v1.0 — Now Available

Your AI agents work.
Until they cost you $3k overnight.

AgentSentinel™ wraps any AI agent with spend limits, human-in-the-loop approvals, security controls, and real-time audit logging — in under 60 seconds, with no infrastructure changes.

Install the SDK Read the Docs
No infrastructure changes OpenAI · Anthropic · Any LLM Open source — MIT license Zero external dependencies Designed for OpenClaw agents

Open Source SDK

MIT license — read, fork, and contribute

Framework Agnostic

Wraps any Python or TypeScript function

Zero Infrastructure

Pure SDK — no proxies, sidecars, or cloud required

Sound Familiar?

Has your agent ever…

These aren't edge cases. They happen to every team running AI agents in production.

Burned through your budget overnight

A retry loop ran for 6 hours while you slept. You woke up to a $5,247 OpenAI invoice — your entire month's allocation, gone.

"We burned our entire month's budget in one night."

Embarrassed you in front of everyone

Your customer-facing bot sent 47 Slack messages at 3am, spamming your entire org — including your CEO — with half-formed drafts.

"It was not a fun Monday morning stand-up."

Did something irreversible

You gave an agent database access to "clean up old records." It deleted 3 months of production data. No backup. No undo.

"I had to call every customer to explain what happened."

Core Features

One wrapper. Total control.

Wrap your agent tools with AgentSentinel and get spend controls, approval gates, and a full audit trail instantly.

Hard Spend Limits

Set daily and hourly budgets per agent or per workspace. When a limit is hit, the agent auto-pauses — or alerts you and keeps running at a reduced rate. Your call.

policy = AgentPolicy(
  daily_budget=10.00,  # max $10/day
  hourly_budget=2.00# max $2/hour
  audit_log=True      # log all calls
)

Human-in-the-Loop Approvals

Define action patterns that require a human to approve before execution. Get a Slack or email notification with full context — approve or deny in one click.

policy = AgentPolicy(
  require_approval=[
    "delete_*",     # any delete
    "send_email"# outbound comms
    "execute_sql" # DB writes
  ]
)

Full Audit Trail

Every action, every cost, every decision — timestamped and stored. Export for compliance, review anomalies in the dashboard, or stream to your own data warehouse.

policy = AgentPolicy(
  audit_log=True,
  alert_channel="console"
)
# Extend: add your own AuditSink
guard.audit_logger.add_sink(my_sink)

Rate Limiting & Anomaly Detection

Cap how many times a tool can fire per minute, hour, or session. Automatic anomaly detection flags unusual spikes before they spiral — with a Slack ping, not a surprise bill.

policy = AgentPolicy(
  rate_limits={
    "search_web": 10/min,
    "*": 100/hour
  }
)

Security-First Design

OpenClaw Ready

Built for agents with real tool access — shell commands, file system, API calls. Permanently block catastrophic tools, auto-redact API keys and passwords from audit logs, and enable sandbox_mode for untrusted agent code.

security = SecurityConfig(
  blocked_tools=["rm_rf", "drop_database"], # hard kill list
  sensitive_tools=["execute_shell", "delete_*"], # always approve
)
policy = AgentPolicy(
  security=security, sandbox_mode=True
)

Security

Defence in depth for production agents

OpenClaw agents wield real power — shell execution, file I/O, API calls. AgentSentinel provides layered, overlapping controls so no single failure can cause catastrophic damage. Full security details →

Principle of Least Privilege

Agents only access explicitly approved tools. Wildcard patterns (delete_*, write_file_*) give granular control. Everything else is default-deny.

Defence in Depth

Multiple independent layers: budget limits + rate limits + approval gates + audit logs. No single point of failure. Graceful degradation when any limit is hit.

Audit Everything

Complete trail of every tool invocation — timestamps, parameters, costs, decisions. Exportable for compliance and forensics via the pluggable AuditSink interface.

Secrets Protection

SDK never logs sensitive parameters by default. Configurable redaction patterns scrub API keys, passwords, and bearer tokens from all audit output before they touch any sink.

Agent Isolation

Per-agent budget isolation and per-session rate limiting. Each guard instance is independent — no cross-agent data leakage or shared state between concurrent agent runs.

OpenClaw

Built for Real Tool Access

See the full OpenClaw integration guide — protecting shell execution, file writes, and API calls with sandbox mode enabled.

View OpenClaw Example →

Quick Start

Up and running in 60 seconds

Works with OpenAI, Anthropic, LangChain, AutoGen, CrewAI, OpenClaw, and any Python or Node.js agent.

1 · Install

pip install agentsentinel-core
npm install @agentsentinel/sdk

2 · What you get

  • Daily & hourly budget enforcement
  • Human-in-the-loop approval gates
  • Per-tool rate limiting (sliding window)
  • Structured audit log (console + in-memory)
  • Wildcard tool-name pattern matching
  • Slack / webhook alerts (roadmap) 
from agentsentinel import AgentGuard, AgentPolicy

# 1. Define your safety policy
policy = AgentPolicy(
    daily_budget=10.00,        # hard stop at $10/day
    hourly_budget=2.00,       # never more than $2/hour
    require_approval=[
        "delete_*",            # any destructive action
        "send_email",          # outbound comms
        "execute_sql",         # database writes
    ],
    rate_limits={"search_web": "10/min"},
    audit_log=True,
)

# 2. Create a guard from your policy
guard = AgentGuard(policy=policy)

# 3. Decorate any tool that needs protection
@guard.protect(tool_name="send_email")
def send_email(to, subject, body):
    # ⏸ Raises ApprovalRequiredError —
    # swap in InMemoryApprover for tests.
    email_client.send(to, subject, body)

How It Works

Up and running in three steps

One line of code. Complete control. No infrastructure changes required.

