Aport Agent Guardrail

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent guardrail setup skill, but users should note that it installs unreviewed remote code and registers a persistent OpenClaw tool-call hook.

This skill appears purpose-aligned for installing local OpenClaw guardrails. Before installing, verify the GitHub or npm source, prefer a trusted release, let the wizard prompt you directly as instructed, and understand that it will add a persistent hook that can affect future tool calls.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing will run code fetched from GitHub or npm that was not included in this review.

Why it was flagged

The skill directs installation by cloning and running remote source or executing an npx package. That is aligned with setup, but the reviewed artifact does not include or pin the installer code.

Skill content

git clone https://github.com/aporthq/aport-agent-guardrails
cd aport-agent-guardrails
./bin/openclaw
...
npx @aporthq/aport-agent-guardrails

Recommendation

Use the source option if you want to inspect the code first, verify the repository/package owner, and consider pinning to a trusted release or commit.

What this means

The installed guardrail can allow or deny future tool calls, which may change how OpenClaw behaves after setup.

Why it was flagged

The skill intentionally installs a persistent hook that evaluates future tool calls before execution. This is the core guardrail function, but it gives the installed component ongoing influence over agent actions.

Skill content

Register the OpenClaw `before_tool_call` hook

Recommendation

Review the generated passport and hook configuration, and make sure you know how to disable or uninstall the hook if it blocks expected work.

What this means

If API mode is enabled, some information about tool usage may leave the local machine.

Why it was flagged

The default mode is described as local, but an optional centralized mode can send tool-call metadata to an API endpoint.

Skill content

Optional: API mode

Not enabled by default. For teams wanting centralized dashboards, the user sets `APORT_API_URL` and `APORT_AGENT_ID` environment variables. Only tool name and action type are sent

Recommendation

Only enable API mode for a trusted endpoint, and confirm that the metadata sent is acceptable for your privacy or compliance needs.