ClawHub

Openclaw Pii Anonymizer

v2.0.0

Privacy pipeline for OpenClaw - Hybrid regex + Qwen2.5 LLM to scrub PII (names/emails/SSNs/phones/wallets/IPs/paths) before external AI processing. Script wo...

0· 472·0 current·0 all-time
bySeth Blakely@solmas
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (PII anonymizer) match the included scripts and declared requirements (jq, curl, bash, sed, OLLAMA_URL). The scripts implement a hybrid regex + local LLM approach described in SKILL.md; required binaries and the local Ollama endpoint are appropriate for this purpose.
Instruction Scope
Runtime instructions and scripts are limited to local operations: regex substitution, conditional calls to the Ollama HTTP API, and returning anonymized text. The SKILL.md does reference hooks and workspace paths but explicitly notes the hook currently doesn't fire. The scripts do not attempt to read unrelated system secrets or network endpoints beyond the configured OLLAMA_URL.
Install Mechanism
This is instruction-only with no automated install spec; SKILL.md suggests installing system packages (apt jq/curl) and manually pulling an Ollama model. No remote code download or arbitrary archive extraction is specified by the skill itself.
Credentials
The only required env var is OLLAMA_URL, which is appropriate. Two small inconsistencies to note: SKILL.md suggests exporting OLLAMA_MODEL but privacy-anonymize-v2.sh reads MODEL (and defaults to qwen2.5:3b); v1 uses MODEL default phi3:mini. Also, if a user points OLLAMA_URL to a remote service (not localhost), PII would be sent to that endpoint — ensure the endpoint is local/trusted.
Persistence & Privilege
The skill does not request always:true or other high privileges. It is user-invocable and does not modify other skills or system-wide settings. The hook installation is described but nonfunctional; nothing indicates the skill will persistently enable itself or alter unrelated configurations.
Assessment
This package appears to do what it says, but review these points before installing or using on real PII: - Ensure OLLAMA_URL points to a trusted, local Ollama instance (http://localhost:11434). If you set OLLAMA_URL to a remote server, sensitive text will be sent there. - Fix the small env-var mismatch: the v2 script reads MODEL (default qwen2.5:3b) while SKILL.md mentions OLLAMA_MODEL — set MODEL or adjust the script accordingly. - Test thoroughly with non-sensitive data first. Confirm the model output contains only anonymized tokens and no unintended content. - Consider improving JSON construction to avoid input injection issues (use jq or a safer encoding method rather than simple quote-escaping), and validate long inputs before sending to the LLM. - The hook system is noted as broken; do not rely on automatic interception until the hook is fixed and audited. - Be aware of model licensing and storage: pulling qwen2.5:3b downloads a ~1.9GB model; ensure you have the resources and that model logs/storage are controlled. If you want higher assurance, ask the author for a short review or run the script in an isolated environment and verify network traffic (e.g., confirm curl only calls the configured OLLAMA_URL and nothing else).

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsjq, curl, bash, sed
EnvOLLAMA_URL
latestvk97a6xkh0jkv1xa8wh087ah0j98353t8
472downloads
0stars
3versions
Updated 1mo ago
v2.0.0
MIT-0
Seth Blakely@solmas
latest
Download

OpenClaw PII Anonymizer v2.0

Status: ⚠️ Partially Working

  • ✅ Script works perfectly (manual invocation)
  • ❌ Auto-hook interception needs debugging

Hybrid regex + Qwen2.5:3b LLM to scrub PII before external AI calls.

Quick Start

# 1. Install Ollama model
ollama pull qwen2.5:3b

# 2. Test the script
cd ~/.openclaw/workspace/skills/openclaw-pii-anonymizer
bash privacy-anonymize-v2.sh "My name is John Doe, SSN 123-45-6789"
# Output: My name is [NAME], SSN [SSN]

What It Does

Replaces PII with tokens:

  • Names → [NAME]
  • SSNs → [SSN]
  • Emails → [EMAIL]
  • Phones → [PHONE]
  • Wallets → [WALLET]
  • IPs → [IP]
  • Paths → [PATH]

Two-layer approach:

  1. Regex (fast, <1ms) - Structured PII (SSN, email, phone, etc.)
  2. Qwen2.5:3b (2-3s) - Contextual names (zero hallucination)

Usage

Manual (Working Now)

# In scripts/workflows
ANONYMIZED=$(bash privacy-anonymize-v2.sh "$USER_INPUT")
echo "$ANONYMIZED" | external-api-call

Automatic Hook (TODO)

Hook installed at ~/.openclaw/workspace/hooks/pii-shield/ but doesn't fire on messages yet. Debugging needed.

Requirements

  • Ollama running at http://localhost:11434
  • Model: qwen2.5:3b (1.9GB) - Better instruction-following than phi3:mini
  • RAM: 16GB recommended (6GB minimum but tight)
  • Dependencies: bash, curl, jq, sed

Why Qwen2.5:3b?

Tested alternatives:

  • phi3:mini - Hallucinates extra content, too chatty
  • qwen2.5:3b - Zero hallucination, task-focused, smaller (1.9GB vs 2.2GB)
  • Alternative: llama3.2:3b (similar performance)

Performance

  • Regex layer: <1ms
  • LLM layer: 2-3s (only runs if names detected)
  • Optimization: Skips LLM for short messages or already-anonymized text

Known Issues

  1. Hook system - message:preprocessed event doesn't fire (needs investigation)
  2. Auto-interception - Messages not automatically scrubbed yet
  3. Re-contextualization - Not implemented (responses stay anonymized)

For Production

Consider NemoClaw for production deployments:

  • Built-in PII handling at architecture level
  • Enterprise-grade from Nvidia
  • No hook debugging needed

This skill: Development/testing, manual workflows
NemoClaw: Production with real customer PII

Testing

# Test 1: Structured PII
bash privacy-anonymize-v2.sh "SSN 123-45-6789, email test@example.com"
# Expected: SSN [SSN], email [EMAIL]

# Test 2: Names
bash privacy-anonymize-v2.sh "Hi, I'm Alice Johnson"
# Expected: Hi, I'm [NAME]

# Test 3: Complex
bash privacy-anonymize-v2.sh "John Smith (john@test.com), SSN 987-65-4321, wallet 0x1234567890abcdef1234567890abcdef12345678"
# Expected: [NAME] ([EMAIL]), SSN [SSN], wallet [WALLET]

Files

  • privacy-anonymize-v2.sh - Main script (hybrid approach)
  • privacy-anonymize.sh - Old v1 (phi3:mini, deprecated)
  • hooks/pii-shield/ - Auto-interception hook (needs debugging)
  • README.md - Full documentation

Configuration

export OLLAMA_URL=http://localhost:11434
export OLLAMA_MODEL=qwen2.5:3b

Roadmap

  • Fix hook system for auto-interception
  • Re-contextualization (restore real names in responses)
  • Expanded regex patterns (international formats)
  • Async LLM (non-blocking)
  • Caching for repeated phrases

Version

v2.0 (March 17, 2026)

  • Hybrid regex + Qwen2.5:3b
  • Script works perfectly
  • Hook needs debugging

v1.0.2 (March 1, 2026)

  • phi3:mini based
  • Hallucination issues

License: MIT
Author: Solmas (Seth Blakely)
Homepage: https://github.com/solmas/openclaw-pii-anonymizer

Comments

Loading comments...