
Your Agent Ran All Night. Do You Know What It Did?
Today we're releasing Gate OC Audit, a free, Apache-2.0 licensed audit trail for OpenClaw agents: every tool call, message, skill, and cron recorded to a tamper-evident trail on your own machine, verifiable by anyone.
If you run an OpenClaw agent, you have probably had a version of this morning. The agent worked while you slept. Crons fired, mail got read, messages went out, a skill touched a repo. Except this morning a client is asking why they received a contract that was still being negotiated. Or a credential is sitting in a channel it should never have entered. Or something changed in production overnight and nobody on the team remembers doing it. And the person across the table asks the only question that matters: what exactly did your agent do?
The honest answer, for almost everyone running agents today, is "trust me, I checked the logs." That answer is worth less than it sounds, because logs you control are not evidence. Anything that can write a log can rewrite it: a compromised skill, a hijacked tool call, a bug, or you. As agents take on more real work on our behalf, the gap between what you know and what you can prove starts costing real money, real clients, and real trust.
Today we are releasing our attempt at a better answer: Gate OC Audit, a free, open-source audit trail for OpenClaw agents, licensed Apache-2.0.
openclaw plugins install @constellation-network/gate-oc-audit
openclaw audit setup
What it does
The plugin subscribes to every public lifecycle hook OpenClaw exposes and records what your agents actually do: every tool call with sanitized arguments, every prompt and response, every message in and out, every cron execution, session starts and ends, subagent spawns, and every plugin or skill install along with the result of OpenClaw's built-in security scan. All of it lands in a SQLite database on your machine.
What makes it an audit trail rather than another log file is the structure underneath. Each event is hashed with SHA-256 over canonicalized JSON and folded into a Sparse Merkle Tree, with checkpoints committed on a rolling cadence. Editing an event, deleting one, or reordering the sequence breaks the next verification. Run openclaw audit verify at any time and the chain is re-derived from scratch, offline, on your hardware. Integrity is a property of the data structure, not a promise from a vendor.
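The mechanism described above, as an added example that is not the plugin's code: it hashes canonicalized events with SHA-256 and commits to their order with a plain binary Merkle root, swapped in here for the Sparse Merkle Tree the plugin uses. The event fields and function names are assumptions.

```javascript
// Added illustration, not the plugin's code. Event fields and tree layout are assumptions.
const { createHash } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Canonical JSON: object keys sorted recursively, so equal events hash equally.
function canonicalJson(value) {
  if (Array.isArray(value)) return '[' + value.map(canonicalJson).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalJson(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// Leaves and interior nodes get different prefixes so one cannot be passed off as the other.
const leafHash = (event) =>
  sha256(Buffer.concat([Buffer.from([0]), Buffer.from(canonicalJson(event))]));
const nodeHash = (left, right) => sha256(Buffer.concat([Buffer.from([1]), left, right]));

// Root over the ordered event list; an unpaired node is promoted unchanged.
function merkleRoot(events) {
  if (events.length === 0) return sha256(Buffer.alloc(0)).toString('hex');
  let level = events.map(leafHash);
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) {
      next.push(i + 1 < level.length ? nodeHash(level[i], level[i + 1]) : level[i]);
    }
    level = next;
  }
  return level[0].toString('hex');
}

// Verification re-derives the root from the stored events and compares it to the checkpoint.
const verify = (events, checkpointRoot) => merkleRoot(events) === checkpointRoot;

// Constructed sample events.
const trail = [
  { seq: 1, type: 'session.start', agent: 'jim-recruiter' },
  { seq: 2, type: 'tool.call', tool: 'github.repos.get', decision: 'allow' },
  { seq: 3, type: 'tool.call', tool: 'sendgrid.mail.send', decision: 'block' },
];
const checkpoint = merkleRoot(trail);
```

Editing, deleting, or reordering any entry of `trail` makes `verify` return false against `checkpoint`, while writing the same event with its keys in a different order still verifies.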
On top of the record sit the tools you actually use day to day. Deduplicated session timelines answer "what did it do" down to the second, with every allow and block decision inline:
$ openclaw audit report session s_3f9ac21b
Session s_3f9ac21b · 14m 02s · 41 events (deduped from 96)
10:02:11  start  agent jim-recruiter
10:02:14  tool   github.repos.get      ✓ allow
10:05:46  tool   sendgrid.mail.send    ✗ block  external addr
10:08:22  tool   github.issues.create  ✓ allow
10:16:13  end    41 events recorded · chain intact
Built-in anomaly detectors flag the things you would want to know about before you knew to look: the same message sent twice to the same recipient, a tool invoked for the first time with no history behind it, a spike in denied calls, a new install. You can watch the files that matter, like your agent's soul and config, and get a Slack or Discord ping the moment anything changes them. Daily and weekly digests land in the same channel, covering activity, outbound messages, anomalies, and what your agents spent on LLM calls by provider and model. This combination is my favorite part of running the plugin myself: the agents work all day, and the things worth knowing find me, including what the day cost, without my asking. And openclaw audit ui serves a local dashboard straight from the plugin if you would rather browse than type.
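The four detector ideas named above, as an added example that is not the plugin's detectors: one pass over an event stream that flags a repeated message to the same recipient, a first-use tool, a spike in denied calls, and a new install. The event shape, the threshold and the window are assumptions.

```javascript
// Added illustration, not the plugin's detectors. Event shape and thresholds are assumptions.
const { createHash } = require('node:crypto');

function detectAnomalies(events, knownTools = [], deniedThreshold = 3, windowMs = 60_000) {
  const findings = [];
  const seenTools = new Set(knownTools);
  const seenMessages = new Set();
  const denials = []; // timestamps (ms) of blocked calls inside the window
  let spikeOpen = false; // report a spike once, not on every further denial

  for (const e of events) {
    if (e.type === 'plugin.install') findings.push({ kind: 'new_install', ts: e.ts, name: e.name });
    if (e.type === 'message.out') {
      // Key on recipient plus a digest of the body, so bodies are not held in memory.
      const key = e.to + ':' + createHash('sha256').update(e.body).digest('hex');
      if (seenMessages.has(key)) findings.push({ kind: 'duplicate_message', ts: e.ts, to: e.to });
      seenMessages.add(key);
    }
    if (e.type !== 'tool.call') continue;
    if (!seenTools.has(e.tool)) findings.push({ kind: 'first_use', ts: e.ts, tool: e.tool });
    seenTools.add(e.tool);
    if (e.decision !== 'block') continue;
    denials.push(e.ts);
    while (denials[0] <= e.ts - windowMs) denials.shift(); // drop denials older than the window
    if (denials.length < deniedThreshold) {
      spikeOpen = false;
    } else if (!spikeOpen) {
      findings.push({ kind: 'denied_spike', ts: e.ts, count: denials.length });
      spikeOpen = true;
    }
  }
  return findings;
}

// Constructed sample events (timestamps in milliseconds).
const sample = [
  { ts: 500, type: 'plugin.install', name: 'example-skill' },
  { ts: 1000, type: 'tool.call', tool: 'github.repos.get', decision: 'allow' },
  { ts: 2000, type: 'message.out', to: 'client@example.com', body: 'Contract draft v3' },
  { ts: 3000, type: 'tool.call', tool: 'sendgrid.mail.send', decision: 'block' },
  { ts: 4000, type: 'tool.call', tool: 'sendgrid.mail.send', decision: 'block' },
  { ts: 5000, type: 'message.out', to: 'client@example.com', body: 'Contract draft v3' },
  { ts: 6000, type: 'tool.call', tool: 'sendgrid.mail.send', decision: 'block' },
  { ts: 7000, type: 'tool.call', tool: 'sendgrid.mail.send', decision: 'block' },
];
const findings = detectAnomalies(sample, ['github.repos.get']);
```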
Why OpenClaw
We could have started anywhere. We started with OpenClaw because it is where autonomous agents are most real right now. The numbers tell part of that story: the project has passed 375,000 stars on GitHub, and the npm package was downloaded nearly six million times in the past month. The more important part is what all those agents are doing. An OpenClaw agent is persistent. It runs crons, sends messages across channels, carries a soul file, and extends itself with community skills. That is exactly what makes it useful, and exactly what makes the question "what did it do" urgent. A chat window you supervise in real time does not need an audit trail. An agent that acts while you sleep does.
The people running these agents are also the people the existing audit industry was not built for. Enterprise audit tooling assumes a security team, a SIEM, a procurement cycle, and a compliance officer who reads the reports. The typical OpenClaw operator is one person with a server and real work being done on their behalf. There is no security team coming to review their agent's behavior. They are the security team.
That solo operator carries the same accountability a compliance department does, with none of the apparatus, and they feel it at exactly the moments the apparatus was built for: when a client asks what happened, when an accountant wants records, when production changed and nobody remembers touching it. I think this is the most underserved gap in AI security today, and it is not close. If audit tooling is going to exist for this community, it cannot arrive through a sales call. It has to install in one line, work without an account, and cost nothing. So that is what we built.
Credit where it is due: OpenClaw's plugin architecture is what made this possible. The runtime exposes lifecycle hooks for everything from tool calls to subagent spawns to the install pipeline, which means a plugin can observe the entire surface without forking anything. The same openness applies to the skill ecosystem, which is also why the supply-chain features matter. When skills and plugins can come from anywhere, knowing exactly what is installed, what its hash was when you installed it, and the moment any of it changes underneath you is not paranoia. It is hygiene. openclaw audit inventory verifies the installed surface against recorded hashes, and every install event carries its security scan summary into the permanent record.
There is nothing OpenClaw-exclusive about the approach. The runtime hooks differ between agent frameworks, but the evidence layer underneath does not care what produced the events. OpenClaw is where we are starting, not where this ends.
Design principles
A few decisions shaped everything else, and they are worth stating plainly.
Local-first, no account. The database is created on your disk with owner-only permissions. There is no signup, no cloud ingest, and no telemetry. Nothing leaves your machine unless you explicitly point it somewhere: a webhook you configure, or an anchor you enable.
Private by default, verifiable anyway. Message and prompt content is stored compressed on your own disk, and sensitive values in tool arguments are redacted automatically before they are written. If you want to go further, redaction modes store SHA-256 fingerprints instead of prompt text entirely. The fingerprints still verify: anyone holding the original text can re-hash it and confirm it matches the record, without the plaintext ever touching the database. Every event is also committed as a dual hash, one over the full event and one over just its type and timestamp, so you can prove an event happened without revealing what it contained.
Fail-open. If the audit database is ever unavailable, your agent keeps running and the degraded state is surfaced the next time you look. An audit tool that can take your agent down is a tool you will eventually uninstall.
Anchoring is optional, and free. Out of the box, the trail is tamper-evident on your machine, and you can verify it yourself forever. If you want proof that stands up to someone who does not trust you, or does not trust your machine, one prompt in the setup wizard anchors the roots to Digital Evidence, and the free tier covers it. What gets published is a 32-byte root, never your data. From then on, anyone with an exported event and its proof can check it against a public anchor that neither you nor we can rewrite.
Open formats. Exports stream as JSON Lines or CSV with inclusion proofs attached, the report projections are published as versioned JSON schemas, and the local HTTP API returns the same bytes as the CLI's JSON output. Build your own dashboard on it. We will not be offended.
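The "Private by default, verifiable anyway" principle above, as an added example that is not the plugin's code: a record that stores only a SHA-256 fingerprint of the prompt plus two commitments, one over the full event and one over its type and timestamp. The record layout and function names are assumptions.

```javascript
// Added illustration, not the plugin's code. Record layout and names are assumptions.
const { createHash } = require('node:crypto');

const sha256hex = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Redaction mode: the record keeps a fingerprint of the prompt, never the text.
// Arrays serialize in a fixed order, so JSON.stringify is deterministic here.
function recordEvent(type, ts, promptText) {
  const fingerprint = sha256hex(promptText);
  return {
    type,
    ts,
    fingerprint,
    fullHash: sha256hex(JSON.stringify([type, ts, fingerprint])), // commits to the whole event
    metaHash: sha256hex(JSON.stringify([type, ts])), // commits to type and time only
  };
}

// A party holding the original text confirms it matches the stored fingerprint.
const matchesText = (record, text) => record.fingerprint === sha256hex(text);

// A party given only the type and timestamp confirms the event exists by checking
// metaHash, without being shown the fingerprint or the content.
const provesOccurrence = (metaHash, type, ts) =>
  metaHash === sha256hex(JSON.stringify([type, ts]));

// Both commitments must re-derive from the stored fields, or the record was altered.
function recordIsConsistent(r) {
  return r.fullHash === sha256hex(JSON.stringify([r.type, r.ts, r.fingerprint]))
    && provesOccurrence(r.metaHash, r.type, r.ts);
}

// Constructed sample record.
const prompt = 'Summarize the open issues in repo X';
const rec = recordEvent('prompt', '2026-01-01T10:02:14Z', prompt);
```

A bare SHA-256 fingerprint can be confirmed by anyone who guesses the text, so short or predictable prompts are only weakly hidden by it.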
Where this fits in the Constellation story
Two weeks ago we announced Gate AI and published the benchmark work behind its prompt-injection defense. Gate OC Audit shares a name with Gate and a lineage with the network underneath it, but it stands entirely on its own. It is free, it is Apache-2.0, it works without a Gate account, and it always will.
The connection between the two is conviction. Constellation has spent years building Digital Evidence, a layer whose entire purpose is making records verifiable without trusting whoever wrote them. Our bet is that AI agents are the next domain where that property stops being a nice-to-have. The gateway applies it to traffic in flight. This plugin applies it to the agent runtime itself, and it belongs in the open, because an audit trail you have to pay for is an audit trail most of the community will simply not have. If verifiable agent records become normal because of this plugin, that is the outcome we want.
Where it goes from here
This is v0.1.0. The recording surface, the audit and anchoring layers, and the verification path are solid, and they are the parts we will be most conservative about changing. The parts we most want community pressure on are the judgment calls: which anomaly detectors earn their false positives, what the redaction defaults should be, what belongs in the daily digest, and which report projections are missing. The detectors that exist today came from watching real agent behavior, and the next ones should come from yours.
The repository has the full documentation, including every recorded event type, every configuration option, and the threat model. Issues and pull requests are open. If you maintain an OpenClaw skill or plugin and want your install story to be cleaner under audit, we would especially like to hear from you.
Getting started takes about two minutes:
openclaw plugins install @constellation-network/gate-oc-audit
openclaw audit setup
openclaw audit status
You will need OpenClaw 2026.4.24 or newer and Node 22.13 or newer. The package is on npm, the source is on GitHub, and the plugin page is at constellationgate.ai/openclaw-audit.
Your agents are already acting on your behalf, and sooner or later someone will ask you what they did. The next time that happens, you will have more than "trust me, I checked the logs." You will have an answer that holds up no matter who is asking, because what an answer is worth is exactly what you can prove.


