AxonFlow Governance Policies

v1.0.1

Set up governance policies for OpenClaw — block dangerous commands, detect PII, prevent data exfiltration, protect agent config files. Use when hardening an...

by AxonFlow: Runtime control layer for production AI (@axonflow)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (governance policies for OpenClaw) aligns with the runtime instructions: self-host AxonFlow, install the OpenClaw plugin, and apply policy templates. Requiring an AxonFlow endpoint and credentials is consistent with that purpose.
Instruction Scope
SKILL.md is instruction-only and stays on-topic (deployment, plugin config, policy templates, HITL gating). It does indicate server-side evaluation of all tool calls and LLM interactions — which is expected for a governance proxy but means AxonFlow will see agent inputs/outputs. It also documents a 'community mode' where client auth checks are skipped; that operational mode is explicitly risky and should not be used in production.
Install Mechanism
No install spec or code files are bundled with the skill (instruction-only). The recommended self-host steps point to the project's GitHub and Docker Compose — a standard pattern for a self-hosted governance service.
Credentials
Registry metadata declares no required env vars or credentials, but the SKILL.md repeatedly refers to configuring an AxonFlow endpoint and credentials and copying a .env for deployment. This mismatch is likely benign (credentials are configured in your OpenClaw/AxonFlow setup rather than as skill env vars) but it is a notable inconsistency. Also, the skill implies access to all tool/LLM traffic (necessary for policy enforcement) — verify you are comfortable with that level of visibility.
Persistence & Privilege
The skill is not always-enabled and does not request system-level persistence. It describes installing a plugin into OpenClaw and AxonFlow running as a separate service; that service will have elevated visibility into agent interactions by design. Autonomous invocation of this instruction-only skill is normal for platform skills, but be cautious combining that with running AxonFlow in an unauthenticated community mode.
Assessment
This skill appears to be what it says — a governance plugin you self-host via Docker and wire into OpenClaw. Before installing:

  1) Verify the AxonFlow project/repo and maintainers (review code/policy templates) so you trust the service that will see all agent inputs/outputs.
  2) Do not run in 'community' mode in production — it explicitly skips client auth.
  3) Expect to provide and store AxonFlow endpoint credentials in your OpenClaw/AxonFlow config (metadata not listing env vars is a minor inconsistency).
  4) Restrict network exposure (bind to localhost or internal network, secure ports) and review the policy templates before enabling automated blocking/redaction.
  5) If you require higher assurance, test in an isolated environment and audit the traffic/audit logs produced by AxonFlow first.

Like a lobster shell, security has layers — review code before you run it.



SKILL.md

AxonFlow Governance Policies for OpenClaw

Use when setting up or hardening an OpenClaw deployment with AxonFlow governance. This skill covers self-hosting AxonFlow, plugin installation, policy configuration, and risk mitigation.

Self-Host AxonFlow

AxonFlow runs locally via Docker Compose. No LLM provider keys required — OpenClaw handles all LLM calls, AxonFlow only enforces policies and records audit trails.

Prerequisites: Docker Engine or Desktop, Docker Compose v2, 4 GB RAM, 10 GB disk.

Quick start: Clone the AxonFlow community repo, copy .env.example to .env, and run docker compose up -d. The Agent starts on port 8080 — all SDK and plugin traffic goes through this port.

Full setup instructions: Self-Hosted Deployment Guide

Install the Plugin

Install via OpenClaw's plugin manager and configure in your OpenClaw config with your AxonFlow endpoint, credentials, and high-risk tool list. Set onError: block for production (fail-closed) or allow for development (fail-open).

In community mode (DEPLOYMENT_MODE=community), client auth checks are skipped for the local developer flow.

Full configuration reference: OpenClaw Integration Guide

What's Protected Automatically

AxonFlow's 83 built-in system policies apply with no additional setup:

  • PII detection and redaction: SSN, credit card, email, phone, Aadhaar, PAN
  • SQL injection: 37+ detection patterns
  • Dangerous commands: destructive operations, privilege escalation
  • Secrets: API keys, connection strings, code secrets

OpenClaw-Specific Hardening

For additional protection against OpenClaw-specific attack vectors, the plugin repository includes ready-to-use policy templates covering:

  • Command execution blocking: Reverse shells, destructive filesystem operations, credential file access
  • SSRF prevention: Cloud metadata endpoints, internal network addresses
  • Agent config protection: Block writes to SOUL.md, MEMORY.md, and other identity files
  • Path traversal detection: Workspace escape patterns

Full policy templates with SQL examples: Starter Policies
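The kinds of checks these templates describe, as an added JavaScript illustration (not code from AxonFlow or its plugin; AxonFlow evaluates its policies server-side). The function names, the shape of the `call` object and the returned rule labels are assumptions made for this example.

```javascript
// Added illustration; function and field names are hypothetical, not AxonFlow's.
const IDENTITY_FILES = new Set(["SOUL.md", "MEMORY.md"]); // files named on this page

// Parse a dotted-quad IPv4 address into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  return o.every((n) => n <= 255) ? o : null;
}

// True for loopback, RFC 1918 private ranges and link-local 169.254.0.0/16,
// which contains the 169.254.169.254 cloud metadata address.
// Hostnames are not resolved here; a full check also tests the resolved address.
function isInternalHost(host) {
  if (host === "localhost" || host === "[::1]") return true;
  const o = parseIPv4(host);
  if (!o) return false;
  const [a, b] = o;
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

// Resolve a POSIX-style path against the workspace root, collapsing "." and "..".
function resolveInWorkspace(workspace, p) {
  const parts = (p.startsWith("/") ? p : workspace + "/" + p).split("/");
  const out = [];
  for (const seg of parts) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") out.pop(); else out.push(seg);
  }
  return "/" + out.join("/");
}

// Decide on a tool call before it runs (the before_tool_call hook point).
function checkToolCall(call, workspace) {
  if (call.url) {
    let host;
    try { host = new URL(call.url).hostname; } catch { return { allow: false, rule: "invalid_url" }; }
    if (isInternalHost(host)) return { allow: false, rule: "ssrf_internal_address" };
  }
  if (call.path) {
    const abs = resolveInWorkspace(workspace, call.path);
    if (abs !== workspace && !abs.startsWith(workspace + "/")) return { allow: false, rule: "workspace_escape" };
    if (call.write && IDENTITY_FILES.has(abs.split("/").pop())) return { allow: false, rule: "identity_file_write" };
  }
  return { allow: true, rule: null };
}
```

The path is normalised before either path rule runs, so a write to `notes/../SOUL.md` is matched as a write to `SOUL.md` inside the workspace.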

Top 10 Risks

| Rank | Risk | Hook |
|------|------|------|
| 1 | Arbitrary command execution | before_tool_call |
| 2 | Data exfiltration via HTTP | before_tool_call |
| 3 | PII leakage in messages | message_sending |
| 4 | Indirect prompt injection | before_tool_call |
| 5 | Outbound secret exfiltration | message_sending |
| 6 | Malicious skill supply chain | after_tool_call (audit) |
| 7 | Memory/context poisoning | before_tool_call |
| 8 | Credential exposure | message_sending |
| 9 | Cross-tenant leakage | Tenant-scoped policies |
| 10 | Workspace boundary bypass | before_tool_call |

Guardrails

  • All policies are evaluated server-side by AxonFlow, not locally.
  • High-risk tools require human approval only after AxonFlow allows the tool call. If AxonFlow blocks the tool, it stays blocked.
  • The plugin verifies AxonFlow connectivity on startup.
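The ordering stated above, combined with the `onError` setting from the plugin section, as an added JavaScript sketch (not the @axonflow/openclaw plugin's code). `decideToolCall`, its parameters and the trace labels are hypothetical, and routing a high-risk tool to human approval after a fail-open error is an assumption of this sketch that the page does not state.

```javascript
// Added sketch; decideToolCall and its parameters are hypothetical names.
// policy: { status: "allow" | "block" | "error" } from the server-side policy check
// cfg: { onError: "block" | "allow", highRiskTools: string[] }
// humanApproves: callback standing in for the human approval prompt
function decideToolCall(tool, policy, cfg, humanApproves) {
  const trace = [];
  if (policy.status === "block") {
    trace.push("policy:block");
    return { run: false, trace }; // a blocked call never reaches the approver
  }
  if (policy.status !== "allow") {
    // Unreachable or failed policy check (any status other than allow/block).
    trace.push("policy:error");
    if (cfg.onError === "block") return { run: false, trace }; // fail-closed
    trace.push("onError:allow"); // fail-open: the call continues unevaluated
  } else {
    trace.push("policy:allow");
  }
  // Assumption: high-risk tools are gated on approval in the fail-open path too.
  if (cfg.highRiskTools.includes(tool)) {
    const ok = Boolean(humanApproves(tool));
    trace.push(ok ? "human:approve" : "human:deny");
    return { run: ok, trace };
  }
  return { run: true, trace };
}
```

With `onError: "allow"`, the trace shows which calls ran without any policy verdict, which is the gap the fail-closed setting removes.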


Licensing

  • AxonFlow platform (getaxonflow/axonflow): BSL 1.1 (Business Source License). Source-available, not open source.
  • @axonflow/openclaw plugin (getaxonflow/axonflow-openclaw-plugin): MIT. Free to use, modify, and redistribute.
  • This skill: MIT-0 per ClawHub terms.
