ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GovernClaw Policy Enforcer

v1.0.0

Governance middleware for OpenClaw agents. Wraps HTTP, shell, file, and browser actions with policy checks via GovernClaw before execution. Required tools -...

0· 108·0 current·0 all-time
by@aakash2289

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for aakash2289/governclaw-middleware.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "GovernClaw Policy Enforcer" (aakash2289/governclaw-middleware) from ClawHub.
Skill page: https://clawhub.ai/aakash2289/governclaw-middleware
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install governclaw-middleware

ClawHub CLI

Package manager switcher

npx clawhub@latest install governclaw-middleware
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The code and SKILL.md implement a governed HTTP wrapper (governedHttp) that asks a GovernClaw endpoint for allow/block decisions before executing HTTP requests via the runtime's http tool. There are no unrelated binaries, credentials, or install steps requested. The implementation matches the stated purpose.
Instruction Scope
The instructions and code forward request metadata (url, method, headers, body) plus runtime context fields (session/agent/source/channel/node ids) to the GovernClaw endpoint. This is consistent with a governance proxy, but it means sensitive headers and bodies (Authorization tokens, API keys, private data) will be transmitted to the GovernClaw service. SKILL.md does not specify any redaction or sanitization policy.
Install Mechanism
No install spec is present (instruction-only skill with a single index.ts file). No downloads or archive extraction occur. This is low risk from an installation perspective.
Credentials
The registry metadata lists no required env vars, but both SKILL.md and the code reference GOVERNCLAW_URL (default http://127.0.0.1:8000). This is reasonable and proportional for a governance proxy, but the skill will send full request payloads and context fields to that endpoint, so the environment-configured URL must be trusted. The mismatch between registry metadata (no required env) and SKILL.md (mentions GOVERNCLAW_URL) is a minor inconsistency.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or modify other skills' configs. It does not write files or install background services. Autonomous invocation is allowed (platform default) but not an additional privilege granted by this skill.
Assessment
This skill is coherent for enforcing policies, but you must trust the GovernClaw endpoint you configure. Before installing or enabling it: 1) Ensure GOVERNCLAW_URL points to a trusted, secure policy server (default is localhost for local testing). 2) Confirm the policy server's privacy/security practices — the skill will forward full request bodies and headers (including Authorization tokens and any sensitive data) along with session/agent identifiers. 3) If you require redaction of secrets, implement or request a GovernClaw policy or wrapper that strips/sanitizes headers and sensitive fields. 4) Note the small metadata inconsistency: the registry metadata doesn't mark GOVERNCLAW_URL as required although SKILL.md and the code use it (with a default). 5) Test in a safe environment (playground mode or local GovernClaw) before enabling for agents that handle sensitive data.
index.ts:11
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9767wed6x97nqeevncpffcf25838dfx
108downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@aakash2289
latest
Download

GovernClaw Middleware

This skill provides governed wrappers for sensitive operations. It acts as a policy enforcement layer between agents and external systems.

When to Use This Skill

You MUST use governed tools from this skill instead of raw tools when:

  • Calling external HTTP APIs (governedHttp instead of http)
  • Running shell commands (governedShell - future)
  • Reading/writing files (governedFile - future)
  • Controlling a browser (governedBrowser - future)

How It Works

  1. You call a governed tool (e.g., governedHttp)
  2. The skill sends your request metadata to GovernClaw for policy evaluation
  3. GovernClaw returns allow or block with a reason
  4. If allowed: the underlying operation executes and returns results
  5. If blocked: the operation is cancelled and you receive a block reason

Available Tools

governedHttp

Makes HTTP requests through the GovernClaw policy engine.

Parameters:

  • method (string): HTTP method - "GET", "POST", "PUT", "DELETE"
  • url (string): Target URL
  • body (object, optional): Request body for POST/PUT
  • headers (object, optional): Custom headers

Returns:

  • On success: The HTTP response from the target
  • On block: { ok: false, blocked: true, reason: "..." }

Example:

const result = await context.tools.governclawMiddleware.governedHttp({
  method: "GET",
  url: "https://api.example.com/data"
});

if (result.blocked) {
  // Handle policy block
  console.log("Blocked:", result.reason);
}

Configuration

Set the GovernClaw service URL in your environment:

export GOVERNCLAW_URL="http://127.0.0.1:8000"

Or in openclaw.json:

{
  "skills": {
    "governclaw-middleware": {
      "env": {
        "GOVERNCLAW_URL": "http://127.0.0.1:8000"
      }
    }
  }
}

Governance Context

The skill automatically forwards these context fields to GovernClaw:

  • parent_id: The session ID (who owns the request)
  • child_id: The agent ID (who is making the request)
  • source: Where the request originated (agent, control, cron, etc.)
  • channel: The channel ID (if applicable)
  • node_id: The node ID (if applicable)
  • skill: Always "governclaw-middleware"

Error Handling

Always check for blocked in responses:

const response = await context.tools.governclawMiddleware.governedHttp({...});

if (!response.ok && response.blocked) {
  // Policy violation - do not retry
  return { error: response.reason };
}

if (!response.ok) {
  // Network or other error - may retry
  return { error: "Request failed" };
}

// Success
return response.data;

Policy Modes

GovernClaw supports three governance modes:

  • playground: Log-only, actions always allowed
  • governed: Default mode, enforce policies
  • strict: Block on any uncertainty

The skill defaults to governed mode. Future versions may allow per-request mode overrides.

Comments

Loading comments...