markneville

Agent Passport

by Mark Neville · GitHub · v2.4.2
cross-platform ✓ Security Clean
1702 Downloads · 3 Stars · 3 Active Installs · 17 Versions
Install in OpenClaw
/install agent-passport
Description
OAuth for the agentic era. Consent-gating for ALL sensitive agent actions. 75+ data-driven threat definitions with auto-updates (like antivirus signatures)....
README (SKILL.md)

Agent Passport (OpenClaw)

30-Second Setup

# Initialize and register your agent
./mandate-ledger.sh init agent:my-assistant "Your Name" "personal assistant" "openclaw"

# Grant dev tool access (git, npm, docker, etc.)
./mandate-ledger.sh create-from-template dev-tools

# That's it! The agent will now check permissions before sensitive actions.

Templates available: dev-tools · email-team <domain> · file-ops <path> · web-research · safe-browsing · coding · email-assistant · read-only · full-auto. Run ./mandate-ledger.sh templates to see all options.


⚡ Agent Behavioral Contract

If you are an agent reading this skill, these are your rules. Follow them.

When to Check

Before performing ANY of these actions, you MUST call check-action first:

Action                               | Category      | Example target
Running a shell command              | system        | "git pull", "npm install"
Sending a message/email              | communication | "[email protected]"
Writing/deleting a file              | data          | "/path/to/file.txt"
Making an API call with side effects | external_api  | "api.github.com"
Spending money                       | financial     | "merchant_amazon" with amount
Acting publicly as the user          | identity      | "twitter_post"

You do NOT need to check: reading files, web searches, internal reasoning, or anything with no side effects.

How to Check

SCRIPT_DIR="$HOME/.openclaw/skills/agent-passport/scripts"

result=$($SCRIPT_DIR/mandate-ledger.sh check-action "<your_agent_id>" "<category>" "<target>" [amount])

Parse the result:

  • authorized: true → proceed, then log the action afterward
  • authorized: false → STOP. Ask the user.
  • If the response includes kill_switch: true or reason: "Kill switch engaged" → STOP immediately and ask the user to run mandate-ledger.sh unlock

The Flow

1. You want to do something sensitive
2. Call check-action
3. IF authorized:
   a. Do the thing
   b. Log it: mandate-ledger.sh log-action <mandate_id> <amount> "<description>"
4. IF denied:
   a. Tell the user what you want to do and why
   b. Suggest a mandate (show scope, duration, constraints)
   c. Wait for approval
   d. If approved, create the mandate, then proceed
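The flow above, as an added example that is not part of the Agent Passport skill: a small Python gate an agent harness can wrap around any side-effecting action. It invokes mandate-ledger.sh with an argv list (so a hostile target string is never interpreted by a shell), maps the reply to exactly one of PROCEED / ASK_USER / KILL_SWITCH / SETUP_NEEDED, fails closed on anything unparseable, never retries, and logs only after the action has run. It assumes (the page does not say) that check-action prints a JSON object on stdout and that an authorized reply includes the matching mandate_id; if the real field is named differently, change the key in decide().

```python
# Added example (not part of the Agent Passport skill): a consent gate an
# agent harness puts in front of every side-effecting action.
# Assumptions (not confirmed by the page): check-action prints a JSON object
# on stdout, and an authorized reply carries the matching "mandate_id".
import json
import subprocess
from pathlib import Path
from typing import Callable, Optional

LEDGER = Path.home() / ".openclaw" / "skills" / "agent-passport" / "scripts" / "mandate-ledger.sh"


def decide(raw: str) -> tuple[str, str]:
    """Map a check-action reply to one of four agent decisions.

    PROCEED      -> do the action, then log it against the returned mandate
    ASK_USER     -> denied (or unreadable reply): present a mandate request
    KILL_SWITCH  -> frozen: stop, ask the user to run `mandate-ledger.sh unlock`
    SETUP_NEEDED -> ledger is empty: offer the 30-second setup
    Anything unparseable is treated as a denial, never as an authorization.
    """
    try:
        reply = json.loads(raw or "{}")
    except json.JSONDecodeError:
        return "ASK_USER", "check-action returned non-JSON output"
    if not isinstance(reply, dict):
        return "ASK_USER", "check-action returned an unexpected shape"
    reason = str(reply.get("reason", ""))
    # The freeze wins over everything else, including an "authorized" field.
    if reply.get("kill_switch") is True or "kill switch engaged" in reason.lower():
        return "KILL_SWITCH", "operations frozen; ask the user to run mandate-ledger.sh unlock"
    if reply.get("hint") == "templates":
        return "SETUP_NEEDED", "ledger is empty; suggest init + create-from-template"
    # Only a literal JSON true authorizes; the string "true", 1, etc. do not.
    if reply.get("authorized") is True:
        mandate_id = reply.get("mandate_id")
        if not mandate_id:
            return "ASK_USER", "authorized reply without mandate_id; cannot log, so not proceeding"
        return "PROCEED", str(mandate_id)
    return "ASK_USER", reason or "no matching mandate"


def run_ledger(*args: str) -> str:
    """Invoke the ledger script with an argv list, never a shell string, so a
    hostile target such as '$(rm -rf ~)' or '"; unlock' is passed inert."""
    proc = subprocess.run([str(LEDGER), *args], capture_output=True, text=True, timeout=30)
    return proc.stdout


def gated(agent_id: str, category: str, target: str, action: Callable[[], str],
          amount: Optional[float] = None, description: str = "") -> tuple[str, str]:
    """Check, act, log: the contract's flow, with no retry loop on denial."""
    args = ["check-action", agent_id, category, target]
    if amount is not None:
        args.append(str(amount))
    verdict, detail = decide(run_ledger(*args))
    if verdict != "PROCEED":
        return verdict, detail  # the caller presents the request or the freeze to the user
    outcome = action()
    # financial: amount = dollars spent; everything else: amount = 1
    run_ledger("log-action", detail, str(amount if amount is not None else 1), description or target)
    return verdict, outcome
```

Because decide() accepts only a JSON true as authorization, a reply such as {"authorized": "true"}, an empty stdout (script missing, crashed, or aborted by set -euo pipefail), or a non-object document is a denial, which is the safe direction for a consent gate.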

How to Ask for Permission

When denied, present it clearly and concisely:

I need to [ACTION] but don't have a mandate for it.

📋 [CATEGORY]: [what you want to do]
🎯 Target: [specific target]
⏰ Suggested duration: [reasonable TTL]

Want me to set this up? I can also create a broader mandate if you'd
prefer (e.g., all emails to @company.com for 30 days).

DO NOT:

  • Bypass the check and do it anyway
  • Ask repeatedly for the same thing if denied
  • Create mandates yourself without user approval
  • Pretend you checked when you didn't

DO:

  • Suggest templates when appropriate ("Want me to set up dev-tools?")
  • Batch similar requests ("I'll need to run several git commands — want a dev-tools mandate?")
  • Log every action after completion
  • Mention remaining limits when relevant ("3/20 daily emails used")

First-Time Setup

If check-action returns "hint": "templates", the ledger is empty. Guide the user:

Agent Passport isn't set up yet. It takes 30 seconds:

  mandate-ledger.sh init agent:me "Your Name" "assistant" "openclaw"
  mandate-ledger.sh create-from-template dev-tools

Want me to run this for you?

Logging Actions

After every authorized action, log it:

$SCRIPT_DIR/mandate-ledger.sh log-action "<mandate_id>" <amount> "<description>"
  • For financial: amount = dollars spent
  • For everything else: amount = 1
  • Description should be human-readable: "Sent email to [email protected] re: Q1 report"

Kill Switch Behavior

If the user engages the kill switch, all operations are frozen until unlocked.

./mandate-ledger.sh kill "user requested freeze"
./mandate-ledger.sh unlock

Agent behavior when kill switch is active:

  • Do not attempt sensitive actions
  • Do not retry check-action in a loop
  • Tell user operations are blocked and request explicit unlock

Overview

Agent Passport provides a consent layer for agent autonomy. Instead of all-or-nothing permissions, users grant mandates with specific constraints:

"I authorize this agent to [ACTION] with [CONSTRAINTS] until [EXPIRY]"

This isn't just about purchases — it's consent-gating for all sensitive actions.

Action Categories

Category      | Examples                            | Typical constraints
financial     | Purchases, transfers, subscriptions | Spending cap, merchant allowlist
communication | Emails, messages, tweets, posts     | Recipient allowlist, rate limit
data          | Delete files, edit docs, DB writes  | Path allowlist, require backup
system        | Shell commands, installs, configs   | Command allowlist, no sudo
external_api  | Third-party API calls               | Service allowlist, rate limit
identity      | Public actions "as" the user        | Human review required

Wildcard Patterns

Allowlists and deny lists support four wildcard styles, plus exact match:

Pattern  | Matches                       | Example
prefix * | Anything starting with prefix | git * matches git pull, git status
*.suffix | Anything ending with suffix   | *.env matches config.env, .env
*middle* | Anything containing middle    | */.git/* matches repo/.git/config
*@domain | Email domain match            | *@company.com matches [email protected]
exact    | Exact match only              | api.github.com

Modes

  • Local mode (default): Mandates stored in ~/.openclaw/agent-passport/. Free tier is fully offline. Pro tier makes periodic API calls to api.agentpassportai.com for license validation and threat definition updates.
  • Preview mode: No storage, no network. Generates validated payloads and curl templates.
  • Live mode (roadmap): Future connection to Agent Bridge backend for multi-agent sync and compliance. Not yet implemented.

Quick Start Commands

# Initialize with identity
./mandate-ledger.sh init <agent_id> <principal> [scope] [provider]

# Templates (auto-detects agent if registered)
./mandate-ledger.sh templates
./mandate-ledger.sh create-from-template dev-tools
./mandate-ledger.sh create-from-template email-team <domain>
./mandate-ledger.sh create-from-template file-ops <path>
./mandate-ledger.sh create-from-template web-research
./mandate-ledger.sh create-from-template safe-browsing
./mandate-ledger.sh create-from-template coding
./mandate-ledger.sh create-from-template email-assistant
./mandate-ledger.sh create-from-template read-only
./mandate-ledger.sh create-from-template full-auto

# Quick create (human-friendly durations: 7d, 24h, 30m)
./mandate-ledger.sh create-quick <type> <agent_id> <allowlist_csv> <duration> [amount_cap]

# Check & log
./mandate-ledger.sh check-action <agent> <type> <target> [amount]
./mandate-ledger.sh log-action <mandate_id> <amount> "<description>"

# Audit
./mandate-ledger.sh audit [limit]
./mandate-ledger.sh summary

# Threat definitions
./mandate-ledger.sh init-definitions
./mandate-ledger.sh update-definitions
./mandate-ledger.sh definitions-status

Commands Reference

Quick Start

init [agent_id] [principal] [scope] [provider]
                           # Initialize ledger, optionally register agent
templates                  # List available templates
create-from-template <t>   # Create mandate from template
  [agent_id] [args...]
create-quick <type>        # Create with positional args
  <agent_id> <allowlist>
  <duration> [amount_cap]

Mandate Lifecycle

create <json>              # Create mandate (include action_type)
create-with-kya <json>     # Create with auto-attached agent KYA
get <mandate_id>           # Get mandate by ID
list [filter]              # List mandates (all|active|revoked|<action_type>)
revoke <mandate_id> [why]  # Revoke a mandate

Authorization

check-action <agent> <type> <target> [amount]
                           # Check if action is authorized
log-action <mandate_id> <amount> [description]
                           # Log action against mandate
kill <reason>              # Engage kill switch and freeze execution
unlock                     # Disengage kill switch

Audit & Reporting

audit [limit]              # Show recent audit entries
audit-mandate <id>         # Show audit for specific mandate
audit-summary [since]      # Summary by action type
summary                    # Show overall ledger stats
export                     # Export full ledger as JSON

Threat Definitions

init-definitions           # Write bundled threat-definitions.json to LEDGER_DIR
update-definitions         # Refresh definitions (Pro: API pull, Free: bundled copy)
  [--force] [--offline]
definitions-status         # Show version, pattern counts, and last update

KYA (Know Your Agent)

kya-register <agent_id> <principal> <scope> [provider]
kya-get <agent_id>
kya-list
kya-revoke <agent_id> [why]

Mandate Structure

{
  "mandate_id": "mandate_1770412575_3039e369",
  "action_type": "communication",
  "agent_id": "agent:my-assistant",
  "scope": {
    "allowlist": ["*@mycompany.com", "[email protected]"],
    "deny": ["*@competitor.com"],
    "rate_limit": "20/day",
    "kya": { "status": "verified", "verified_principal": "Mark" }
  },
  "amount_cap": null,
  "ttl": "2026-02-13T00:00:00Z",
  "status": "active",
  "usage": { "count": 5, "total_amount": 0 },
  "created_at": "2026-02-06T22:00:00Z"
}
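As an added example (not the project's own code), here is how a ledger would evaluate the mandate above before answering check-action, together with a matcher for the wildcard styles listed under Wildcard Patterns. Three things the page leaves unstated are assumed here: a deny entry beats any allowlist entry, matching is case-sensitive (so normalise email addresses before checking them), and a rate limit such as 20/day is counted over a sliding window of recent log-action timestamps rather than from the mandate's lifetime usage.count. The sample addresses are placeholders.

```python
# Added example (not part of the Agent Passport skill): evaluating a mandate
# of the documented shape before answering check-action.
# Assumptions not stated on the page: deny beats allow, matching is
# case-sensitive, and "N/day"-style rate limits are counted over a sliding
# window of recent log-action timestamps.
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


def at(iso: str) -> datetime:
    """Parse a UTC timestamp in the ttl/created_at format ("...Z")."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def match_pattern(pattern: str, target: str) -> bool:
    """The documented styles: exact, prefix *, *.suffix / *@domain, *middle*."""
    stars = pattern.count("*")
    if stars == 0:
        return pattern == target                  # api.github.com
    if stars == 1 and pattern.endswith("*"):
        return target.startswith(pattern[:-1])    # "git *" (trailing space kept)
    if stars == 1 and pattern.startswith("*"):
        return target.endswith(pattern[1:])       # *.env, *@company.com
    if stars == 2 and pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in target            # */.git/*
    return False  # unsupported shape: never matches, so it never widens scope


def target_allowed(target: str, allowlist: Iterable[str], deny: Iterable[str] = ()) -> bool:
    """Deny wins over allow; an empty allowlist permits nothing."""
    if any(match_pattern(p, target) for p in deny):
        return False
    return any(match_pattern(p, target) for p in allowlist)


def _parse_rate_limit(spec: str) -> tuple[int, timedelta]:
    """'20/day' -> (20, 1 day). An unknown unit raises instead of meaning 'unlimited'."""
    count, _, unit = spec.partition("/")
    window = {"minute": timedelta(minutes=1), "hour": timedelta(hours=1), "day": timedelta(days=1)}[unit]
    return int(count), window


def evaluate(mandate: dict, action_type: str, target: str, amount: float = 0.0,
             recent_uses: Iterable[datetime] = (), now: Optional[datetime] = None) -> tuple[bool, str]:
    """Return (authorized, reason); every check is a reason to refuse."""
    now = now or datetime.now(timezone.utc)
    if mandate.get("status") != "active":
        return False, "mandate not active"
    if mandate.get("action_type") != action_type:
        return False, "action_type does not match"
    if now >= at(mandate["ttl"]):
        return False, "mandate expired"
    scope = mandate.get("scope", {})
    if not target_allowed(target, scope.get("allowlist", []), scope.get("deny", [])):
        return False, "target not permitted by scope"
    cap = mandate.get("amount_cap")
    if cap is not None and mandate["usage"]["total_amount"] + amount > cap:
        return False, "amount cap exceeded"
    if "rate_limit" in scope:
        limit, window = _parse_rate_limit(scope["rate_limit"])
        if sum(1 for t in recent_uses if now - t < window) >= limit:
            return False, f"rate limit {scope['rate_limit']} reached"
    return True, "ok"


# Constructed sample mirroring the documented structure; addresses are placeholders.
SAMPLE_MANDATE = {
    "mandate_id": "mandate_1770412575_3039e369",
    "action_type": "communication",
    "agent_id": "agent:my-assistant",
    "scope": {"allowlist": ["*@mycompany.com"], "deny": ["*@competitor.com"], "rate_limit": "20/day"},
    "amount_cap": None,
    "ttl": "2026-02-13T00:00:00Z",
    "status": "active",
    "usage": {"count": 5, "total_amount": 0},
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_MANDATE, "communication", "alice@mycompany.com", now=at("2026-02-07T12:00:00Z")))
```

Two edge cases worth noticing: git * keeps its trailing space, so gitlab-runner does not match it; and *@company.com is an exact-suffix match, so alice@company.com.attacker.net is rejected.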

Agent Bridge (Future Roadmap)

Note: Free tier is fully local with no network calls. Pro tier (AGENT_PASSPORT_LICENSE_KEY set) makes periodic HTTPS calls to api.agentpassportai.com for license validation and threat definition updates. No usage data or scan results are transmitted. Agent Bridge is a planned future service.

Local mode handles single-user, single-agent scenarios. A future Agent Bridge service would add:

  • Multi-agent coordination — prevent overlapping mandates
  • Cross-device sync — same mandates everywhere
  • Organization policies — IT guardrails, user customization within
  • Compliance reporting — audit exports for regulatory needs
  • Merchant/service registry — verified vendors, trust scores

Export local ledger anytime: ./mandate-ledger.sh export > backup.json

Configuration (OpenClaw)

{
  "skills": {
    "entries": {
      "agent-passport": {
        "env": {
          "AGENT_PASSPORT_LOCAL_LEDGER": "true"
        },
        "config": {
          "default_currency": "USD",
          "default_ttl_minutes": 60,
          "confirm_threshold_amount": 50
        }
      }
    }
  }
}

Storage

All data stored locally in ~/.openclaw/agent-passport/:

  • mandates.json — mandate ledger
  • agents.json — KYA registry
  • audit.json — action audit trail
  • threat-definitions.json — active threat pattern definitions
  • threat-definitions.bak — previous definitions backup
  • .threat-meta.json — last update/version/source metadata

Safety

  • Never leak secrets into prompts, logs, or outputs
  • Mandates constrain actions, but don't prevent all misuse
  • Audit trail provides accountability, not prevention
  • Use KYA to verify agent identity before granting broad mandates
Usage Guidance
What to consider before installing:

  • This skill runs a local shell script (mandate-ledger.sh) to authorize and log sensitive actions; review that script before allowing the agent to execute it. It creates files under the ledger directory (defaults to ~/.openclaw/agent-passport, or whatever you set in AGENT_PASSPORT_LEDGER_DIR).
  • The package contains test vectors that deliberately include prompt-injection phrases; they are used to validate the shield functionality. Their presence in the repo is intentional, not evidence of compromise.
  • The default/local mode is offline and needs no extra credentials. If you enable Pro/Live features (auto-updates, Agent Bridge), the skill will contact external services and you will need to provide API keys (AGENT_PASSPORT_API_KEY, etc.). Enable those modes only if you trust the remote service and are comfortable supplying credentials.
  • If you plan to let the agent run commands autonomously, restrict autonomous privileges until you have inspected the scripts; consider enabling local-only mode (export AGENT_PASSPORT_LOCAL_LEDGER=true) and leave auto-update/live features off until vetted.
  • If you are unsure, run the scripts in an isolated test environment (non-production account or container) first and inspect the ledger contents and audit logs the skill creates.
Capability Analysis
Type: OpenClaw Skill Name: agent-passport Version: 2.4.2 This skill bundle, 'Agent Passport', is designed to enhance agent security by providing consent-gating, audit trails, and various security shields (SSRF, Path Traversal, Skill Scanner, Injection Shield). The `SKILL.md` explicitly instructs the AI agent on security protocols and anti-prompt injection rules, and the `mandate-ledger.sh` script implements robust checks and scanning capabilities. While the script makes external `curl` calls to `api.agentpassportai.com` for license validation and threat definition updates (Pro tier), the code and documentation explicitly state that no usage data or scan results are transmitted, and the calls are limited to fetching definitions or validating licenses. There is no evidence of intentional harmful behavior, data exfiltration, persistence, or unauthorized remote control. The script uses `set -euo pipefail` and `jq` for JSON parsing, which are good practices for shell script security, and the included test script confirms the developers' intent to prevent common malicious patterns.
Capability Assessment
Purpose & Capability
Name/description (consent-gating, mandate ledger, injection/SSRF/path guards) match the provided scripts and docs. Required binaries (jq, bc, xxd, head, date, mkdir) are reasonable for a shell-based ledger and scanner. The single required env var (AGENT_PASSPORT_LEDGER_DIR) is appropriate for storing the local ledger. The README/docs describe optional Pro/Live features (auto-updates, Agent Bridge) that would use network APIs, but those are not required by default and are documented separately.
Instruction Scope
Runtime instructions tell the agent to call the shipped CLI script (mandate-ledger.sh) to check and log sensitive actions — this is exactly the core purpose. The SKILL.md and tests include explicit prompt-injection examples (e.g., 'ignore previous instructions') used as detection test vectors; the scanner flagged that phrase. The instructions do allow an agent to run local shell commands (init, create-from-template) if the agent chooses to act, which is expected for this skill but means users should review scripts before allowing autonomous execution.
Install Mechanism
No install spec is provided (instruction-only from the platform perspective). The repository includes shell scripts that the agent will invoke locally; there is no automatic remote download or extract specified in the manifest. This is lower risk than an install that fetches arbitrary code from an external URL.
Credentials
Only AGENT_PASSPORT_LEDGER_DIR is declared as required. Documentation mentions optional environment variables and API keys for Live/Pro modes (AGENT_PASSPORT_API_KEY, AGENT_PASSPORT_BASE_URL, AGENT_PASSPORT_LOCAL_LEDGER) but they are not required to run the local mode. No unrelated cloud credentials or high-privilege secrets are demanded by default.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It stores state under a user-controlled ledger directory (defaults to ~/.openclaw/agent-passport or AGENT_PASSPORT_LEDGER_DIR). There are no built-in system-wide or privileged changes in the provided scripts; the code includes scan patterns to detect persistence but does not itself create daemons or cron entries.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install agent-passport
  3. After installation, invoke the skill by name or use /agent-passport
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.4.2
Remove internal spec from published package.
v2.4.1
Security fix: license key moved from URL query param to Authorization header. Removed false offline claims from docs.
v2.4.0
v2.4.0: Data-driven threat definitions system. 75+ security patterns in versioned JSON, auto-updated every 6 hours for Pro users. Like antivirus signature updates for AI agents. New commands: init-definitions, update-definitions, definitions-status. All scan and injection output now includes definitions_version for traceability.
v2.3.2
fix: add set -euo pipefail shell hardening required by CODEX.md and CONTRIBUTING.md; fixes security scanner false positive
v2.3.1
v2.3.1: README now leads with scan-skill and check-injection. Tags updated to v2.3.1 across all categories.
v2.3.0
v2.3.0 — ToxicSkills Defense Pack: adds Skill Scanner (pre-install static analysis, detects curl-pipe-bash, base64 eval, hardcoded keys, prompt injection) and Injection Shield (runtime inbound content scanning for prompt injection attempts). 22/22 tests passing. Fully offline, no new dependencies.
v2.2.1
Security hardening: fixed JSON injection and bc injection vulnerabilities.
v2.2.0
v2.2.0: SSRF Shield, Path Traversal Guard, Webhook Origin Verification — direct response to 9 recent OpenClaw CVEs. SSRF Shield auto-blocks private IPs, loopback, cloud metadata, and unsafe URL schemes on all external_api actions. Path Traversal Guard canonicalizes and validates file paths on all data actions. Webhook Origin Verification adds origin allowlisting and HMAC-SHA256 signature verification. All three fire before mandate lookup for defense-in-depth. 19/19 tests passing.
v2.1.5
Export: add kya_present/audit_present metadata flags. Input validation improvements for get, kill, and legacy check commands.
v2.1.4
test publish
v2.1.3
Fix: get returns error on missing mandate, export includes agents+audit, legacy check arg order, kill requires reason. 40/40 regression tests.
v2.1.2
Security hardening
v2.1.1
Security hardening: input validation, rate limit format checks, path traversal prevention
v2.1.0
Kill switch (kill/unlock), 5 new templates (safe-browsing, coding, email-assistant, read-only, full-auto), removed Lite branding
v2.0.2
Fix env var declaration: AGENT_PASSPORT_LEDGER_DIR (actual) instead of AGENT_PASSPORT_LOCAL_LEDGER
v2.0.1
Fix skill scanner findings: remove unused API key dep, declare binary deps (jq, bc, xxd, etc), clarify skill is 100% local with no network calls
v2.0.0
v2.0: Expanded to 6 action categories, agent behavioral contract, templates, quick-create, KYA integration, glob pattern matching, deny lists, audit trail
Metadata
Slug agent-passport
Version 2.4.2
License
All-time Installs 3
Active Installs 3
Total Versions 17
Frequently Asked Questions

What is Agent Passport?

OAuth for the agentic era. Consent-gating for ALL sensitive agent actions. 75+ data-driven threat definitions with auto-updates (like antivirus signatures).... It is an AI Agent Skill for Claude Code / OpenClaw, with 1702 downloads so far.

How do I install Agent Passport?

Run "/install agent-passport" in the OpenClaw or Claude Code chat to install it in one step. After installing, run the 30-second setup from the README (mandate-ledger.sh init, then create-from-template) so the agent has a ledger to check against.

Is Agent Passport free?

The local (Free) tier is free and open-source: you can download, install and use it at no cost, fully offline. Pro features (license validation and automatic threat-definition updates from api.agentpassportai.com) require an AGENT_PASSPORT_LICENSE_KEY.

Which platforms does Agent Passport support?

Agent Passport is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Agent Passport?

It is built and maintained by Mark Neville (@markneville); the current version is v2.4.2.
