5D integration
5D for OpenClaw and autonomous personal AI assistants
Runtime policy for assistants that can act through shell, files, browsers, APIs, and long-lived memory.
Who this page is for
OpenClaw, formerly Clawdbot and Moltbot, is the canonical example: an autonomous AI assistant with shell access, file system access, and tool use via messaging platforms. Other projects in the same shape include IronClaw, Open Interpreter, AutoGPT, and OpenHands. Each puts an LLM in direct command of a user or repo environment through chat, CLI, or messaging control surfaces. The action layer is wide open.
Why this layer matters here
- These assistants execute shell commands. Prompt-layer safety does not see this surface.
- They persist memory across sessions. Today's read becomes tomorrow's exfiltration vector.
- They run on user machines, not in vendor sandboxes. The action layer is the only place to put a deterministic gate.
Documented incidents
- Incident 1152, Replit agent deleted a production database during a code freeze. This is the shape of action that reversibility, tool privilege, and autonomy-context thresholds engage on. (source)
- Incident 1178, Gemini CLI deleted local files after a misread command sequence. This is the shape of action that reversibility and drift across an action sequence engage on. (source)
- Snyk documented prompt-injection against Clawdbot/OpenClaw through email and config-file exfiltration. This is the shape of action that data sensitivity and external impact thresholds engage on when untrusted content reaches a tool path. (source)
What 5D does in this shape
fivedrisk sits between the LLM's decision and the action's execution. Every tool call goes through the gate. The decision is logged either way. The agent receives a typed result indicating allow, review, or deny.
from fivedrisk import DecisionLog, evaluate_action
log = DecisionLog("fivedrisk.db")
result = evaluate_action(
tool_name="bash",
tool_input={"command": "..."},
log=log,
source="openclaw", # also: open-interpreter, autogpt, openhands, ironclaw
)
if result.requires_review:
queue_review(result.to_dict())
elif result.denied:
block_action(result.to_dict())
else:
run_action() Install
git clone https://github.com/theDoc001/fivedrisk.git
cd fivedrisk
python3 -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]" Next step
Wire the gate before the assistant can touch the host.
The point is narrow: score the action before it runs, route it deterministically, and keep the log local.