I had a Raspberry Pi 5 from a summer project that became my first OpenClaw install. Once it was running I turned to the problem: what watches the agent while you're not watching?
The idea for UNWIND came from Apple's Time Machine. If something goes wrong, you should be able to see what happened and roll it back. CRAFT, the tamper-evident audit chain, came from a separate cryptographic project I'd been working on for months before. Combining the two with a deterministic enforcement pipeline was the design I wanted to build.
UNWIND works as an MCP stdio proxy. It wraps any MCP server, intercepts every tool call on the way through, and the agent never knows it's there. If you're using Claude Desktop, Cursor, Windsurf, or VS Code Copilot with MCP servers, that's the primary integration path and the one that works most reliably right now. OpenClaw support exists but has unresolved adapter issues, so the MCP stdio path is the one to use today.
Claude Code handled planning. Codex on the Pi was the builder. I chose Codex because OpenAI lets Pro users OAuth into OpenClaw with no API costs. I gave Codex a soul.md (the instruction file OpenClaw agents use) that defined its role as a security analyst: evidence first, flag unknowns, never assume, and for every finding produce a structured assessment of what happened, why it matters... With that framing it consistently found 5 or 6 real structural issues in every plan Claude Code produced.
UNWIND is a deterministic security proxy that sits between the agent and every tool call. 15 checks run on every call. No LLM in the enforcement path, just rules and pattern matching. Every action logged in a tamper-evident hash chain. File changes snapshotted for rollback.
Three packages, all on PyPI right now:
*craft-auth* : Tamper-evident command authentication. Zero dependencies, pure Python stdlib, 1,605 lines. Try it in 10 seconds: `pip install craft-auth && craft-auth demo`. The output speaks for itself.
*ghostmode* : Dry-run proxy for MCP servers. See what your agent would do without letting it do anything. Writes intercepted, reads pass through, nothing changes. `pip install ghostmode && ghostmode -- npx @modelcontextprotocol/server-filesystem ~/Documents` (needs Node.js for the upstream MCP server; Ghost Mode itself is pure Python).
*unwind-mcp* : The full enforcement engine. `pip install unwind-mcp && unwind serve -- npx @modelcontextprotocol/server-filesystem ~/Documents` then point Claude Desktop or Cursor at it. Every tool call shows ALLOW/BLOCK decisions in the terminal. Dashboard at localhost:9001 with `unwind dashboard` (start the sidecar first with `unwind sidecar serve`).
After install, Codex was immediately flagged TAINTED by its own dashboard. It had been fetching web pages during setup, then tried to execute a command. The security stack it helped build caught it on its first live action.
Rough edges.
Requires Python 3.10+. Mac ships with 3.9.6 and the import will crash. Homebrew Python 3.11+ works fine. Windows is untested. Pure Python and cross-platform in principle but nobody has verified it.
The taint system works correctly but is too aggressive for unattended use. Normal agent workflow triggers taint immediately, which blocks execution until a human approves. When you're sitting there, this is fine. When the agent is running on its own, it's effectively frozen. The tension between "external content could carry prompt injection" and "the agent's normal job involves external content" is a genuine design problem I haven't solved cleanly.
First real human testers welcome.
UNWIND and Ghost Mode are AGPL-3.0. craft-auth is standalone with zero AGPL dependencies and can be licensed separately.
github.com/unwind-mcp
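The taint behaviour and hash-chained logging described above, sketched as an added example that is not UNWIND's or craft-auth's code: a rule-only gate that taints the session after an external fetch, blocks sensitive calls until approved, and records every decision in a SHA-256 chain. The tool names, the `Gate` class, the record layout and the sticky-taint rule are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
# Hypothetical tool names and classes, not UNWIND's real rule set.
EXTERNAL = {"web_fetch"}                      # brings untrusted content into context
SENSITIVE = {"exec_command", "write_file"}    # gated once the session is tainted

def digest(rec):
    """SHA-256 over the canonical JSON of a record, excluding its own hash."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Gate:
    def __init__(self):
        self.tainted = False
        self.chain = []                       # hash-linked audit records

    def call(self, tool, args, approved=False):
        # Pure rule evaluation: no model in the decision path.
        blocked = tool in SENSITIVE and self.tainted and not approved
        decision = "BLOCK" if blocked else "ALLOW"
        if not blocked and tool in EXTERNAL:
            self.tainted = True               # assumption: taint is sticky for the session
        prev = self.chain[-1]["hash"] if self.chain else GENESIS
        rec = {"seq": len(self.chain), "tool": tool, "args": args,
               "decision": decision, "prev": prev}
        rec["hash"] = digest(rec)
        self.chain.append(rec)
        return decision

def verify(chain, head=None):
    """Return the index of the first bad record, len(chain) if the chain does
    not end at the externally stored head, or -1 if everything checks out."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != digest(rec):
            return i
        prev = rec["hash"]
    return len(chain) if head is not None and prev != head else -1

def demo():
    """Constructed session: local read, web fetch, then two exec attempts."""
    g = Gate()
    return g, [g.call("read_file", {"path": "notes.txt"}),
               g.call("web_fetch", {"url": "https://example.com/"}),
               g.call("exec_command", {"cmd": "ls"}),
               g.call("exec_command", {"cmd": "ls"}, approved=True)]

if __name__ == "__main__":
    gate, decisions = demo()
    print(decisions, verify(gate.chain))
```

A bare hash chain only exposes truncation or a full rewrite when the latest hash is kept somewhere the log writer cannot reach, which is why `verify` accepts a separately stored `head`.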