功能描述

Legal/compliance guardrails for outbound OpenClaw actions (anti-spam, defamation, privacy, financial claims).

使用说明 (SKILL.md)

Enterprise Legal Guardrails

Name: Enterprise Legal Guardrails Public
Author: lawyered0

Use this skill to preflight bot output before posting, messaging, or publishing anything that could create legal/compliance risk.

What it is

A generic outbound guardrail checker used by workflows before execute actions such as post/comment/message/chat/send in any app.

When to use

Before create_post, create_comment, send_message, or equivalent publish actions.
Before market-related commentary, strategy claims, or price/certainty statements.
Before HR-sensitive or workplace-adjacent messaging.
Before anti-spam or coordination-heavy communications.
Before handling or exposing personal identifiers.

Workflow

Draft text.
Run the checker with the matching action/profile.
If result is PASS/WATCH, proceed.
If REVIEW, rewrite or route for human/legal review.
If BLOCK, do not execute.

Use it as a shared OpenClaw outbound safety layer for any skill that publishes content. Babylon is only one current integration example, not the primary purpose of the skill.

Quick usage

python3 scripts/check_enterprise_guardrails.py \
  --action post \
  --app \x3Capp_name> \
  --policies social antispam hr \
  --text "Draft text here"

python3 scripts/check_enterprise_guardrails.py \
  --action comment \
  --scope include \
  --apps whatsapp,telegram \
  --text "Draft text here"

python3 scripts/check_enterprise_guardrails.py \
  --action market-analysis \
  --text "Market commentary..." \
  --json

App scope (global filtering)

Scope applies to any app-context passed with --app and these env vars (legacy names preserved for compatibility):

ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_SCOPE (all|include|exclude)
ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_APPS (comma-separated list)
BABYLON_GUARDRAILS_SCOPE
BABYLON_GUARDRAILS_OUTBOUND_SCOPE
BABYLON_GUARDRAILS_APPS

Examples:

all: check all outbound content.
include + whatsapp,email: only check those apps.
exclude + whatsapp,email,moltbook,babylon: everything except these apps.

If scope is omitted, default is all.

Profiles

social: public social text, comments, announcements.
antispam: unsolicited/pumping/coordinating messaging.
hr: workplace, hiring, performance, or employee conduct language.
privacy: personally identifying data and private information disclosures.
market: market/financial claims and outcome assertions.
legal: legal conclusions/implication language.

If no profile is provided, defaults are derived from --action:

post|comment|message → social,legal
trade|market-analysis → market,financial
generic → legal,social

Output

PASS: safe to execute
WATCH: low risk; optional rewrite
REVIEW: human/legal review recommended
BLOCK: do not execute

Tuning

You can tune decision sensitivity via environment variables (or CLI flags in direct runs):

ENTERPRISE_LEGAL_GUARDRAILS_REVIEW_THRESHOLD (default: 5)
ENTERPRISE_LEGAL_GUARDRAILS_BLOCK_THRESHOLD (default: 9)

CLI overrides:

--review-threshold
--block-threshold

Legacy aliases are supported in legacy env names: ELG_* and BABYLON_GUARDRAILS_*.

Universal outbound adapter (no-native integration path)

For skills/tools without native guardrail hooks (for example: Gmail, custom website publishing, custom message bots), run outbound operations through the wrapper:

python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py   --app \x3Capp_name>   --action \x3Cpost|comment|message|trade|market-analysis|generic> --execute --text "$DRAFT"   -- \x3Coutbound command...>

Examples:

# Gmail via gog
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py   --app gmail --action message --execute --text "Hello, ..."   -- gog gmail send --to [email protected] --subject "Update" --body "Hello, ..."

# Website/publication publish flow
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py   --app website --action post --execute --text "$POST_COPY"   -- npm run publish-post "$POST_COPY"

Use this wrapper to apply the same policy checks in non-Babylon outbound flows.

Compatibility

Legacy name legal-risk-checker is preserved in OpenClaw workspaces that still reference it.

References

See references/guardrail-policy-map.md for the full policy rule set and suggested rewrites.

Packaging

A distributable bundle is available at:

dist/enterprise-legal-guardrails.skill

Hardening controls for `guard_and_run.py`

For non-native outbound integrations, treat guard_and_run as an execution boundary. Recommended flags/env:

Execution safety is allowlist-first by default. Wrapper requires explicit --allowed-command (or env alias) unless --allow-any-command is explicitly enabled.

