AI Agent Action Control

Your AI agent shouldn't be one step away from sending PII to a public model.

OpenScope brokers every privileged action your agents take — scoped, auditable, and stopped on demand by an out-of-band circuit breaker.

It can also scrub PII before prompts reach a model and route across providers. Customer-deployed, open source.

  • Open source
  • Runs fully local — no server
  • Scoped actions
  • Out-of-band circuit breaker
  • CLI v2.0.4

$ agent: clear user data for inactive accounts

@agent_call: delete_user_data(account_scope="all", confirmed=false)

Requested scope exceeds allowed action policy

BROKER: Request denied

Action: delete_user_data | Scope: all accounts | Confirmation: missing

Suggested safe action: view_eligible_accounts or delete_user_data(account_scope="single")

Two ways to run it

Run it on your laptop, or govern a fleet.

OpenScope is the same broker either way. Most of this page is the team story — here is the short version for a single machine.

Local / solo

On your machine in minutes

Broker sudo and shell commands, SSH, and Apple Notes & Mail for OpenClaw, Codex, and Claude Code. Just the openscope CLI and openscoped daemon — one install, no server, no policy service, no control plane.

Team / production

Govern an agent fleet

The same broker, plus the control plane, policy and audit, an out-of-band circuit breaker, and the optional prompt-side router for PII scrubbing and model routing. That is what the rest of this page covers.

How OpenScope works

Every privileged action runs through the broker.

Scoped, auditable actions. Instead of shell, database credentials, or a release pipeline, the agent gets named actions like refund_payment() or restart_service() — every call policy-checked and logged.

Stopped on demand. An out-of-band circuit breaker pauses the agent fleet immediately, with cryptographic attestation that it stopped — independent of the agent or its model.

The same platform can also scrub PII before prompts reach a model and route across providers — added when you need it.

[Architecture diagram; labels recovered from the image] Developer tools and AI agents (Codex, Claude Code, OpenCode) sit at the edge. Customer-owned components: the OpenScope Secure AI Router (DLP + policy + audit) on the prompt path, and the OpenScope Action Broker (scoped capabilities, circuit breaker) on the action path, which reaches the privileged resources (production servers, databases, cloud, CI/CD). Decisions come from Human Approval (change owner, SRE, manager) and from a physical out-of-band control (circuit breaker/kill switch, HSM, YubiKey, PAM) that arms or pauses the broker. Model-provider-owned endpoints: Claude, AWS Bedrock, OpenAI, Azure OpenAI, other approved models. OpenScope-owned: the AI Router/Executor control plane (updates, policies, usage, billing), which receives usage metadata only, no prompts or responses. Edge labels: Prompt/Response, Approved Prompt/Response, Privileged Action/Response, Approved Action/Response, Approve/Deny, Armed/Paused; the legend distinguishes the data path from the control path.

A local install needs only the openscope CLI and the host daemon. The control plane, circuit breaker, and prompt-side router are team-tier — optional, not required to run it yourself.

The problem is not that agents are evil. It is that they are fast, literal, and one bad action can be irreversible.

A helpful agent can still delete the wrong database, restart the wrong service, or skip a publishing checklist and expose private source code. If the raw privileged path is available, the blast radius is available too.

Production deletion

An agent told to clean up or reset state can hit the wrong database if you hand it raw DB or shell access.

Release checklist failure

An agent can publish the wrong artifact or leak source if release safety steps live only in prompts or docs.

Literal execution

Agents often do exactly what seems locally useful, not what your broader operational intent required.

Fast blast radius

When an agent has raw power, mistakes happen at machine speed across sensitive systems.

Why teams choose OpenScope

The action broker, and the prompt-side controls around it.

Scoped actions and a circuit breaker are the heart of OpenScope. Prompt security and model routing extend it.

Action governance

Govern what the agent actually does — this is where most platforms stop

The agent gets refund_payment(charge_id=…), not your billing database; restart_service(name=…), not shell access; publish_build(version=…), not your release pipeline. Every call is policy-checked and logged, and an out-of-band circuit breaker can stop the fleet immediately with cryptographic attestation.

Prompt security

Stop sensitive data from reaching the model

Scrub PII, credentials, and proprietary IP out of prompts before any request leaves your environment — running on your infrastructure, never seeing your data leave it.

Model access

Unified model access on your terms

Route across Claude, GPT, Gemini, or self-hosted models through one API, with your own provider credentials and usage limits. No third party sees your prompts, no token markup — or bring an existing gateway like LiteLLM or Bifrost.

OpenScope governs what your AI agents do — every privileged action brokered, scoped, and reversible on demand. It can also secure what they see, in one customer-deployed platform.

The OpenScope Model

OpenScope turns dangerous raw access into safe, reviewable actions.

Instead of giving the agent shell, database credentials, or a direct publishing path, you give it a brokered action like restart_service, publish_build, or refund_payment.

Capability example
restart_service(service="api")
publish_build(build="2026.04.02")
refund_payment(charge_id="...")

The broker keeps the key material, enforces the checklist, and exposes only the smaller action surface you meant the agent to use.

Security Difference

The key idea: do not ask the agent to be careful with raw power.

Use OpenScope when prompts, checklists, and monitoring are not enough because one wrong action would be too costly.

Execution containment

A monitored raw path is still a raw path.

If the agent can still reach the shell, production database, or release pipeline directly, catastrophic mistakes remain possible. OpenScope replaces that with a narrower action surface.

  • The agent does not receive the raw privileged primitive.
  • Policy applies to named actions and their parameters.
  • The exposed surface is smaller, checklistable, and easier to review.

Key containment

The stronger requirement is that the agent never holds the dangerous path.

OpenScope keeps the key, token, database credential, or publishing control inside the broker instead of leaving it reachable through a raw tool path.

  • Keys and broad permissions stay inside the broker.
  • The agent sees approved capabilities, not credentials or unsafe shortcuts.
  • The trust boundary is simpler to explain to engineering and security teams.
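A minimal broker in the spirit of the model described above and the delete_user_data demo at the top of the page, written here as an added illustration and not OpenScope's own code: the policy table, the Broker class, the database token and the attestation key are all constructed placeholders, but the shape is the one the page describes: named actions with parameter scopes, a confirmation requirement, an audit record for every call, a breaker the operator (not the agent) flips with a signed attestation, and a credential that never leaves the broker.

```python
import hashlib
import hmac
import time

# Constructed policy table (not OpenScope's format): allowed parameter values per
# named action, and whether an explicit confirmed=True is required.
POLICY = {
    "view_eligible_accounts": {"params": {}, "confirm": False},
    "delete_user_data": {"params": {"account_scope": {"single"}}, "confirm": True},
}


class Broker:
    """Holds the credential and breaker state; the agent only ever sees decisions."""
    def __init__(self, db_token: str, attest_key: bytes):
        self._db_token = db_token      # constructed placeholder, never returned
        self._attest_key = attest_key  # signs breaker events only
        self.paused = False            # out-of-band circuit breaker state
        self.audit: list[dict] = []

    def pause(self) -> dict:
        """Operator-side breaker: pause the fleet and return a signed attestation."""
        self.paused = True
        event = {"event": "paused", "ts": time.time()}
        msg = f"paused:{event['ts']}".encode()
        mac = hmac.new(self._attest_key, msg, hashlib.sha256).hexdigest()
        return {**event, "attestation": mac}

    def request(self, agent: str, action: str, **params) -> dict:
        """Policy-check one named action; every call is logged, approved or not."""
        reasons = []
        rule = POLICY.get(action)
        if self.paused:
            reasons.append("circuit breaker paused")
        if rule is None:
            reasons.append(f"unknown action {action!r}")
        else:
            for name, value in params.items():
                if name != "confirmed" and value not in rule["params"].get(name, ()):
                    reasons.append(f"{name}={value!r} exceeds allowed action policy")
            if rule["confirm"] and params.get("confirmed") is not True:
                reasons.append("confirmation missing")
        entry = {"agent": agent, "action": action, "params": params,
                 "decision": "denied" if reasons else "approved", "reasons": reasons}
        self.audit.append(entry)
        if not reasons:
            # The credential is used here, inside the broker, and never leaves it.
            entry["result"] = f"{action} executed with broker-held credential"
        return entry
```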

Use Cases

Where capability brokering becomes necessary

Best fit when a single wrong step could create a production, security, or customer-impacting incident. OpenClaw is a desktop AI agent for macOS; NemoClaw is its sandboxed variant — both run against a host-side broker instead of raw host power.

Production operations

SSH-based remediation

Sensitive databases

Internal admin APIs

Endpoint automation

Finance and support actions

OpenClaw on macOS

Sandboxed NemoClaw

Brokered Jira and SSH extensions

Architecture Overview

OpenScope sits between the intelligence layer and the execution layer.

A broker that converts high-level intents into narrow approved actions.

Already have an AI gateway?

OpenScope integrates with the gateways you already trust.

LiteLLM, Bifrost, Portkey, or direct provider APIs — OpenScope works with what you already have. The capability broker and circuit breaker work the same way regardless of how prompts flow in.

Keep your gateway

Routing, visibility, review, and broad traffic-plane control stay where they are.

Add the action broker

Scoped capabilities and key containment handle what the agent is allowed to do.

One trust boundary

Prompt-side and action-side controls reason about a single perimeter, not two.

Quick Start

Install it and broker your first action.

After the package install, an openclaw agent is pre-registered with scoped Apple Notes and Mail access. Point your agent at the CLI and go — no server to stand up.

openscope init --force
openscope status
openscope notes list_notes --agent openclaw --folder Work
openscope notes read_note --agent openclaw --folder Work --note "My Note"

Talk to us about a design partnership.

We are pre-first-customer and working closely with a small number of design partners running AI agents in production. If you are governing agent risk on both the prompt side and the action side, we want to hear what you are trying to address.

Replace raw power with scoped capabilities.

Harness AI agents for real operational work without leaving them one prompt away from a destructive or embarrassing mistake.

Would this workflow still be safe if the agent took one wrong step?