Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentguard v1.8.1

AgentGuard security engine — intercept dangerous operations, audit all actions, protect sensitive data. All commands/file/network operations go through ag_*...

Security Scan

  • VirusTotal: Suspicious
  • OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (AgentGuard: intercept/audit operations) match the included files and runtime behavior: the plugin proxies tool calls to a local daemon and provides ag_* replacements for native exec/read/write/network tools. Asking for a local 'agentguard' binary and a daemon is coherent for this purpose.
Instruction Scope (flagged)
SKILL.md instructs the agent and user to (a) install a system binary and start a local daemon, and (b) manually add tools.deny entries to openclaw.json to disable native exec/read/write/apply_patch/process. That is scope-expanding: it changes the agent platform's behavior for all skills (not just this one) and demands manual, global configuration changes. This broad, persistent control is high-impact and should be explicitly consented to by an operator who understands the consequences.
Install Mechanism
No remote download is performed by setup.sh (it installs a bundled binary from ./bin), and the script verifies a checksum before copying to /usr/local/bin and starting the daemon. This avoids network fetch risk, but installation writes to a system path and starts a daemon (requires elevated permissions). There is an inconsistency: bin/checksums.txt and the bin directory include only an arm64 name but setup.sh also branches for x86_64 — that may cause installation failure on x86_64. package.json version (1.8.0) vs registry metadata (1.8.1) is a minor mismatch.
Credentials
The skill declares no required environment variables or external credentials, which is proportionate. However, it requests modifications to OpenClaw's gateway config (tools.deny) and installs a persistent local daemon — those are effectively privilege escalations relative to a normal skill and should be treated like credentialing/config changes because they alter what tools the agent can run.
Persistence & Privilege (flagged)
The plugin runs a persistent background health-check service and communicates with a long-lived daemon on localhost. More importantly, SKILL.md instructs operators to add tools.deny entries to openclaw.json, which would permanently disable native agent capabilities system-wide until reversed. That persistent, cross-skill effect is high-privilege and increases blast radius if the daemon or skill is compromised.
What to consider before installing
Before installing:
  1. Understand that setup.sh copies a bundled binary into /usr/local/bin and starts a daemon. This requires admin rights and creates a persistent service bound to localhost:19821.
  2. The skill asks you to edit openclaw.json to disable native exec/read/write/process tools system-wide. That change affects all skills and can prevent rollback unless you know how to restore the file.
  3. Verify the bundled binary's provenance (e.g., confirm vendor/site, GPG/alternate checksum) and inspect the binary if you cannot fully trust the publisher.
  4. Note the packaging inconsistencies (package version mismatch and only an arm64 checksum present). Test in an isolated VM or container first rather than on production hosts.
  5. If you proceed, back up openclaw.json before editing, and consider running the daemon with least privilege (non-root) and monitoring network/process activity.
  6. If you need help assessing the trustworthiness of the binary or the publisher, do not install until you can validate the upstream source.
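The Install Mechanism finding and items 3 and 4 above point at the same weak spot: setup.sh verifies a checksum before copying the binary, but bin/checksums.txt carries only an arm64 entry while the script also branches for x86_64. The following is an added example, not the skill's setup.sh and not code from the ClawHub scan, of how an installer should behave in that situation: look up the expected digest for the current architecture and refuse to install when the entry is missing or the bytes do not match, rather than copying an unverified file to /usr/local/bin. The binary names agentguard-arm64 / agentguard-x86_64 and the sha256sum-style layout of checksums.txt are assumptions; the page names neither. The fixture it builds is constructed to mirror the page's inconsistency (an arm64 binary and entry, nothing for x86_64).

```python
"""Fail-closed verification of a bundled binary against bin/checksums.txt.

Added example; not the AgentGuard skill's own setup.sh. Assumes
sha256sum-style lines ("<hex>  <filename>") and binaries named
agentguard-<arch>; both are assumptions, the page states neither.
"""
import hashlib
import platform
from pathlib import Path

# uname -m / platform.machine() values mapped to the assumed binary suffix.
ARCH_SUFFIX = {"aarch64": "arm64", "arm64": "arm64", "x86_64": "x86_64", "amd64": "x86_64"}


def parse_checksums(text: str) -> dict:
    """Map filename -> expected sha256 hex; tolerates blank lines and '#' comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[name] = digest.lower()
    return table


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def select_verified_binary(bin_dir: Path, machine: str) -> Path:
    """Return the bundled binary for `machine` only if an entry exists AND matches.

    Raises RuntimeError on an unsupported arch, a missing checksum entry (the
    x86_64 gap the scan describes), a missing file, or a digest mismatch.
    """
    suffix = ARCH_SUFFIX.get(machine)
    if suffix is None:
        raise RuntimeError(f"unsupported architecture: {machine}")
    name = f"agentguard-{suffix}"
    table = parse_checksums((bin_dir / "checksums.txt").read_text())
    if name not in table:
        # Fail closed: with no expected digest there is nothing to verify against.
        raise RuntimeError(f"no checksum entry for {name}; refusing to install")
    binary = bin_dir / name
    if not binary.is_file():
        raise RuntimeError(f"bundled binary {name} is missing")
    actual = sha256_file(binary)
    if actual != table[name]:
        raise RuntimeError(f"checksum mismatch for {name}: {actual} != {table[name]}")
    return binary


def make_fixture(root: Path) -> Path:
    """Constructed bin/ directory mirroring the page: only an arm64 binary and entry."""
    bin_dir = root / "bin"
    bin_dir.mkdir()
    blob = bin_dir / "agentguard-arm64"
    blob.write_bytes(b"stand-in for the arm64 binary, not a real executable\n")
    (bin_dir / "checksums.txt").write_text(f"{sha256_file(blob)}  agentguard-arm64\n")
    return bin_dir


def check_install_outcomes() -> dict:
    """Run the check for both architectures setup.sh branches for, then with a tampered file."""
    import tempfile
    cases = (("aarch64", "aarch64", False), ("x86_64", "x86_64", False), ("tampered", "aarch64", True))
    with tempfile.TemporaryDirectory() as d:
        bin_dir = make_fixture(Path(d))
        results = {}
        for label, machine, tamper in cases:
            if tamper:
                with (bin_dir / "agentguard-arm64").open("ab") as f:
                    f.write(b"\x00")  # one extra byte: the digest no longer matches
            try:
                results[label] = select_verified_binary(bin_dir, machine).name
            except RuntimeError as e:
                results[label] = f"refused: {e}"
        return results


if __name__ == "__main__":
    for label, outcome in check_install_outcomes().items():
        print(f"{label}: {outcome}")
    # Real use against a skill checkout: select_verified_binary(Path("bin"), platform.machine())
    print("this host reports:", platform.machine())
```

On the constructed fixture the arm64 case is accepted, the x86_64 case is refused because no entry exists, and the tampered arm64 file is refused on digest mismatch. Note that a checksum shipped next to the binary only detects accidental corruption and inconsistent packaging; it says nothing about who built the binary, which is why item 3 above asks for a signature or an independently published digest.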

Runtime requirements

  • Host: Clawdis
  • OS: macOS, Linux
  • Binaries: agentguard

Registry metadata

  • Latest version ID: vk972zn4v0kwm00nsy0xwenm975856at4
  • Version: v1.8.1 (5 versions, updated 4h ago)
  • Downloads: 101; stars: 0
  • License: MIT-0
  • Platforms: macOS, Linux

AgentGuard Security Engine

You now have the AgentGuard Security Engine integrated. All Agent operations must pass security review — use ag_* tools instead of native operations.

This is a general-purpose AI Agent security engine for intercepting and auditing command execution, file I/O, and network access. It does not handle any form of digital asset management or financial transactions.

Security Architecture

AgentGuard provides four layers of protection to ensure agents cannot bypass security controls:

  1. Gateway Tool Blocking (L1) — During setup, setup.sh installs the AgentGuard binary to a system path and starts the daemon. Users must then manually add tools.deny entries to openclaw.json to disable the native exec/write/edit/apply_patch/process tools at the Gateway layer; once denied, the agent cannot call those native tools. This layer holds only while the entries remain in openclaw.json and only for the tools listed there, so anyone who can edit that file can switch it off. Rollback: manually delete the tools.deny entries in openclaw.json to restore native tools.
  2. Rule Engine (L2) — All ag_* tool calls are reviewed against command blacklists/whitelists, file path controls, and domain whitelists.
  3. Redaction Engine (L3) — Automatically filters API credentials, auth tokens, SSH keys, and 15 categories of sensitive information (bidirectional input+output redaction).
  4. Audit Log (L4) — All operations are logged to local SQLite and are viewable in the Dashboard. The skill describes the log as tamper-proof, but the page does not say how integrity is enforced, so assume it is protected only as well as the database file itself.

⚠️ Native dangerous tools are blocked at the Gateway layer. You can only use the ag_* tools listed below to perform operations.

Security Tools

Operation Tools (replace native tools)

ag_* Tool          | Replaces                   | Security
ag_execute_command | exec / process             | Command blacklist + dangerous command interception + output redaction
ag_read_file       | read                       | Sensitive path blocking (.ssh/, system credential store, browser data) + content redaction
ag_write_file      | write / edit / apply_patch | Path access control + write content redaction check
ag_list_directory  | read (directory)           | Directory access control
ag_http_request    | browser / network tools    | Domain whitelist + data exfiltration prevention

Inspection Tools

ag_* Tool      | Purpose
ag_skill_check | Check whether a skill/plugin is on the security whitelist
ag_status      | View engine status: mode / audit stats / Panic state

Control Tools

ag_* Tool | Purpose
ag_panic  | Emergency stop: immediately reject all subsequent operations
ag_resume | Resume normal operation

Usage Rules

  1. Must use ag_* tools for all command, file, and network operations. Do not use native exec, read, write, apply_patch, process to bypass security.
  2. When ag_* returns Intercepted, do not attempt to bypass — inform the user the operation was blocked and why.
  3. When a call returns Awaiting Approval, tell the user the operation is waiting for approval in the Dashboard.
  4. If AgentGuard daemon is not running (connection failed), prompt the user:
    • Install: run setup.sh in the skill directory (installs from local binary, no network download)
    • Start: agentguard daemon start
  5. Use ag_status anytime to check current security state.
  6. Use ag_panic for an emergency stop when suspicious behavior is detected or when the user asks for one.

Security Modes

  • enforce — Violations are rejected immediately
  • supervised — Suspicious operations pause for user approval
  • permissive — Audit logging only, no blocking

Dashboard

Audit logs are viewable at: http://127.0.0.1:19821

Features: real-time operation timeline / audit statistics / rule configuration / one-click Panic

The Dashboard and daemon are bound to 127.0.0.1, so they are reachable only from processes on the same host. The page does not describe any authentication on that port; until confirmed otherwise, assume any local process, including other skills, can reach the rule configuration and the Panic control.

Uninstall & Rollback

  1. agentguard daemon stop — stop the daemon
  2. Delete the tools.deny entries in openclaw.json
  3. rm /usr/local/bin/agentguard — remove the binary
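The Gateway Tool Blocking layer, item 5 of the pre-install advice, and step 2 of the rollback above all come down to one edit of openclaw.json: add tools.deny entries for the native tools, keep a backup, and be able to remove exactly those entries later without disturbing other deny rules. The following is an added example, not part of the AgentGuard skill, of doing that edit idempotently with a backup and an atomic write, plus a check that every native tool is actually denied. It assumes the deny list lives at tools.deny as a JSON array of tool names; the page says "tools.deny entries" but never shows the schema, so confirm against your own openclaw.json before using it. The skill text lists the tool set slightly differently in different places (read is named in the usage rules but not in the L1 description), so the six names below are a union and are an assumption.

```python
"""Add or remove OpenClaw tools.deny entries with a backup, and verify the result.

Added example; not part of the AgentGuard skill. Assumes openclaw.json is a
JSON object with the deny list at config["tools"]["deny"] as a list of tool
names (schema assumed; the page does not show it).
"""
import json
import shutil
from datetime import datetime
from pathlib import Path

# Native tools SKILL.md asks to deny; union of the sets named on the page (assumption).
NATIVE_TOOLS = ["exec", "read", "write", "edit", "apply_patch", "process"]


def _copy(config: dict) -> dict:
    """Deep copy via JSON so nested lists are not shared with the caller's object."""
    return json.loads(json.dumps(config))


def add_deny(config: dict, tools=NATIVE_TOOLS) -> dict:
    """Return a copy with `tools` appended to tools.deny; idempotent, keeps existing order."""
    cfg = _copy(config)
    deny = cfg.setdefault("tools", {}).setdefault("deny", [])
    for tool in tools:
        if tool not in deny:
            deny.append(tool)
    return cfg


def remove_deny(config: dict, tools=NATIVE_TOOLS) -> dict:
    """Return a copy with only the given entries removed; unrelated deny rules survive.
    Empty containers left behind are dropped so a rollback restores the original exactly."""
    cfg = _copy(config)
    drop = set(tools)
    tools_section = cfg.get("tools")
    if tools_section and "deny" in tools_section:
        tools_section["deny"] = [t for t in tools_section["deny"] if t not in drop]
        if not tools_section["deny"]:
            del tools_section["deny"]
        if not tools_section:
            del cfg["tools"]
    return cfg


def missing_deny(config: dict, tools=NATIVE_TOOLS) -> list:
    """Native tools not yet denied; an empty list means L1 blocking is fully configured."""
    deny = set(config.get("tools", {}).get("deny", []))
    return [t for t in tools if t not in deny]


def backup_and_write(path: Path, new_config: dict) -> Path:
    """Copy `path` to a timestamped .bak, then replace it atomically. Returns the backup path."""
    stamp = datetime.now().strftime("%Y%m%dT%H%M%S%f")
    backup = path.with_name(f"{path.name}.{stamp}.bak")
    shutil.copy2(path, backup)
    tmp = path.with_name(f"{path.name}.tmp")
    tmp.write_text(json.dumps(new_config, indent=2) + "\n")
    tmp.replace(path)  # rename is atomic: a crash never leaves a half-written config
    return backup


def demo() -> dict:
    """Round trip on a constructed openclaw.json in a temporary directory; no real config is touched."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "openclaw.json"
        original = {"gateway": {"port": 1234}, "tools": {"deny": ["browser"]}}  # constructed sample
        path.write_text(json.dumps(original, indent=2) + "\n")
        backup = backup_and_write(path, add_deny(original))
        backup_ok = json.loads(backup.read_text()) == original
        hardened = json.loads(path.read_text())
        backup_and_write(path, remove_deny(hardened))  # rollback, taking a second backup
        return {
            "backup_matches_original": backup_ok,
            "missing_after_add": missing_deny(hardened),
            "rollback_restores": json.loads(path.read_text()) == original,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # Real use: cfg = json.loads(Path("openclaw.json").read_text())
    #           backup_and_write(Path("openclaw.json"), add_deny(cfg))
```

Run missing_deny against the live config after the Gateway restarts, not just after the write: the block only exists while the entries are present, and an agent that finds exec still callable has no L1 layer at all. Keep the .bak files outside any directory the agent's ag_write_file path rules allow.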

