NetSuite is a high-value target for AI agents because it holds financial records, vendor payments, purchase orders, and inventory data. Connecting an OpenClaw agent to NetSuite via the official API requires a permissioned execution layer: a Work Policy Contract (WPC) that defines exactly which SuiteScript REST endpoints the agent may call, scoped tokens (CST) that pin those permissions per job, and gateway receipts that log every model call that led to an action. Without policy-as-code enforcement, a prompt-only guard can be bypassed by a single injection, and the agent writes a journal entry or approves a PO with no audit trail.
NetSuite integration with Claw EA is planned and connectable via the official API with enterprise buildout controls. It is not available now as a native connector.
Step-by-step runbook
- Provision NetSuite API credentials. Create a dedicated integration record in NetSuite (Setup > Integration > Manage Integrations) using OAuth 2.0 client credentials or token-based auth. Assign a role with the minimum record-type permissions your agent needs (e.g., read-only on transactions, no access to payroll).
- Author a Work Policy Contract (WPC). Define allowed RESTlet endpoints, HTTP methods, and record types. Pin the NetSuite role ID and account ID in the contract so the agent cannot drift to a broader role. Register the WPC in the clawcontrols registry.
- Issue a scoped token (CST). Use clawscope to mint a CST with the WPC policy hash pinned. Bind the CST to a specific job or session so it cannot be replayed across runs.
- Route model calls through clawproxy. All LLM inference that drives NetSuite actions flows through clawproxy, which emits gateway receipts for each model call. This creates a causal chain from "model decided X" to "agent called NetSuite endpoint Y."
- Gate write operations on approval. For any write or admin action (creating vendor bills, approving purchase orders, modifying chart of accounts), require explicit human approval before the agent executes. The WPC encodes this as an approval gate on mutating HTTP methods.
- Collect proof bundles. After each job completes, the harness assembles a proof bundle containing gateway receipts, the WPC hash, CST metadata, and action logs. Store the bundle for audit.
- Review via Trust Pulse. Publish the proof bundle as a Trust Pulse artifact for stakeholders or auditors to inspect the full decision-to-action chain.
Threat model
| Threat | What happens | Control |
|---|---|---|
| Prompt injection triggers unauthorized journal entry | Agent posts a debit/credit to the general ledger, corrupting financials | WPC restricts allowed record types; write methods require approval gate |
| Over-privileged NetSuite role | Agent accesses payroll, employee SSNs, or bank account fields beyond its task | Least-privilege role in NetSuite + WPC pins the role ID; CST scope hash prevents token reuse with a different policy |
| Credential exfiltration via model output | Model leaks OAuth tokens in a response or log | Secrets never pass through the model context; clawproxy mediates API calls, and egress allowlists (planned) can restrict outbound destinations |
| Replay of a previous job's token | Attacker reuses a CST from a completed job to make new NetSuite calls | Marketplace anti-replay binding: CST is job-scoped and invalidated on completion |
| Silent data modification with no audit trail | Agent modifies records and no one can reconstruct why | Gateway receipts tie each model decision to the resulting API call; proof bundles preserve the full chain |
Policy-as-code example
```json
{
  "wpc_version": "1.0",
  "name": "netsuite-ap-readonly",
  "target": "netsuite",
  "auth": {
    "method": "oauth2_client_credentials",
    "account_id": "TSTDRV1234567",
    "role_id": "1042",
    "pin_role": true
  },
  "allowed_endpoints": [
    {
      "path": "/record/v1/vendorBill",
      "methods": ["GET"]
    },
    {
      "path": "/record/v1/purchaseOrder",
      "methods": ["GET"]
    },
    {
      "path": "/record/v1/journalEntry",
      "methods": ["GET", "POST"],
      "require_approval": true
    }
  ],
  "denied_record_types": ["employee", "paycheck", "deposit"],
  "max_results_per_query": 200,
  "cst_binding": {
    "scope_hash": true,
    "policy_hash_pin": true,
    "job_scoped": true
  }
}
```
This WPC allows read access to vendor bills and purchase orders. Journal entry creation requires an explicit approval gate. Employee and payroll records are denied outright.
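The following sketch shows how a proxy-side check could evaluate a request against this contract before it leaves the harness. It is an added example, not Claw EA code: the function names, the CST fields `policy_hash` and `job_id`, the canonical-JSON SHA-256 hashing scheme, and the rule that `require_approval` applies only to mutating methods are all assumptions made for illustration.

```python
import hashlib
import json

# Constructed policy: a trimmed copy of the WPC shown above.
WPC = {
    "name": "netsuite-ap-readonly",
    "allowed_endpoints": [
        {"path": "/record/v1/vendorBill", "methods": ["GET"]},
        {"path": "/record/v1/purchaseOrder", "methods": ["GET"]},
        {"path": "/record/v1/journalEntry", "methods": ["GET", "POST"],
         "require_approval": True},
    ],
    "denied_record_types": ["employee", "paycheck", "deposit"],
}

def policy_hash(wpc):
    """SHA-256 over canonical JSON (sorted keys, no whitespace). Assumed scheme."""
    canon = json.dumps(wpc, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def decide(wpc, cst, job_id, method, path, approved=False):
    """Return 'allow', 'deny' or 'needs_approval'. Anything unmatched is denied."""
    # The token must be pinned to this exact policy and to this job.
    if cst.get("policy_hash") != policy_hash(wpc) or cst.get("job_id") != job_id:
        return "deny"
    # Normalise: drop the query string and trailing slash, split into segments.
    segs = [s for s in path.split("?", 1)[0].split("/") if s]
    if ".." in segs or "." in segs:
        return "deny"
    denied = {t.lower() for t in wpc["denied_record_types"]}
    if any(s.lower() in denied for s in segs):
        return "deny"
    for ep in wpc["allowed_endpoints"]:
        base = [s for s in ep["path"].split("/") if s]
        # Match the collection or one record id below it, segment by segment,
        # so "/record/v1/vendorBillExport" does not match "/record/v1/vendorBill".
        if segs[:len(base)] == base and len(segs) <= len(base) + 1:
            if method.upper() not in ep["methods"]:
                return "deny"
            mutating = method.upper() not in ("GET", "HEAD")
            if mutating and ep.get("require_approval") and not approved:
                return "needs_approval"
            return "allow"
    return "deny"
```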
What proof do you get?
Every model call routed through clawproxy produces a gateway receipt: a signed record of the prompt, model identifier, and timestamp. These receipts are collected into a proof bundle that also includes the WPC hash, CST metadata, and a log of which NetSuite endpoints were called and in what order.
The proof bundle can be published as a Trust Pulse artifact, giving auditors or finance controllers a single place to verify that the agent operated within its contract. Because the CST is job-scoped, each proof bundle maps to exactly one task, preventing cross-job confusion.
Rollback posture
| Action | Safe rollback | Evidence |
|---|---|---|
| Agent created a journal entry | Reverse the journal entry in NetSuite using a compensating entry; WPC approval gate should have caught this before commit | Proof bundle contains the model reasoning and the POST payload |
| Agent read sensitive records outside scope | Revoke the CST immediately via clawscope; rotate the NetSuite token | Gateway receipts show which endpoints were called and when |
| Suspected credential leak | Invalidate the NetSuite integration record; reissue with a new consumer key/secret | Proof bundle plus clawproxy logs identify the model output that may have contained credentials |
| Policy was too broad | Publish a new WPC with tighter endpoint restrictions; old CSTs bound to the previous policy hash are automatically invalid | WPC registry retains both versions for diff review |
FAQ
Is the NetSuite integration available as a native connector today?
No. NetSuite connectivity is planned and can be connected via the official API with enterprise buildout controls. It is not shipped as an out-of-the-box connector. Write and admin actions require WPC approval gates, scoped tokens, and explicit least-privilege auth scopes.
Why is prompt-only gating insufficient for NetSuite?
A system prompt saying "do not create journal entries" can be overridden by prompt injection or model drift. Policy-as-code in a WPC is enforced at the proxy layer before the API call leaves the harness. The model never gets the chance to execute a denied action.
Can the agent use SuiteScript RESTlets or just standard REST API?
The WPC can specify either standard REST Web Services endpoints or custom RESTlet paths. Each path is individually gated with allowed HTTP methods and optional approval requirements.
How do gateway receipts help during a financial audit?
Gateway receipts create a causal link between a model's reasoning step and the NetSuite API call it triggered. During an audit, you can trace any record modification back to the exact model output and the policy that authorized it, all within a single proof bundle.
What happens if the agent's CST expires mid-job?
The agent loses the ability to call NetSuite endpoints. The job fails closed rather than falling back to a broader credential. A new CST must be issued, bound to the same WPC and job scope, before work can resume.