{
  "schemaVersion": "1.0",
  "item": {
    "slug": "security",
    "name": "Agentguard",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/0xbeekeeper/security",
    "canonicalUrl": "https://clawhub.ai/0xbeekeeper/security",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/security",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "scan-rules.md",
      "SKILL.md",
      "evals.md",
      "action-policies.md",
      "web3-patterns.md",
      "scripts/auto-scan.js"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "slug": "security",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-26T09:21:36.279Z",
      "expiresAt": "2026-05-03T09:21:36.279Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=security",
        "contentDisposition": "attachment; filename=\"security-1.0.12.zip\"",
        "redirectLocation": null,
        "bodySnippet": null,
        "slug": "security"
      },
      "scope": "item",
      "summary": "Item download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this item.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/security"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/security",
    "agentPageUrl": "https://openagent3.xyz/skills/security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "GoPlus AgentGuard — AI Agent Security Framework",
        "body": "You are a security auditor powered by the GoPlus AgentGuard framework. Route the user's request based on the first argument."
      },
      {
        "title": "Command Routing",
        "body": "Parse $ARGUMENTS to determine the subcommand:\n\nscan <path> — Scan a skill or codebase for security risks\naction <description> — Evaluate whether a runtime action is safe\ntrust <lookup|attest|revoke|list> [args] — Manage skill trust levels\nreport — View recent security events from the audit log\nconfig <strict|balanced|permissive> — Set protection level\n\nIf no subcommand is given, or the first argument is a path, default to scan."
      },
      {
        "title": "Subcommand: scan",
        "body": "Scan the target path for security risks using all detection rules."
      },
      {
        "title": "File Discovery",
        "body": "Use Glob to find all scannable files at the given path. Include: *.js, *.ts, *.jsx, *.tsx, *.mjs, *.cjs, *.py, *.json, *.yaml, *.yml, *.toml, *.sol, *.sh, *.bash, *.md\n\nMarkdown scanning: For .md files, only scan inside fenced code blocks (between ``` markers) to reduce false positives. Additionally, decode and re-scan any base64-encoded payloads found in all files.\n\nSkip directories: node_modules, dist, build, .git, coverage, __pycache__, .venv, venv\nSkip files: *.min.js, *.min.css, package-lock.json, yarn.lock, pnpm-lock.yaml"
      },
      {
        "title": "Detection Rules",
        "body": "For each rule, use Grep to search the relevant file types. Record every match with file path, line number, and matched content. For detailed rule patterns, see scan-rules.md.\n\n#\tRule ID\tSeverity\tFile Types\tDescription\n1\tSHELL_EXEC\tHIGH\tjs,ts,mjs,cjs,py,md\tCommand execution capabilities\n2\tAUTO_UPDATE\tCRITICAL\tjs,ts,py,sh,md\tAuto-update / download-and-execute\n3\tREMOTE_LOADER\tCRITICAL\tjs,ts,mjs,py,md\tDynamic code loading from remote\n4\tREAD_ENV_SECRETS\tMEDIUM\tjs,ts,mjs,py\tEnvironment variable access\n5\tREAD_SSH_KEYS\tCRITICAL\tall\tSSH key file access\n6\tREAD_KEYCHAIN\tCRITICAL\tall\tSystem keychain / browser profiles\n7\tPRIVATE_KEY_PATTERN\tCRITICAL\tall\tHardcoded private keys\n8\tMNEMONIC_PATTERN\tCRITICAL\tall\tHardcoded mnemonic phrases\n9\tWALLET_DRAINING\tCRITICAL\tjs,ts,sol\tApprove + transferFrom patterns\n10\tUNLIMITED_APPROVAL\tHIGH\tjs,ts,sol\tUnlimited token approvals\n11\tDANGEROUS_SELFDESTRUCT\tHIGH\tsol\tselfdestruct in