lawyered0

Enterprise Legal Guardrails Public

Author: Lawyered · GitHub ↗ · v1.0.13
cross-platform ⚠ suspicious
Total downloads: 709
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install enterprise-legal-guardrails-public
Description
Legal/compliance guardrails for outbound OpenClaw actions (anti-spam, defamation, privacy, financial claims).
Usage instructions (SKILL.md)

Enterprise Legal Guardrails

Use this skill to preflight bot output before posting, messaging, or publishing anything that could create legal/compliance risk.

What it is

A generic outbound guardrail checker that workflows run before executing actions such as post/comment/message/chat/send in any app.

When to use

  • Before create_post, create_comment, send_message, or equivalent publish actions.
  • Before market-related commentary, strategy claims, or price/certainty statements.
  • Before HR-sensitive or workplace-adjacent messaging.
  • Before anti-spam or coordination-heavy communications.
  • Before handling or exposing personal identifiers.

Workflow

  1. Draft text.
  2. Run the checker with the matching action/profile.
  3. If result is PASS/WATCH, proceed.
  4. If REVIEW, rewrite or route for human/legal review.
  5. If BLOCK, do not execute.

Use it as a shared OpenClaw outbound safety layer for any skill that publishes content. Babylon is only one current integration example, not the primary purpose of the skill.

Quick usage

python3 scripts/check_enterprise_guardrails.py \
  --action post \
  --app <app_name> \
  --policies social antispam hr \
  --text "Draft text here"

python3 scripts/check_enterprise_guardrails.py \
  --action comment \
  --scope include \
  --apps whatsapp,telegram \
  --text "Draft text here"

python3 scripts/check_enterprise_guardrails.py \
  --action market-analysis \
  --text "Market commentary..." \
  --json

App scope (global filtering)

Scope applies to any app-context passed with --app and these env vars (legacy names preserved for compatibility):

  • ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_SCOPE (all|include|exclude)
  • ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_APPS (comma-separated list)
  • BABYLON_GUARDRAILS_SCOPE
  • BABYLON_GUARDRAILS_OUTBOUND_SCOPE
  • BABYLON_GUARDRAILS_APPS

Examples:

  • all: check all outbound content.
  • include + whatsapp,email: only check those apps.
  • exclude + whatsapp,email,moltbook,babylon: everything except these apps.

If scope is omitted, default is all.

Profiles

  • social: public social text, comments, announcements.
  • antispam: unsolicited/pumping/coordinating messaging.
  • hr: workplace, hiring, performance, or employee conduct language.
  • privacy: personally identifying data and private information disclosures.
  • market: market/financial claims and outcome assertions.
  • legal: legal conclusions/implication language.

If no profile is provided, defaults are derived from --action:

  • post|comment|message → social,legal
  • trade|market-analysis → market,financial
  • generic → legal,social

Output

  • PASS: safe to execute
  • WATCH: low risk; optional rewrite
  • REVIEW: human/legal review recommended
  • BLOCK: do not execute

Tuning

You can tune decision sensitivity via environment variables (or CLI flags in direct runs):

  • ENTERPRISE_LEGAL_GUARDRAILS_REVIEW_THRESHOLD (default: 5)
  • ENTERPRISE_LEGAL_GUARDRAILS_BLOCK_THRESHOLD (default: 9)

CLI overrides:

  • --review-threshold
  • --block-threshold

Legacy env-name aliases are also supported: ELG_* and BABYLON_GUARDRAILS_*.

Universal outbound adapter (no-native integration path)

For skills/tools without native guardrail hooks (for example: Gmail, custom website publishing, custom message bots), run outbound operations through the wrapper:

python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py \
  --app <app_name> \
  --action <post|comment|message|trade|market-analysis|generic> \
  --text "$DRAFT" \
  -- <outbound command...>

Examples:

# Gmail via gog
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py \
  --app gmail --action message \
  --text "Hello, ..." \
  -- gog gmail send --to [email protected] --subject "Update" --body "Hello, ..."

# Website/publication publish flow
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py \
  --app website --action post \
  --text "$POST_COPY" \
  -- npm run publish-post "$POST_COPY"

Use this wrapper to apply the same policy checks in non-Babylon outbound flows.

Compatibility

Legacy name legal-risk-checker is preserved in OpenClaw workspaces that still reference it.

References

See references/guardrail-policy-map.md for the full policy rule set and suggested rewrites.

Packaging

A distributable bundle is available at:

  • dist/enterprise-legal-guardrails.skill

Hardening controls for guard_and_run.py

For non-native outbound integrations, treat guard_and_run as an execution boundary.

Execution safety is allowlist-first by default: the wrapper requires an explicit --allowed-command (or its env alias) unless --allow-any-command is explicitly enabled.

Recommended flags/env:

  • --allow-any-command / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND
    • Explicitly bypass allowlist enforcement (unsafe; audit-first use only).
  • --suppress-allow-any-warning / ENTERPRISE_LEGAL_GUARDRAILS_SUPPRESS_ALLOW_ANY_WARNING
    • Suppresses the runtime safety warning when --allow-any-command is intentionally enabled.
  • --allow-any-command-reason / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_REASON
    • Mandatory rationale for any allow-any bypass invocation. Suggested format: SEC-1234: emergency fix.
  • --allow-any-command-approval-token / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_APPROVAL_TOKEN
    • Mandatory approval token for any allow-any bypass invocation; stored as a short token fingerprint in audit logs.
  • --allowed-command <exe...> / ENTERPRISE_LEGAL_GUARDRAILS_ALLOWED_COMMANDS
    • Allow-list executables (supports comma/space lists and wildcards).
  • --strict / ENTERPRISE_LEGAL_GUARDRAILS_STRICT
    • Escalate REVIEW to hard block.
  • --sanitize-env
  • --keep-env <VAR...> / --keep-env-prefix <PREFIX...>
  • --command-timeout, --checker-timeout, --max-text-bytes
  • --audit-log <file> / ENTERPRISE_LEGAL_GUARDRAILS_AUDIT_LOG

These flags provide execution safety, command scoping, and an immutable trail for post-incident review without changing checker logic.
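
To make the execution-boundary idea concrete, here is an added sketch (not code from guard_and_run.py or from the skill's author) of an allowlist-first gate with environment sanitization and strict-mode escalation. All function names are hypothetical, the sample values are constructed, and holding a non-strict REVIEW for human review is an assumption taken from the Workflow section.

```python
import fnmatch

def parse_allowlist(raw):
    """Split a comma/space separated allow-list string into patterns."""
    return raw.replace(",", " ").split()

def command_allowed(argv, patterns):
    """Allowlist-first: no patterns means nothing may run."""
    if not argv:
        return False
    exe = argv[0]
    for pat in patterns:
        # fnmatch's "*" also matches "/", so a bare-name pattern such as
        # "g*" must never be applied to a path like "g/../bin/sh".
        if "/" in exe and "/" not in pat:
            continue
        if fnmatch.fnmatchcase(exe, pat):
            return True
    return False

def sanitized_env(env, keep=("PATH",), keep_prefixes=()):
    """Pass only named variables (or named prefixes) to the child process."""
    return {k: v for k, v in env.items()
            if k in keep or any(k.startswith(p) for p in keep_prefixes)}

def gate(verdict, argv, patterns, strict=False):
    """Return (decision, reason); decision is 'run', 'hold' or 'deny'."""
    if verdict == "BLOCK":
        return "deny", "checker verdict BLOCK"
    if verdict == "REVIEW":
        if strict:
            return "deny", "REVIEW escalated to block by strict mode"
        return "hold", "route for human/legal review"  # assumption, see lead-in
    if verdict not in ("PASS", "WATCH"):
        return "deny", "unknown verdict"  # fail closed
    if not command_allowed(argv, patterns):
        return "deny", "executable not in allowlist"
    return "run", "ok"

# Constructed sample input, not output of the real tool.
ALLOW = parse_allowlist("gog, npm node*")
PARENT_ENV = {"PATH": "/usr/bin", "AWS_SECRET_ACCESS_KEY": "x", "GOG_TOKEN": "t"}

if __name__ == "__main__":
    print(gate("PASS", ["gog", "gmail", "send"], ALLOW))
    print(gate("PASS", ["/tmp/x/gog"], ALLOW))
    print(gate("REVIEW", ["gog"], ALLOW, strict=True))
    print(sanitized_env(PARENT_ENV, keep_prefixes=("GOG_",)))
```

When reviewing a real wrapper, check the same three properties: an empty allowlist denies everything, wildcard patterns cannot match across path separators, and the child process receives only the variables named in the keep list.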

Security usage recommendations
This package appears to be what it says: a local, deterministic guardrail checker plus a wrapper that will run allowed outbound commands. Before installing or enabling it in production:

  1. Verify the repository/source and review the Python files yourself (they run locally and spawn subprocesses).
  2. Configure an explicit allowlist (ENTERPRISE_LEGAL_GUARDRAILS_ALLOWED_COMMANDS or --allowed-command); do not enable --allow-any-command in production.
  3. Enable sanitize-env and configure keep-env/keep-prefix conservatively so sensitive credentials are not leaked to spawned commands.
  4. Configure audit logging (ENTERPRISE_LEGAL_GUARDRAILS_AUDIT_LOG) and review logs regularly.
  5. If you permit autonomous agent invocation of this skill, ensure the allowlist and strict mode are appropriate for your threat model.

If you want to be extra cautious, run the checker only (no guard_and_run) or require human review for REVIEW outcomes.
Functional analysis
Type: OpenClaw Skill
Name: enterprise-legal-guardrails-public
Version: 1.0.13

The skill provides a guardrail checker (`check_enterprise_guardrails.py`) which is benign, but also includes a wrapper script (`guard_and_run.py`) that executes arbitrary commands after performing checks. While `guard_and_run.py` implements extensive hardening controls such as command allowlisting, environment sanitization, timeouts, and audit logging, the capability to execute arbitrary commands (via `subprocess.run` in `scripts/guard_and_run.py`) presents a significant vulnerability surface. The `--allow-any-command` flag, though heavily guarded with mandatory reasons, approval tokens, and warnings, explicitly bypasses the command allowlist, creating a potential for remote code execution if misconfigured or misused. This high-risk capability, even with defensive intent and robust controls, warrants a 'suspicious' classification due to the inherent RCE risk.
Capability assessment
Purpose & Capability
Name/description align with code and SKILL.md: deterministic text rules, profiles, thresholds, and a wrapper to gate execution of outbound commands. Nothing in the package requests unrelated credentials, binaries, or platform access.
Instruction Scope
Runtime instructions are focused on preflight checks for outbound text and providing a guard_and_run wrapper to execute allowed commands after checks. The wrapper will run subprocesses and can sanitize the environment and write audit logs; this is expected for a universal outbound adapter but is an area to review in deployment (see guidance).
Install Mechanism
No install spec (instruction-only packaging) and the code is dependency-free Python scripts. Nothing is downloaded from an external URL during install.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md and scripts reference multiple optional tuning env vars (scopes, thresholds, allowlist, audit-log, approval token) that are proportionate to a guardrail wrapper's configuration—no unrelated secret exfiltration variables are requested.
Persistence & Privilege
always:false and model invocation is allowed (platform default). The only elevated capability is the guard_and_run wrapper's ability to execute configured subprocesses; this is intentionally the skill's purpose and the code enforces allowlist checks, sanitize-env, and audit logging. Ensure these controls are configured before enabling autonomous invocation in production.
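How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the dialog box: /install enterprise-legal-guardrails-public
  3. Once installation completes, call the Skill by name or trigger it with /enterprise-legal-guardrails-public
  4. Provide the required input according to the Skill's parameter description to get structured output.
Version history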
v1.0.13
enterprise-legal-guardrails-public 1.0.13

  • Added comprehensive SKILL.md documentation explaining usage, workflow, configuration, and security guidelines.
  • Clarified app scope options, profiles, sensitivity tuning, and output meanings.
  • Documented universal outbound adapter for non-native integration use cases.
  • Listed recommended hardening controls for outbound wrapper execution.
  • Provided guidance for legacy compatibility and references.
Metadata
Slug enterprise-legal-guardrails-public
Version 1.0.13
License
Total installs 0
Current installs 0
Version count 1
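Frequently asked questions

What is Enterprise Legal Guardrails Public?

Legal/compliance guardrails for outbound OpenClaw actions (anti-spam, defamation, privacy, financial claims). It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 709 total downloads to date.

How do I install Enterprise Legal Guardrails Public?

Run the command "/install enterprise-legal-guardrails-public" in the OpenClaw or Claude Code dialog box to install it in one step; no additional configuration is required.

Is Enterprise Legal Guardrails Public free?

Yes, Enterprise Legal Guardrails Public is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Enterprise Legal Guardrails Public support?

Enterprise Legal Guardrails Public runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Enterprise Legal Guardrails Public?

It is developed and maintained by Lawyered (@lawyered0); the current version is v1.0.13.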
