Language-boundary safety policy plugin for OpenClaw
Install
openclaw plugins install clawhub:openclaw-language-boundaryOpenClaw Language Boundary
Language Boundary is a safety policy plugin for OpenClaw. It turns agent actions into a structured Action IR, classifies risk, writes redacted audits, and blocks or requests approval for high-risk behavior when enforcement is enabled.
中文说明见 README.zh-CN.md.
What it is for
Use this plugin when you want OpenClaw to have a clear action boundary instead of relying only on model self-discipline.
It helps answer these questions before a tool call runs:
- Is this action read-only, workspace-mutating, system-mutating, external, or destructive?
- Does it target config, credentials, memory, local files, production data, or an external service?
- Should it be allowed, logged, require approval, require strong approval, or be denied?
- Can the audit trail be useful without leaking private local details?
Philosophy
Language Boundary is based on a simple idea:
Agents should not get safer by becoming more timid. They should get safer by having explicit, inspectable boundaries.
The plugin separates three layers:
- Understanding — build a conservative Action IR from the tool name and parameters.
- Policy — apply config-driven rules to risk, target, and effect.
- Rollout — move from observation to enforcement only when audit data is clean.
It is not a replacement for user judgment. It is a runtime guardrail that makes risky actions visible and enforceable.
What it can do
- Classify tool calls by effect, target, and risk.
- Detect unknown tools.
- Detect dangerous shell commands and local destructive actions.
- Protect config and credential paths with strong approval.
- Treat external writes, outbound messages, installs, subagent spawning, and cron changes as policy-controlled events.
- Redact sensitive-looking audit fields.
- Track tool failure state and summarize noisy tools.
- Show an operator-facing status card.
- Support progressive hardening phases:
observeguidedstrictforce
What it does not do
- It does not make unsafe commands magically safe.
- It does not replace OS permissions, sandboxing, backups, or human approval.
- It does not upload audit logs.
- It does not require this maintainer's local paths, accounts, cron jobs, or machine layout.
Install
openclaw plugins install clawhub:openclaw-language-boundary@0.1.7
openclaw gateway restart
For the latest ClawHub release:
openclaw plugins install clawhub:openclaw-language-boundary
openclaw gateway restart
Recommended first configuration
Start in observe unless you already know your environment and want enforcement immediately.
{
"plugins": {
"entries": {
"language-boundary": {
"enabled": true,
"config": {
"enabled": true,
"mode": "observe",
"hardening": {
"enabled": true,
"phase": "observe",
"autoAdvance": "off"
},
"audit": {
"enabled": true,
"redact": true
}
}
}
}
}
}
After installation, check status:
cd ~/.openclaw/extensions/language-boundary
npm run status-card
Progressive hardening
| Phase | Policy mode | Use when |
|---|---|---|
observe | observe | First install, calibration, false-positive review |
guided | enforce | First enforcement phase for vetted high-risk actions |
strict | enforce | Sensitive environments that accept more approval friction |
force | enforce | Production/compliance mode; explicit admin decision only |
Recommended path:
- Start with
observe. - Review status card and audit samples.
- Move to
guidedafter a clean window. - Move to
strictorforceonly deliberately.
The plugin supports autoAdvance: "guided-only", but it never auto-enters strict or force.
Force-mode coverage
The release gate includes E2E-style coverage for:
- high-risk shell approval
- external writes
- config protection
- outbound secret redaction
- cron-change auditing
Useful commands from source or installed package
npm run status-card
npm run status-card -- --json
npm run init-config -- --mode=observe
npm run init-config -- --mode=guided
npm run init-config -- --mode=strict
npm run init-config -- --mode=force
npm run release:check
Reusability rules
This plugin is meant for other OpenClaw users, not one private machine.
- Use placeholders such as
<USER_HOME>,<WORKSPACE>, and<PROJECT_ROOT>in docs and tests. - Do not hard-code personal home directories, usernames, machine names, channel IDs, provider accounts, credentials, or local cron jobs.
- Keep path classification config-driven.
- Keep audit and state paths configurable or derived from the user's OpenClaw/home directory.
Current release
- Latest verified release:
openclaw-language-boundary@0.1.7 - ClawHub release ID:
rd76343ffq102yy5zk7kh6ybzn888aym - Status at final verification: published, scanned clean, isolated install verified.
