AgentKit

Review

Audited by ClawScan on May 16, 2026.

Overview

AgentKit appears to be a disclosed beta approval plugin, but it can control protected-tool approvals and store temporary trust grants, so it should be configured carefully.

This looks consistent with a World/AgentKit human-approval plugin rather than malicious behavior. Before installing, confirm you are using a compatible OpenClaw build, configure only the protected tools you intend, prefer allow-once or short session-scoped grants for sensitive actions, keep signing keys and private keys out of repositories, and verify any broker or gateway URLs you configure.

Publisher note

World AgentKit integration: contacts World/AgentKit APIs, can open a local verifier callback, and uses OpenClaw operator approval APIs to resolve protected-tool HITL approvals after proof verification.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If enabled for powerful tools such as exec, the plugin becomes part of the decision path for whether those tools can run.

Why it was flagged

The plugin installs a before_tool_call hook that can block configured tools until AgentKit/World approval is completed. This is the core advertised function, but it affects protected tool execution.

Skill content

if (!isProtectedTool(ctx.toolName, pluginConfig.hitl.protectedTools)) { return undefined; } ... return { requireApproval: { pluginId: "agentkit", ... title: `World proof required for ${ctx.toolName}`, ... keepPendingWithoutRoute: true } };

Recommendation

Enable it only for the tools you intend to protect, and review protectedTools, severity, timeout, grantScope, and grantTtlMs before use.

What this means

A single trust-for-session or trust-for-agent action may approve additional matching blocked actions rather than only the one visible request.

Why it was flagged

When an allow-always decision is used, the CLI can resolve matching pending approvals in the same configured scope. The matching logic is bounded, but one approval can affect multiple pending tool calls.

Skill content

await Promise.all(matching.map(async (approval) => { ... await resolvePendingAgentkitApproval({ ... approvalId: approval.id, decision: "allow-always", ... }); }))

Recommendation

Prefer allow-once for sensitive actions, and use allow-always only when you are comfortable approving repeated matching tool calls for the configured scope.

What this means

Incorrect storage or sharing of these keys could compromise the associated World/AgentKit or wallet-related authority.

Why it was flagged

The documented flows can use World signing keys, wallet information, and private key files. These credentials are expected for AgentKit/World delegation, and the artifacts warn not to commit secrets.

Skill content

"signingKeyEnvVar": "WORLD_ID_SIGNING_KEY" ... "Resolve the pending request with `openclaw agentkit approve --approval-id <id> --private-key-file <path>`" ... "Do not commit World signing keys, wallet secrets, or real user identifiers."

Recommendation

Use environment variables or secure local files for secrets, avoid command-line exposure where possible, and do not commit real keys or identifiers to repositories.

What this means

Local approval state may reveal approval metadata and can permit repeated matching tool calls until it expires or is consumed.

Why it was flagged

The plugin persists local approval grants and proof-related metadata so future matching tool calls can be allowed within scope and TTL.

Skill content

const DEFAULT_GRANTS_FILE = path.join(os.homedir(), ".openclaw", "agentkit-hitl-grants.json"); ... proofNullifier: typeof record.proofNullifier === "string" ? record.proofNullifier : null

Recommendation

Keep grant TTLs short, prefer session scope for sensitive tools, protect your home directory, and remove the grants file if you want to clear stored approvals.

What this means

Compatibility and provenance depend on the exact OpenClaw build or local checkout used.

Why it was flagged

The package is explicitly a community beta that depends on unreleased or beta OpenClaw APIs, and its development flow can replace a dependency with a local checkout.

Skill content

Channel: community beta ... Required OpenClaw API PRs: `openclaw/openclaw#82431`, `openclaw/openclaw#82434`, and `openclaw/openclaw#82471` ... `dev:link-openclaw` replaces `node_modules/openclaw` with a symlink

Recommendation

Install only from the intended ClawHub package, use a compatible OpenClaw beta/build, and avoid local symlink development workflows unless you trust the checkout.

What this means

Approval prompts and status updates can be injected into the chat session by the plugin while a verification flow is in progress.

Why it was flagged

The plugin sends approval-status messages through the OpenClaw gateway into a session. This is purpose-aligned for HITL prompts, but it is a cross-component communication path.

Skill content

injectChatMessageOverGateway({ config: params.appConfig, gatewayUrl: params.gatewayUrl, clientDisplayName: "AgentKit approval update", sessionKey: params.sessionKey, message: params.message, command: params.command, interactive: params.interactive, ... })

Recommendation

Verify that the configured gateway and broker URLs are trusted, and treat approval prompts as security-sensitive UI.