Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aport Agent Guardrail

v1.1.20

Set up APort guardrails for OpenClaw. Local-first policy enforcement that checks tool calls against your passport before execution. Zero network calls by def...

0 · 840 · 1 current · 1 all-time
by APort (@aporthq)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (APort guardrails for OpenClaw, local-first enforcement) match the SKILL.md actions (create passport, register before_tool_call hook, enforce decisions). However, the package metadata claims no required config paths or env vars, while the instructions explicitly read/write ~/.openclaw and create ~/.openclaw/aport/* files. That mismatch between declared requirements and the actual instructions is unexplained.
Instruction Scope
SKILL.md tells the agent/user to clone or npx-install remote code, run an interactive wizard which registers a before_tool_call hook, and read/write files under ~/.openclaw (passport.json, decision.json, audit.log). It also references DEBUG_APORT and optional APORT_API_URL/APORT_AGENT_ID env vars. The instructions therefore require access to user home config and will modify OpenClaw hooks/config — sensible for a guardrail but broader than the metadata claims. The doc's claim of "zero network calls by default" is true for runtime enforcement but misleading for the install steps (git clone / npx require network).
Install Mechanism
There is no formal install spec in the registry entry; SKILL.md directs either a git clone from GitHub (a well-known host — lower risk) or npx @aporthq/aport-agent-guardrails (which will run package installation scripts from the npm registry — moderate risk). Both approaches execute remote code locally; the instructions rely on the user interacting with the wizard rather than the agent auto-answering, which reduces automation risk but still means arbitrary code will be fetched and executed during install.
Credentials
The registry metadata lists no required env vars or config paths, yet the runtime instructions reference and create configuration under ~/.openclaw and mention env vars DEBUG_APORT (for debugging) and optional APORT_API_URL and APORT_AGENT_ID (for centralized API mode). That is an inconsistency: optional networked behavior exists but is not reflected in declared requirements. The optional API mode claims it only sends tool name and action type, but enabling it would allow outbound network calls and should be treated as a separate privilege with clear justification.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable. It does instruct the installer to register an OpenClaw hook (before_tool_call) and create files under ~/.openclaw, which is expected for a local guardrail but means it will persist in the user's OpenClaw configuration. This modification is within the skill's stated purpose but is privileged (it intercepts tool calls) and should be approved by the user.
What to consider before installing
This skill looks like it really intends to install a local guardrail for OpenClaw, but the SKILL.md and the registry metadata disagree on what it needs and will do. Before installing: (1) Verify the upstream repository and package (review the GitHub repo and npm package, check commit history and publishers). (2) Inspect the install scripts or ./bin/openclaw in the cloned repo before executing them. (3) Back up your ~/.openclaw configuration because the installer will register a before_tool_call hook and write files under ~/.openclaw. (4) Treat the npx option as higher-risk because it runs remote package code — prefer cloning and inspecting if you can. (5) If you plan to enable API mode (APORT_API_URL/APORT_AGENT_ID), confirm what is sent and that your endpoint is trusted; otherwise keep API mode disabled to remain local-only. (6) Ask the publisher to update registry metadata to declare the config paths and optional env vars explicitly and to document install verification steps (signatures/checksums). If you cannot verify the source code and install scripts, consider avoiding installation or using an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97fm3jyascr1n3neq96y1gcxd84r582
