Keel
Persistent safety policies and cryptographic audit trails for tool-using agents. Keel keeps constraints on disk, not in the prompt. Policies survive context compaction. Every action is logged to a tamper-evident hash chain.
Install
# Install the Keel skill from ClawHub
clawhub install threshold-keel
# Keel loads automatically on session start.
# The SKILL.md instructs your agent to classify,
# approve, and log every tool action.
# If the CLI is installed, the agent uses it
# for real cryptographic hashing and deterministic
# policy checks. Without it, the agent follows
# the same rules using file tools directly.Package not yet published to ClawHub. Coming soon. The SKILL.md can be installed manually by copying it to your OpenClaw skills directory.
# Install the Keel CLI
pip install threshold-keel
# Initialise (creates ~/.keel/ with default policies)
keel init
# Check status
keel --human status
# The CLI works with any agent that can run shell
# commands: Claude Code, Codex, custom agents.
# Your agent calls keel check-policy before acting
# and keel wal-append to log every action.Package not yet published to PyPI. Coming soon. The library and CLI are functional and tested (493 tests passing).
# MCP server integration is on the roadmap.
# This will allow Keel to sit at the MCP transport
# boundary, intercepting tool calls before execution.
#
# For now, Keel works through the CLI.
# Agents call keel check-policy and keel wal-append
# via shell, which provides the same safety guarantees.MCP server is planned. The CLI provides equivalent safety today for any agent that can execute shell commands.
Want Cloud sync? Set KEEL_CLOUD_API_KEY and the CLI handles routing automatically. See Cloud plans.
How it works
Keel operates in three modes, automatically selected. Instructions-only mode works with zero dependencies. The CLI adds cryptographic integrity. Cloud adds persistence and multi-agent coordination.
Instructions only (free, zero deps)
✓ Tiered risk classification
✓ Structured approval flows
✓ Policy store on disk
✓ WAL logging (plain text)
✓ Blast radius caps
✓ Context compaction survival
— Cryptographic hash chains
— Deterministic policy evaluation
— Chain integrity verification
With CLI (free, pip install)
✓ Everything in instructions mode
✓ SHA-256 hash-chain WAL
✓ Deterministic policy checking
✓ Chain integrity verification
✓ Fidelity self-checks
✓ Structured JSON output
+ Cloud sync when KEEL_CLOUD_API_KEY is set.
Dashboard, multi-agent coordination, compliance exports.
Core concepts
Risk tiers
T0 Read-only
Fetch email, list files, check calendar, web search. Logged but not gated.
T1 Reversible
Create files, add labels, make directories. Logged with notice.
T2 Reversible within window
Archive email, move to bin, relocate files. Requires brief approval. Quarantine period applies.
T3 Irreversible
Send email, permanent delete, publish, execute payment. Full structured approval. Policy-blockable.
Defaults are conservative. Policies can tighten or relax per tool, per target, per scope.
Why this exists
Tool-using agents are valuable because they can act. That is also the failure mode. In February 2026, 386 malicious skills were found on ClawHub. 30,000+ OpenClaw instances had no tool-call safety layer. Keel is a structural response: policy, approval, and audit at the boundary where actions happen.
Get started
Start local with the SKILL.md or CLI. Add Cloud when you want synced policies, a dashboard, and multi-agent coordination. Driftwatch and Helmsman integrate later for teams shipping agent workflows with evaluation gates and runtime confidence scoring.