← 返回 Skills 市场
markneville

Agent Passport

作者 Mark Neville · GitHub ↗ · v2.4.2
cross-platform ✓ 安全检测通过
1702
总下载
3
收藏
3
当前安装
17
版本数
在 OpenClaw 中安装
/install agent-passport
功能描述
OAuth for the agentic era. Consent-gating for ALL sensitive agent actions. 75+ data-driven threat definitions with auto-updates (like antivirus signatures)....
使用说明 (SKILL.md)

Agent Passport (OpenClaw)

30-Second Setup

# Initialize and register your agent
./mandate-ledger.sh init agent:my-assistant "Your Name" "personal assistant" "openclaw"

# Grant dev tool access (git, npm, docker, etc.)
./mandate-ledger.sh create-from-template dev-tools

# That's it! The agent will now check permissions before sensitive actions.

Templates available: dev-tools · email-team \x3Cdomain> · file-ops \x3Cpath> · web-research · safe-browsing · coding · email-assistant · read-only · full-auto Run ./mandate-ledger.sh templates to see all options.

⚡ Agent Behavioral Contract

If you are an agent reading this skill, these are your rules. Follow them.

When to Check

Before performing ANY of these actions, you MUST call check-action first:

Action Category Example target
Running a shell command system "git pull", "npm install"
Sending a message/email communication "[email protected]"
Writing/deleting a file data "/path/to/file.txt"
Making an API call with side effects external_api "api.github.com"
Spending money financial "merchant_amazon" with amount
Acting publicly as the user identity "twitter_post"

You do NOT need to check: reading files, web searches, internal reasoning, or anything with no side effects.

How to Check

SCRIPT_DIR="$HOME/.openclaw/skills/agent-passport/scripts"

result=$($SCRIPT_DIR/mandate-ledger.sh check-action "\x3Cyour_agent_id>" "\x3Ccategory>" "\x3Ctarget>" [amount])

Parse the result:

  • authorized: true → proceed, then log the action afterward
  • authorized: falseSTOP. Ask the user.
  • If response includes kill_switch: true or reason Kill switch engagedSTOP immediately and ask user to run mandate-ledger.sh unlock

The Flow

1. You want to do something sensitive
2. Call check-action
3. IF authorized:
   a. Do the thing
   b. Log it: mandate-ledger.sh log-action \x3Cmandate_id> \x3Camount> "\x3Cdescription>"
4. IF denied:
   a. Tell the user what you want to do and why
   b. Suggest a mandate (show scope, duration, constraints)
   c. Wait for approval
   d. If approved, create the mandate, then proceed

How to Ask for Permission

When denied, present it clearly and concisely:

I need to [ACTION] but don't have a mandate for it.

📋 [CATEGORY]: [what you want to do]
🎯 Target: [specific target]
⏰ Suggested duration: [reasonable TTL]

Want me to set this up? I can also create a broader mandate if you'd
prefer (e.g., all emails to @company.com for 30 days).

DO NOT:

  • Bypass the check and do it anyway
  • Ask repeatedly for the same thing if denied
  • Create mandates yourself without user approval
  • Pretend you checked when you didn't

DO:

  • Suggest templates when appropriate ("Want me to set up dev-tools?")
  • Batch similar requests ("I'll need to run several git commands — want a dev-tools mandate?")
  • Log every action after completion
  • Mention remaining limits when relevant ("3/20 daily emails used")

First-Time Setup

If check-action returns "hint": "templates", the ledger is empty. Guide the user:

Agent Passport isn't set up yet. It takes 30 seconds:

  mandate-ledger.sh init agent:me "Your Name" "assistant" "openclaw"
  mandate-ledger.sh create-from-template dev-tools

Want me to run this for you?

Logging Actions

After every authorized action, log it:

$SCRIPT_DIR/mandate-ledger.sh log-action "\x3Cmandate_id>" \x3Camount> "\x3Cdescription>"
  • For financial: amount = dollars spent
  • For everything else: amount = 1
  • Description should be human-readable: "Sent email to [email protected] re: Q1 report"

Kill Switch Behavior

If the user engages the kill switch, all operations are frozen until unlocked.

./mandate-ledger.sh kill "user requested freeze"
./mandate-ledger.sh unlock

Agent behavior when kill switch is active:

  • Do not attempt sensitive actions
  • Do not retry check-action in a loop
  • Tell user operations are blocked and request explicit unlock

Overview

Agent Passport provides a consent layer for agent autonomy. Instead of all-or-nothing permissions, users grant mandates with specific constraints:

"I authorize this agent to [ACTION] with [CONSTRAINTS] until [EXPIRY]"

This isn't just about purchases — it's consent-gating for all sensitive actions.

