ClawHub

Wip File Guard

v1.9.68

Hook that blocks destructive edits to protected identity files. For Claude Code CLI and OpenClaw.

0· 1.1k·1 current·1 all-time
byParker Todd Brooks@parkertoddbrooks
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and install: a small Node CLI/hook that inspects incoming PreToolUse payloads and denies Write/Edit operations on a short, documented set of protected files. Required binary (node) and npm package (@wipcomputer/wip-file-guard) are expected for this functionality. Minor metadata inconsistencies: registry metadata lists no homepage/source while SKILL.md/README reference a GitHub repo and package.json version (1.9.68) differs from SKILL.md's listed version (1.0.1). These are bookkeeping issues, not functional mismatches.
Instruction Scope
SKILL.md instructs installing the hook and wiring guard.mjs into lifecycle hooks (Claude Code / OpenClaw) and provides CLI usage. The guard's runtime actions are limited to parsing stdin JSON from the tool event, checking file basenames/paths, testing filesystem existence (existsSync), and deciding allow/deny. It does not read arbitrary files' contents from disk, make network calls, or access environment variables beyond Node execution context.
Install Mechanism
Install is via an npm package (@wipcomputer/wip-file-guard) which is a standard distribution mechanism; package.json and a bin entry are present. This is a moderate-risk but expected mechanism for a Node-based CLI/hook; there are no downloads from arbitrary URLs or extract steps in the manifest.
Credentials
The skill requests no environment variables, no credentials, and no protected config paths. Its filesystem access is limited to checking whether a target file exists (existsSync) and it operates on data passed in via stdin, which is proportional to the stated purpose.
Persistence & Privilege
The skill is a lifecycle hook (openclaw.plugin.json) and is user-invocable; it can be placed into an agent's hook directory so it runs automatically before tool use. This autonomous hook behavior is expected for a guard but means the hook will actively block operations once installed — review and opt-in before adding to global/always-loaded hook directories.
Assessment
This package appears to do exactly what it says: a small Node hook that blocks destructive writes/edits to a short list of identity files. Before installing: 1) Verify the npm package and author (search npmjs and the referenced GitHub repo) and pin a trusted version; 2) Inspect guard.mjs yourself (it is short and readable) and run the included tests locally; 3) Install to a user-scoped extension directory (not system-wide) and back up protected files first; 4) If you don't trust an external npm package, copy guard.mjs into your repo/extensions and reference the local copy instead of installing from npm. Minor metadata mismatches (missing homepage in registry metadata, disparate version strings) are bookkeeping issues — they don't change functionality but are worth double-checking on the package registry.

Like a lobster shell, security has layers — review code before you run it.

latestvk975d0akhe2ps8va7ktg0fnpp98400gs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🛡️ Clawdis
Binsnode

Install

Install via npm
Bins: wip-file-guard
npm i -g @wipcomputer/wip-file-guard

Comments