Install
openclaw skills install @zw008/ai-guardianUse this skill whenever the user needs to observe or govern on-endpoint local LLMs running on Ollama — inventory installed/running models with an allow/deny verdict (shadow-AI detection), inspect VRAM residency, model license/params/capabilities and server version, view the model policy, detect model provenance/digest drift (re-pulled or tampered weights), scan a prompt for secrets / PII / source-code / jailbreak with a weighted risk band, route a prompt THROUGH a guard that scans + policy-gates + records + runs-if-allowed (guarded_generate / observe_chat), query the observed-usage log, and roll up anomalies (shadow models, digest drift, high-risk + blocked prompts). Always use this skill for "what local models are installed", "find shadow / unsanctioned AI models", "which model is loaded in VRAM", "scan this prompt for secrets/PII before sending", "stop secrets leaking into a local model", "block a prompt with an API key", "detect a jailbreak / prompt injection", "set a model allowlist / denylist", "detect a tampered / re-pulled model", "audit local LLM usage", or "the complement to IGEL AI Armor". Do NOT use for GPU inference CLUSTERS (multi-node vLLM/Ray serving) — this is for single-endpoint LOCAL LLMs via Ollama; point cluster/serving work to the other AIops-tools. Also not for hypervisors, storage, backup, Kubernetes, or network devices. Preview — passive inventory/state auditing plus opt-in route-through content governance, with a bundled governance harness (audit, policy, token budget, undo, risk-tiers). Mock-validated only; a transparent capture proxy is v0.2 roadmap.
openclaw skills install @zw008/ai-guardianDisclaimer: Community-maintained open-source project, not affiliated with, endorsed by, or sponsored by Ollama, IGEL, or any AI-security vendor. Product and trademark names belong to their owners. Source at github.com/AIops-tools/AI-Guardian under the MIT license.
Governed observability + governance for on-endpoint local LLMs (Ollama) —
18 MCP tools, every one wrapped with the bundled @governed_tool harness: a
local unified audit log under ~/.ai-guardian/, policy engine, token/runaway
budget guard, undo-token recording, and graduated-autonomy risk tiers. It is the
complement to IGEL AI Armor: AI Armor governs whether a local model may run;
ai-guardian records what it did and gates what leaves in the prompt.
Ollama keeps no queryable prompt history (context is client-supplied each
request), so ai-guardian observes on two fronts: passive inventory / state
auditing over /api/tags, /api/ps, /api/show, /api/version; and opt-in
route-through content governance — a caller sends a prompt through
guarded_generate / observe_chat, which scans + policy-gates + records it and
only then calls Ollama.
Standalone: the governance harness is bundled in the package (
ai_guardian.governance) — no external skill-family dependency. Preview / mock-only: a transparent capture proxy for other clients' traffic is v0.2 roadmap, and IGEL AI Armor interop is doc-level positioning.
| Group | Tools | Count | Read/Write |
|---|---|---|---|
| Inventory / state | list_models, running_models, model_details, server_status, vram_usage | 5 | read |
| Policy / provenance | policy_view, model_provenance | 2 | read |
| Content governance (read) | scan_prompt, usage_events, anomaly_report | 3 | read |
| Model lifecycle | pull_model (medium), remove_model (high), unload_model (medium) | 3 | write |
| Policy writes | set_model_allowlist, set_model_denylist, pin_model_digest (all medium) | 3 | write |
| Route-through guard | guarded_generate, observe_chat (medium) | 2 | write |
scan_prompt is pure (no Ollama call). guarded_generate / observe_chat block
when the prompt's risk band >= block_threshold (default high) or the model
is disallowed; blocked calls never reach Ollama and are recorded as blocked.
uv tool install ai-guardian
ai-guardian doctor # works zero-config against a local Ollama
ai-guardian init # optional: endpoint(s) + optional token + model allowlist
list_models / anomaly_report): unsanctioned models show allowed:falsescan_prompt): secrets / PII / source-code / jailbreak → a weighted risk band, no model callguarded_generate / observe_chat): scan + policy-gate + record, then run only if allowedmodel_provenance): current digest vs its pin → driftset_model_allowlist / set_model_denylist) and pin trusted digests (pin_model_digest)running_models / vram_usage) and audit observed usage (usage_events)Do NOT use when the target is a GPU inference cluster (multi-node serving) — that is a different tool in the AIops-tools line. Also not for hypervisors, storage appliances, backup products, container clusters, or network devices.
| If the user wants… | Use |
|---|---|
| On-endpoint local LLM (Ollama): scan prompts, shadow-AI, provenance, policy | ai-guardian (this skill) |
| GPU inference cluster serving/ops | another AIops-tools skill for cluster serving |
| Hypervisor / storage / backup / container / network ops | the matching AIops-tools skill |
list_models → every model with its allow/deny verdict; anything allowed:false is shadow AIanomaly_report → a one-shot rollup of shadow models + digest drift + high-risk / blocked promptsset_model_allowlist(["llama3.*", "qwen*"]) so future shadow models are refused at pull_modelguarded_generate(model, prompt, block_threshold="high")>= high or the model is disallowedusage_events(allowed=False) — the raw prompt is never stored, only its length + redacted findingspin_model_digest(model, digest) (digest from list_models / model_details)model_provenance → any model whose current digest differs from its pin shows status: DRIFT (re-pulled / tampered weights)Call scan_prompt("…text…") (or ai-guardian guard scan "…") to get findings +
the weighted risk band deterministically — useful to pre-check anything offline
before it ever reaches a local model.
~/.ai-guardian/audit.db (relocatable via AI_GUARDIAN_AIOPS_HOME); observed local-LLM usage lives in a separate ~/.ai-guardian/usage.db.remove_model can require a named approver: set AI_GUARDIAN_AUDIT_APPROVED_BY and AI_GUARDIAN_AUDIT_RATIONALE.remove_model supports --dry-run + double confirmation at the CLI and records an undo (re-pull); allowlist/denylist writes record an undo → the prior list.references/capabilities.md — full 18-tool + endpoint referencereferences/cli-reference.md — CLI command referencereferences/setup-guide.md — onboarding, optional token, and connectivity