Agentguard

by zxz333zxz · GitHub ↗ · v1.8.2 · MIT-0
Platforms: darwin, linux · ⚠ suspicious
159 Downloads · 0 Stars · 0 Active Installs · 6 Versions
Install in OpenClaw: /install jjy-agentguard
Description
AgentGuard security engine — intercept dangerous operations, audit all actions, protect sensitive data. All commands/file/network operations go through ag_*...
README (SKILL.md)

AgentGuard Security Engine

You now have the AgentGuard Security Engine integrated. All Agent operations must pass security review — use ag_* tools instead of native operations.

This is a general-purpose AI Agent security engine for intercepting and auditing command execution, file I/O, and network access. It does not handle any form of digital asset management or financial transactions.

Security Architecture

AgentGuard provides four layers of protection to ensure agents cannot bypass security controls:

  1. Gateway Tool Blocking (L1) — During setup, setup.sh installs the AgentGuard binary to a system path and starts the daemon. Users must manually add tools.deny entries to openclaw.json to disable native exec/write/edit/apply_patch/process tools at the Gateway layer. Agents are physically unable to call blocked native tools. Rollback: manually delete the tools.deny entries in openclaw.json to restore native tools.
  2. Rule Engine (L2) — All ag_* tool calls are reviewed against command blacklists/whitelists, file path controls, and domain whitelists.
  3. Redaction Engine (L3) — Automatically filters API credentials, auth tokens, SSH keys, and 15 categories of sensitive information (bidirectional input+output redaction).
  4. Audit Log (L4) — All operations are logged to local SQLite, viewable in the Dashboard, tamper-proof.

⚠️ Native dangerous tools are blocked at the Gateway layer. You can only use the ag_* tools listed below to perform operations.

Security Tools

Operation Tools (replace native tools)

  • ag_execute_command (replaces exec / process): command blacklist + dangerous command interception + output redaction
  • ag_read_file (replaces read): sensitive path blocking (.ssh/, system credential store, browser data) + content redaction
  • ag_write_file (replaces write / edit / apply_patch): path access control + write content redaction check
  • ag_list_directory (replaces read for directories): directory access control
  • ag_http_request (replaces browser / network tools): domain whitelist + data exfiltration prevention

Inspection Tools

  • ag_skill_check: check whether a skill/plugin is on the security whitelist
  • ag_status: view engine status (mode / audit stats / Panic state)

Control Tools

  • ag_panic: emergency stop, immediately reject all subsequent operations
  • ag_resume: resume normal operation

Usage Rules

  1. Must use ag_* tools for all command, file, and network operations. Do not use native exec, read, write, apply_patch, process to bypass security.
  2. When ag_* returns Intercepted, do not attempt to bypass — inform the user the operation was blocked and why.
  3. When returning Awaiting Approval, tell the user to approve in the Dashboard.
  4. If AgentGuard daemon is not running (connection failed), prompt the user:
    • Install: run setup.sh in the skill directory (installs from local binary, no network download)
    • Start: agentguard daemon start
  5. Use ag_status anytime to check current security state.
  6. Use ag_panic for emergency stop when suspicious behavior is detected.

Security Modes

  • enforce — Violations are rejected immediately
  • supervised — Suspicious operations pause for user approval
  • permissive — Audit logging only, no blocking
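To make the decision flow of the rule engine (L2), the three security modes and the Panic state concrete, here is an added illustrative evaluator; it is not AgentGuard's code, and the `Policy` class, its rule patterns and the verdict strings are assumptions modelled on the README wording.

```python
import fnmatch
import os
from dataclasses import dataclass

# Verdict strings modelled on the README's "Intercepted" / "Awaiting Approval" (assumed, not AgentGuard's own).
ALLOWED, INTERCEPTED, AWAITING = "Allowed", "Intercepted", "Awaiting Approval"


@dataclass
class Policy:
    """Toy stand-in for the L2 rule engine; the rule lists below are constructed sample data."""
    mode: str = "enforce"            # enforce | supervised | permissive
    panic: bool = False              # set by ag_panic, cleared by ag_resume
    command_blacklist: tuple = ("rm -rf /*", "curl*|*sh", "mkfs*")
    sensitive_paths: tuple = ("*/.ssh/*", "*/.aws/credentials", "*/Library/Keychains/*")
    domain_whitelist: tuple = ("api.github.com", "*.example.com")

    def violates(self, kind: str, target: str) -> bool:
        """True when the operation matches a blocking rule (or misses the allowlist for http)."""
        if kind == "command":
            return any(fnmatch.fnmatch(target, p) for p in self.command_blacklist)
        if kind in ("read", "write"):
            # Canonicalise first so "/tmp/../home/dev/.ssh/id_rsa" cannot dodge the pattern.
            path = os.path.abspath(target)
            return any(fnmatch.fnmatch(path, p) for p in self.sensitive_paths)
        if kind == "http":
            host = target.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].lower()
            return not any(fnmatch.fnmatch(host, p) for p in self.domain_whitelist)
        raise ValueError(f"unknown operation kind: {kind}")

    def decide(self, kind: str, target: str) -> tuple:
        """Return (verdict, reason). Panic rejects everything regardless of mode."""
        if self.panic:
            return INTERCEPTED, "panic state active; ag_resume is required first"
        if not self.violates(kind, target):
            return ALLOWED, "no rule matched"
        reason = f"{kind} {target!r} matched a security rule"
        if self.mode == "enforce":
            return INTERCEPTED, reason
        if self.mode == "supervised":
            return AWAITING, reason + "; approve in the Dashboard"
        if self.mode == "permissive":
            return ALLOWED, reason + " (audit log only)"
        raise ValueError(f"unknown mode: {self.mode}")
```

The same rule match yields three different verdicts depending on mode, while Panic short-circuits before any rule is consulted.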

Dashboard

Audit logs viewable at: http://127.0.0.1:19821

Features: real-time operation timeline / audit statistics / rule configuration / one-click Panic

Uninstall & Rollback

  1. agentguard daemon stop — stop the daemon
  2. Delete the tools.deny entries in openclaw.json
  3. rm /usr/local/bin/agentguard — remove the binary

AgentGuard Security Engine (Chinese README section, translated)

You now have the AgentGuard Security Engine integrated. All Agent operations must pass security review; you must use the ag_* tools in place of native operations.

This tool is a general-purpose AI Agent security engine for intercepting and auditing an Agent's command execution, file I/O, and network access. It does not involve any form of digital asset management or financial transaction functionality.

Security Architecture

AgentGuard uses four layers of protection to ensure the Agent cannot bypass security supervision:

  1. Gateway Tool Blocking (L1) — During installation, setup.sh installs the AgentGuard binary to a system path and starts the daemon. Users must manually add tools.deny entries to openclaw.json to disable the native exec/write/edit/apply_patch/process tools at the Gateway layer. The Agent is physically unable to call blocked native tools. Rollback: manually delete the tools.deny entries in openclaw.json to restore the native tools.
  2. Rule Engine (L2) — All ag_* tool calls are reviewed against command blacklists/whitelists, file path controls, and domain whitelists
  3. Redaction Engine (L3) — Automatically filters API credentials, auth tokens, SSH keys and 15 categories of sensitive information (bidirectional input+output redaction)
  4. Audit Log (L4) — All operations are recorded in local SQLite, viewable in the Dashboard, tamper-proof

⚠️ Native dangerous tools are blocked at the Gateway layer; you can only use the ag_* tools below to perform operations.

Security Tools

Operation Tools (replace native tools)

  • ag_execute_command (replaces exec / process): command blacklist/whitelist + dangerous command interception + output redaction
  • ag_read_file (replaces read): sensitive path blocking (.ssh/, system credential store, browser data) + content redaction
  • ag_write_file (replaces write / edit / apply_patch): path access control + write content redaction check
  • ag_list_directory (replaces read for directories): directory access control
  • ag_http_request (replaces browser / network tools): domain whitelist + data exfiltration prevention

Inspection Tools

  • ag_skill_check: check whether a Skill/plugin is on the security whitelist
  • ag_status: view engine status (run mode / audit statistics / Panic state)

Control Tools

  • ag_panic: emergency pause, immediately reject all subsequent operations
  • ag_resume: resume normal operation

Usage Rules

  1. You must use ag_* tools for all command, file, and network operations. Do not use native tools such as exec, read, write, apply_patch, or process to bypass security checks.
  2. When an ag_* tool returns an Intercepted message, do not attempt to bypass it; explain to the user that the operation was intercepted by the security policy, and why.
  3. When Awaiting Approval is returned, inform the user that approval is pending and that it must be granted in the Dashboard.
  4. If the AgentGuard daemon is not running (connection failed), prompt the user:
    • Install: run setup.sh in the skill directory (installs from the local binary, no network download required)
    • Start: agentguard daemon start
  5. Use ag_status at any time to view the current security state.
  6. When suspicious behavior is detected or the user requests it, use ag_panic to pause immediately.

Security Modes

  • enforce (mandatory interception) — operations that violate rules are rejected outright
  • supervised (supervised approval) — suspicious operations are paused pending user approval
  • permissive (lenient pass-through) — audit logging only, no interception

Dashboard

Audit logs of all operations can be viewed in the local Dashboard: http://127.0.0.1:19821

The Dashboard provides: real-time operation timeline / audit statistics charts / rule configuration / one-click Panic

Uninstall & Rollback

  1. agentguard daemon stop — stop the daemon
  2. Delete the tools.deny entries in openclaw.json
  3. rm /usr/local/bin/agentguard — remove the binary

Usage Guidance
This package is coherent with its stated purpose (a local security gate), but it installs and runs an opaque native binary that will intercept and control all agent operations if you add the recommended openclaw.json tools.deny entries. Before installing:
  1. verify the publisher and the binary source (request source code or a reproducible build);
  2. validate checksums from an independent channel (not just the shipped checksums.txt);
  3. run the daemon in a sandbox, VM or container first rather than on your main host;
  4. carefully review and back up openclaw.json before editing so you can restore native tools;
  5. avoid running the installer with sudo until you trust the binary;
  6. consider asking the maintainer for a build reproducibility guide or for audited source.
If you cannot verify the binary or trust the homepage/maintainer, treat this as high risk and do not install on production or privileged hosts.
Capability Assessment
Purpose & Capability
Name/description, the JS plugin, SKILL.md instructions, and required binary (agentguard) are coherent: the skill is a local 'security engine' that proxies operations via ag_* tools. Minor inconsistency: registry metadata lists agentguard as a required binary (must exist) even though the package includes setup.sh and a local binary to install; that may confuse install expectations but does not break the core purpose.
Instruction Scope
SKILL.md explicitly instructs the user to install a daemon and to add tools.deny entries to openclaw.json to disable native exec/read/write/process tools. That gives the skill (once installed) control over all agent command/file/network operations. The JS plugin sends every tool call to the local daemon and surfaces approval flows; no direct external network endpoints are called by the plugin. The scope of instructions is consistent with the stated purpose, but the instruction to alter openclaw.json is high-impact and could 'lock' agents into using this engine.
Install Mechanism
There is no remote installer; setup.sh installs a prebuilt native binary bundled in the package's bin/ directory and starts a daemon locally. While the script verifies a checksum file shipped alongside the binary, the binary itself is closed/compiled (no source provided). Bundling and installing an opaque native executable to /usr/local/bin is a higher-risk install pattern and requires trust in the publisher. On the positive side, setup.sh does not download remote code during install.
Credentials
The skill does not request environment variables, API keys, or external credentials. The SKILL.md exposes an optional daemon port setting (AGENTGUARD_DAEMON_PORT default 19821) but nothing sensitive is required by the plugin itself.
Persistence & Privilege
The skill registers background health checks and gateway methods and instructs the user to modify openclaw.json to deny native tools, effectively making this engine the enforced gatekeeper for agent actions. The manifest sets always:false (the skill is not force-installed), but if a user follows the manual instructions this plugin gains broad persistent control over agent I/O. Installing the binary to /usr/local/bin and starting a daemon also means the native executable will run system-wide (and may be started with elevated privileges if the user runs the installer with sudo).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install jjy-agentguard
  3. After installation, invoke the skill by name or use /jjy-agentguard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.8.2
Fix: update package.json version to 1.8.2, restrict setup.sh to arm64-only (no x86_64 binary yet), fix repository URL
v1.8.1
Add bilingual README (English first, then Chinese)
v1.8.0
Fix: remove false crypto tags, correct documentation, fix version mismatch
v1.7.1
Update description: English first, then Chinese
v1.7.0
Security fix: remove the curl|sh install method and switch to a local binary + SHA256 verification; fix metadata inconsistencies; add uninstall and rollback instructions
v1.0.0
  • Initial release of the AgentGuard security engine for securing agent operations.
  • Intercepts all command, file, and network operations via secure ag_* tools instead of native methods.
  • Multi-layered protection: gateway tool blocking, rule engine, redaction engine, and full audit logs.
  • Sensitive data and dangerous actions are automatically detected, blocked, or redacted.
  • Includes emergency stop (panic), audit dashboard, and requires explicit manual approval for suspicious actions.
  • Supports macOS and Linux with an easy install script and local dashboard for monitoring and control.
Metadata
Slug jjy-agentguard
Version 1.8.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 6
Frequently Asked Questions

What is Agentguard?

AgentGuard security engine — intercept dangerous operations, audit all actions, protect sensitive data. All commands/file/network operations go through ag_*... It is an AI Agent Skill for Claude Code / OpenClaw, with 159 downloads so far.

How do I install Agentguard?

Run "/install jjy-agentguard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Agentguard free?

Yes, Agentguard is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Agentguard support?

Agentguard is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created Agentguard?

It is built and maintained by zxz333zxz (@zxz333zxz); the current version is v1.8.2.