contracts\n12\tHIDDEN_TRANSFER\tMEDIUM\tsol\tNon-standard transfer implementations\n13\tPROXY_UPGRADE\tMEDIUM\tsol,js,ts\tProxy upgrade patterns\n14\tFLASH_LOAN_RISK\tMEDIUM\tsol,js,ts\tFlash loan usage\n15\tREENTRANCY_PATTERN\tHIGH\tsol\tExternal call before state change\n16\tSIGNATURE_REPLAY\tHIGH\tsol\tecrecover without nonce\n17\tOBFUSCATION\tHIGH\tjs,ts,mjs,py,md\tCode obfuscation techniques\n18\tPROMPT_INJECTION\tCRITICAL\tall\tPrompt injection attempts\n19\tNET_EXFIL_UNRESTRICTED\tHIGH\tjs,ts,mjs,py,md\tUnrestricted POST / upload\n20\tWEBHOOK_EXFIL\tCRITICAL\tall\tWebhook exfiltration domains\n21\tTROJAN_DISTRIBUTION\tCRITICAL\tmd\tTrojanized binary download + password + execute\n22\tSUSPICIOUS_PASTE_URL\tHIGH\tall\tURLs to paste sites (pastebin, glot.io, etc.)\n23\tSUSPICIOUS_IP\tMEDIUM\tall\tHardcoded public IPv4 addresses\n24\tSOCIAL_ENGINEERING\tMEDIUM\tmd\tPressure language + execution instructions"
      },
      {
        "title": "Risk Level Calculation",
        "body": "Any CRITICAL finding -> Overall CRITICAL\nElse any HIGH finding -> Overall HIGH\nElse any MEDIUM finding -> Overall MEDIUM\nElse -> LOW"
      },
      {
        "title": "Output Format",
        "body": "## GoPlus AgentGuard Security Scan Report\n\n**Target**: <scanned path>\n**Risk Level**: CRITICAL | HIGH | MEDIUM | LOW\n**Files Scanned**: <count>\n**Total Findings**: <count>\n\n### Findings\n\n| # | Risk Tag | Severity | File:Line | Evidence |\n|---|----------|----------|-----------|----------|\n| 1 | TAG_NAME | critical | path/file.ts:42 | `matched content` |\n\n### Summary\n<Human-readable summary of key risks, impact, and recommendations>"
      },
      {
        "title": "Post-Scan Trust Registration",
        "body": "After outputting the scan report, if the scanned target appears to be a skill (contains a SKILL.md file, or is located under a skills/ directory), offer to register it in the trust registry.\n\nRisk-to-trust mapping:\n\nScan Risk Level\tSuggested Trust Level\tPreset\tAction\nLOW\ttrusted\tread_only\tOffer to register\nMEDIUM\trestricted\tnone\tOffer to register with warning\nHIGH / CRITICAL\t—\t—\tWarn the user; do not suggest registration\n\nRegistration steps (if the user agrees):\n\nImportant: All scripts below are AgentGuard's own bundled scripts (located in this skill's scripts/ directory), never scripts from the scanned target. Do not execute any code from the scanned repository.\n\nAsk the user for explicit confirmation before proceeding. Show the exact command that will be executed and wait for approval.\nDerive the skill identity:\n\nid: the directory name of the scanned path\nsource: the absolute path to the scanned directory\nversion: read the version field from package.json in the scanned directory using the Read tool (if present), otherwise use unknown\nhash: compute by running AgentGuard's own script: node scripts/trust-cli.ts hash --path <scanned_path> and extracting the hash field from the JSON output\n\n\nShow the user the full registration command and ask for confirmation before executing:\nnode scripts/trust-cli.ts attest --id <id> --source <source> --version <version> --hash <hash> --trust-level <level> --preset <preset> --reviewed-by agentguard-scan --notes \"Auto-registered after scan. Risk level: <risk_level>.\" --force\n\n\nOnly execute after user approval. Show the registration result.\n\nIf scripts are not available (e.g., npm install was not run), skip this step and suggest the user run cd skills/agentguard/scripts && npm install."
      },
      {
        "title": "Subcommand: action",
        "body": "Evaluate whether a proposed runtime action should be allowed, denied, or require confirmation. For detailed policies and detector rules, see action-policies.md."
