← 返回 Skills 市场

AgentGate - Enterprise Security Firewall for OpenClaw

Name: AgentGate - Enterprise Security Firewall for OpenClaw
Author: wiserautomation

作者 wiserautomation · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

724

总下载

当前安装

版本数

在 OpenClaw 中安装

/install agentgate-security

功能描述

Enforces regex-based, real-time authorization policies on OpenClaw agents’ tool calls, blocking, allowing, or requiring approval before execution.

使用说明 (SKILL.md)

AgentGate - Enterprise Security Firewall for OpenClaw

AgentGate is a real-time policy enforcement layer that intercepts every tool call your OpenClaw agent makes before it executes. It evaluates the call against human-defined regex-based rules stored in Firestore and returns one of three decisions: ALLOW, DENY, or REQUIRE_APPROVAL.

Why this exists

OpenClaw agents operate with full tool access by default. A single hallucination can cause the agent to run rm -rf, send unauthorized emails, issue Stripe API calls, push broken code to production, or exfiltrate data to external endpoints. AgentGate intercepts every tool call before execution.

Architecture

AgentGate wraps the agent executeTool method using a middleware pattern. On every tool invocation it sends a POST request to the AgentGate Firebase Cloud Function with the agent API key, tool name, and serialized arguments. The function validates the key, evaluates regex policies, writes to the audit log, and returns the decision in under 80ms.

Decision types

ALLOW: Tool executes normally. DENY: Tool is blocked. Agent receives structured error: "AgentGate: Action blocked by policy [policy_id]. Do not retry." REQUIRE_APPROVAL: Execution paused. Telegram webhook fires to operator with Approve/Deny buttons. Agent polls Firestore every 2 seconds for up to 5 minutes.

Supported tool types

bash: shell command execution
browser: Playwright-based web automation
fetch: outbound HTTP requests
fs: filesystem read and write
email: SMTP and SendGrid integrations
stripe: payment API calls

Policy format

agentId: string toolName: string (e.g. "bash") condition: string (regex evaluated against JSON.stringify(args)) ruleType: "ALLOW" | "DENY" | "REQUIRE_APPROVAL" priority: integer (lower = evaluated first)

Example - block destructive bash commands: toolName: "bash" condition: "rm\s+-rf|DROP\s+TABLE" ruleType: "DENY"

Example - require approval for Stripe charges over $100: toolName: "stripe" condition: ""amount":\s*[1-9][0-9]{4,}" ruleType: "REQUIRE_APPROVAL"

Example - whitelist-only outbound fetch: toolName: "fetch" condition: "^(?!.(api\.github\.com|agent-gate-rho\.vercel\.app)).$" ruleType: "DENY"

SDK usage

npm install @agentgate/openclaw-guard

import OpenClaw from 'openclaw'; import { withAgentGate } from '@agentgate/openclaw-guard';

const agent = new OpenClaw({ model: 'claude-3-5-sonnet', tools: ['bash', 'browser', 'fetch'] });

const securedAgent = withAgentGate(agent, { apiKey: process.env.AGENTGATE_API_KEY, endpoint: 'https://agent-gate-rho.vercel.app/api/evaluate-action', onDeny: (toolName, args, policyId) => console.log('Blocked:', toolName, policyId), onApprovalRequired: (toolName, args) => console.log('Awaiting approval:', toolName) });

await securedAgent.run('Research competitors and update the CRM');

Dashboard

https://agent-gate-rho.vercel.app provides:

Agent management and API key rotation
AI Policy Wizard: describe rules in plain English, Gemini generates the regex
Real-time audit log via Firestore onSnapshot
Approval queue with one-click approve or deny

Getting started

Sign up free at https://agent-gate-rho.vercel.app
Create an agent and copy the API key
npm install @agentgate/openclaw-guard
Wrap your agent with withAgentGate
Define policies in the dashboard using the AI Wizard
Watch the real-time audit log as your agent runs

Pricing

Free: 1 agent, 500 evaluations/month, 7-day audit log. No credit card required.

