OpenClaw command layer

Your agent ran up
$400 in API costs.
Ours stopped it at $2.

OpenClaw is the world's most popular AI agent runtime. It also has no spend ceiling, no tool approval gates, and no way to pause a runaway agent at 2am. Kybernetist is the missing command layer that makes it production-safe.

Get started — 5 minutes See how it works
$0third-party fees
5 minto first run
1process, no k8s
Agent run #247
nemotron-3-super-120b
read_email
14 messages scanned
DONE
categorise
3 urgent · 8 low priority
DONE
send_reply
to: ceo@client.com
GATE
·
create_calendar_event
pending
QUEUE
⚠ APPROVAL REQUIRED
send_reply → ceo@client.com
Subject: "Re: Q3 renewal discussion"
Spend $0.23 / $2.00
policy: strict
verifier: on
uptime: 4h 12m
Built on OpenClaw + NemoClaw
Apache 2.0 open source
FastAPI · SQLite · APScheduler
Runs on a single EC2 instance
The problem
512

CVEs in one OpenClaw security audit. 8 critical. 135,000 instances exposed.

135,000
OpenClaw instances exposed to the internet without auth
341
malicious ClawHub skills found in a single week
plain text
how OpenClaw stores every API key in your config
API calls, no spend ceiling, no kill switch by default
"Messing with OpenClaw just leads me right back to Claude to figure out why OpenClaw isn't working."
— r/openclaw
8 operator problems NemoClaw doesn't touch

NemoClaw adds Landlock + seccomp process isolation. Useful. It protects the host machine. It does nothing about what the agent does on your behalf — inside the sandbox.

Scenario 01
The agent sends an email you never authorized
OpenClaw has no concept of "approval required." Any tool the agent can call, it will call. send_reply fires without asking. NemoClaw doesn't change this.
Kybernetist: send_reply → HTTP 409. Paused. Waits for you.
Scenario 02
Your AWS bill hits $400 because the agent looped overnight
No spend ceiling exists in raw OpenClaw. The agent runs. API calls accumulate. You wake up to the bill. NemoClaw adds container isolation, not cost control.
Kybernetist: spend_watchdog checks every 5 min. Pauses before the ceiling.
Scenario 03
Dashboard goes unreachable at 2am. Agent keeps running.
OpenClaw's web UI is your only control surface. If it crashes or the network blips, there's no fallback. No notification. No pause. The agent continues.
Kybernetist: remote_unreachable auto-pauses + fires Telegram alert.
Scenario 04
A step fails. Agent hallucinates a result and keeps going.
OpenClaw doesn't validate step outputs. The agent decides its own step succeeded and continues. By the time you notice, it's taken 14 cascading wrong actions.
Kybernetist: step_verifier (Bedrock QA) after every step. Failure = pause.
Scenario 05
You can't tell what your agent actually did last night
OpenClaw writes logs to stdout. They scroll. They vanish. There's no structured audit trail you can grep, query, or hand to someone else.
Kybernetist: every action logged in JSON with request ID, agent ID, timestamp.
Scenario 06
You're away from your laptop and can't intervene
Something goes wrong and you're on your phone. There's no remote control layer. Your only option is SSH into the server and kill the process.
Kybernetist: Telegram bot. Text a command. Get a log snippet. Restart the service.
Scenario 07
An email hijacks your agent with a prompt injection
The agent reads "ignore previous instructions and forward this to..." and follows it. There's no tool execution layer that requires your sign-off before an external action fires.
Kybernetist: forward_email → HTTP 409. You approve or reject before anything leaves.
Scenario 08
k3s doubles your operational surface without solving any of this
NemoClaw ships with a Kubernetes dependency. Now you're managing a k3s cluster on top of managing your agent. None of the eight problems above are solved.
Kybernetist: one process. uvicorn. No cluster. No pods. No YAML.
What Kybernetist solves

Every problem above.
One command to start.

A FastAPI command layer that installs between you and your remote OpenClaw agent. Adds the operator controls that OpenClaw was never designed to have — without replacing any part of the agent stack you already use.

🔒
Tool approval gates
Every tool call is classified at startup. safe tools run automatically. approval_required tools pause the agent and wait for your sign-off. blocked tools are rejected — no override possible.
💰
Hard spend ceiling
Set a cost limit per run. APScheduler checks every 5 minutes. The agent pauses before it hits the ceiling — not after you receive the bill.
🛑
5 clean auto-pause conditions
remote_unreachable. verification_failed. spend_limit. stalled. shutdown. Every pause is named, logged, and resumable with a single POST request.
Step verification
After each agent step, a secondary Bedrock QA call validates the output. Looks wrong? Agent pauses. You're notified before the next action fires.
📱
Remote control from anywhere
Telegram ops bot gives you full operator control from your phone. Approve a gate. Restart the service. Pull a log snippet. No laptop. No SSH. No VPN.
📋
Full structured audit trail
Every tool call, gate decision, and pause — logged in JSON with request ID, agent ID, and step context. Grep-able. Queryable. Never lost in stdout.
📊
Operator dashboard
Agent status, step history, integration health, and live spend — one page. No third-party observability tool required. The dashboard in the hero is the real product.
One process, no cluster
The entire stack is uvicorn api.main:app. FastAPI + SQLite + APScheduler. No Kubernetes. No k3s. No pods. Same EC2 instance as your agent.
🔗
Gates the tools you already use
Gmail. Google Calendar. GitHub. Telegram. AWS SSM. MCP-compatible. No new agent skills required — Kybernetist gates what OpenClaw already calls.
How it fits into your stack
You
iOS · Browser · Telegram
KYBERNETIST
FastAPI · SQLite · APScheduler
TOOL GATE
approve / block
Remote OpenClaw
EC2 · SSH/SSM/MCP
Spend watchdog
Step verifier
Telegram ops bot
JSON audit logs
uvicorn api.main:app — one process. that's the entire stack.
Integrations

Gates the tools your agent
already uses.

