Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
GovernClaw Policy Enforcer
v1.0.0
Governance middleware for OpenClaw agents. Wraps HTTP, shell, file, and browser actions with policy checks via GovernClaw before execution. Required tools -...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
The code and SKILL.md implement a governed HTTP wrapper (governedHttp) that asks a GovernClaw endpoint for allow/block decisions before executing HTTP requests via the runtime's http tool. There are no unrelated binaries, credentials, or install steps requested. The implementation matches the stated purpose.
Instruction Scope
The instructions and code forward request metadata (url, method, headers, body) plus runtime context fields (session/agent/source/channel/node ids) to the GovernClaw endpoint. This is consistent with a governance proxy, but it means sensitive headers and bodies (Authorization tokens, API keys, private data) will be transmitted to the GovernClaw service. SKILL.md does not specify any redaction or sanitization policy.
Install Mechanism
No install spec is present (instruction-only skill with a single index.ts file). No downloads or archive extraction occur. This is low risk from an installation perspective.
Credentials
The registry metadata lists no required env vars, but both SKILL.md and the code reference GOVERNCLAW_URL (default http://127.0.0.1:8000). This is reasonable and proportional for a governance proxy, but the skill will send full request payloads and context fields to that endpoint, so the environment-configured URL must be trusted. The mismatch between registry metadata (no required env) and SKILL.md (mentions GOVERNCLAW_URL) is a minor inconsistency.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or modify other skills' configs. It does not write files or install background services. Autonomous invocation is allowed (platform default) but not an additional privilege granted by this skill.
Assessment
This skill is coherent for enforcing policies, but you must trust the GovernClaw endpoint you configure. Before installing or enabling it:
1) Ensure GOVERNCLAW_URL points to a trusted, secure policy server (default is localhost for local testing).
2) Confirm the policy server's privacy/security practices — the skill will forward full request bodies and headers (including Authorization tokens and any sensitive data) along with session/agent identifiers.
3) If you require redaction of secrets, implement or request a GovernClaw policy or wrapper that strips/sanitizes headers and sensitive fields.
4) Note the small metadata inconsistency: the registry metadata doesn't mark GOVERNCLAW_URL as required although SKILL.md and the code use it (with a default).
5) Test in a safe environment (playground mode or local GovernClaw) before enabling for agents that handle sensitive data.
index.ts:11
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk9767wed6x97nqeevncpffcf25838dfx
