Install
openclaw skills install jjy-agentguardAgentguard
AgentGuard security engine — intercept dangerous operations, audit all actions, protect sensitive data. All commands/file/network operations go through ag_* tools for rule engine review. AgentGuard 安全引擎 — 拦截危险操作、审计所有行为、保护敏感数据。所有命令/文件/网络操作通过 ag_* 工具经规则引擎审核后执行。
AgentGuard Security Engine
You now have the AgentGuard Security Engine integrated. All Agent operations must pass security review — use ag_* tools instead of native operations.
This is a general-purpose AI Agent security engine for intercepting and auditing command execution, file I/O, and network access. It does not handle any form of digital asset management or financial transactions.
Security Architecture
AgentGuard provides four layers of protection to ensure agents cannot bypass security controls:
- Gateway Tool Blocking (L1) — During setup,
setup.shinstalls the AgentGuard binary to a system path and starts the daemon. Users must manually addtools.denyentries toopenclaw.jsonto disable nativeexec/write/edit/apply_patch/processtools at the Gateway layer. Agents are physically unable to call blocked native tools. Rollback: manually delete thetools.denyentries inopenclaw.jsonto restore native tools. - Rule Engine (L2) — All
ag_*tool calls are reviewed against command blacklists/whitelists, file path controls, and domain whitelists. - Redaction Engine (L3) — Automatically filters API credentials, auth tokens, SSH keys, and 15 categories of sensitive information (bidirectional input+output redaction).
- Audit Log (L4) — All operations are logged to local SQLite, viewable in the Dashboard, tamper-proof.
⚠️ Native dangerous tools are blocked at the Gateway layer. You can only use the
ag_*tools listed below to perform operations.
Security Tools
Operation Tools (replace native tools)
| ag_* Tool | Replaces | Security |
|---|---|---|
ag_execute_command | exec / process | Command blacklist + dangerous command interception + output redaction |
ag_read_file | read | Sensitive path blocking (.ssh/, system credential store, browser data) + content redaction |
ag_write_file | write / edit / apply_patch | Path access control + write content redaction check |
ag_list_directory | read (directory) | Directory access control |
ag_http_request | browser / network tools | Domain whitelist + data exfiltration prevention |
Inspection Tools
| ag_* Tool | Purpose |
|---|---|
ag_skill_check | Check if a skill/plugin is on the security whitelist |
ag_status | View engine status: mode / audit stats / Panic state |
Control Tools
| ag_* Tool | Purpose |
|---|---|
ag_panic | Emergency stop — immediately reject all subsequent operations |
ag_resume | Resume normal operation |
Usage Rules
- Must use
ag_*tools for all command, file, and network operations. Do not use nativeexec,read,write,apply_patch,processto bypass security. - When
ag_*returnsIntercepted, do not attempt to bypass — inform the user the operation was blocked and why. - When returning
Awaiting Approval, tell the user to approve in the Dashboard. - If AgentGuard daemon is not running (connection failed), prompt the user:
- Install: run
setup.shin the skill directory (installs from local binary, no network download) - Start:
agentguard daemon start
- Install: run
- Use
ag_statusanytime to check current security state. - Use
ag_panicfor emergency stop when suspicious behavior is detected.
Security Modes
- enforce — Violations are rejected immediately
- supervised — Suspicious operations pause for user approval
- permissive — Audit logging only, no blocking
Dashboard
Audit logs viewable at: http://127.0.0.1:19821
Features: real-time operation timeline / audit statistics / rule configuration / one-click Panic
Uninstall & Rollback
agentguard daemon stop— stop the daemon- Delete the
tools.denyentries inopenclaw.json rm /usr/local/bin/agentguard— remove the binary
AgentGuard 安全引擎
你现在集成了 AgentGuard 安全引擎。所有 Agent 操作必须经过安全审核,你需要使用 ag_* 系列工具替代原生操作。
本工具为通用 AI Agent 安全防护引擎,用于拦截和审计 Agent 的命令执行、文件读写及网络访问操作,不涉及任何形式的数字资产管理或金融交易功能。
安全架构
AgentGuard 通过 四层防护 确保 Agent 无法绕过安全监管:
- Gateway 工具封锁 (L1) — 安装时
setup.sh将 AgentGuard 二进制文件安装到系统路径并启动守护进程。用户需在openclaw.json中手动添加tools.deny条目以在 Gateway 层禁用原生exec/write/edit/apply_patch/process工具。Agent 物理上无法调用被封锁的原生工具。回滚方式:手动删除openclaw.json中的tools.deny条目即可恢复原生工具。 - 规则引擎 (L2) — 所有
ag_*工具调用经命令黑白名单、文件路径控制、域名白名单审核 - 脱敏引擎 (L3) — 自动过滤 API 凭证、认证令牌、SSH 密钥等 15 类敏感信息(输入+输出双向脱敏)
- 审计日志 (L4) — 所有操作记录到本地 SQLite,可在 Dashboard 查看,不可篡改
⚠️ 原生危险工具已在 Gateway 层被封锁,你只能使用下方
ag_*工具执行操作。
安全工具
操作类 (替代原生工具)
| ag_* 工具 | 替代原生工具 | 安全能力 |
|---|---|---|
ag_execute_command | exec / process | 命令黑白名单 + 危险命令拦截 + 输出脱敏 |
ag_read_file | read | 敏感路径拦截 (.ssh/, 系统凭证存储, 浏览器数据) + 内容脱敏 |
ag_write_file | write / edit / apply_patch | 路径访问控制 + 写入内容脱敏检查 |
ag_list_directory | read (目录) | 目录访问控制 |
ag_http_request | browser / 网络工具 | 域名白名单 + 数据外泄防护 |
检查类
| ag_* 工具 | 用途 |
|---|---|
ag_skill_check | 检查 Skill/插件是否在安全白名单中 |
ag_status | 查看引擎状态:运行模式 / 审计统计 / Panic 状态 |
控制类
| ag_* 工具 | 用途 |
|---|---|
ag_panic | 紧急暂停 — 立即拒绝所有后续操作 |
ag_resume | 恢复正常运行 |
使用规则
- 必须使用
ag_*工具执行所有命令、文件和网络操作。不得使用exec、read、write、apply_patch、process等原生工具绕过安全检查。 - 当
ag_*工具返回拦截信息时,不要尝试绕过,向用户说明操作被安全策略拦截及原因。 - 当返回
等待审批时,告知用户正在等待审批,请在 Dashboard 中操作。 - 如果 AgentGuard daemon 未运行(连接失败),提示用户:
- 安装: 运行 skill 目录下的
setup.sh(从本地 binary 安装,无需网络下载) - 启动:
agentguard daemon start
- 安装: 运行 skill 目录下的
- 可以随时使用
ag_status查看当前安全状态。 - 发现可疑行为或用户要求时,使用
ag_panic紧急暂停。
安全模式
- enforce (强制拦截) — 违反规则的操作直接拒绝
- supervised (监督审批) — 可疑操作暂停等待用户审批
- permissive (宽松放行) — 仅记录审计日志,不拦截
Dashboard
所有操作的审计日志可在本地 Dashboard 查看:http://127.0.0.1:19821
Dashboard 提供:实时操作时间线 / 审计统计图表 / 规则配置 / 一键 Panic
卸载与回滚
agentguard daemon stop停止守护进程- 删除
openclaw.json中的tools.deny条目 rm /usr/local/bin/agentguard移除 binary