AxonFlow Governance Policies

v1.0.0

Set up governance policies for OpenClaw — block dangerous commands, detect PII, prevent data exfiltration, protect agent config files. Use when hardening an...

⭐ 0· 11·0 current·0 all-time

bySaurabh Jain@saurabhjain1592

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

medium confidence

✓

Purpose & Capability

Name/description match the content: the SKILL.md provides AxonFlow policy SQL snippets, OpenClaw config examples, and deployment steps. Nothing requested (binaries, env vars, installs) appears unrelated to the stated goal of configuring governance policies.

ℹ

Instruction Scope

The runtime instructions include commands to clone the AxonFlow repo, start it with docker compose, and configure the OpenClaw plugin plus SQL INSERTs for policies. They do not instruct the agent to read unrelated host files or exfiltrate data. Two scope items to note: (1) the config example expects a clientId/clientSecret but the skill does not declare or manage credentials; (2) policy regexes block localhost/internal addresses and many common command patterns which could cause legitimate operations to be blocked if applied broadly.

✓

Install Mechanism

This is instruction-only with no install spec and no bundled code, so nothing is downloaded or written by the skill itself. The SKILL.md suggests manual commands (git clone, docker compose up) but the skill does not automate installs or fetch arbitrary binaries.

ℹ

Credentials

The skill declares no required environment variables or credentials, but the provided OpenClaw config contains placeholders for clientId/clientSecret. The skill neither requests nor documents secure handling of those secrets; operators must provide/administer them outside the skill. The number and type of policy rules are proportionate to governance purpose, though some regex patterns are broad (could match benign operations).

✓

Persistence & Privilege

The skill is not always-enabled and does not request elevated or persistent platform privileges. The SQL snippets imply making server-side policy changes in AxonFlow (which requires admin access), but the skill itself does not modify other skills or system-wide settings automatically.

Assessment

This skill appears to be what it says: a set of governance policies and examples for AxonFlow + OpenClaw. Before using it: 1) Verify the AxonFlow plugin source and integrity (the SKILL.md links a GitHub repo; confirm you trust that repo and release). 2) Test policies in a staging environment — several regexes block localhost/internal IPs and common shell patterns and could break legitimate workflows. 3) The OpenClaw config example expects a clientId/clientSecret; decide how you will provision and store those credentials securely (the skill does not manage them). 4) Be aware that applying the SQL INSERTs requires admin access to AxonFlow (they will change server-side policy state). 5) Consider starting with conservative rules and using audit-mode or logging before switching to block/onError:block in production (onError:block will stop tool calls if AxonFlow is unreachable). If you want higher assurance, request the exact AxonFlow plugin release/tag the SKILL.md references and a threat-model review of the provided regexes to reduce false positives.

Like a lobster shell, security has layers — review code before you run it.

compliancevk97e8b62acz02ayewspb2whrg58400tfgovernancevk97e8b62acz02ayewspb2whrg58400tflatestvk97e8b62acz02ayewspb2whrg58400tfopenclawvk97e8b62acz02ayewspb2whrg58400tfpiivk97e8b62acz02ayewspb2whrg58400tfsecurityvk97e8b62acz02ayewspb2whrg58400tf

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

AxonFlow Governance Policies for OpenClaw

Use when setting up or hardening an OpenClaw deployment with AxonFlow governance. This skill covers policy configuration, risk mitigation, and recommended settings.

Prerequisites

AxonFlow must be running and the plugin installed:

git clone https://github.com/getaxonflow/axonflow.git
cd axonflow && docker compose up -d
openclaw plugins install @axonflow/openclaw

Configure in your OpenClaw config:

plugins:
  @axonflow/openclaw:
    endpoint: http://localhost:8080
    clientId: your-client-id
    clientSecret: your-secret
    highRiskTools:
      - exec
      - process
      - browser
      - web_fetch
      - message
    onError: block

onError: block means tool calls are blocked if AxonFlow is unreachable. Use allow only in development.

What's Protected Automatically

AxonFlow's built-in system policies apply with no additional setup:

PII: SSN, credit card, email, phone, Aadhaar, PAN
SQL injection: built-in detection patterns
Dangerous commands: destructive operations, privilege escalation
Secrets: API keys, connection strings, code secrets

OpenClaw-Specific Hardening Policies

Add these for protection against OpenClaw-specific attack vectors.