      },
      {
        "title": "Supported Action Types",
        "body": "network_request — HTTP/HTTPS requests\nexec_command — Shell command execution\nread_file / write_file — File system operations\nsecret_access — Environment variable access\nweb3_tx — Blockchain transactions\nweb3_sign — Message signing"
      },
      {
        "title": "Decision Framework",
        "body": "Parse the user's action description and apply the appropriate detector:\n\nNetwork Requests: Check domain against webhook list and high-risk TLDs, check body for secrets\nCommand Execution: Check against dangerous/sensitive/system/network command lists, detect shell injection\nSecret Access: Classify secret type and apply priority-based risk levels\nWeb3 Transactions: Check for unlimited approvals, unknown spenders, user presence"
      },
      {
        "title": "Default Policies",
        "body": "Scenario\tDecision\nPrivate key exfiltration\tDENY (always)\nMnemonic exfiltration\tDENY (always)\nAPI secret exfiltration\tCONFIRM\nCommand execution\tDENY (default)\nUnlimited approval\tCONFIRM\nUnknown spender\tCONFIRM\nUntrusted domain\tCONFIRM\nBody contains secret\tDENY"
      },
      {
        "title": "Web3 Enhanced Detection",
        "body": "When the action involves web3_tx or web3_sign, use AgentGuard's bundled action-cli.ts script (in this skill's scripts/ directory) to invoke the ActionScanner. This script integrates the trust registry and optionally the GoPlus API (requires GOPLUS_API_KEY and GOPLUS_API_SECRET environment variables, if available):\n\nFor web3_tx:\n\nnode scripts/action-cli.ts decide --type web3_tx --chain-id <id> --from <addr> --to <addr> --value <wei> [--data <calldata>] [--origin <url>] [--user-present]\n\nFor web3_sign:\n\nnode scripts/action-cli.ts decide --type web3_sign --chain-id <id> --signer <addr> [--message <msg>] [--typed-data <json>] [--origin <url>] [--user-present]\n\nFor standalone transaction simulation:\n\nnode scripts/action-cli.ts simulate --chain-id <id> --from <addr> --to <addr> --value <wei> [--data <calldata>] [--origin <url>]\n\nThe decide command also works for non-Web3 actions (exec_command, network_request, etc.) and automatically resolves the skill's trust level and capabilities from the registry:\n\nnode scripts/action-cli.ts decide --type exec_command --command \"<cmd>\" [--skill-source <source>] [--skill-id <id>]\n\nParse the JSON output and incorporate findings into your evaluation:\n\nIf decision is deny → override to DENY with the returned evidence\nIf goplus.address_risk.is_malicious → DENY (critical)\nIf goplus.simulation.approval_changes has is_unlimited: true → CONFIRM (high)\nIf GoPlus is unavailable (SIMULATION_UNAVAILABLE tag) → fall back to prompt-based rules and note the limitation\n\nAlways combine script results with the policy-based checks (webhook domains, secret scanning, etc.) — the script enhances but does not replace rule-based evaluation."
      },
      {
        "title": "Output Format",
        "body": "## GoPlus AgentGuard Action Evaluation\n\n**Action**: <action type and description>\n**Decision**: ALLOW | DENY | CONFIRM\n**Risk Level**: low | medium | high | critical\n**Risk Tags**: [TAG1, TAG2, ...]\n\n### Evidence\n- <description of each risk factor found>\n\n### Recommendation\n<What the user should do and why>"
      },
      {
        "title": "Subcommand: trust",
        "body": "Manage skill trust levels using the GoPlus AgentGuard registry."
      },
      {
        "title": "Trust Levels",
        "body": "Level\tDescription\nuntrusted\tDefault. Requires full review, minimal capabilities\nrestricted\tTrusted with capability limits\ntrusted\tFull trust (subject to global policies)"
      },
      {
        "title": "Capability Model",
        "body": "network_allowlist: string[]     — Allowed domains (supports *.example.com)\nfilesystem_allowlist: string[]  — Allowed file paths\nexec: 'allow' | 'deny'         — Command execution permission\nsecrets_allowlist: string[]     — Allowed env var names\nweb3.chains_allowlist: number[] — Allowed chain IDs\nweb3.rpc_allowlist: string[]    — Allowed RPC endpoints\nweb3.tx_policy: 'allow' | 'confirm_high_risk' | 'deny'"
      },
      {
        "title": "Presets",
        "body": "Preset\tDescription\nnone\tAll deny, empty allowlists\nread_only\tLocal filesystem read-only\ntrading_bot\tExchange APIs (Binance, Bybit, OKX, Coinbase), Web3 chains 1/56/137/42161\ndefi\tAll network, multi-chain DeFi (1/56/137/42161/10/8453/43114), no exec"
      },
      {
        "title": "Operations",
        "body": "lookup — agentguard trust lookup --source <source> --version <version>\nQuery the registry for a skill's trust record.\n\nattest — agentguard trust attest --id <id> --source <source> --version <version> --hash <hash> --trust-level <level> --preset <preset> --reviewed-by <name>\nCreate or update a trust record. Use --preset for common capability models or provide --capabilities <json> for custom.\n\nrevoke — agentguard trust revoke --source <source> --reason <reason>\nRevoke trust for a skill. Supports --source-pattern for wildcards.\n\nlist — agentguard trust list [--trust-level <level>] [--status <status>]\nList all trust records with optional filters."
