← Back to Skills Marketplace

Audit Log Hook

Name: Audit Log Hook
Author: hanxiao-bot

by hanxiao-bot · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install audit-log-hook

Description

Logs all tool calls before and after execution with parameters, results, errors, and session info for auditing and debugging.

README (SKILL.md)

Audit Log Hook - Tool Call Audit

Purpose

Record all tool calls via before_tool_call and after_tool_call hooks for:

Security auditing
Debugging issues
Usage statistics
Error tracking

Implementation

// Audit log file path
const AUDIT_LOG = path.join(process.env.OPENCLAW_STATE_DIR || '~/.openclaw', 'audit.log');

api.registerHook("before_tool_call", async ({ event, ctx }) => {
  const entry = {
    ts: new Date().toISOString(),
    event: "before_tool_call",
    tool: event.tool.name,
    params: JSON.stringify(event.tool.params).slice(0, 500),
    session: ctx.sessionKey,
    user: ctx.session?.senderId || 'unknown'
  };
  console.log("[AUDIT]", JSON.stringify(entry));
  return {};
});

api.registerHook("after_tool_call", async ({ event, ctx }) => {
  const entry = {
    ts: new Date().toISOString(),
    event: "after_tool_call",
    tool: event.tool.name,
    result: String(event.result).slice(0, 200),
    error: event.error?.message || null,
    duration: event.durationMs,
    session: ctx.sessionKey
  };
  console.log("[AUDIT]", JSON.stringify(entry));
  return {};
});

Log Format

{"ts":"2026-04-01T23:00:00.000Z","event":"before_tool_call","tool":"exec","params":"{\"command\":\"ls -la\"}","session":"agent:main:feishu:direct:ou_xxx","user":"ou_xxx"}
{"ts":"2026-04-01T23:00:00.050Z","event":"after_tool_call","tool":"exec","result":"total 8\
drwxr-xr-x  12 dc  staff   384 Apr  1 23:00","error":null,"duration":50,"session":"agent:main:feishu:direct:ou_xxx"}

Sensitive Data Handling

Auto-redact sensitive fields:

function redactSensitive(obj) {
  const sensitive = ['apiKey', 'token', 'password', 'secret'];
  for (const key of Object.keys(obj)) {
    if (sensitive.some(s => key.toLowerCase().includes(s))) {
      obj[key] = '[REDACTED]';
    }
  }
  return obj;
}

Statistics Analysis

Periodically analyze audit.log:

# Count tool usage
grep "before_tool_call" audit.log | jq -r .tool | sort | uniq -c | sort -rn

# Count errors
grep "after_tool_call" audit.log | jq -r '.error' | grep -v null | wc -l

# Count sessions
grep "before_tool_call" audit.log | jq -r .session | sort -u | wc -l

Usage Guidance

This skill appears intended to audit tool calls, but the example implementation is inconsistent and can leak secrets if used as-is. Before installing: (1) require a clear, consistent implementation that actually writes to a secured audit log (or explicitly documents relying on console logs); (2) implement robust redaction (recursive traversal, header keys like Authorization, nested fields, and pattern matching) and call it before logging; (3) avoid logging full param/result payloads — log hashes or truncated metadata where possible; (4) ensure logs are stored with access controls, rotation, and encryption; (5) review retention and privacy/compliance requirements for session and user identifiers. If you cannot verify these changes, treat the skill as unsafe for production/real-user data.

Capability Analysis

Type: OpenClaw Skill Name: audit-log-hook Version: 1.0.0 The skill provides a standard implementation for auditing tool calls within the OpenClaw environment, as described in SKILL.md. It defines hooks to log tool parameters, execution results, and session metadata for security monitoring and debugging. The implementation includes a helper function for redacting sensitive information (API keys, tokens), and the behavior is entirely consistent with its stated purpose without any indicators of data exfiltration or unauthorized execution.

Capability Assessment

ℹ Purpose & Capability

The skill's name and description match the provided hook code (before_tool_call / after_tool_call). However the SKILL.md declares an audit log file path (AUDIT_LOG) but the example hooks only console.log entries (they do not write to the audit.log). The code references process.env.OPENCLAW_STATE_DIR even though no environment variables are declared; this is plausible as an optional override but should be documented.

⚠ Instruction Scope

The instructions capture tool params, results, session keys, and user IDs which is consistent with auditing, but the provided redaction function is never invoked in the hook examples and is naive (only top-level key checks for tokens/passwords). Logging uses JSON.stringify and simple slicing of values which can still expose secrets in values or nested objects. The SKILL.md also shows shell grep/jq commands against audit.log even though the example hook does not write that file—this is an internal inconsistency. There is no guidance on log retention, access controls, or encryption.

✓ Install Mechanism

Instruction-only skill with no install spec or code files; nothing is written to disk by an installer. This minimizes install-time risk but also means runtime behavior depends entirely on the agent’s execution of the provided hook code.

ℹ Credentials

No required environment variables or credentials are declared, which fits a local audit hook. The example references OPENCLAW_STATE_DIR (optional) and uses session/user identifiers; these are reasonable but should be declared if relied upon. No credentials are requested, which is proportionate.

✓ Persistence & Privilege

The skill does not request always:true and is user-invocable with normal model invocation enabled. It does not request elevated system-wide privileges or modify other skills' configurations in the provided instructions.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install audit-log-hook
After installation, invoke the skill by name or use /audit-log-hook
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

- Initial release of Audit Log Hook for tool call auditing. - Records all tool calls using `before_tool_call` and `after_tool_call` hooks with detailed event context. - Automatically redacts sensitive parameters (such as apiKey, token, password, secret) in log entries. - Provides log format examples and analysis tips for usage stats, errors, and session counts. - Assists with security auditing, debugging, and monitoring tool usage.

Metadata

Slug audit-log-hook

Version 1.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Audit Log Hook?

Logs all tool calls before and after execution with parameters, results, errors, and session info for auditing and debugging. It is an AI Agent Skill for Claude Code / OpenClaw, with 95 downloads so far.

How do I install Audit Log Hook?

Run "/install audit-log-hook" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Audit Log Hook free?

Yes, Audit Log Hook is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Audit Log Hook support?

Audit Log Hook is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Audit Log Hook?

It is built and maintained by hanxiao-bot (@hanxiao-bot); the current version is v1.0.0.

More Skills