Block Reverse Shells and Destructive Commands

INSERT INTO static_policies (name, category, pattern, severity, action_request, action_response, description)
VALUES
  ('openclaw_block_reverse_shells', 'security_dangerous', '(nc\s+-e|bash\s+-i|/dev/tcp/|python\s+-c.*socket|curl\s+.*\|\s*sh|wget\s+.*\|\s*sh|base64\s+.*-d\s+.*\|\s*sh)', 'critical', 'block', 'allow', 'Block reverse shell and remote code execution patterns'),
  ('openclaw_block_destructive_fs', 'security_dangerous', '(rm\s+-rf\s+/|rm\s+-rf\s+~|dd\s+if=|mkfs\b|>\s*/dev/sd|chmod\s+-R\s+777\s+/)', 'critical', 'block', 'allow', 'Block destructive filesystem operations'),
  ('openclaw_block_credential_access', 'security_dangerous', '(cat\s+.*\.ssh/|cat\s+.*\.aws/|cat\s+.*\.env\b|cat\s+.*\.netrc|cat\s+.*\.gnupg/|printenv\s+.*KEY|printenv\s+.*SECRET|printenv\s+.*TOKEN)', 'high', 'block', 'allow', 'Block credential file and environment variable access');

Block Data Exfiltration (SSRF)

INSERT INTO static_policies (name, category, pattern, severity, action_request, action_response, description)
VALUES
  ('openclaw_block_metadata_endpoints', 'security_dangerous', '(169\.254\.169\.254|metadata\.google|metadata\.aws)', 'critical', 'block', 'allow', 'Block cloud metadata endpoint access'),
  ('openclaw_block_internal_networks', 'security_dangerous', '(localhost|127\.0\.0\.1|10\.\d+\.\d+\.\d+|172\.(1[6-9]|2\d|3[01])\.\d+\.\d+|192\.168\.)', 'high', 'block', 'allow', 'Block requests to internal/private network addresses');

Protect Agent Config Files

Block writes to OpenClaw's persistent context files to prevent memory poisoning:

INSERT INTO static_policies (name, category, pattern, severity, action_request, action_response, description)
VALUES
  ('openclaw_protect_agent_config', 'security_dangerous', '(SOUL\.md|MEMORY\.md|IDENTITY\.md|AGENTS\.md|openclaw\.json|auth-profiles\.json)', 'high', 'block', 'allow', 'Block modification of OpenClaw agent identity and memory files');

Block Path Traversal

Prevent workspace escape (CVE-2026-33573 pattern):

INSERT INTO static_policies (name, category, pattern, severity, action_request, action_response, description)
VALUES
  ('openclaw_block_path_traversal', 'security_dangerous', '(\.\./|/etc/passwd|/etc/shadow|/proc/self)', 'high', 'block', 'allow', 'Block path traversal and sensitive system file access');

Top 10 Risks

Rank	Risk	Hook
1	Arbitrary command execution	before_tool_call
2	Data exfiltration via HTTP	before_tool_call
3	PII leakage in messages	message_sending
4	Indirect prompt injection	before_tool_call
5	Outbound secret exfiltration	message_sending
6	Malicious skill supply chain	after_tool_call (audit)
7	Memory/context poisoning	before_tool_call
8	Credential exposure	message_sending
9	Cross-tenant leakage	Tenant-scoped policies
10	Workspace boundary bypass	before_tool_call

Guardrails

All policies are evaluated server-side by AxonFlow, not locally.
highRiskTools require human approval only after AxonFlow allows the tool call. If AxonFlow blocks the tool, it stays blocked.
The plugin verifies AxonFlow connectivity on startup.
Tool result transcript scanning is pending async hook support in OpenClaw (openclaw/openclaw#58558).

Licensing

AxonFlow platform (getaxonflow/axonflow): BSL 1.1 (Business Source License). Source-available, not open source.
@axonflow/openclaw plugin (getaxonflow/axonflow-openclaw-plugin): MIT. Free to use, modify, and redistribute.
This uploaded ClawHub skill bundle: MIT-0 per ClawHub terms.

Files

1 total

Select a file

Select a file to preview.

Comments

Loading comments…