Action Categories

Category Examples Typical Constraints
financial Purchases, transfers, subscriptions Spending cap, merchant allowlist
communication Emails, messages, tweets, posts Recipient allowlist, rate limit
data Delete files, edit docs, DB writes Path allowlist, require backup
system Shell commands, installs, configs Command allowlist, no sudo
external_api Third-party API calls Service allowlist, rate limit
identity Public actions "as" the user Human review required

Wildcard Patterns

Allowlists and deny lists support three wildcard styles:

Pattern Matches Example
prefix * Anything starting with prefix git *git pull, git status
*.suffix Anything ending with suffix *.envconfig.env, .env
*middle* Anything containing middle */.git/*repo/.git/config
*@domain Email domain match *@company.com[email protected]
exact Exact match only api.github.com

Modes

  • Local mode (default): Mandates stored in ~/.openclaw/agent-passport/. Free tier is fully offline. Pro tier makes periodic API calls to api.agentpassportai.com for license validation and threat definition updates.
  • Preview mode: No storage, no network. Generates validated payloads and curl templates.
  • Live mode (roadmap): Future connection to Agent Bridge backend for multi-agent sync and compliance. Not yet implemented.

Quick Start Commands

# Initialize with identity
./mandate-ledger.sh init \x3Cagent_id> \x3Cprincipal> [scope] [provider]

# Templates (auto-detects agent if registered)
./mandate-ledger.sh templates
./mandate-ledger.sh create-from-template dev-tools
./mandate-ledger.sh create-from-template email-team \x3Cdomain>
./mandate-ledger.sh create-from-template file-ops \x3Cpath>
./mandate-ledger.sh create-from-template web-research
./mandate-ledger.sh create-from-template safe-browsing
./mandate-ledger.sh create-from-template coding
./mandate-ledger.sh create-from-template email-assistant
./mandate-ledger.sh create-from-template read-only
./mandate-ledger.sh create-from-template full-auto

# Quick create (human-friendly durations: 7d, 24h, 30m)
./mandate-ledger.sh create-quick \x3Ctype> \x3Cagent_id> \x3Callowlist_csv> \x3Cduration> [amount_cap]

# Check & log
./mandate-ledger.sh check-action \x3Cagent> \x3Ctype> \x3Ctarget> [amount]
./mandate-ledger.sh log-action \x3Cmandate_id> \x3Camount> "\x3Cdescription>"

# Audit
./mandate-ledger.sh audit [limit]
./mandate-ledger.sh summary

# Threat definitions
./mandate-ledger.sh init-definitions
./mandate-ledger.sh update-definitions
./mandate-ledger.sh definitions-status

Commands Reference

Quick Start

init [agent_id] [principal] [scope] [provider]
                           # Initialize ledger, optionally register agent
templates                  # List available templates
create-from-template \x3Ct>   # Create mandate from template
  [agent_id] [args...]
create-quick \x3Ctype>        # Create with positional args
  \x3Cagent_id> \x3Callowlist>
  \x3Cduration> [amount_cap]

Mandate Lifecycle

create \x3Cjson>              # Create mandate (include action_type)
create-with-kya \x3Cjson>     # Create with auto-attached agent KYA
get \x3Cmandate_id>           # Get mandate by ID
list [filter]              # List mandates (all|active|revoked|\x3Caction_type>)
revoke \x3Cmandate_id> [why]  # Revoke a mandate

Authorization

check-action \x3Cagent> \x3Ctype> \x3Ctarget> [amount]
                           # Check if action is authorized
log-action \x3Cmandate_id> \x3Camount> [description]
                           # Log action against mandate
kill \x3Creason>               # Engage kill switch and freeze execution
unlock                      # Disengage kill switch

Audit & Reporting

audit [limit]              # Show recent audit entries
audit-mandate \x3Cid>         # Show audit for specific mandate
audit-summary [since]      # Summary by action type
summary                    # Show overall ledger stats
export                     # Export full ledger as JSON

Threat Definitions

init-definitions           # Write bundled threat-definitions.json to LEDGER_DIR
update-definitions         # Refresh definitions (Pro: API pull, Free: bundled copy)
  [--force] [--offline]
definitions-status         # Show version, pattern counts, and last update

KYA (Know Your Agent)

kya-register \x3Cagent_id> \x3Cprincipal> \x3Cscope> [provider]
kya-get \x3Cagent_id>
kya-list
kya-revoke \x3Cagent_id> [why]

Mandate Structure

{
  "mandate_id": "mandate_1770412575_3039e369",
  "action_type": "communication",
  "agent_id": "agent:my-assistant",
  "scope": {
    "allowlist": ["*@mycompany.com", "[email protected]"],
    "deny": ["*@competitor.com"],
    "rate_limit": "20/day",
    "kya": { "status": "verified", "verified_principal": "Mark" }
  },
  "amount_cap": null,
  "ttl": "2026-02-13T00:00:00Z",
  "status": "active",
  "usage": { "count": 5, "total_amount": 0 },
  "created_at": "2026-02-06T22:00:00Z"
}

Agent Bridge (Future Roadmap)

Note: Free tier is fully local with no network calls. Pro tier (AGENT_PASSPORT_LICENSE_KEY set) makes periodic HTTPS calls to api.agentpassportai.com for license validation and threat definition updates. No usage data or scan results are transmitted. Agent Bridge is a planned future service.

