ClawHub

OC Guard

v1.0.2

Safe OpenClaw config planning/apply workflow with bilingual execution receipts.

0· 257·0 current·0 all-time
byedmond@edmond-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (OpenClaw config guard) align with the actual behavior: the CLI calls openclaw/opencode, validates proposals, creates plan/apply flows, backups, receipts and canary checks. Required binaries (python3, openclaw, opencode) are appropriate.
Instruction Scope
SKILL.md instructs agents to invoke the bundled script and enforce receipts/gates. The runtime script implements receipt generation, masking logic, path allowlists, backups, and uses /tmp for diagnostics. Instructions and implementation do not attempt to read unrelated system secrets, but they do write/ read local files (backup dir, receipt secret file, /tmp debug/log files) as part of normal operation — this is expected but worth noting.
Install Mechanism
This is an instruction-only skill with an included Python CLI script; there is no automated install that downloads external code. No obscure URLs or archive extraction are used.
Credentials
The skill does not require external credentials. It optionally consumes environment overrides (OPENCLAW_HOME, OCGUARD_* vars) and creates/stores a local receipt secret file under the OpenClaw home directory. These environment variables and local secret storage are proportional to generating signed receipts and configuring backup paths, but you should be aware the skill persists a secret file and writes backups/logs locally.
Persistence & Privilege
always:false (no forced global inclusion). The script writes to user/home paths and /tmp (logs, backups, a receipt-secret file, diagnostics). This is reasonable for a config-guard tool, but installing it will give the skill the ability to create/read those files in the user's OpenClaw home directory.
Assessment
This skill appears to do what it claims: validate and apply OpenClaw config changes while producing signed receipts. Before installing or running it, verify you trust the included scripts (scripts/oc-guard.py) because it will: 1) execute the system openclaw and opencode CLIs, 2) write backups and logs under your OpenClaw home and /tmp, and 3) create a local receipt secret file (OCGUARD_RECEIPT_SECRET_FILE) to sign receipts. Make sure the openclaw/opencode binaries it will invoke are the intended ones on PATH (or set OCGUARD_OPENCLAW_BIN/OCGUARD_OPENCODE_BIN), review the script source if you are not trusting the publisher, and ensure backups and the receipt secret are stored where you expect before using apply operations (especially --confirm).

Like a lobster shell, security has layers — review code before you run it.

latestvk97c1seppfzcjfsnmr4d37tqb982d5nf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3, openclaw, opencode

Comments