Gatewaystack Governance

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its stated governance purpose, but users should review it: the bundled default identity policy appears to assign the `default` role to an “unknown” identity, despite the skill's claim that unknown agents are denied.

This looks like a legitimate governance plugin, but do not rely on the zero-config defaults without review. Check the `identityMap`, especially any `unknown` fallback, confirm which tools the `default` and `admin` roles can use, and protect the audit/state files it creates.

VirusTotal

1/65 vendors flagged this skill as malicious, and 64/65 flagged it as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

A user may believe unrecognized agents are fully denied when the default policy could allow them to read files, use memory tools, or access web tools under the default role.

Why it was flagged

The stated skill behavior says unknown agents are denied, but the bundled example policy gives an "unknown" identity the default role, and that role can use tools such as read, web, and memory tools. If this is used as a fallback identity, unrecognized agents may get meaningful access instead of being blocked.

Skill content

"read": { "roles": ["default", "admin"] ... }, ... "memory_add": { "roles": ["default", "admin"] ... }, ... "unknown": { "userId": "unknown-agent", "roles": ["default"] }

Recommendation

Before enabling the plugin, review `policy.json` and remove or tightly restrict the `unknown` identity; ensure unrecognized agents fail closed unless you explicitly want a fallback role.

ASI02: Tool Misuse and Exploitation
Low
What this means

The plugin can block tools or change the agent’s workflow if its policy is too strict or misconfigured.

Why it was flagged

The plugin is designed to intercept every tool call and allow or deny it. This is powerful control over agent behavior, but it is clearly disclosed and central to the governance purpose.

Skill content

The plugin hooks into `before_tool_call` at the process level — the agent can't bypass it, skip it, or talk its way around it.

Recommendation

Review the allowlist, roles, and rate limits after installation, and test normal workflows before relying on it for critical tasks.

ASI06: Memory and Context Poisoning
Low
What this means

Local audit and state files may contain operational details or sensitive indicators that should not be exposed to other users or projects.

Why it was flagged

The skill persists audit, DLP, anomaly, and review-related context. This is expected for a governance/audit plugin, but the stored data may reveal tool usage patterns or sensitive detections.

Skill content

The `dlpMatches` and `anomalies` fields are only present when the corresponding features are enabled and detect something. The `checks` map includes `behavioral`, `escalation`, and `firstUse` entries when those features are active.

Recommendation

Store audit logs in a protected location, rotate them as needed, and avoid enabling DLP logging unless you are comfortable retaining sensitive-match metadata.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Installing the package gives plugin code ongoing control over tool-call governance in the local OpenClaw environment.

Why it was flagged

The skill is installed as an OpenClaw plugin from an npm package, with optional GatewayStack packages for additional features. This is normal for the stated purpose, but it means users must trust the package provenance.

Skill content

openclaw plugins install @gatewaystack/gatewaystack-governance

Recommendation

Install only from the expected npm package/source, pin versions where possible, and review updates before enabling them in sensitive environments.