← 返回 Skills 市场

GovernClaw Policy Enforcer

Name: GovernClaw Policy Enforcer
Author: aakash2289

作者 aakash2289 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

112

总下载

当前安装

版本数

在 OpenClaw 中安装

/install governclaw-middleware

功能描述

Governance middleware for OpenClaw agents. Wraps HTTP, shell, file, and browser actions with policy checks via GovernClaw before execution. Required tools -...

使用说明 (SKILL.md)

GovernClaw Middleware

This skill provides governed wrappers for sensitive operations. It acts as a policy enforcement layer between agents and external systems.

When to Use This Skill

You MUST use governed tools from this skill instead of raw tools when:

Calling external HTTP APIs (governedHttp instead of http)
Running shell commands (governedShell - future)
Reading/writing files (governedFile - future)
Controlling a browser (governedBrowser - future)

How It Works

You call a governed tool (e.g., governedHttp)
The skill sends your request metadata to GovernClaw for policy evaluation
GovernClaw returns allow or block with a reason
If allowed: the underlying operation executes and returns results
If blocked: the operation is cancelled and you receive a block reason

Available Tools

governedHttp

Makes HTTP requests through the GovernClaw policy engine.

Parameters:

method (string): HTTP method - "GET", "POST", "PUT", "DELETE"
url (string): Target URL
body (object, optional): Request body for POST/PUT
headers (object, optional): Custom headers

Returns:

On success: The HTTP response from the target
On block: { ok: false, blocked: true, reason: "..." }

Example:

const result = await context.tools.governclawMiddleware.governedHttp({
  method: "GET",
  url: "https://api.example.com/data"
});

if (result.blocked) {
  // Handle policy block
  console.log("Blocked:", result.reason);
}

Configuration

Set the GovernClaw service URL in your environment:

export GOVERNCLAW_URL="http://127.0.0.1:8000"

Or in openclaw.json:

{
  "skills": {
    "governclaw-middleware": {
      "env": {
        "GOVERNCLAW_URL": "http://127.0.0.1:8000"
      }
    }
  }
}

Governance Context

The skill automatically forwards these context fields to GovernClaw:

parent_id: The session ID (who owns the request)
child_id: The agent ID (who is making the request)
source: Where the request originated (agent, control, cron, etc.)
channel: The channel ID (if applicable)
node_id: The node ID (if applicable)
skill: Always "governclaw-middleware"

Error Handling

Always check for blocked in responses:

const response = await context.tools.governclawMiddleware.governedHttp({...});

if (!response.ok && response.blocked) {
  // Policy violation - do not retry
  return { error: response.reason };
}

if (!response.ok) {
  // Network or other error - may retry
  return { error: "Request failed" };
}

// Success
return response.data;

Policy Modes

GovernClaw supports three governance modes:

playground: Log-only, actions always allowed
governed: Default mode, enforce policies
strict: Block on any uncertainty

The skill defaults to governed mode. Future versions may allow per-request mode overrides.

安全使用建议

This skill is coherent for enforcing policies, but you must trust the GovernClaw endpoint you configure. Before installing or enabling it: 1) Ensure GOVERNCLAW_URL points to a trusted, secure policy server (default is localhost for local testing). 2) Confirm the policy server's privacy/security practices — the skill will forward full request bodies and headers (including Authorization tokens and any sensitive data) along with session/agent identifiers. 3) If you require redaction of secrets, implement or request a GovernClaw policy or wrapper that strips/sanitizes headers and sensitive fields. 4) Note the small metadata inconsistency: the registry metadata doesn't mark GOVERNCLAW_URL as required although SKILL.md and the code use it (with a default). 5) Test in a safe environment (playground mode or local GovernClaw) before enabling for agents that handle sensitive data.

功能分析

Type: OpenClaw Skill Name: governclaw-middleware Version: 1.0.0 The skill implements a governance middleware that intercepts HTTP requests to validate them against a policy engine. It sends full request metadata, including potentially sensitive headers and bodies, to a configurable endpoint (defaulting to http://127.0.0.1:8000/govern_action). While this aligns with the stated purpose, the implementation in index.ts uses the 'axios' library for its own network calls instead of the standard OpenClaw 'http' tool, which bypasses the agent's internal logging and control mechanisms. Additionally, the 'effective_payload' feature allows the remote governance server to silently modify the agent's outgoing requests, posing a risk of unauthorized redirection or data manipulation.

能力评估

✓ Purpose & Capability

The code and SKILL.md implement a governed HTTP wrapper (governedHttp) that asks a GovernClaw endpoint for allow/block decisions before executing HTTP requests via the runtime's http tool. There are no unrelated binaries, credentials, or install steps requested. The implementation matches the stated purpose.

ℹ Instruction Scope

The instructions and code forward request metadata (url, method, headers, body) plus runtime context fields (session/agent/source/channel/node ids) to the GovernClaw endpoint. This is consistent with a governance proxy, but it means sensitive headers and bodies (Authorization tokens, API keys, private data) will be transmitted to the GovernClaw service. SKILL.md does not specify any redaction or sanitization policy.

✓ Install Mechanism

No install spec is present (instruction-only skill with a single index.ts file). No downloads or archive extraction occur. This is low risk from an installation perspective.

ℹ Credentials

The registry metadata lists no required env vars, but both SKILL.md and the code reference GOVERNCLAW_URL (default http://127.0.0.1:8000). This is reasonable and proportional for a governance proxy, but the skill will send full request payloads and context fields to that endpoint, so the environment-configured URL must be trusted. The mismatch between registry metadata (no required env) and SKILL.md (mentions GOVERNCLAW_URL) is a minor inconsistency.

✓ Persistence & Privilege

always is false and the skill does not request persistent system-level privileges or modify other skills' configs. It does not write files or install background services. Autonomous invocation is allowed (platform default) but not an additional privilege granted by this skill.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install governclaw-middleware
安装完成后，直接呼叫该 Skill 的名称或使用 /governclaw-middleware 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

GovernClaw Middleware 1.0.0 – initial release - Introduces governed wrappers for sensitive operations, starting with governedHttp (HTTP requests with policy checks). - Mediates HTTP requests through the GovernClaw policy engine, blocking or allowing each request. - Provides clear error signaling and standardized block reasons in responses. - Configuration via GOVERNCLAW_URL environment variable or openclaw.json. - Automatically forwards session context and agent identification with each request for governance.

元数据

Slug governclaw-middleware

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题