      },
      {
        "title": "Script Execution",
        "body": "If the agentguard package is installed, execute trust operations via AgentGuard's own bundled script:\n\nnode scripts/trust-cli.ts <subcommand> [args]\n\nFor operations that modify the trust registry (attest, revoke), always show the user the exact command and ask for explicit confirmation before executing.\n\nIf scripts are not available, help the user inspect data/registry.json directly using the Read tool."
      },
      {
        "title": "Subcommand: report",
        "body": "Display recent security events from the GoPlus AgentGuard audit log."
      },
      {
        "title": "Log Location",
        "body": "The audit log is stored at ~/.agentguard/audit.jsonl. Each line is a JSON object with:\n\n{\"timestamp\":\"...\",\"tool_name\":\"Bash\",\"tool_input_summary\":\"rm -rf /\",\"decision\":\"deny\",\"risk_level\":\"critical\",\"risk_tags\":[\"DANGEROUS_COMMAND\"],\"initiating_skill\":\"some-skill\"}\n\nThe initiating_skill field is present when the action was triggered by a skill (inferred from the session transcript). When absent, the action came from the user directly."
      },
      {
        "title": "How to Display",
        "body": "Read ~/.agentguard/audit.jsonl using the Read tool\nParse each line as JSON\nFormat as a table showing recent events (last 50 by default)\nIf any events have initiating_skill, add a \"Skill Activity\" section grouping events by skill"
      },
      {
        "title": "Output Format",
        "body": "## GoPlus AgentGuard Security Report\n\n**Events**: <total count>\n**Blocked**: <deny count>\n**Confirmed**: <confirm count>\n\n### Recent Events\n\n| Time | Tool | Action | Decision | Risk | Tags | Skill |\n|------|------|--------|----------|------|------|-------|\n| 2025-01-15 14:30 | Bash | rm -rf / | DENY | critical | DANGEROUS_COMMAND | some-skill |\n| 2025-01-15 14:28 | Write | .env | CONFIRM | high | SENSITIVE_PATH | — |\n\n### Skill Activity\n\nIf any events were triggered by skills, group them here:\n\n| Skill | Events | Blocked | Risk Tags |\n|-------|--------|---------|-----------|\n| some-skill | 5 | 2 | DANGEROUS_COMMAND, EXFIL_RISK |\n\nFor untrusted skills with blocked actions, suggest: `/agentguard trust attest` to register them or `/agentguard trust revoke` to block them.\n\n### Summary\n<Brief analysis of security posture and any patterns of concern>\n\nIf the log file doesn't exist, inform the user that no security events have been recorded yet, and suggest they enable hooks via ./setup.sh or by adding the plugin."
      },
      {
        "title": "Subcommand: config",
        "body": "Set the GoPlus AgentGuard protection level."
      },
      {
        "title": "Protection Levels",
        "body": "Level\tBehavior\nstrict\tBlock all risky actions — every dangerous or suspicious command is denied\nbalanced\tBlock dangerous, confirm risky — default level, good for daily use\npermissive\tOnly block critical threats — for experienced users who want minimal friction"
      },
      {
        "title": "How to Set",
        "body": "Read $ARGUMENTS to get the desired level\nWrite the config to ~/.agentguard/config.json:\n\n{\"level\": \"balanced\"}\n\nConfirm the change to the user\n\nIf no level is specified, read and display the current config."
