← 返回 Skills 市场
bharathjanumpally

Claw Permission Firewall

作者 bharathjanumpally · GitHub ↗ · v1.0.0
cross-platform ✓ 安全检测通过
1614
总下载
1
收藏
3
当前安装
1
版本数
在 OpenClaw 中安装
/install claw-permission-firewall
功能描述
Evaluates agent actions for security risks, enforcing least-privilege policies with allow, deny, or confirmation decisions and secret redaction.
使用说明 (SKILL.md)

Claw Permission Firewall

Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:

  • ALLOW (safe to execute)
  • DENY (blocked by policy)
  • NEED_CONFIRMATION (risky; require explicit confirmation)

It also returns a sanitizedAction with secrets redacted, plus a structured audit record.

This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.

What it protects against

  • Exfiltration to unknown domains
  • Prompt-injection “send secrets” attempts (secret detection + redaction)
  • Reading sensitive local files (~/.ssh, ~/.aws, .env, etc.)
  • Unsafe execution patterns (rm -rf, curl | sh, etc.)

Inputs

Provide an action object to evaluate:

{
  "traceId": "optional-uuid",
  "caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
  "action": {
    "type": "http_request | file_read | file_write | exec",
    "method": "GET|POST|PUT|DELETE",
    "url": "https://api.github.com/...",
    "headers": { "authorization": "Bearer ..." },
    "body": "...",
    "path": "./reports/out.json",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
    "mode": "strict | balanced | permissive",
    "confirmed": false
  }
}

Outputs

{
  "decision": "ALLOW | DENY | NEED_CONFIRMATION",
  "riskScore": 0.42,
  "reasons": [{"ruleId":"...","message":"..."}],
  "sanitizedAction": { "...": "..." },
  "confirmation": { "required": true, "prompt": "..." },
  "audit": { "traceId":"...", "policyVersion":"...", "actionFingerprint":"..." }
}

Default policy behavior (v1)

  • Exec disabled by default
  • HTTP requires TLS
  • Denylist blocks common exfil hosts (pastebins, raw script hosts)
  • File access is jailed to workspaceRoot
  • Always redacts Authorization, Cookie, X-API-Key, and common token patterns

Recommended usage pattern

  1. Your skill creates an action object.
  2. Call this skill to evaluate it.
  3. If ALLOW → execute sanitizedAction.
  4. If NEED_CONFIRMATION → ask user and re-run with context.confirmed=true.
  5. If DENY → stop and show the reasons.

Files

  • policy.yaml contains the policy (edit for your environment).
安全使用建议
This skill appears to do what it says: evaluate actions, redact secrets, and produce an audit record. Before installing or enabling it: 1) Review and edit policy.yaml to ensure allow/deny lists and thresholds match your security posture (especially allowDomains and denyPathPrefixes). 2) Note it reads the local policy.yaml and process.env.HOME to expand ~ prefixes — ensure the policy file and HOME are trustworthy. 3) Exec is disabled by default; if you enable exec in policy, treat the skill as high-risk and review denyPatterns carefully. 4) Test in a safe environment to validate redaction and false-positive behavior (JWT/AWS regexes can produce false matches). 5) Keep the policy file under your control (do not let untrusted skills/users modify it), since policy changes change the skill's decisions.
功能分析
Type: OpenClaw Skill Name: claw-permission-firewall Version: 1.0.0 The OpenClaw AgentSkills skill bundle 'claw-permission-firewall' is a security tool designed to enforce least-privilege policies for agent actions. It explicitly aims to prevent data exfiltration, block access to sensitive files (e.g., `~/.ssh`, `~/.aws`, `.env`), deny dangerous command execution (`rm -rf`, `curl | sh`), and redact secrets. The `policy.yaml` file contains rules to deny common exfiltration domains like `pastebin.com` and `raw.githubusercontent.com`. The `SKILL.md` and `README.md` clearly describe its protective functions and do not contain any prompt injection attempts. All code and configuration files align with the stated purpose of a security firewall.
能力评估
Purpose & Capability
Name/behavior align: the package implements HTTP/file/exec gating, redaction, risk scoring, and auditing as described in SKILL.md and policy.yaml. All required files and dependencies (js-yaml, minimatch) are consistent with parsing policy and matching globs/domains.
Instruction Scope
SKILL.md directs callers to build an action object and call evaluate; the code implements only action evaluation/redaction/audit. It does not instruct reading unrelated system secrets or sending telemetry. The skill does read policy.yaml (local) and uses context.workspaceRoot and process.env.HOME to expand deny prefixes — these are reasonable for enforcing file path rules.
Install Mechanism
No install spec is declared (instruction-only at runtime). Source files and package.json are present but there is no remote download or extract step; dependencies are standard npm libs. No high-risk install URLs or arbitrary remote code fetches are used.
Credentials
The skill requests no environment variables or credentials. It does read process.env.HOME (to expand ~ in deny prefixes) and uses caller-provided context.workspaceRoot; this is proportional to its file-path enforcement role. Confirm your runtime supplies a correct workspaceRoot and that HOME access is acceptable in your environment.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It only reads local policy.yaml and uses in-memory evaluation/audit; it does not modify other skills or global agent configuration.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install claw-permission-firewall
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /claw-permission-firewall 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
## 1.0.0 - Initial release. - Policy-driven ALLOW / DENY / NEED_CONFIRMATION decisions. - Default strict mode, TLS required for HTTP. - Workspace-root file jail + denylist for sensitive locations. - Header + regex secret redaction. - Outbound secret detection and blocking. - Structured audit record per decision (traceId, policyVersion, fingerprint).
元数据
Slug claw-permission-firewall
版本 1.0.0
许可证
累计安装 3
当前安装数 3
历史版本数 1
常见问题

Claw Permission Firewall 是什么?

Evaluates agent actions for security risks, enforcing least-privilege policies with allow, deny, or confirmation decisions and secret redaction. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1614 次。

如何安装 Claw Permission Firewall?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install claw-permission-firewall」即可一键安装,无需额外配置。

Claw Permission Firewall 是免费的吗?

是的,Claw Permission Firewall 完全免费(开源免费),可自由下载、安装和使用。

Claw Permission Firewall 支持哪些平台?

Claw Permission Firewall 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Claw Permission Firewall?

由 bharathjanumpally(@bharathjanumpally)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论