Local mode handles single-user, single-agent scenarios. A future Agent Bridge service would add:

  • Multi-agent coordination — prevent overlapping mandates
  • Cross-device sync — same mandates everywhere
  • Organization policies — IT guardrails, user customization within
  • Compliance reporting — audit exports for regulatory needs
  • Merchant/service registry — verified vendors, trust scores

Export local ledger anytime: ./mandate-ledger.sh export > backup.json

Configuration (OpenClaw)

{
  "skills": {
    "entries": {
      "agent-passport": {
        "env": {
          "AGENT_PASSPORT_LOCAL_LEDGER": "true"
        },
        "config": {
          "default_currency": "USD",
          "default_ttl_minutes": 60,
          "confirm_threshold_amount": 50
        }
      }
    }
  }
}

Storage

All data stored locally in ~/.openclaw/agent-passport/:

  • mandates.json — mandate ledger
  • agents.json — KYA registry
  • audit.json — action audit trail
  • threat-definitions.json — active threat pattern definitions
  • threat-definitions.bak — previous definitions backup
  • .threat-meta.json — last update/version/source metadata

Safety

  • Never leak secrets into prompts, logs, or outputs
  • Mandates constrain actions, but don't prevent all misuse
  • Audit trail provides accountability, not prevention
  • Use KYA to verify agent identity before granting broad mandates
安全使用建议
What to consider before installing: - This skill runs a local shell script (mandate-ledger.sh) to authorize and log sensitive actions; review that script before allowing the agent to execute it. It will create files under the ledger directory (defaults to ~/.openclaw/agent-passport or whatever you set in AGENT_PASSPORT_LEDGER_DIR). - The package contains test vectors that deliberately include prompt-injection phrases; those are used to validate the shield functionality — their presence in the repo is intentional, not evidence of compromise. - The default/local mode is offline and does not require extra credentials. If you enable Pro/Live features (auto-updates, Agent Bridge), the skill will contact external services and you will need to provide API keys (AGENT_PASSPORT_API_KEY, etc.). Only enable those modes if you trust the remote service and are comfortable supplying credentials. - If you plan to allow the agent to autonomously run commands, restrict autonomous privileges until you inspect the scripts and consider enabling local-only mode (export AGENT_PASSPORT_LOCAL_LEDGER=true) and avoid enabling auto-update/live features until vetted. - If you are unsure, run the scripts in an isolated test environment (non-production account or container) first and inspect the ledger contents and audit logs the skill will create.
功能分析
Type: OpenClaw Skill Name: agent-passport Version: 2.4.2 This skill bundle, 'Agent Passport', is designed to enhance agent security by providing consent-gating, audit trails, and various security shields (SSRF, Path Traversal, Skill Scanner, Injection Shield). The `SKILL.md` explicitly instructs the AI agent on security protocols and anti-prompt injection rules, and the `mandate-ledger.sh` script implements robust checks and scanning capabilities. While the script makes external `curl` calls to `api.agentpassportai.com` for license validation and threat definition updates (Pro tier), the code and documentation explicitly state that no usage data or scan results are transmitted, and the calls are limited to fetching definitions or validating licenses. There is no evidence of intentional harmful behavior, data exfiltration, persistence, or unauthorized remote control. The script uses `set -euo pipefail` and `jq` for JSON parsing, which are good practices for shell script security, and the included test script confirms the developers' intent to prevent common malicious patterns.
能力评估
Purpose & Capability
Name/description (consent-gating, mandate ledger, injection/SSRF/path guards) match the provided scripts and docs. Required binaries (jq, bc, xxd, head, date, mkdir) are reasonable for a shell-based ledger and scanner. The single required env var (AGENT_PASSPORT_LEDGER_DIR) is appropriate for storing the local ledger. The README/docs describe optional Pro/Live features (auto-updates, Agent Bridge) that would use network APIs, but those are not required by default and are documented separately.
Instruction Scope
Runtime instructions tell the agent to call the shipped CLI script (mandate-ledger.sh) to check and log sensitive actions — this is exactly the core purpose. The SKILL.md and tests include explicit prompt-injection examples (e.g., 'ignore previous instructions') used as detection test vectors; the scanner flagged that phrase. The instructions do allow an agent to run local shell commands (init, create-from-template) if the agent chooses to act, which is expected for this skill but means users should review scripts before allowing autonomous execution.
