ScopeBlind Passport

v0.4.1

Signed access control for your OpenClaw agent. Wraps MCP tool calls through protect-mcp to add per-tool policies, signed receipts, and trust tiers. Every act...

⭐ 0· 90·0 current·0 all-time

byTJF@tomjwxf

MIT-0

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description claim to wrap MCP calls with protect-mcp. The SKILL.md instructs exactly how to wrap OpenClaw MCP servers, generate signing keys, and use protect-mcp commands. Required binaries (npx, curl) and the suggested npm packages align with these goals.

✓

Instruction Scope

Instructions are narrowly scoped to installing protect-mcp/@scopeblind/passport, initializing keys/policies in the current directory, modifying the agent's mcpServers entries, and calling local protect-mcp endpoints (port 9876) for approvals/receipts. The skill does not instruct reading or exfiltrating unrelated system files or contacting remote endpoints as part of normal operation.

ℹ

Install Mechanism

The SKILL.md recommends 'npm install -g protect-mcp@latest @scopeblind/passport@latest' which is a normal way to install the referenced tooling but does execute arbitrary code from the npm packages. The registry metadata itself does not include a separate install spec (the install instructions are only in SKILL.md). Users should verify the protect-mcp and @scopeblind/passport packages (source, maintainers, release integrity) before running a global npm install.

✓

Credentials

No environment variables, secrets, or external credentials are requested. The skill writes local signing keys (keys/gateway.json) and policy files into the current directory, which is necessary for signing receipts and enforcing policies; those key files should be protected by the user, but their creation is proportionate to the stated purpose.

✓

Persistence & Privilege

The skill is not forced-always and does not request elevated platform privileges. It modifies the agent's MCP configuration (expected for wrapping tool calls) and writes its own keys/policy files locally. There is no instruction to change other skills' configurations or system-wide settings.

Assessment

This skill appears coherent for adding signed, local access-control around MCP tool calls. Before installing: (1) inspect the npm packages it asks you to install (protect-mcp and @scopeblind/passport) — check their npm pages and GitHub repos for legitimacy; (2) avoid running global installs as root if you have concerns, or install in an isolated environment; (3) be aware signing keys are created in your current directory (keys/gateway.json) — store them securely and avoid committing them to source control; (4) protect the local approval server (127.0.0.1:9876) so approvals can’t be triggered by other local processes if that matters; (5) review the included policy templates to ensure they match your risk model. If you need higher assurance, review the protect-mcp package source (or vendor a known release) before using it in production.

Like a lobster shell, security has layers — review code before you run it.

latestvk97720w0hem9fr74em86bybdms83ntj2

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

ScopeBlind Passport — Signed Access Control for Your Agent

What This Skill Does

This skill wraps your OpenClaw agent's MCP tool calls through protect-mcp, adding:

Shadow mode — logs every tool call with a signed receipt (blocks nothing by default)
Per-tool policies — block, rate-limit, or require approval for specific tools
Signed receipts — Ed25519-signed, JCS-canonicalized proof of every decision
Trust tiers — available for advanced configurations to gate tool access by verified track record
Local daily digest — human-readable summary of what your agent did

Any platform can log what its agents do. Very few will let you verify those logs without trusting them.

When to Use This Skill

Use this skill when:

You want to know what your agent did while you weren't watching
You need signed, tamper-proof proof of agent actions for compliance or auditing
You want to block dangerous tools (delete_database, send_email_as_ceo, rm_rf)
You want rate limits on expensive or risky operations
You want a daily summary of your agent's activity

Do NOT Use This Skill When

You only want basic OpenClaw built-in allowlists (those work fine for simple cases)
You don't need signed cryptographic proof (just want logs, not receipts)

Setup

Fast path (recommended)

If you already have an OpenClaw config, generate a passported wrapper pack first:

npx @scopeblind/passport wrap --runtime openclaw --config ./openclaw.json --policy email-safe

That writes:

wrapped-config.json
manifest.json
passport.bundle.json
protect-mcp.json
keys/gateway.json
VERIFY.md

Copy the mcpServers entries from wrapped-config.json into your OpenClaw config.