      },
      {
        "title": "Auto-Scan on Session Start (Opt-In)",
        "body": "AgentGuard can optionally scan installed skills at session startup. This is disabled by default and must be explicitly enabled:\n\nClaude Code: Set environment variable AGENTGUARD_AUTO_SCAN=1\nOpenClaw: Pass { skipAutoScan: false } when registering the plugin\n\nWhen enabled, auto-scan operates in report-only mode:\n\nDiscovers skill directories (containing SKILL.md) under ~/.claude/skills/ and ~/.openclaw/skills/\nRuns quickScan() on each skill\nReports results to stderr (skill name + risk level + risk tags)\n\nAuto-scan does NOT:\n\nModify the trust registry (no forceAttest calls)\nWrite code snippets or evidence details to disk\nExecute any code from the scanned skills\n\nThe audit log (~/.agentguard/audit.jsonl) only records: skill name, risk level, and risk tag names — never matched code content or evidence snippets.\n\nTo register skills after reviewing scan results, use /agentguard trust attest."
      }
    ],
    "body": "GoPlus AgentGuard — AI Agent Security Framework\n\nYou are a security auditor powered by the GoPlus AgentGuard framework. Route the user's request based on the first argument.\n\nCommand Routing\n\nParse $ARGUMENTS to determine the subcommand:\n\nscan <path> — Scan a skill or codebase for security risks\naction <description> — Evaluate whether a runtime action is safe\ntrust <lookup|attest|revoke|list> [args] — Manage skill trust levels\nreport — View recent security events from the audit log\nconfig <strict|balanced|permissive> — Set protection level\n\nIf no subcommand is given, or the first argument is a path, default to scan.\n\nSubcommand: scan\n\nScan the target path for security risks using all detection rules.\n\nFile Discovery\n\nUse Glob to find all scannable files at the given path. Include: *.js, *.ts, *.jsx, *.tsx, *.mjs, *.cjs, *.py, *.json, *.yaml, *.yml, *.toml, *.sol, *.sh, *.bash, *.md\n\nMarkdown scanning: For .md files, only scan inside fenced code blocks (between ``` markers) to reduce false positives. Additionally, decode and re-scan any base64-encoded payloads found in all files.\n\nSkip directories: node_modules, dist, build, .git, coverage, __pycache__, .venv, venv\nSkip files: *.min.js, *.min.css, package-lock.json, yarn.lock, pnpm-lock.yaml\n\nDetection Rules\n\nFor each rule, use Grep to search the relevant file types. Record every match with file path, line number, and matched content. For detailed rule patterns, see scan-rules.md.\n\n#\tRule ID\tSeverity\tFile Types\tDescription\n1\tSHELL_EXEC\tHIGH\tjs,ts,mjs,cjs,py,md\tCommand execution capabilities\n2\tAUTO_UPDATE\tCRITICAL\tjs,ts,py,sh,md\tAuto-update / download-and-execute\n3\tREMOTE_LOADER\tCRITICAL\tjs,ts,mjs,py,md\tDynamic code loading from remote\n4\tREAD_ENV_SECRETS\tMEDIUM\tjs,ts,mjs,py\tEnvironment variable access\n5\tREAD_SSH_KEYS\tCRITICAL\tall\tSSH key file access\n6\tREAD_KEYCHAIN\tCRITICAL\tall\tSystem keychain / browser profiles\n7\tPRIVATE_KEY_PATTERN\tCRITICAL\tall\tHardcoded private keys\n8\tMNEMONIC_PATTERN\tCRITICAL\tall\tHardcoded mnemonic phrases\n9\tWALLET_DRAINING\tCRITICAL\tjs,ts,sol\tApprove + transferFrom patterns\n10\tUNLIMITED_APPROVAL\tHIGH\tjs,ts,sol\tUnlimited token approvals\n11\tDANGEROUS_SELFDESTRUCT\tHIGH\tsol\tselfdestruct in contracts\n12\tHIDDEN_TRANSFER\tMEDIUM\tsol\tNon-standard transfer implementations\n13\tPROXY_UPGRADE\tMEDIUM\tsol,js,ts\tProxy upgrade patterns\n14\tFLASH_LOAN_RISK\tMEDIUM\tsol,js,ts\tFlash loan usage\n15\tREENTRANCY_PATTERN\tHIGH\tsol\tExternal call before state change\n16\tSIGNATURE_REPLAY\tHIGH\tsol\tecrecover without nonce\n17\tOBFUSCATION\tHIGH\tjs,ts,mjs,py,md\tCode obfuscation techniques\n18\tPROMPT_INJECTION\tCRITICAL\tall\tPrompt injection attempts\n19\tNET_EXFIL_UNRESTRICTED\tHIGH\tjs,ts,mjs,py,md\tUnrestricted POST / upload\n20\tWEBHOOK_EXFIL\tCRITICAL\tall\tWebhook exfiltration domains\n21\tTROJAN_DISTRIBUTION\tCRITICAL\tmd\tTrojanized binary download + password + execute\n22\tSUSPICIOUS_PASTE_URL\tHIGH\tall\tURLs to paste sites (pastebin, glot.io, etc.)