--allow-any-command / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND
- Explicitly bypass allowlist enforcement (unsafe; audit-first use only).
--suppress-allow-any-warning / ENTERPRISE_LEGAL_GUARDRAILS_SUPPRESS_ALLOW_ANY_WARNING
- Suppresses the runtime safety warning when --allow-any-command is intentionally enabled.
--allow-any-command-reason / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_REASON
- Mandatory rationale for any allow-any bypass invocation. Suggested format: SEC-1234: emergency fix.
--allow-any-command-approval-token / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_APPROVAL_TOKEN
- Mandatory approval token for any allow-any bypass invocation; stored as a short token fingerprint in audit logs.
--allowed-command \x3Cexe...> / ENTERPRISE_LEGAL_GUARDRAILS_ALLOWED_COMMANDS
- Allow-list executables (supports comma/space lists and wildcards).
--execute / ENTERPRISE_LEGAL_GUARDRAILS_EXECUTE
- Enables execution after guard checks. Without this flag, runs are validation-only.
--strict / ENTERPRISE_LEGAL_GUARDRAILS_STRICT
- Escalate REVIEW to hard block.
--sanitize-env
--keep-env \x3CVAR...> / --keep-env-prefix \x3CPREFIX...>
--command-timeout, --checker-timeout, --max-text-bytes
--audit-log \x3Cfile> / ENTERPRISE_LEGAL_GUARDRAILS_AUDIT_LOG

These flags provide execution safety, command scoping, and immutable trail for post-incident review without changing checker logic.

安全使用建议

This skill appears to do what it claims: a local, rule-based preflight checker plus a guarded 'guard_and_run' adapter to execute outbound commands under allowlist and audit controls. Before installing: 1) Confirm you will not enable the '--allow-any-command' escape hatch in production; it bypasses the allowlist and should only be used with explicit approval tokens and auditing. 2) Configure allowed commands and sanitize environment (ENTERPRISE_LEGAL_GUARDRAILS_ALLOWED_COMMANDS, --sanitize-env / --keep-env) so secrets or unrelated env vars are not passed to executed binaries. 3) Place audit logs on a secure path and verify they don't inadvertently store raw sensitive drafts in your environment. 4) Review the allowlist and approval-token practices to ensure tokens are appropriately managed. If you follow those precautions, the skill is coherent and appropriate for outbound guardrail use.

功能分析

Type: OpenClaw Skill Name: enterprise-legal-guardrails Version: 1.0.20 The OpenClaw AgentSkills skill bundle 'enterprise-legal-guardrails' is designed as a security-enhancing tool to prevent harmful outbound communications. The `check_enterprise_guardrails.py` script performs local, dependency-free content analysis using regex rules to detect legal, financial, privacy, and harassment risks. The `guard_and_run.py` wrapper script acts as a secure execution gate, implementing robust controls such as command allowlisting, environment sanitization, explicit execution flags, and comprehensive audit logging. While it includes a powerful `--allow-any-command` bypass, this feature is heavily hardened with mandatory rationale, approval tokens, and detailed logging, indicating a deliberate security design for an override rather than malicious intent. The `SKILL.md` and `README.md` documentation clearly outline these security features and their usage, and extensive tests confirm their functionality.

能力评估

✓ Purpose & Capability

Name/description match the code and SKILL.md: the repository contains a local rule-based checker and a wrapper for executing outbound commands under guardrail controls. There are no unrelated credentials, networks, or cloud SDKs requested.

✓ Instruction Scope

Runtime instructions tell the agent to run the included checker and/or wrapper on draft text before publishing; the scripts only read provided text, optional files/stdin, env config, and run subprocesses. There are no instructions to collect or transmit unrelated system secrets or call external services.

✓ Install Mechanism

Instruction-only skill with no install spec. Code files are included but there is no remote download/installation during install time. Low install risk.

ℹ Credentials

No required env vars declared in registry. The SKILL.md and scripts support many optional env flags for tuning and an approval/allowlist model (e.g., ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND and approval token). These are reasonable for an execution wrapper but should be managed carefully — enabling allow-any-command and permissive keep-env settings could expose downstream commands to sensitive env vars.