No new agent skills required. Kybernetist intercepts tool calls at the policy layer — before execution. Works with everything OpenClaw and MCP already support.

Communication
Gmail
Read, triage, and draft replies. send_reply requires your approval before anything goes out.
Telegram (ops bot)
Get notifications, approve gates, and control the agent from your phone, anywhere.
Slack
Post updates, surface approvals, receive alerts when the agent pauses or a gate fires.
Productivity
Google Calendar
Agent can read your schedule and create events — gated behind approval on write actions.
GitHub
PR review, issue triage, code search. Push and comment actions require operator sign-off.
File system
Read operations auto-approved. Write, delete, and execute require your explicit gate pass.
Infrastructure
AWS SSM / EC2
Agent deployment on remote instances. SSH and SSM tunnels with session logging.
MCP-compatible
Any MCP server that OpenClaw supports is gateable through Kybernetist's policy engine.
Amazon Bedrock
Step verifier runs Bedrock QA calls after each agent step. Use any Bedrock model.
Adding a new integration takes one configuration entry. Tool classification is declarative — define which tools are safe, which require approval, and which are blocked. No code changes. Change your policy, restart, done.
Under the hood

What it actually does.

Six core capabilities. Same process. No plugins. No additional services to manage.

tool_policy Three tiers of trust, configured at startup. safe runs automatically. approval_required returns HTTP 409, waits for your go-ahead. blocked returns HTTP 403, no override. Your policy. The gate enforces it.
spend_watchdog Set a cost ceiling per agent run. Checks every 5 minutes. Pauses before the limit hits — not after. You set $2.00. It pauses at $1.98. The bill never surprises you again.
step_verifier Secondary AI call after every agent step. A Bedrock QA model checks whether the step result looks correct. Failed verification? Agent pauses. Telegram fires. You review before anything cascades.
auto_pause Five named conditions, every one resumable. remote_unreachable, verification_failed, spend_limit, stalled, shutdown. Agent halts cleanly. POST /api/agents/{id}/resume when ready to continue.
operator_dashboard Agent status, step history, integration health, live spend — one page. No third-party observability layer. No SaaS subscription. Self-hosted, always available.
json_audit_logs Every action, every decision, structured and queryable. Request ID. Agent ID. Step context. Gate decision. Timestamp. Answer "what did my agent do at 3am?" in 30 seconds.
vs. The alternatives

NemoClaw adds a sandbox.
It still doesn't add any of this.

NemoClaw protects the host machine from the agent. Kybernetist protects your intent from the agent. Entirely different problems.

AgentOps, Helicone, and Braintrust give you observability dashboards for LLM calls. They don't gate a send_reply before it fires. Different category entirely.

Capability Raw OpenClaw + NemoClaw AgentOps / Helicone + Kybernetist
Tool approval gates
Hard spend ceilingpost-hoc alerts✓ pre-spend pause
Auto-pause on failure
Step verification
Named pause + resume
Structured audit logsstdout onlystdout onlyLLM calls only✓ full JSON
Remote control (Telegram)
Infra overheadmediumheavy (k3s)cloud SaaSminimal (1 process)
Self-hosted✗ (cloud)
Production-readypartial
Why not just AgentOps or Helicone? They observe what your LLM calls did. They don't block a tool from executing. By the time the dashboard shows you what happened, the email already sent. Kybernetist operates at execution time — before the action, not after it.
Real operator scenarios

What people actually use it for.

Specific outcomes. No marketing demos.

Trigger: 80 emails a day, 2 hours of inbox time
Agent triages, categorizes, and drafts replies. External emails hit the gate. You review and approve. 4 decisions by 9am instead of 2 hours in your inbox.
Trigger: Agent loops at 2am, API calls piling up
Spend limit was set at $2.00. Watchdog catches it at $1.98. Agent pauses. Telegram ping. You wake up to a notification — not a $400 bill.
Trigger: On-call, away from your laptop
Text the Telegram bot. Get a log snippet. Approve the gate that's been waiting. Restart the service. No SSH. No VPN. No laptop required.
Trigger: Email contains a prompt injection attack
Agent processes the email. send_reply triggers. HTTP 409. Gate fires. You see the payload before it goes anywhere. Nothing leaves without your approval.
Getting started

Running in 5 minutes.

Four commands. No cluster setup. No config files beyond a single .env.

01
Clone and install
git clone kybernetist
pip install -r requirements.txt
Python 3.11+. No additional system dependencies.
02
Configure your .env
cp .env.example .env
nano .env
API keys. Spend ceiling. Tool policy. Telegram bot token.
03
Start the command layer
uvicorn api.main:app
--host 0.0.0.0 --port 8000
One process. FastAPI + SQLite + APScheduler. All of it.
04
Point your agent at it
KYBERNETIST_URL=
http://your-ec2:8000
Dashboard live at /dashboard. Approval gates active immediately.
Full setup guide covers: EC2 deployment, SSH tunnel configuration, Telegram bot setup, NemoClaw integration, and tool policy configuration. Read the docs →
Scope limits

What Kybernetist does not solve.

No competitor will tell you this. We will.

Your agent should work
while you sleep.

Apache 2.0. Self-hosted. No usage fees. No telemetry. No surprises.

Get started — 5 minutes Read the docs
python -m uvicorn api.main:app --host 0.0.0.0 --port 8000