Deep Dive Architecture & Security

How ClawBoard works

A complete walkthrough of what happens between "run audit" and the report arriving in your Telegram. Every component, every handoff, every security check — explained in detail.

The short version

When ClawBoard runs an audit, three separate processes are involved. They run in a specific order, and each one has a defined job it never leaves.

Runtime architecture

OpenClaw — Gateway · port 3000 · receives input, serves UI
NemoClaw — Security · port 8080 · guards every LLM call
Deep Agents — Audit engine · internal · runs parallel sub-agents

User input → OpenClaw → NemoClaw screens it → Deep Agents process it → NemoClaw screens output → Report delivered

The key principle: NemoClaw sits between your input and the LLM, and between the LLM and the report. It sees everything that passes through. OpenClaw is the front door. Deep Agents is the brain that does the actual analysis work.

Three components, three jobs

OpenClaw
Port 3000 · Public · Python/FastAPI
Serves the web UI at :3000
Accepts messages from Telegram, Slack, WhatsApp, and browser
Enforces the 1-account limit (open-source tier)
Manages Google OAuth credentials locally
Schedules cron-based audit runs
Passes commands to Deep Agents as a subprocess
NemoClaw
Port 8080 · Internal only · Python/FastAPI
Intercepts every prompt before it reaches the LLM
Intercepts every LLM response before it enters the report
Runs NVIDIA NeMo Guardrails (Colang DSL)
Blocks prompt injection and off-topic requests
Prevents credential leakage in outputs
Falls back to Python validation if NeMo is unavailable
Deep Agents
Internal · Python/LangGraph · runs on-demand
Runs 4 sub-agents in parallel: Google Ads, Meta Ads, GA4, Report
Each sub-agent runs its own checklist (46 checks for Google Ads, 46 for Meta, 30 for GA4)
Uses Gemini Flash by default (free tier, 1M tokens/day)
Aggregates scores across platforms and generates a single branded PDF
Delivers reports via Telegram bot, Slack webhook, or WhatsApp

The complete audit — step by step

Here is exactly what happens from the moment you type "run audit" to the moment the report lands in Telegram. Every step, in order, along with the component that runs it.

Step 1 — You send a command (t=0ms)
You type "run audit" in the browser UI, or send it via Telegram bot, Slack, or WhatsApp. All four channels feed into the same OpenClaw endpoint.
Step 2 — OpenClaw receives and validates (t=5ms)
OpenClaw's POST /chat endpoint receives your message. It checks that a Google Ads account is connected and that you haven't hit the account limit. If either check fails, you get a human-readable error before anything touches the LLM.
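Those two pre-LLM checks could look roughly like this. This is a sketch; `validate_request` and `MAX_ACCOUNTS` are illustrative names, not the actual server.py code:

```python
MAX_ACCOUNTS = 1  # open-source tier limit (assumed constant name)

def validate_request(connected_accounts):
    """Return a human-readable error, or None if the audit may proceed."""
    if not connected_accounts:
        return "No Google Ads account connected. Visit /connect first."
    if len(connected_accounts) > MAX_ACCOUNTS:
        return "Account limit reached. Upgrade to Pro for multi-account audits."
    return None  # checks passed; the prompt may be dispatched to Deep Agents
```

Because both checks run before any LLM call, a failed request costs milliseconds rather than an audit's worth of tokens.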
Step 3 — NemoClaw: input screening (t=15ms)
Before the prompt reaches Gemini, it is sent to NemoClaw's POST /guard/input. Two checks run in sequence:
Input screening — two layers
Layer 1 — Python keyword scan
Instant check against 8 known injection phrases. "ignore previous instructions", "reveal your api key", etc. Near-zero latency (~1ms).
Layer 2 — NeMo Guardrails semantic check
The prompt is evaluated by a secondary LLM call that checks it against your Colang rails. This catches rephrased injection that keyword matching would miss.
Prompt is safe — passed to Deep Agents
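The Layer 1 keyword scan can be sketched in a few lines. The phrase list here is illustrative; NemoClaw ships its own set of 8 injection phrases:

```python
# Illustrative subset of known injection phrases (not NemoClaw's actual list)
INJECTION_PHRASES = (
    "ignore previous instructions",
    "reveal your api key",
    "pretend you are",
    "bypass your guidelines",
)

def keyword_scan(prompt: str) -> bool:
    """Return True if the prompt trips a known injection phrase."""
    lowered = prompt.lower()
    return any(phrase in lowered for phrase in INJECTION_PHRASES)
```

This is why Layer 1 is near-free: it is plain substring matching, with no model call. Layer 2 exists precisely because a scan like this misses rephrased attacks.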
Step 4 — Deep Agents: parallel audit starts (t=30ms)
The sanitised prompt is passed to audit_agent.py. A LangGraph orchestrator spawns 4 sub-agents at the same time — they don't wait for each other:
audit_agent.py — parallel execution
# All four start at the same time
google_ads_subagent # 46 checks: bids, quality score, wasted spend...
meta_ads_subagent # 46 checks: pixel health, CAPI, creative fatigue...
ga4_subagent # 30 checks: attribution, events, conversion paths...
report_subagent # waits for others, then aggregates + scores

# Each subagent calls guard_input() before its LLM prompt
NemoClaw screens each sub-agent prompt independently
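A minimal sketch of this fan-out, using plain asyncio in place of the LangGraph orchestrator. The sub-agent names follow audit_agent.py above, but the bodies are stand-ins:

```python
import asyncio

async def run_subagent(name: str, checks: int) -> dict:
    # Placeholder for the real work: API fetch, guard_input(), Gemini calls
    await asyncio.sleep(0)
    return {"agent": name, "checks_run": checks}

async def run_audit() -> list:
    # The three platform agents start simultaneously; none waits for another.
    results = await asyncio.gather(
        run_subagent("google_ads_subagent", 46),
        run_subagent("meta_ads_subagent", 46),
        run_subagent("ga4_subagent", 30),
    )
    # report_subagent would run only after all three have returned.
    return list(results)
```

`asyncio.gather` returns results in call order once every task finishes, which mirrors the report sub-agent waiting on the other three.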
Step 5 — Gemini Flash runs the analysis (t=50ms–35s)
Each sub-agent calls the Gemini API with its platform data (fetched from Google Ads API / Meta / GA4). Gemini Flash processes up to 1M tokens per day for free. The 4 sub-agents run simultaneously, so total time is roughly equal to the slowest single sub-agent, not the sum of all four.
Step 6 — NemoClaw: output screening (t=35s–36s)
Every sub-agent output is passed through guard_output() before it enters the final report. This catches two specific risks:
Output screening — what it catches
Hallucinated figures
If the LLM invents a number ("I estimate your ROAS is approximately 4.2x") rather than reading it from your data, NemoClaw intercepts the phrase and replaces the section with a data-sourced caveat.
Credential leakage
If the LLM somehow echoes back a token, secret, or API key string in its output, NemoClaw blocks that section before it enters the PDF or Telegram message.
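A rough sketch of what such an output screen can look like. The hallucination phrases and secret patterns below are illustrative assumptions, not NemoClaw's actual rule set:

```python
import re

# Illustrative patterns only: hedged-estimate phrasing and common key shapes
HALLUCINATION_RE = re.compile(r"\bI estimate\b|\bapproximately\b", re.IGNORECASE)
SECRET_RE = re.compile(r"\b(AIza[0-9A-Za-z_\-]{10,}|sk-[0-9A-Za-z]{20,})\b")

def screen_output(text: str) -> str:
    """Replace risky sections; pass clean text through unchanged."""
    if SECRET_RE.search(text):
        return "[section removed: credential-like string detected]"
    if HALLUCINATION_RE.search(text):
        return "[figure removed: not sourced from account data]"
    return text
```

Credential checks run first: a leaked key is a worse failure than a speculative number, so it should win when both patterns match.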
Step 7 — Report generation (t=36s–45s)
The report sub-agent aggregates all screened findings into a single structured report. It calculates a composite score (0–100) for each platform, formats everything into a branded HTML report, then converts to PDF via Chromium headless.
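The scoring pass could be sketched as follows. The simple pass-rate weighting here is an assumption for illustration, not ClawBoard's published formula:

```python
def platform_score(results):
    """Composite 0-100 score: share of checks passed, rounded (assumed weighting)."""
    if not results:
        return 0
    return round(100 * sum(results) / len(results))

def aggregate(findings):
    """Map each platform's list of pass/fail booleans to its composite score."""
    return {platform: platform_score(checks) for platform, checks in findings.items()}
```

For example, a Google Ads account passing 40 of its 46 checks would score 87 under this weighting.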
Step 8 — Delivery (t=45s–48s)
OpenClaw delivers the report to whichever channels you've configured: Telegram (sends the PDF as a file + a summary message), Slack (webhook with key findings), WhatsApp (summary via Twilio). The report is also saved locally to reports/ on your VPS.

OpenClaw — the gateway

OpenClaw is the only service that is publicly accessible. It runs on port 3000 and handles everything that comes from outside: browser requests, Telegram webhooks, Slack webhooks, and WhatsApp callbacks.

server.py — key routes
GET / → Chat interface (web UI)
POST /chat → Receives message, dispatches to audit agent
GET /connect → Google Ads OAuth flow (1 account limit enforced here)
GET /agents → Agent picker + cron scheduler
GET /settings → Telegram / Slack / WhatsApp configuration
POST /webhook/telegram → Telegram bot updates

NEMOCLAW_URL = http://127.0.0.1:8080
# NemoClaw is never exposed publicly — only OpenClaw calls it
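A sketch of what the localhost guard call might look like from OpenClaw's side. The request/response shape and the fail-closed behaviour are assumptions, not NemoClaw's documented schema:

```python
import json
import urllib.request

NEMOCLAW_URL = "http://127.0.0.1:8080"  # internal only, as configured above

def guard_input(prompt: str, timeout: float = 2.0) -> dict:
    """Ask NemoClaw whether a prompt may proceed; fail closed if unreachable."""
    req = urllib.request.Request(
        f"{NEMOCLAW_URL}/guard/input",
        data=json.dumps({"prompt": prompt}).encode("utf-8"),
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read())
    except OSError:
        # Fail closed (an assumption): an unreachable guard blocks the
        # prompt rather than letting it through unscreened.
        return {"allowed": False, "reason": "guard unavailable"}
```

Because the URL is loopback-only, this call never leaves the VPS even though it is an HTTP request.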

OpenClaw enforces the 1-account limit at the connection layer. If you try to connect a second account, OpenClaw shows the upgrade wall before any audit runs. This means NemoClaw and Deep Agents never see unauthorised multi-account requests.

NemoClaw — the security layer

NemoClaw is a standalone FastAPI service that runs on port 8080 internally. It is never accessible from the public internet — only OpenClaw and Deep Agents can reach it via localhost.

How NVIDIA NeMo Guardrails works

NeMo Guardrails is an open-source Python library from NVIDIA's research team. It works differently from simple string filtering: it uses a secondary LLM evaluation to determine whether content matches defined behavioural rules.

The rules are written in Colang, NVIDIA's domain-specific language for conversation behaviour. A Colang rail looks like this:

nemoclaw/config/rails.co — example rails
# Define what "prompt injection attempt" looks like
define user ask prompt injection
  "ignore previous instructions"
  "pretend you are"
  "bypass your guidelines"

# Define the flow: if detected, block it
define flow block prompt injection
  user ask prompt injection
  bot refuse prompt injection

# Define the response
define bot refuse prompt injection
  "I can only help with marketing audit analysis."

The examples in define user are semantic examples, not exact-match strings. NeMo uses them as reference examples of the intent, so the checking LLM can recognise rephrased variants too — not just the exact string "ignore previous instructions".

The two guard endpoints

Endpoint · Called by · Checks
POST /guard/input · audit_agent.py, before any LLM call · injection patterns, credential requests, off-topic intent
POST /guard/output · audit_agent.py, after each LLM response · hallucination phrases, credential strings in output
GET /health · OpenClaw and the Docker healthcheck · returns NeMo load status and mode

What NemoClaw actually protects — and what it doesn't

Honest scope

NemoClaw is built for a specific threat model: AI-layer attacks and misbehaviour. It is not a firewall, not a WAF, and not a full application security layer. Here is exactly what it does and doesn't protect against.

What it does protect against

Prompt injection — a user (or bad actor with access to your VPS) trying to override the AI's instructions via crafted input
Credential exposure — the AI accidentally echoing back a token, key, or secret it received in context
Hallucinated financial figures — the AI inventing specific numbers that aren't in the account data
Off-topic abuse — using the marketing audit AI to generate unrelated content

What it doesn't protect against

Network-level attacks (use your VPS firewall and fail2ban for those)
Auth bypasses (OpenClaw has no auth by default — put it behind a VPN or password-protect it)
Semantic attacks that use entirely new phrasing NeMo hasn't seen examples of — no AI guardrail is 100%
Your API keys being compromised at the OS level — that's a VPS security question, not an AI question

The real data privacy guarantee

The most important security property of ClawBoard is not the guardrails — it's the architecture. Your ad account data, credentials, and reports never leave your VPS. No ClawBoard server receives your data. The only external calls are to the Google Ads API, Meta API, and Gemini API — the same services you're already using. NemoClaw adds an AI behavioural layer on top of that foundation.

Deep Agents — the audit engine

Deep Agents is a LangGraph-based orchestrator that runs multiple specialised agents in parallel. The key design decision is parallelism: instead of running Google Ads → Meta → GA4 sequentially, all three run at the same time against the same LLM, with a fourth agent waiting to aggregate.

LangGraph execution — actual topology
                    ┌─ google_ads_agent ─┐
orchestrator ───────┼─ meta_ads_agent ───┼──── report_agent
                    └─ ga4_agent ────────┘

# Sequential would take: 46+46+30 checks × avg 0.8s = ~97s
# Parallel takes: max(46, 46, 30) checks × avg 0.8s = ~37s
# Plus 67% fewer tokens via shared context compression

What each sub-agent checks

Sub-agent · Checks · Examples
google_ads_agent · 46 · Quality Score distribution, impression share lost, wasted spend, bidding strategy fit, negative keyword gaps, ad schedule analysis
meta_ads_agent · 46 · Pixel health, CAPI implementation, EMQ scores, creative fatigue, audience overlap, frequency caps
ga4_agent · 30 · Attribution model, cross-channel path analysis, conversion event configuration, data stream health
report_agent · — · Aggregates findings, calculates 0–100 score per platform, formats PDF

Timing and performance

Typical audit timing on a standard Hostinger VPS (2 vCPU, 4GB RAM):

Phase · Duration · What's happening
OpenClaw receives command · ~5ms · HTTP request parsed, account validated
NemoClaw input check · ~10–200ms · Python validation instant; NeMo LLM call 100–200ms
Google Ads API fetch · ~2–8s · Pulling campaign, ad group, keyword data
Parallel LLM analysis · ~20–40s · Gemini Flash running 3 sub-agents simultaneously
NemoClaw output check · ~10–200ms · Screening 3 sub-agent outputs
PDF generation · ~5–10s · Chromium headless rendering
Telegram delivery · ~1–2s · File upload to Telegram API
Total (typical) · 35–60 seconds · Full audit, all three platforms, PDF delivered

NemoClaw latency note

When NeMo Guardrails is fully loaded (nemoguardrails installed), each guard check makes a secondary Gemini API call. This adds ~100–200ms per check. It's a deliberate trade-off: semantic accuracy over pure speed. If NeMo is unavailable, the Python validation layer runs instead — ~1ms latency, keyword matching only.
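The fallback decision can be sketched as a simple import probe. The function name is illustrative, not taken from the NemoClaw source:

```python
def guard_mode() -> str:
    """Report which screening mode NemoClaw would run in (sketch)."""
    try:
        import nemoguardrails  # noqa: F401
        return "nemo"      # full semantic screening, ~100-200ms per check
    except ImportError:
        return "fallback"  # Python keyword validation only, ~1ms
```

The GET /health endpoint described earlier is where this mode is surfaced, so you can confirm which layer is actually active on your VPS.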