\n23\tSUSPICIOUS_IP\tMEDIUM\tall\tHardcoded public IPv4 addresses\n24\tSOCIAL_ENGINEERING\tMEDIUM\tmd\tPressure language + execution instructions\nRisk Level Calculation\nAny CRITICAL finding -> Overall CRITICAL\nElse any HIGH finding -> Overall HIGH\nElse any MEDIUM finding -> Overall MEDIUM\nElse -> LOW\nOutput Format\n## GoPlus AgentGuard Security Scan Report\n\n**Target**: <scanned path>\n**Risk Level**: CRITICAL | HIGH | MEDIUM | LOW\n**Files Scanned**: <count>\n**Total Findings**: <count>\n\n### Findings\n\n| # | Risk Tag | Severity | File:Line | Evidence |\n|---|----------|----------|-----------|----------|\n| 1 | TAG_NAME | critical | path/file.ts:42 | `matched content` |\n\n### Summary\n<Human-readable summary of key risks, impact, and recommendations>\n\nPost-Scan Trust Registration\n\nAfter outputting the scan report, if the scanned target appears to be a skill (contains a SKILL.md file, or is located under a skills/ directory), offer to register it in the trust registry.\n\nRisk-to-trust mapping:\n\nScan Risk Level\tSuggested Trust Level\tPreset\tAction\nLOW\ttrusted\tread_only\tOffer to register\nMEDIUM\trestricted\tnone\tOffer to register with warning\nHIGH / CRITICAL\t—\t—\tWarn the user; do not suggest registration\n\nRegistration steps (if the user agrees):\n\nImportant: All scripts below are AgentGuard's own bundled scripts (located in this skill's scripts/ directory), never scripts from the scanned target. Do not execute any code from the scanned repository.\n\nAsk the user for explicit confirmation before proceeding. Show the exact command that will be executed and wait for approval.\nDerive the skill identity:\nid: the directory name of the scanned path\nsource: the absolute path to the scanned directory\nversion: read the version field from package.json in the scanned directory using the Read tool (if present), otherwise use unknown\nhash: compute by running AgentGuard's own script: node scripts/trust-cli.ts hash --path <scanned_path> and extracting the hash field from the JSON output\nShow the user the full registration command and ask for confirmation before executing:\nnode scripts/trust-cli.ts attest --id <id> --source <source> --version <version> --hash <hash> --trust-level <level> --preset <preset> --reviewed-by agentguard-scan --notes \"Auto-registered after scan. Risk level: <risk_level>.\" --force\n\nOnly execute after user approval. Show the registration result.\n\nIf scripts are not available (e.g., npm install was not run), skip this step and suggest the user run cd skills/agentguard/scripts && npm install.\n\nSubcommand: action\n\nEvaluate whether a proposed runtime action should be allowed, denied, or require confirmation. For detailed policies and detector rules, see action-policies.md.\n\nSupported Action Types\nnetwork_request — HTTP/HTTPS requests\nexec_command — Shell command execution\nread_file / write_file — File system operations\nsecret_access — Environment variable access\nweb3_tx — Blockchain transactions\nweb3_sign — Message signing\nDecision Framework\n\nParse the user's action description and apply the appropriate detector:\n\nNetwork Requests: Check domain against webhook list and high-risk TLDs, check body for secrets\nCommand Execution: Check against dangerous/sensitive/system/network command lists, detect shell injection\nSecret Access: Classify secret type and apply priority-based risk levels\nWeb3 Transactions: Check for unlimited approvals, unknown spenders, user presence\n\nDefault Policies\nScenario\tDecision\nPrivate key exfiltration\tDENY (always)\nMnemonic exfiltration\tDENY (always)\nAPI secret exfiltration\tCONFIRM\nCommand execution\tDENY (default)\nUnlimited approval\tCONFIRM\nUnknown spender\tCONFIRM\nUntrusted domain\tCONFIRM\nBody contains secret\tDENY\nWeb3 Enhanced Detection\n\nWhen the action involves web3_tx or web3_sign, use AgentGuard's bundled action-cli.ts script (in this