Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentGuard by Nano

v0.4.0

Agent Identity & Permission Guardian - Trust middleware for credential management, permission scopes, human approval workflows, and audit trails. Use when AI...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for sendwealth/nano-agentguard.

Prompt preview (Install & Setup):
Install the skill "AgentGuard by Nano" (sendwealth/nano-agentguard) from ClawHub.
Skill page: https://clawhub.ai/sendwealth/nano-agentguard
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install nano-agentguard

ClawHub CLI


npx clawhub@latest install nano-agentguard
Security Scan

VirusTotal: Suspicious (View report →)
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The skill claims to be a credential/approval middleware and the code implements vaults, audit, human gate and 1Password integration — so the capability set aligns with the description. However the package and SKILL metadata declare no required environment variables or binaries while the code expects/processes many env vars (AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, FEISHU_OPEN_ID, etc.) and shell tools (1Password 'op' CLI, tmux). That mismatch between declared requirements and actual dependencies is incoherent and risky.
[!] Instruction Scope
SKILL.md and README describe local files (~/.agentguard/*) and an API/CLI usage that is consistent. But runtime instructions and the implementation invoke external CLIs (op), spawn tmux sessions, and execute shell commands via child_process. Those behaviors access system-level resources and can read/write files and invoke external channels (Feishu/other notifiers). The SKILL.md does not fully disclose these execution behaviors or the environment variables they rely on.
Install Mechanism
The registry metadata said 'no install spec' but SKILL.md and package.json advertise npm install (package name 'agentguard') and there are full source files included. Installing via npm is a common mechanism and not inherently malicious, but the metadata inconsistency (instruction-only vs. packaged code) should be resolved. There are no arbitrary download URLs or extract steps in the files provided.
[!] Credentials
The code uses multiple environment variables and system tools (AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, OPENCLAW_TMUX_SOCKET_DIR, FEISHU_* etc.) but the skill registry declares no required env vars. It also defaults to a weak fallback master password ('default-password-change-me') if AGENTGUARD_PASSWORD is not set. Requesting access to 1Password CLI and external notification channels is plausible for the described feature set, but the missing declaration of these requirements and the default fallback behavior are disproportionate and should be explicit to users.
Persistence & Privilege
The skill stores data under ~/.agentguard/, writes audit logs, and expects to be installed into the OpenClaw skills directory. It is not marked 'always: true' and does not appear to alter other skills' configurations. These file writes are consistent with its purpose, but the code also may create tmux sockets and sessions and will run shell commands — this level of system interaction is broader than a purely in-process library and should be considered when granting installation.
What to consider before installing

  1. Undeclared requirements: the package actually runs shell commands (1Password CLI 'op') and may spawn tmux sessions, and it reads env vars like AGENTGUARD_PASSWORD, AGENTGUARD_USE_TMUX, OP_ACCOUNT, FEISHU_OPEN_ID. The skill metadata did not declare these; verify and set them intentionally.
  2. Review the code paths that execute shell commands: src/1password.js uses child_process.execSync and a tmux-based execution path that creates sockets and sessions. If you don't trust the package source, these execs could be abused to run arbitrary commands on your machine.
  3. Secrets handling: CLI commands print credentials (vault get prints the value to stdout) and the tool writes audit logs under ~/.agentguard. Ensure you understand where master passwords and API keys are stored and whether you're comfortable with the local storage and stdout behaviors.
  4. External notifications: the human gate integrates with Feishu/other channels. Inspect src/feishu-notifier.js (and other notifiers) to confirm what is sent externally and whether any sensitive data could be exfiltrated in approval payloads.
  5. Metadata inconsistency: the registry said 'instruction-only' while the repo contains code and package.json. Prefer to install from a known trustworthy source (official npm package or vetted repo) and verify package integrity (source repo, npm publisher, checksums) before running.
  6. Safety steps: run the package in an isolated environment (sandbox/VM) first; search the repository for exec/child_process usages and all network endpoints; set a strong AGENTGUARD_PASSWORD rather than relying on the default; avoid exposing the master password in a shared environment variable; and consider disabling AGENTGUARD_USE_TMUX unless you need the tmux flow.
Given the coherent functionality but the undeclared env/exec behavior and tmux usage, the package looks plausible for its stated purpose but has enough mismatches and risky operations to mark it suspicious until you confirm provenance and review the exec/network code paths.
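A static cross-check of the kind the findings above ask for, added here as an illustration and not part of AgentGuard or of ClawHub's scanner: it lists the process.env names and child_process calls a skill's sources use and compares them with the env vars its metadata declares. The `declared` list and the sample source files are constructed assumptions, not the real package files.

```javascript
// Added example (not AgentGuard's own code): cross-check the env vars and
// shell-execution APIs a skill's sources use against what its metadata declares.
const ENV_RE = /process\.env\.([A-Z_][A-Z0-9_]*)/g;
const EXEC_RE = /\b(execSync|execFileSync|execFile|exec|spawnSync|spawn)\s*\(/g;
const CHILD_PROCESS_RE = /require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]/;

// Collect env var names and exec-style calls from one source file's text.
function inspectSource(text) {
  const envVars = new Set();
  const execCalls = new Set();
  let m;
  while ((m = ENV_RE.exec(text)) !== null) envVars.add(m[1]);
  if (CHILD_PROCESS_RE.test(text)) {
    while ((m = EXEC_RE.exec(text)) !== null) execCalls.add(m[1]);
  }
  return { envVars: [...envVars].sort(), execCalls: [...execCalls].sort() };
}

// Compare what the code uses with what the metadata declares.
// `declared` stands in for a hypothetical required-env list in SKILL.md metadata.
function auditSkill(files, declared) {
  const used = new Set();
  const exec = new Set();
  for (const text of Object.values(files)) {
    const r = inspectSource(text);
    r.envVars.forEach((v) => used.add(v));
    r.execCalls.forEach((c) => exec.add(c));
  }
  const undeclaredEnv = [...used].filter((v) => !declared.includes(v)).sort();
  return {
    undeclaredEnv,
    execCalls: [...exec].sort(),
    // Either finding warrants a closer review before installing.
    suspicious: undeclaredEnv.length > 0 || exec.size > 0,
  };
}

// Constructed sample sources mimicking the patterns the scan describes
// (undeclared env vars, a weak fallback password, an exec of the 'op' CLI).
const SAMPLE_FILES = {
  'src/vault.js':
    "const pw = process.env.AGENTGUARD_PASSWORD || 'default-password-change-me';",
  'src/1password.js': [
    "const { execSync } = require('child_process');",
    'const acct = process.env.OP_ACCOUNT;',
    "const out = execSync('op whoami');",
  ].join('\n'),
};
const DECLARED_ENV = []; // the registry metadata declared nothing
```

Run it over a real checkout by reading each file under src/ into the `files` map; a non-empty `undeclaredEnv` or `execCalls` is exactly the mismatch the scan reports.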

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements: none declared (see the scan findings above)

🔐 Clawdis
latest: vk973s6333xfxg0ndmct94n3add8229ya
432 downloads · 0 stars · 4 versions · Updated 6h ago
v0.4.0 · MIT-0

AgentGuard - Agent Identity & Permission Guardian

Overview

AgentGuard is a trust middleware for Phase 1 hybrid authentication:

  • Credential Vault: Encrypted storage for API keys and OAuth tokens
  • Permission Scopes: Define what operations need human approval
  • Human Gate: Push confirmation requests for high-risk operations
  • Audit Trail: Cryptographically signed operation logs
  • Agent Registry: Track agents with credentials and permissions

Installation

# Install globally
npm install -g agentguard

# Or use as OpenClaw skill
cp -r . ~/.openclaw/skills/agentguard

Quick Start

# Initialize vault
agentguard init

# Register an agent
agentguard register my-agent --owner "user@example.com"

# Store a credential
agentguard vault store my-agent OPENAI_API_KEY sk-xxx

# Define permission scope
agentguard scope set my-agent --level read --dangerous require-approval

# List agents
agentguard list

# Audit log
agentguard audit my-agent --last 24h

Permission Levels

| Level     | Auto-approve         | Requires Human     |
|-----------|----------------------|--------------------|
| read      | ✅ Read operations   |                    |
| write     | ✅ Read/Write        |                    |
| admin     | ✅ Most operations   | ⚠️ Dangerous only  |
| dangerous | ❌ All operations    | ✅ Always          |

Dangerous Operations (Require Human Approval)

  • Send messages/emails
  • Financial transactions
  • Delete data
  • Modify system config
  • Access sensitive credentials
  • External API calls (configurable)

Human Gate Integration

When an agent attempts a dangerous operation:

  1. AgentGuard blocks the operation
  2. Pushes notification to owner (Feishu/Telegram/Email)
  3. Owner approves/denies with biometric confirmation
  4. If approved, operation proceeds with short-lived token
  5. All logged with cryptographic signature

Configuration

~/.agentguard/config.json:

{
  "vault": {
    "encryption": "aes-256-gcm",
    "keyDerivation": "pbkdf2"
  },
  "humanGate": {
    "timeout": 300,
    "channels": ["feishu", "telegram"],
    "biometric": true
  },
  "audit": {
    "retention": "30d",
    "signLogs": true
  }
}

API Usage (for skills)

const agentguard = require('agentguard');

// Check permission
const allowed = await agentguard.check('my-agent', 'send_email');
if (!allowed) {
  // Request human approval
  const approval = await agentguard.requestApproval({
    agent: 'my-agent',
    action: 'send_email',
    details: { to: 'user@example.com', subject: 'Test' }
  });
}

// Get credential
const apiKey = await agentguard.getCredential('my-agent', 'OPENAI_API_KEY');

// Log action
await agentguard.audit('my-agent', 'api_call', { endpoint: '/completions' });

Security Model

  1. Vault Encryption: AES-256-GCM with key derived from master password
  2. Credential Isolation: Each agent has separate encrypted container
  3. Audit Integrity: SHA-256 hash chain for tamper detection
  4. Human Gate: Out-of-band confirmation via trusted channel
  5. Token Expiry: Short-lived tokens (default 5 min)

Files

  • ~/.agentguard/ - Data directory
  • ~/.agentguard/vault/ - Encrypted credentials
  • ~/.agentguard/registry.json - Agent registry
  • ~/.agentguard/audit/ - Audit logs
  • ~/.agentguard/config.json - Configuration

OpenClaw Integration

AgentGuard integrates with OpenClaw as a skill:

  1. Add to ~/.openclaw/skills/agentguard/
  2. Configure in workspace AGENTS.md:

     ## AgentGuard
     All external API calls require AgentGuard permission check.
     Dangerous operations require human approval.

  3. Use in other skills:

     const guard = require('agentguard');
     await guard.checkOrApprove(agentId, operation, details);

Roadmap

  • Phase 1: CLI + Vault + Permission Scopes
  • Phase 2: Human Gate (Feishu/Telegram integration)
  • Phase 3: Audit Trail + Export
  • Phase 4: OAuth2 Token Auto-refresh
  • Phase 5: Multi-tenant Support
  • Phase 6: DID Preparation (future Phase 2)

Building trust infrastructure for the Agentic Era.
