v0.1.2

clawgate

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 8:38 AM.

Analysis

This instruction-only skill is a disclosed approval-policy guide that can let the agent perform some medium-risk actions without asking again, while blocking higher-risk actions.

Guidance: Install this only if you want the agent to use clawgate’s approval policy. In particular, review which actions are treated as MEDIUM and may run without another confirmation, and use runtime policy for any privileged, destructive, costly, or outbound action you need to hard-block regardless of prompt-layer guidance.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
references/checklist.md
Direct-execute as `MEDIUM` if any are true: ... internal send or limited-side-effect API call ... install dependency ... restart isolated development service ... Execution rule: - do not ask for confirmation ... - execute directly

The skill intentionally permits some mutating or externally visible medium-risk actions to proceed without an extra confirmation. This is central to the skill’s purpose, but users should understand that the approval boundary changes.

User impact: If activated, the agent may edit multiple files, install an ordinary local dependency, restart an isolated service, send to an internal channel, or make a limited API call without asking again when it classifies the task as MEDIUM.
Recommendation: Review the MEDIUM examples before activation and add stricter runtime or standing-order rules for any action you always want confirmed.

Rogue Agents
Severity: Info | Confidence: High | Status: Note
references/agents-snippet.md
Paste this snippet into the always-injected OpenClaw entry point you actually use, such as `AGENTS.md` or a standing-order equivalent. Do not treat this file as already active policy. Installation alone does not activate `clawgate`.

Activation is designed to persist as an always-injected governance instruction, but the artifact makes activation manual and explicitly says it should not be treated as already active.

User impact: If you paste the snippet into AGENTS.md or an equivalent standing order, it can persistently change future agent confirmation behavior.
Recommendation: Only add the activation snippet if you want this policy to govern future sessions, and keep a copy of the prior AGENTS.md content so the change is easy to reverse.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
references/risk-matrix.md
Treat the following surfaces as OpenClaw-specific escalation points: - `~/.openclaw/openclaw.json` ... approval policy, delivery, channel, router, or gateway configuration ... Classification rules: - reading these surfaces without mutation stays `LOW`

The policy allows direct read-only inspection of local OpenClaw configuration and control-plane surfaces, while escalating mutations. This is disclosed and relevant to governance, but config files can contain sensitive operational details.

User impact: On user-requested read-only tasks, the agent may inspect OpenClaw configuration without an extra confirmation, potentially bringing configuration details into the conversation context.
Recommendation: Avoid requesting broad config reads when secrets may be present; prefer targeted summaries, redaction, and runtime controls for credential-bearing files.