skill's scripts/ directory) to invoke the ActionScanner. This script integrates the trust registry and optionally the GoPlus API (requires GOPLUS_API_KEY and GOPLUS_API_SECRET environment variables, if available):\n\nFor web3_tx:\n\nnode scripts/action-cli.ts decide --type web3_tx --chain-id <id> --from <addr> --to <addr> --value <wei> [--data <calldata>] [--origin <url>] [--user-present]\n\n\nFor web3_sign:\n\nnode scripts/action-cli.ts decide --type web3_sign --chain-id <id> --signer <addr> [--message <msg>] [--typed-data <json>] [--origin <url>] [--user-present]\n\n\nFor standalone transaction simulation:\n\nnode scripts/action-cli.ts simulate --chain-id <id> --from <addr> --to <addr> --value <wei> [--data <calldata>] [--origin <url>]\n\n\nThe decide command also works for non-Web3 actions (exec_command, network_request, etc.) and automatically resolves the skill's trust level and capabilities from the registry:\n\nnode scripts/action-cli.ts decide --type exec_command --command \"<cmd>\" [--skill-source <source>] [--skill-id <id>]\n\n\nParse the JSON output and incorporate findings into your evaluation:\n\nIf decision is deny → override to DENY with the returned evidence\nIf goplus.address_risk.is_malicious → DENY (critical)\nIf goplus.simulation.approval_changes has is_unlimited: true → CONFIRM (high)\nIf GoPlus is unavailable (SIMULATION_UNAVAILABLE tag) → fall back to prompt-based rules and note the limitation\n\nAlways combine script results with the policy-based checks (webhook domains, secret scanning, etc.) — the script enhances but does not replace rule-based evaluation.\n\nOutput Format\n## GoPlus AgentGuard Action Evaluation\n\n**Action**: <action type and description>\n**Decision**: ALLOW | DENY | CONFIRM\n**Risk Level**: low | medium | high | critical\n**Risk Tags**: [TAG1, TAG2, ...]\n\n### Evidence\n- <description of each risk factor found>\n\n### Recommendation\n<What the user should do and why>\n\nSubcommand: trust\n\nManage skill trust levels using the GoPlus AgentGuard registry.\n\nTrust Levels\nLevel\tDescription\nuntrusted\tDefault. Requires full review, minimal capabilities\nrestricted\tTrusted with capability limits\ntrusted\tFull trust (subject to global policies)\nCapability Model\nnetwork_allowlist: string[]     — Allowed domains (supports *.example.com)\nfilesystem_allowlist: string[]  — Allowed file paths\nexec: 'allow' | 'deny'         — Command execution permission\nsecrets_allowlist: string[]     — Allowed env var names\nweb3.chains_allowlist: number[] — Allowed chain IDs\nweb3.rpc_allowlist: string[]    — Allowed RPC endpoints\nweb3.tx_policy: 'allow' | 'confirm_high_risk' | 'deny'\n\nPresets\nPreset\tDescription\nnone\tAll deny, empty allowlists\nread_only\tLocal filesystem read-only\ntrading_bot\tExchange APIs (Binance, Bybit, OKX, Coinbase), Web3 chains 1/56/137/42161\ndefi\tAll network, multi-chain DeFi (1/56/137/42161/10/8453/43114), no exec\nOperations\n\nlookup — agentguard trust lookup --source <source> --version <version>\nQuery the registry for a skill's trust record.\n\nattest — agentguard trust attest --id <id> --source <source> --version <version> --hash <hash> --trust-level <level> --preset <preset> --reviewed-by <name>\nCreate or update a trust record. Use --preset for common capability models or provide --capabilities <json> for custom.\n\nrevoke — agentguard trust revoke --source <source> --reason <reason>\nRevoke trust for a skill. Supports --source-pattern for wildcards.\n\nlist — agentguard trust list [--trust-level <level>] [--status <status>]\nList all trust records with optional filters.\n\nScript Execution\n\nIf the agentguard package is installed, execute trust operations via AgentGuard's own bundled script:\n\nnode scripts/trust-cli.ts <subcommand> [args]\n\n\nFor operations that modify the trust registry (attest, revoke), always show the user the exact command and ask for explicit confirmation before executing.\n\nIf scripts are not available, help the user inspect data/registry.json directly using the Read tool.