ClawHub

Claw Permission Firewall

v1.0.0

Evaluates agent actions for security risks, enforcing least-privilege policies with allow, deny, or confirmation decisions and secret redaction.

1· 1.6k·3 current·3 all-time
by@bharathjanumpally
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/behavior align: the package implements HTTP/file/exec gating, redaction, risk scoring, and auditing as described in SKILL.md and policy.yaml. All required files and dependencies (js-yaml, minimatch) are consistent with parsing policy and matching globs/domains.
Instruction Scope
SKILL.md directs callers to build an action object and call evaluate; the code implements only action evaluation/redaction/audit. It does not instruct reading unrelated system secrets or sending telemetry. The skill does read policy.yaml (local) and uses context.workspaceRoot and process.env.HOME to expand deny prefixes — these are reasonable for enforcing file path rules.
Install Mechanism
No install spec is declared (instruction-only at runtime). Source files and package.json are present but there is no remote download or extract step; dependencies are standard npm libs. No high-risk install URLs or arbitrary remote code fetches are used.
Credentials
The skill requests no environment variables or credentials. It does read process.env.HOME (to expand ~ in deny prefixes) and uses caller-provided context.workspaceRoot; this is proportional to its file-path enforcement role. Confirm your runtime supplies a correct workspaceRoot and that HOME access is acceptable in your environment.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system-wide privileges. It only reads local policy.yaml and uses in-memory evaluation/audit; it does not modify other skills or global agent configuration.
Assessment
This skill appears to do what it says: evaluate actions, redact secrets, and produce an audit record. Before installing or enabling it: 1) Review and edit policy.yaml to ensure allow/deny lists and thresholds match your security posture (especially allowDomains and denyPathPrefixes). 2) Note it reads the local policy.yaml and process.env.HOME to expand ~ prefixes — ensure the policy file and HOME are trustworthy. 3) Exec is disabled by default; if you enable exec in policy, treat the skill as high-risk and review denyPatterns carefully. 4) Test in a safe environment to validate redaction and false-positive behavior (JWT/AWS regexes can produce false matches). 5) Keep the policy file under your control (do not let untrusted skills/users modify it), since policy changes change the skill's decisions.

Like a lobster shell, security has layers — review code before you run it.

firewallvk97am4ma4699n2pxgfcrkjrhh980k1j7latestvk97am4ma4699n2pxgfcrkjrhh980k1j7policyvk97am4ma4699n2pxgfcrkjrhh980k1j7redactionvk97am4ma4699n2pxgfcrkjrhh980k1j7securityvk97am4ma4699n2pxgfcrkjrhh980k1j7
1.6kdownloads
1stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@bharathjanumpally
firewalllatestpolicyredactionsecurity
Download

Claw Permission Firewall

Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:

  • ALLOW (safe to execute)
  • DENY (blocked by policy)
  • NEED_CONFIRMATION (risky; require explicit confirmation)

It also returns a sanitizedAction with secrets redacted, plus a structured audit record.

This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.

What it protects against

  • Exfiltration to unknown domains
  • Prompt-injection “send secrets” attempts (secret detection + redaction)
  • Reading sensitive local files (~/.ssh, ~/.aws, .env, etc.)
  • Unsafe execution patterns (rm -rf, curl | sh, etc.)

Inputs

Provide an action object to evaluate:

{
  "traceId": "optional-uuid",
  "caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
  "action": {
    "type": "http_request | file_read | file_write | exec",
    "method": "GET|POST|PUT|DELETE",
    "url": "https://api.github.com/...",
    "headers": { "authorization": "Bearer ..." },
    "body": "...",
    "path": "./reports/out.json",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
    "mode": "strict | balanced | permissive",
    "confirmed": false
  }
}

Outputs

{
  "decision": "ALLOW | DENY | NEED_CONFIRMATION",
  "riskScore": 0.42,
  "reasons": [{"ruleId":"...","message":"..."}],
  "sanitizedAction": { "...": "..." },
  "confirmation": { "required": true, "prompt": "..." },
  "audit": { "traceId":"...", "policyVersion":"...", "actionFingerprint":"..." }
}

Default policy behavior (v1)

  • Exec disabled by default
  • HTTP requires TLS
  • Denylist blocks common exfil hosts (pastebins, raw script hosts)
  • File access is jailed to workspaceRoot
  • Always redacts Authorization, Cookie, X-API-Key, and common token patterns

Recommended usage pattern

  1. Your skill creates an action object.
  2. Call this skill to evaluate it.
  3. If ALLOW → execute sanitizedAction.
  4. If NEED_CONFIRMATION → ask user and re-run with context.confirmed=true.
  5. If DENY → stop and show the reasons.

Files

  • policy.yaml contains the policy (edit for your environment).

Comments

Loading comments...