Step 1

Define your policy

Set your daily budget, hourly limits, approval gates, and rate caps in a single AgentPolicy object. No YAML. No config files. Pure code.

Works with any LLM provider
Step 2

Protect your tools

Wrap any function with @guard.protect. The decorator intercepts every call, enforces your policy, and raises structured errors before unsafe actions execute.

Zero infrastructure changes
Step 3

Stay in control

Every invocation produces a typed AuditEvent — timestamp, tool name, cost, decision. Review in your dashboard or stream to your own data store.

Full audit trail from day one

🎉 v1.0 — Now Available on PyPI & npm

AgentSentinel v1.0 is production-ready — install via pip install agentsentinel-core or npm install @agentsentinel/sdk. Follow the repo for updates.

Pricing

Simple, Transparent Pricing

Start with a free trial, scale as you grow

7-DAY FREE TRIAL

Starter

$7.99 /mo

after 7-day free trial

  • 1 agent
  • 1,000 events/month
  • Dashboard included
  • Basic policy controls
  • Email support
Get Started
MOST POPULAR

Pro

$39 /mo

flat monthly rate

  • 5 agents
  • 50,000 events/month
  • Full dashboard
  • All integrations
  • Policy editor
  • Priority email support
Get Started

For teams & enterprise

Pro Team from $49/mo + $29/seat

Everything in Pro · team management · per-seat scaling

Configure seats →
Enterprise custom pricing

Unlimited agents · SSO/SAML · on-premise · dedicated SLA

Contact us →

FAQ

Common questions, answered

Do I need to change my infrastructure? +
No. AgentSentinel is a pure Python / Node.js SDK — a decorator layer around your existing tools. Install the package, wrap your functions, done. There are no proxies, sidecars, or infrastructure changes required. It runs inside your Lambda, Docker container, or local script as-is.
Does it work with LangChain, AutoGen, or CrewAI? +
AgentSentinel wraps at the tool / function level, making it framework-agnostic. Use the @guard.protect decorator with any Python callable or the TypeScript guard.protect(fn) wrapper. First-class LangChain, AutoGen, and CrewAI adapters are on the roadmap.
How accurate is the cost tracking? +
In v1.0.0, cost is tracked by the explicit cost= parameter you pass to @guard.protect, or by a cost_estimator function you provide. Automatic token-count-based estimation (reading from OpenAI / Anthropic API responses) is on the roadmap.
What happens when a budget limit is hit? +
By default, the agent raises a BudgetExceededError and stops execution cleanly. You can configure it to: (a) pause and wait for a human to approve resumption, (b) send an alert and throttle to a lower rate, or (c) hard-stop and page your on-call engineer. All modes produce a full audit event.
Can I self-host the dashboard? +
The SDK itself runs entirely in-process — no cloud component is needed. A self-hosted dashboard for reviewing audit events is on the roadmap for Enterprise partners. In the meantime, direct events to your own storage by implementing the AuditSink interface.
Do you ever see my prompts or agent data? +
By default we log metadata only: timestamps, tool names, and cost estimates. Prompt content and tool arguments are never logged unless you explicitly opt in via the metadata field on an AuditEvent. The SDK is open source — you can read exactly what is collected.
Is AgentSentinel safe for production use with powerful tools (shell, file system)? +
Yes — this is the primary use case. For agents with real tool access (shell commands, file I/O, API calls), configure a SecurityConfig with blocked_tools (permanent kill-list), sensitive_tools (always require approval), and set sandbox_mode=True. See the OpenClaw integration example for a complete production-ready setup.
How do I prevent prompt injection from bypassing controls? +
AgentSentinel enforces policy at the tool call level — not the prompt level — so prompt injection cannot bypass budget limits, rate limits, or blocked-tool checks. An injected prompt that convinces an agent to call a blocked tool will still be rejected by the guard before execution. For sensitive tools, combine the require_approval list with an ApprovalHandler that requires human sign-off so any suspicious call is human-reviewed before it runs.
What data does AgentSentinel collect or transmit? +
Nothing. The SDK runs entirely in-process; it does not phone home, transmit telemetry, or contact any external service. All audit data stays inside the AuditSink instances you configure — in-memory, local file, or your own infrastructure. Parameter values are redacted by default using configurable regex patterns in SecurityConfig.redact_patterns.
🎉 v1.0 — Now Available on PyPI & npm

Stop losing money to
runaway agents.

Install the SDK, wrap your tools, and sleep a little better at night.

Install the SDK — free & open source Read the Docs
No sign-up required MIT license Zero external dependencies