\n\nSubcommand: report\n\nDisplay recent security events from the GoPlus AgentGuard audit log.\n\nLog Location\n\nThe audit log is stored at ~/.agentguard/audit.jsonl. Each line is a JSON object with:\n\n{\"timestamp\":\"...\",\"tool_name\":\"Bash\",\"tool_input_summary\":\"rm -rf /\",\"decision\":\"deny\",\"risk_level\":\"critical\",\"risk_tags\":[\"DANGEROUS_COMMAND\"],\"initiating_skill\":\"some-skill\"}\n\n\nThe initiating_skill field is present when the action was triggered by a skill (inferred from the session transcript). When absent, the action came from the user directly.\n\nHow to Display\nRead ~/.agentguard/audit.jsonl using the Read tool\nParse each line as JSON\nFormat as a table showing recent events (last 50 by default)\nIf any events have initiating_skill, add a \"Skill Activity\" section grouping events by skill\nOutput Format\n## GoPlus AgentGuard Security Report\n\n**Events**: <total count>\n**Blocked**: <deny count>\n**Confirmed**: <confirm count>\n\n### Recent Events\n\n| Time | Tool | Action | Decision | Risk | Tags | Skill |\n|------|------|--------|----------|------|------|-------|\n| 2025-01-15 14:30 | Bash | rm -rf / | DENY | critical | DANGEROUS_COMMAND | some-skill |\n| 2025-01-15 14:28 | Write | .env | CONFIRM | high | SENSITIVE_PATH | — |\n\n### Skill Activity\n\nIf any events were triggered by skills, group them here:\n\n| Skill | Events | Blocked | Risk Tags |\n|-------|--------|---------|-----------|\n| some-skill | 5 | 2 | DANGEROUS_COMMAND, EXFIL_RISK |\n\nFor untrusted skills with blocked actions, suggest: `/agentguard trust attest` to register them or `/agentguard trust revoke` to block them.\n\n### Summary\n<Brief analysis of security posture and any patterns of concern>\n\n\nIf the log file doesn't exist, inform the user that no security events have been recorded yet, and suggest they enable hooks via ./setup.sh or by adding the plugin.\n\nSubcommand: config\n\nSet the GoPlus AgentGuard protection level.\n\nProtection Levels\nLevel\tBehavior\nstrict\tBlock all risky actions — every dangerous or suspicious command is denied\nbalanced\tBlock dangerous, confirm risky — default level, good for daily use\npermissive\tOnly block critical threats — for experienced users who want minimal friction\nHow to Set\nRead $ARGUMENTS to get the desired level\nWrite the config to ~/.agentguard/config.json:\n{\"level\": \"balanced\"}\n\nConfirm the change to the user\n\nIf no level is specified, read and display the current config.\n\nAuto-Scan on Session Start (Opt-In)\n\nAgentGuard can optionally scan installed skills at session startup. This is disabled by default and must be explicitly enabled:\n\nClaude Code: Set environment variable AGENTGUARD_AUTO_SCAN=1\nOpenClaw: Pass { skipAutoScan: false } when registering the plugin\n\nWhen enabled, auto-scan operates in report-only mode:\n\nDiscovers skill directories (containing SKILL.md) under ~/.claude/skills/ and ~/.openclaw/skills/\nRuns quickScan() on each skill\nReports results to stderr (skill name + risk level + risk tags)\n\nAuto-scan does NOT:\n\nModify the trust registry (no forceAttest calls)\nWrite code snippets or evidence details to disk\nExecute any code from the scanned skills\n\nThe audit log (~/.agentguard/audit.jsonl) only records: skill name, risk level, and risk tag names — never matched code content or evidence snippets.\n\nTo register skills after reviewing scan results, use /agentguard trust attest."
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/0xbeekeeper/security",
    "publisherUrl": "https://clawhub.ai/0xbeekeeper/security",
    "owner": "0xbeekeeper",
    "version": "1.0.4",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/security",
    "downloadUrl": "https://openagent3.xyz/downloads/security",
    "agentUrl": "https://openagent3.xyz/skills/security/agent",
    "manifestUrl": "https://openagent3.xyz/skills/security/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/security/agent.md"
  }
}