AxonFlow Governance Policies

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill provides coherent AxonFlow governance setup guidance, but users should verify the external plugin, protect the configured secret, and review any governance policy or approval changes carefully.

This skill appears benign as setup guidance. Before using it in production, verify the AxonFlow plugin package and version, protect the client secret, use a secure endpoint, and review policy or approval changes because they can affect how OpenClaw actions are governed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Low
What this means

Installing a moving 'latest' version may pull code that was not reviewed together with this skill.

Why it was flagged

The setup installs an external plugin using the moving '@latest' version, while the reviewed skill itself contains no plugin code.

Skill content

    openclaw plugins install @axonflow/openclaw@latest

Recommendation

Verify the plugin source, review release notes or code as appropriate, and prefer pinning a known-good version for production.

ASI03: Identity and Privilege Abuse
Severity: Low
What this means

A leaked or over-scoped client secret could allow unauthorized access to the AxonFlow governance service.

Why it was flagged

The integration expects an AxonFlow client secret and user identity in configuration; this is purpose-aligned but sensitive.

Skill content

    clientId: your-client-id
    clientSecret: your-secret
    userEmail: you@example.com

Recommendation

Store the secret securely, scope it to the minimum required permissions, rotate it if exposed, and use TLS or another protected channel for production endpoints.

ASI02: Tool Misuse and Exploitation
Severity: Medium
What this means

Incorrect policies or overrides could approve unsafe actions, block legitimate work, or change governance behavior across an OpenClaw deployment.

Why it was flagged

The skill is intended to help configure governance policies and approval workflows, which can materially affect what OpenClaw actions are permitted.

Skill content

    authoring policies, or wiring up decision explainability and approval workflows

Recommendation

Review policy changes before applying them, version-control governance configuration, keep overrides time-bounded, and monitor audit logs.