Policy Layer (CBS) + Security Layers
Warn. Audited by ClawScan on May 16, 2026.
Overview
This is a disclosed security plugin, but it can take over command approval and auto-fast-track previously approved risky command patterns, so it deserves careful review before use.
Install only if you are comfortable letting this plugin control gateway command approval. Before enabling it, review the deploy script and configuration, consider disabling fast-lane approvals for risky commands, keep human approval for destructive operations, and periodically inspect or clear the logs under ~/.openclaw/logs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A misclassified command could be allowed without normal user review, especially after the fast-lane threshold is reached.
The artifacts show the plugin can become the main authority for command approval, use a local LLM to decide flagged commands, and later skip review after repeated approvals. The exact safety bounds for fast-laning risky command patterns are not clearly defined.
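“HIGH/MEDIUM commands get a second review by the local Ollama model”; “The same harmless command approved 5 times in a row → skip LLM review and allow it directly”; “ask: "off" + security: "full", fully delegated to the Policy Layer plugin.”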
Keep independent exec approval enabled for destructive commands, disable or tightly scope fast-lane behavior, and require explicit user confirmation for deletes, force pushes, shell pipelines, database mutations, and gateway-control commands.
The agent may slow down, pause, or change its execution strategy based on plugin-provided state.
The plugin intentionally injects policy state into the model context to influence behavior. This is purpose-aligned, but it is still a control path that changes how the agent acts.
“before_prompt_build (inject cognitive state score)” and “Injects <openclaw_state> XML into LLM context … Agent reads it and adjusts behavior according to D' score.”
Ensure only trusted plugin code can write this state, and treat the injected state as security-critical configuration.
Local logs may retain sensitive command history, project names, paths, or policy decisions, and blacklist entries can influence future agent behavior.
The plugin persistently stores command decisions and user-generated blacklist entries, then reuses that state across sessions.
“All decisions are written to `~/.openclaw/logs/approval.jsonl`” and “Persisted to `~/.openclaw/logs/blacklist.jsonl` and loaded automatically on the next startup.”
Protect, review, and rotate these logs; avoid placing secrets in shell commands; and provide a clear way to inspect and reset persisted policy state.
The local Ollama service can see the commands being reviewed, which may include sensitive paths or operational details.
Flagged command text is sent to a local model service for smart review. The artifacts describe this as local and expected.
“Requests Ollama (`llama3.3` by default, local inference, no network required).”
Use a trusted local Ollama instance, verify it is not proxied to a remote provider, and avoid sending commands containing secrets.
Running the deploy script can change how the gateway enforces command approvals and security checks.
The deployment flow asks the user to run a local shell script that modifies OpenClaw gateway configuration. This is user-directed and aligned with the plugin purpose, but it is still code execution during setup.
“# Production deployment\n./scripts/deploy.sh” and “`config/openclaw.json` | Gateway configuration (deployed to `~/.openclaw/`).”
Inspect `scripts/deploy.sh` and the generated OpenClaw config before running it, and prefer a dry run first.