安全使用建议

Before installing or using this skill, consider the following: (1) The SKILL.md requires an AGENTGATE_API_KEY and installing an npm package, but the registry metadata does not declare those — ask the publisher to explicitly list required env vars and provide the package source code. (2) This skill forwards full serialized tool arguments (which may contain secrets, file contents, Stripe amounts, SMTP data, etc.) to a remote endpoint and stores audit logs in Firestore — verify the remote service's privacy, retention, and access controls, and whether payloads are redacted or encrypted. (3) Review the source for @agentgate/openclaw-guard and the cloud functions (or ask for an auditable deployment), and only install from a verified, pinned package/version. (4) If you must test, run in an isolated environment with non-production credentials and limited data, rotate any API keys used, and monitor agent/audit logs closely. (5) If your threat model requires that sensitive data never leaves your environment, prefer a local-only enforcement solution or require the publisher to provide an on-prem/self-host option and a security whitepaper explaining data flows. If the publisher cannot provide clear provenance and data-handling guarantees, treat this skill as high-risk.

功能分析

Type: OpenClaw Skill Name: agentgate-security Version: 1.0.0 The skill bundle describes 'AgentGate', a security firewall that intercepts OpenClaw agent tool calls. It is classified as suspicious because its core functionality involves sending sensitive data, specifically the agent API key and serialized tool arguments, to an external third-party endpoint (https://agent-gate-rho.vercel.app/api/evaluate-action) for policy evaluation. While this is presented as a security feature in SKILL.md, it introduces a significant trust boundary and a high-risk supply chain vulnerability. A compromised or malicious external service could exfiltrate sensitive data or manipulate agent behavior, even though the provided documentation does not show explicit malicious intent from the skill itself.

能力评估

⚠ Purpose & Capability

The SKILL.md describes a networked firewall that forwards agent API key, tool name, and serialized arguments to a remote cloud function and stores logs in Firestore. That capability would legitimately require an API key, endpoint config, and installable SDK; however the registry metadata declares no required env vars, no install spec, and no homepage even though the SKILL.md includes a specific endpoint/website. The absence of declared credentials and install info is inconsistent with the described purpose.

⚠ Instruction Scope

Instructions explicitly tell integrators to send the agent API key and JSON.stringify(args) to a remote endpoint on every tool call, to poll Firestore every 2s for approvals, and to trigger Telegram webhooks. That means potentially sensitive data (shell commands, HTTP request bodies, filesystem contents, Stripe args, emails, etc.) will be transmitted to an external service — there is no mention of encryption, minimization, access/retention policies, or what fields are redacted. The SKILL.md also instructs installing and using an npm SDK but provides no code or provenance for that package inside the registry.

ℹ Install Mechanism

This is an instruction-only skill (no install spec in registry), yet SKILL.md tells users to npm install @agentgate/openclaw-guard and to sign up at a vercel.app dashboard. Installing an npm package from the public registry is a common pattern, but the registry should declare that dependency and any required environment configuration. The lack of an install spec and lack of code in the package bundle means the user must trust an external npm package and the remote service.

⚠ Credentials

The runtime flow requires an AGENTGATE_API_KEY (used on every tool call) and likely service-specific credentials (Firestore, Telegram/webhook config). Yet the skill metadata lists no required env vars or primary credential. Requesting an API key that will receive full serialized tool arguments (potentially secrets) is high-privilege and should be explicitly declared and justified — it is not.

ℹ Persistence & Privilege

The skill does not request 'always' presence and leaves autonomous invocation enabled (normal). It will, however, be implemented as a wrapper on the agent's tool-execution path and thus intercepts all calls. That interception behavior is consistent with the stated purpose, but combined with the remote-forwarding design it increases the blast radius because every tool call and the agent API key are transmitted off-host.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install agentgate-security
安装完成后，直接呼叫该 Skill 的名称或使用 /agentgate-security 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

v1.0.0 - Initial public release. Ships with: policy evaluation engine (ALLOW/DENY/REQUIRE_APPROVAL), Firebase Firestore rule storage, real-time audit log dashboard, AI Policy Wizard that converts plain English descriptions into regex rules, and Telegram webhook approval notifications. Tested against OpenClaw bash, browser, and fetch tool types.

元数据

Slug agentgate-security

版本 1.0.0

许可证 —

累计安装 5

当前安装数 5

历史版本数 1

常见问题