Agent Passport

v2.4.2

OAuth for the agentic era. Consent-gating for ALL sensitive agent actions. 75+ data-driven threat definitions with auto-updates (like antivirus signatures)....

by Mark Neville (@markneville)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (consent-gating, mandate ledger, injection/SSRF/path guards) match the provided scripts and docs. Required binaries (jq, bc, xxd, head, date, mkdir) are reasonable for a shell-based ledger and scanner. The single required env var (AGENT_PASSPORT_LEDGER_DIR) is appropriate for storing the local ledger. The README/docs describe optional Pro/Live features (auto-updates, Agent Bridge) that would use network APIs, but those are not required by default and are documented separately.
Instruction Scope
Runtime instructions tell the agent to call the shipped CLI script (mandate-ledger.sh) to check and log sensitive actions — this is exactly the core purpose. The SKILL.md and tests include explicit prompt-injection examples (e.g., 'ignore previous instructions') used as detection test vectors; the scanner flagged that phrase. The instructions do allow an agent to run local shell commands (init, create-from-template) if the agent chooses to act, which is expected for this skill but means users should review scripts before allowing autonomous execution.
Install Mechanism
No install spec is provided (instruction-only from the platform perspective). The repository includes shell scripts that the agent will invoke locally; there is no automatic remote download or extract specified in the manifest. This is lower risk than an install that fetches arbitrary code from an external URL.
Credentials
Only AGENT_PASSPORT_LEDGER_DIR is declared as required. Documentation mentions optional environment variables and API keys for Live/Pro modes (AGENT_PASSPORT_API_KEY, AGENT_PASSPORT_BASE_URL, AGENT_PASSPORT_LOCAL_LEDGER) but they are not required to run the local mode. No unrelated cloud credentials or high-privilege secrets are demanded by default.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It stores state under a user-controlled ledger directory (defaults to ~/.openclaw/agent-passport or AGENT_PASSPORT_LEDGER_DIR). There are no built-in system-wide or privileged changes in the provided scripts; the code includes scan patterns to detect persistence but does not itself create daemons or cron entries.
Scan Findings in Context
[scan-med-injection-ignore-previous] expected: The scanner flagged prompt-injection strings (e.g., 'ignore previous instructions') inside the repo. These appear to be deliberate test vectors and examples used by the skill's own injection-shield tests (scripts/test-v2.3.sh and example SKILL.md/test files). Presence is expected for a scanner-quality suite, but treat any such text seriously if you plan to let an autonomous agent consume untrusted external content.
Assessment
What to consider before installing:
- This skill runs a local shell script (mandate-ledger.sh) to authorize and log sensitive actions; review that script before allowing the agent to execute it. It will create files under the ledger directory (defaults to ~/.openclaw/agent-passport or whatever you set in AGENT_PASSPORT_LEDGER_DIR).
- The package contains test vectors that deliberately include prompt-injection phrases; those are used to validate the shield functionality — their presence in the repo is intentional, not evidence of compromise.
- The default/local mode is offline and does not require extra credentials. If you enable Pro/Live features (auto-updates, Agent Bridge), the skill will contact external services and you will need to provide API keys (AGENT_PASSPORT_API_KEY, etc.). Only enable those modes if you trust the remote service and are comfortable supplying credentials.
- If you plan to allow the agent to autonomously run commands, restrict autonomous privileges until you inspect the scripts and consider enabling local-only mode (export AGENT_PASSPORT_LOCAL_LEDGER=true) and avoid enabling auto-update/live features until vetted.
- If you are unsure, run the scripts in an isolated test environment (non-production account or container) first and inspect the ledger contents and audit logs the skill will create.

Like a lobster shell, security has layers — review code before you run it.

Tags: agents, consent, injection, latest, oauth, permissions, scanner, security, supply-chain

Runtime requirements

Bins: jq, bc, xxd, head, date, mkdir
Env: AGENT_PASSPORT_LEDGER_DIR