First Run (generates signing keys + default policy)

npx protect-mcp init

This creates:

keys/gateway.json — Ed25519 signing keypair (in current directory)
protect-mcp.json — default shadow-mode policy (logs everything, blocks nothing)

Wrapping Your MCP Servers

For each MCP server your agent uses, wrap it through protect-mcp. In your OpenClaw MCP config:

Before:

{
  "mcpServers": {
    "filesystem": {
      "command": "node",
      "args": ["filesystem-server.js"]
    }
  }
}

After:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["protect-mcp", "--policy", "protect-mcp.json", "--", "node", "filesystem-server.js"]
    }
  }
}

That's it. Every tool call now produces a signed receipt.

Applying a Policy Pack

To move from shadow mode to enforce mode, copy a policy template and add --enforce:

# Copy a policy template
cp policies/email-safe.json protect-mcp.json

Then update your MCP config args to include --enforce:

"args": ["protect-mcp", "--policy", "protect-mcp.json", "--enforce", "--", "node", "server.js"]

See the policies/ directory for pre-built templates.

Commands

When the user asks you to perform these actions, execute them:

"Show my passport" / "What's my agent identity?"

npx protect-mcp status

Display the output, which shows:

Total decisions (allow/deny/rate-limited)
Time range of activity
Top tools used
Trust tiers seen

"What did you do today?" / "Show my daily report"

npx protect-mcp digest --today

Display the local summary, which includes:

Actions taken (allowed, blocked, awaiting approval)
Tools used and frequency
Trust tier status
Blocked tools with reasons

"Show my receipts" / "Prove what you did"

npx protect-mcp receipts --last 20

Shows the 20 most recent decisions with tool name, decision, and timestamp.

"Why was that blocked?"

When a tool call is blocked or rate-limited, explain:

Which policy rule triggered the block
The agent's current trust tier
What tier would be needed to use that tool
How to request an approval or policy change

Approval Flow

When protect-mcp blocks a high-risk action that has require_approval: true in the policy, it returns:

REQUIRES_APPROVAL: The tool "send_email" requires human approval before execution.
Tell the user you need their approval to use "send_email" and will retry when granted.
Do NOT retry this tool call until the user explicitly approves it.

When you receive this response:

Tell the user: "I need your approval to use [tool_name]. Should I proceed?"
Wait for the user to respond with approval.
When the user approves, grant the approval by running:

# For one-time approval (scoped to this specific request):
curl -s -X POST http://127.0.0.1:9876/approve -H 'Content-Type: application/json' -d '{"request_id":"REQUEST_ID","tool":"TOOL_NAME","mode":"once","nonce":"NONCE"}'

# For always-allow this tool (session-scoped, 24h TTL):
curl -s -X POST http://127.0.0.1:9876/approve -H 'Content-Type: application/json' -d '{"tool":"TOOL_NAME","mode":"always","nonce":"NONCE"}'

Replace REQUEST_ID, TOOL_NAME, and NONCE with the values from the REQUIRES_APPROVAL response.

After granting approval, retry the original tool call. It will now succeed.

When the user denies: Tell them the action was blocked and explain what was prevented.

Check current approvals:

curl -s http://127.0.0.1:9876/approvals

Policy Packs

Pre-built policies are available in the policies/ directory:

Pack	What it does
`shadow.json`	Log everything, block nothing (default)
`web-browsing-safe.json`	Rate-limit browsing, require approval for forms, block JS
`email-safe.json`	Read freely, require approval to send, block delete
`strict.json`	Block everything except reads (read-only mode)

Verification

Every receipt is independently verifiable. The MIT-licensed verifier requires zero trust in ScopeBlind.

Quick test (no receipts needed)

npx @veritasacta/verify --self-test

Getting receipts to verify

Receipts are available from the local HTTP status server while protect-mcp is running:

# Get the most recent receipt
curl -s http://127.0.0.1:9876/receipts/latest | jq -r '.receipt' > receipt.json

# Get all recent receipts
curl -s http://127.0.0.1:9876/receipts | jq -r '.receipts[0].receipt' > receipt.json

If the local status server is unavailable, use the persisted receipt file:

tail -n 1 .protect-mcp-receipts.jsonl > receipt.json

Verifying a receipt

# Get the public key from status (shown under "Passport Identity")
npx protect-mcp status

# Verify with the public key
npx @veritasacta/verify receipt.json --key <public-key-hex>

The verifier checks Ed25519 signatures against public keys. No API calls, no accounts, no ScopeBlind servers involved.

Comments

Loading comments…