Claw Permission Firewall

Evaluates agent actions for security risks, enforcing least-privilege policies with allow, deny, or confirmation decisions and secret redaction.

تثبيت
$clawhub install claw-permission-firewall

Claw Permission Firewall

Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:

  • ALLOW (safe to execute)

  • DENY (blocked by policy)

  • NEED_CONFIRMATION (risky; require explicit confirmation)

It also returns a sanitizedAction with secrets redacted, plus a structured audit record.

This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.

What it protects against

  • Exfiltration to unknown domains

  • Prompt-injection “send secrets” attempts (secret detection + redaction)

  • Reading sensitive local files (~/.ssh, ~/.aws, .env, etc.)

  • Unsafe execution patterns (rm -rf, curl | sh, etc.)

Inputs

Provide an action object to evaluate:

{
  "traceId": "optional-uuid",
  "caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
  "action": {
    "type": "http_request | file_read | file_write | exec",
    "method": "GET|POST|PUT|DELETE",
    "url": "https://api.github.com/...",
    "headers": { "authorization": "Bearer ..." },
    "body": "...",
    "path": "./reports/out.json",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
    "mode": "strict | balanced | permissive",
    "confirmed": false
  }
}

Outputs

{
  "decision": "ALLOW | DENY | NEED_CONFIRMATION",
  "riskScore": 0.42,
  "reasons": [{"ruleId":"...","message":"..."}],
  "sanitizedAction": { "...": "..." },
  "confirmation": { "required": true, "prompt": "..." },
  "audit": { "traceId":"...", "policyVersion":"...", "actionFingerprint":"..." }
}

Default policy behavior (v1)

  • Exec disabled by default

  • HTTP requires TLS

  • Denylist blocks common exfil hosts (pastebins, raw script hosts)

  • File access is jailed to workspaceRoot

  • Always redacts Authorization, Cookie, X-API-Key, and common token patterns

1) Your skill creates an action object. 2) Call this skill to evaluate it. 3) If ALLOW → execute sanitizedAction. 4) If NEED_CONFIRMATION → ask user and re-run with context.confirmed=true. 5) If DENY → stop and show the reasons.

Files

  • policy.yaml contains the policy (edit for your environment).

التفاصيل

الإصدار
v1.0.0
التنزيلات
1,174
ClawHub
عرض على ClawHub

Skills شائعة

腾讯文档 tencent-docs
腾讯文档,提供完整的腾讯文档操作能力。当用户需要操作腾讯文档时使用此skill,包括:(1) 创建各类在线文档(文档、Word、Excel、幻灯片、思维导图、流程图)(2) 管理知识库空间(创建空间、查询空间列表)(3) 管理空间节点、文件夹结构 (4) 读取文档内容 (5) 编辑操作智能表 (6)编辑操作文档。
Obsidian
Work with Obsidian vaults (plain Markdown notes) and automate via obsidian-cli.
Microsoft Excel
Microsoft Excel API integration with managed OAuth. Read and write Excel workbooks, worksheets, ranges, tables, and charts stored in OneDrive. Use this skill when users want to read or modify Excel spreadsheets, manage worksheet data, work with tables, or access cell values. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).