Install Mechanism
No install spec is provided (instruction-only from the platform perspective). The repository includes shell scripts that the agent will invoke locally; there is no automatic remote download or extract specified in the manifest. This is lower risk than an install that fetches arbitrary code from an external URL.
Credentials
Only AGENT_PASSPORT_LEDGER_DIR is declared as required. Documentation mentions optional environment variables and API keys for Live/Pro modes (AGENT_PASSPORT_API_KEY, AGENT_PASSPORT_BASE_URL, AGENT_PASSPORT_LOCAL_LEDGER) but they are not required to run the local mode. No unrelated cloud credentials or high-privilege secrets are demanded by default.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It stores state under a user-controlled ledger directory (defaults to ~/.openclaw/agent-passport or AGENT_PASSPORT_LEDGER_DIR). There are no built-in system-wide or privileged changes in the provided scripts; the code includes scan patterns to detect persistence but does not itself create daemons or cron entries.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install agent-passport
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /agent-passport 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.4.2
Remove internal spec from published package.
v2.4.1
Security fix: license key moved from URL query param to Authorization header. Removed false offline claims from docs.
v2.4.0
v2.4.0: Data-driven threat definitions system. 75+ security patterns in versioned JSON, auto-updated every 6 hours for Pro users. Like antivirus signature updates for AI agents. New commands: init-definitions, update-definitions, definitions-status. All scan and injection output now includes definitions_version for traceability.
v2.3.2
fix: add set -euo pipefail shell hardening required by CODEX.md and CONTRIBUTING.md; fixes security scanner false positive
v2.3.1
v2.3.1: README now leads with scan-skill and check-injection. Tags updated to v2.3.1 across all categories.
v2.3.0
v2.3.0 — ToxicSkills Defense Pack: adds Skill Scanner (pre-install static analysis, detects curl-pipe-bash, base64 eval, hardcoded keys, prompt injection) and Injection Shield (runtime inbound content scanning for prompt injection attempts). 22/22 tests passing. Fully offline, no new dependencies.
v2.2.1
Security hardening: fixed JSON injection and bc injection vulnerabilities.
v2.2.0
v2.2.0: SSRF Shield, Path Traversal Guard, Webhook Origin Verification — direct response to 9 recent OpenClaw CVEs. SSRF Shield auto-blocks private IPs, loopback, cloud metadata, and unsafe URL schemes on all external_api actions. Path Traversal Guard canonicalizes and validates file paths on all data actions. Webhook Origin Verification adds origin allowlisting and HMAC-SHA256 signature verification. All three fire before mandate lookup for defense-in-depth. 19/19 tests passing.
v2.1.5
Export: add kya_present/audit_present metadata flags. Input validation improvements for get, kill, and legacy check commands.
v2.1.4
test publish
v2.1.3
Fix: get returns error on missing mandate, export includes agents+audit, legacy check arg order, kill requires reason. 40/40 regression tests.
v2.1.2
Security hardening
v2.1.1
Security hardening: input validation, rate limit format checks, path traversal prevention
v2.1.0
Kill switch (kill/unlock), 5 new templates (safe-browsing, coding, email-assistant, read-only, full-auto), removed Lite branding
v2.0.2
Fix env var declaration: AGENT_PASSPORT_LEDGER_DIR (actual) instead of AGENT_PASSPORT_LOCAL_LEDGER
v2.0.1
Fix skill scanner findings: remove unused API key dep, declare binary deps (jq, bc, xxd, etc), clarify skill is 100% local with no network calls
v2.0.0
v2.0: Expanded to 6 action categories, agent behavioral contract, templates, quick-create, KYA integration, glob pattern matching, deny lists, audit trail
元数据
Slug agent-passport
版本 2.4.2
许可证
累计安装 3
当前安装数 3
历史版本数 17
常见问题

Agent Passport 是什么?

OAuth for the agentic era. Consent-gating for ALL sensitive agent actions. 75+ data-driven threat definitions with auto-updates (like antivirus signatures).... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1702 次。

如何安装 Agent Passport?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install agent-passport」即可一键安装,无需额外配置。

Agent Passport 是免费的吗?

是的,Agent Passport 完全免费(开源免费),可自由下载、安装和使用。

Agent Passport 支持哪些平台?

Agent Passport 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Agent Passport?

由 Mark Neville(@markneville)开发并维护,当前版本 v2.4.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论