Can AI Agents Be Truly Controlled? Auditing, Cost, and Security Insights for OpenClaw

This article examines whether AI agents operate under strict control by analyzing OpenClaw's attack surface, security incidents, session audit logs, application logs, and OTEL metrics, and demonstrates how multi‑source observability can answer who triggered actions, what costs were incurred, which high‑risk tools were used, and whether the behavior is fully traceable.

Alibaba Cloud Observability

OpenClaw, a leading open‑source AI agent platform in 2026, enables large language models to execute system commands, browse the web, and send messages, but this autonomy expands its attack surface. Industry incidents and internal code audits reveal frequent security fixes, especially in the tools/ and gateway/ modules, which together account for 61% of the vulnerable code.

1. Session Audit Logs

Session logs capture every user request, assistant response, tool call, and tool result, providing a complete, queryable record of who asked the agent to do what, which model was used, the incurred cost, and the outcome. Example JSONL entries illustrate how the type, message.role, usage.cost.total, and tool arguments are stored.

{
  "type": "message",
  "id": "70f4d0c5",
  "parentId": "b5690259",
  "message": {
    "role": "user",
    "content": [{"type": "text", "text": "Read /etc/passwd"}]
  }
}

Key audit scenarios include detecting sensitive data leakage, skill‑usage analysis, high‑risk tool monitoring, and cost attribution. Queries can filter for tool calls like read, match patterns such as API keys, or aggregate token usage by model.

2. Application Logs

Application logs, generated by the OpenClaw gateway with tslog, record system‑level events such as WebSocket authentication failures, HTTP tool invocation errors, request parsing problems, device permission upgrades, and fatal crashes. Each log entry includes a structured _meta object with log level, timestamp, source file, and a custom subsystem field for precise component identification.

{
  "0": "{\"subsystem\":\"gateway/ws\"}",
  "1": "unauthorized conn=e32bf86b remote=127.0.0.1 reason=token_mismatch",
  "_meta": {"logLevelName":"WARN","date":"2026-02-27T07:46:20.727Z"}
}

Typical security‑focused log queries aggregate WARN/ERROR/FATAL events by subsystem, surface unauthorized connections, and highlight permission‑denied tool executions.
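
The security-focused queries described above, as an added Python example (not the article's or OpenClaw's own code): it parses gateway entries in the JSON shape shown above, counts WARN/ERROR/FATAL events per subsystem, and pulls the key=value fields out of unauthorized-connection messages. Every sample line except the first is constructed, and the gateway/http subsystem name and its message text are assumptions.

```python
import json
import re
from collections import Counter

ALERT_LEVELS = {"WARN", "ERROR", "FATAL"}
KV = re.compile(r"(\w+)=(\S+)")  # key=value pairs inside the message text

def _line(subsystem, message, level, date):
    """Build one constructed sample entry in the tslog shape shown above."""
    return json.dumps({"0": json.dumps({"subsystem": subsystem}), "1": message,
                       "_meta": {"logLevelName": level, "date": date}})

# Constructed sample data, not real OpenClaw output; the last line is truncated on purpose.
SAMPLE_LOG = "\n".join([
    _line("gateway/ws", "unauthorized conn=e32bf86b remote=127.0.0.1 reason=token_mismatch", "WARN", "2026-02-27T07:46:20.727Z"),
    _line("gateway/ws", "unauthorized conn=a1b2c3d4 remote=192.0.2.10 reason=token_mismatch", "WARN", "2026-02-27T07:46:21.101Z"),
    _line("gateway/http", "tool invocation failed", "ERROR", "2026-02-27T07:47:02.310Z"),
    _line("gateway/ws", "client connected", "INFO", "2026-02-27T07:47:05.000Z"),
    '{"_meta": {"logLevelName": "WARN"',
])

def parse_entry(line):
    """Return (level, date, subsystem, message), or None if the line is unusable."""
    try:
        entry = json.loads(line)
        level, date = entry["_meta"]["logLevelName"], entry["_meta"]["date"]
        subsystem = json.loads(entry["0"])["subsystem"]  # field "0" is itself a JSON string
    except (ValueError, KeyError, TypeError):
        return None
    return level, date, subsystem, str(entry.get("1", ""))

def triage(log_text):
    """Aggregate alert-level events by (subsystem, level) and list unauthorized connections."""
    counts, unauthorized, skipped = Counter(), [], 0
    for line in filter(None, map(str.strip, log_text.splitlines())):
        parsed = parse_entry(line)
        if parsed is None:
            skipped += 1  # keep a count so dropped lines are visible to the analyst
            continue
        level, date, subsystem, message = parsed
        if level not in ALERT_LEVELS:
            continue
        counts[(subsystem, level)] += 1
        if message.startswith("unauthorized"):
            unauthorized.append({"date": date, "subsystem": subsystem, **dict(KV.findall(message))})
    return counts, unauthorized, skipped

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The skipped count matters in an audit setting: a rise in unparseable lines means the aggregation is silently missing events.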

3. OTEL Metrics and Traces

The built‑in diagnostics-otel plugin exports Prometheus‑compatible metrics and OpenTelemetry traces via OTLP/HTTP. Exported dimensions cover LLM usage (openclaw_cost_usd, model.usage), webhook latency, queue depth, session health, and token consumption. Example dashboards visualize token growth, model‑wise cost, session‑level latency, and high‑risk tool call rates.

# Token consumption rate (tokens/min)
sum(rate(openclaw_tokens[10m]))

# Session stuck count (alert when >0)
sum(rate(openclaw_session_stuck[5m]))

4. Multi‑Source Correlation Workflow

When OTEL alerts indicate an anomaly (e.g., sudden token spike or high error rate), analysts drill down into application logs to locate the exact subsystem and error message, then retrieve the corresponding session logs to reconstruct the full tool‑call chain, model prompts, and cost details. This three‑layer loop—Metrics → Logs → Session—provides a complete, auditable narrative from symptom to root cause.

5. Conclusion

Answering the question “Is the agent truly under controlled operation?” requires four pieces of evidence: who initiated the action, how much it cost, which high‑risk tools were used, and whether the entire behavior is traceable. OpenClaw’s extensive code‑level security patches, combined with session audit logs, structured application logs, and OTEL observability, deliver the necessary data to satisfy all four criteria and establish a trustworthy, controllable AI‑agent ecosystem.
