continuously updated intelligence is what keeps you safe.
What are shard attacks, and why do I need runtime detection?
A shard attack splits a malicious payload across multiple innocuous-looking documents. Each piece passes static scanning because individually it looks clean. The runtime detector monitors your agent's behavior across multiple actions and catches the pattern. Without it, shard attacks are invisible.
Still have questions?