ℹ Persistence & Privilege

always:false (normal). The wrapper can execute arbitrary subprocesses when explicitly configured (allowlist controls and approval-token requirements are present). Autonomous invocation of the skill is allowed by default on the platform, which is expected — but if integrated without strict allowlists or with allow-any-command enabled, the blast radius increases.

版本历史

v1.0.20

**Added explicit --execute flag requirement for guard_and_run.py wrapper commands** - The guard_and_run.py script now requires the explicit --execute flag to actually run outbound commands; without it, runs are validation-only. - Documentation and usage examples in SKILL.md updated to include the new --execute requirement. - Clarified help text and usage guidance to reduce the risk of accidental command execution. - Tests updated to cover --execute flag enforcement.

v1.0.19

No file or documentation changes detected in this release. - No changes from the previous version; this is a maintenance release. - Behavior and documentation remain unchanged from version 1.0.18.

v1.0.18

## enterprise-legal-guardrails 1.0.18 - Added new test script: `scripts/tests_guard_and_run.py`. - No breaking changes to core guardrail logic or command-line interface. - Documentation and hardening controls unchanged.

v1.0.17

- Improved execution boundary handling and safety checks in guard_and_run.py. - Updated and enhanced tests for guard_and_run.py to ensure stricter policy enforcement. - No changes to user-facing policy logic or guardrail checking workflow.

v1.0.16

- Improved test coverage and robustness for the guard_and_run.py execution wrapper. - Minor code and logic updates in guard_and_run.py to support stricter and more predictable integration boundary checks. - Updated and refactored associated test cases in scripts/tests_guard_and_run.py.

v1.0.15

**Summary:** Improved hardening for command execution in universal outbound guardrail wrapper. - Added strict enforcement for mandatory flags when using `--allow-any-command` in `guard_and_run.py`. - Now requires both `--allow-any-command-reason` and `--allow-any-command-approval-token` for any allow-any bypass. - Improved warnings and error messaging for unsafe flag usage. - Updated tests in `tests_guard_and_run.py` to cover new enforcement scenarios. - No changes to checker policy logic or default outbound flows.

v1.0.14

- Improved error and exit handling in guard_and_run.py for more reliable shell execution and clearer CLI outcomes. - Enhanced test coverage in scripts/tests_guard_and_run.py to validate exit codes and subprocess failures. - No breaking changes to guardrail logic or CLI flags; compatibility with existing integrations is preserved.

v1.0.12

Visibility refresh republish to refresh ClawHub index

v1.0.11

Fix allow-any bypass semantics in guard_and_run: allowlist checks are skipped only when allow-any is explicitly enabled. Add regression test coverage (12f) to confirm bypass behavior while preserving normal allowlist enforcement.

v1.0.10

Require explicit approval token for allow-any command bypass and enforce ticket-like rationale format. Persist only token fingerprint in audit logs for compliance traceability.

v1.0.9

Require explicit rationale for allow-any bypass via --allow-any-command-reason/env alias, log bypass reason in audit trail, and add regression coverage for reason enforcement/suppression. No guardrail logic changes.

v1.0.8

Add explicit suppress flag for allow-any runtime warning and document/validate warning control path. No guardrail logic changes; no additional escape hatches added beyond explicit opt-in behavior.

v1.0.7

Hardened guard_and_run default posture: require explicit command allowlist unless explicitly allow-any; added allow-any escape hatch and audit trace fields, plus docs/examples and regression updates.

v1.0.6

Expanded guard_and_run regression tests and edge-case assertions for command gate, allowlists, timeouts, strict mode, and audit logging behavior. No runtime logic changes beyond test coverage.

v1.0.5

Harden guard_and_run: allowlists, timeouts, sanitized env, audit logging, and tests.

v1.0.4

Add native wrapper coverage for broader outbound non-native flows; document and test the adapter.

v1.0.3

Add command-adapter wrapper (guard_and_run) for non-native outbound integrations + regression tests.

v1.0.2

Shorten SKILL.md description to avoid catalog truncation

v1.0.1

Republish to refresh public index visibility

v1.0.0

Initial public OpenClaw skill for outbound legal/compliance guardrails

元数据

Slug enterprise-legal-guardrails

版本 1.0.20

许可证 —

累计安装 3

当前安装数 3

历史版本数 20

常见问题