Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AgentGate - Enterprise Security Firewall for OpenClaw

v1.0.0

Enforces regex-based, real-time authorization policies on OpenClaw agents’ tool calls, blocking, allowing, or requiring approval before execution.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability (flagged)
The SKILL.md describes a networked firewall that forwards agent API key, tool name, and serialized arguments to a remote cloud function and stores logs in Firestore. That capability would legitimately require an API key, endpoint config, and installable SDK; however the registry metadata declares no required env vars, no install spec, and no homepage even though the SKILL.md includes a specific endpoint/website. The absence of declared credentials and install info is inconsistent with the described purpose.
Instruction Scope (flagged)
Instructions explicitly tell integrators to send the agent API key and JSON.stringify(args) to a remote endpoint on every tool call, to poll Firestore every 2s for approvals, and to trigger Telegram webhooks. That means potentially sensitive data (shell commands, HTTP request bodies, filesystem contents, Stripe args, emails, etc.) will be transmitted to an external service — there is no mention of encryption, minimization, access/retention policies, or what fields are redacted. The SKILL.md also instructs installing and using an npm SDK but provides no code or provenance for that package inside the registry.
Install Mechanism
This is an instruction-only skill (no install spec in registry), yet SKILL.md tells users to npm install @agentgate/openclaw-guard and to sign up at a vercel.app dashboard. Installing an npm package from the public registry is a common pattern, but the registry should declare that dependency and any required environment configuration. The lack of an install spec and lack of code in the package bundle means the user must trust an external npm package and the remote service.
Credentials (flagged)
The runtime flow requires an AGENTGATE_API_KEY (used on every tool call) and likely service-specific credentials (Firestore, Telegram/webhook config). Yet the skill metadata lists no required env vars or primary credential. Requesting an API key that will receive full serialized tool arguments (potentially secrets) is high-privilege and should be explicitly declared and justified — it is not.
Persistence & Privilege
The skill does not request 'always' presence and leaves autonomous invocation enabled, which is normal. It will, however, be implemented as a wrapper on the agent's tool-execution path and thus intercepts all calls. That interception behavior is consistent with the stated purpose, but combined with the remote-forwarding design it increases the blast radius because every tool call and the agent API key are transmitted off-host.
What to consider before installing
Before installing or using this skill, consider the following:
(1) The SKILL.md requires an AGENTGATE_API_KEY and installing an npm package, but the registry metadata does not declare those — ask the publisher to explicitly list required env vars and provide the package source code.
(2) This skill forwards full serialized tool arguments (which may contain secrets, file contents, Stripe amounts, SMTP data, etc.) to a remote endpoint and stores audit logs in Firestore — verify the remote service's privacy, retention, and access controls, and whether payloads are redacted or encrypted.
(3) Review the source for @agentgate/openclaw-guard and the cloud functions (or ask for an auditable deployment), and only install from a verified, pinned package/version.
(4) If you must test, run in an isolated environment with non-production credentials and limited data, rotate any API keys used, and monitor agent/audit logs closely.
(5) If your threat model requires that sensitive data never leaves your environment, prefer a local-only enforcement solution or require the publisher to provide an on-prem/self-host option and a security whitepaper explaining data flows.
If the publisher cannot provide clear provenance and data-handling guarantees, treat this skill as high-risk.


Tags: ai-agent, authorization, enterprise, firewall, guardrails, latest, openclaw, security
