{ "schemaVersion": "1.0", "item": { "slug": "tork-guardian", "name": "Tork Guardian", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/torkjacobs/tork-guardian", "canonicalUrl": "https://clawhub.ai/torkjacobs/tork-guardian", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/tork-guardian", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=tork-guardian", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "CHANGELOG.md", "README.md", "package-lock.json", "package.json", "SKILL.md", "vitest.config.ts" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/tork-guardian" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/tork-guardian", "agentPageUrl": "https://openagent3.xyz/skills/tork-guardian/agent", "manifestUrl": "https://openagent3.xyz/skills/tork-guardian/agent.json", "briefUrl": "https://openagent3.xyz/skills/tork-guardian/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Then review README.md for any prerequisites, environment setup, or post-install checks. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Then review README.md for any prerequisites, environment setup, or post-install checks. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Tork Guardian for OpenClaw", "body": "OpenClaw is powerful. Tork makes it safe.\n\nEnterprise-grade security and governance layer for OpenClaw agents. Detect PII, enforce policies, generate compliance receipts, control tool access, and scan skills for vulnerabilities before installation." }, { "title": "Installation", "body": "npm install @torknetwork/guardian" }, { "title": "Quick Start", "body": "import { TorkGuardian } from '@torknetwork/guardian';\n\nconst guardian = new TorkGuardian({\n apiKey: process.env.TORK_API_KEY!,\n});\n\n// Govern an LLM request before sending\nconst result = await guardian.governLLM({\n messages: [\n { role: 'user', content: 'Email john@example.com about the project' },\n ],\n});\n// PII is redacted: \"Email [EMAIL_REDACTED] about the project\"\n\n// Check if a tool call is allowed\nconst decision = guardian.governTool({\n name: 'shell_execute',\n args: { command: 'rm -rf /' },\n});\n// { allowed: false, reason: 'Blocked shell command pattern: \"rm -rf\"' }" }, { "title": "Network Security", "body": "Tork Guardian governs all network activity — port binds, outbound connections, and DNS lookups — with SSRF prevention, reverse shell detection, and per-skill rate limiting." }, { "title": "Using the network handler", "body": "const guardian = new TorkGuardian({\n apiKey: process.env.TORK_API_KEY!,\n networkPolicy: 'default',\n});\n\nconst network = guardian.getNetworkHandler();\n\n// Validate a port bind\nconst bind = network.validatePortBind('my-skill', 3000, 'tcp');\n// { allowed: true, reason: 'Port 3000/tcp bound' }\n\n// Validate an outbound connection\nconst egress = network.validateEgress('my-skill', 'api.openai.com', 443);\n// { allowed: true, reason: 'Egress to api.openai.com:443 allowed' }\n\n// Validate a DNS lookup (flags raw IPs)\nconst dns = network.validateDNS('my-skill', 'api.openai.com');\n// { allowed: true, reason: 'DNS lookup for api.openai.com allowed' }\n\n// Get the full activity log for compliance\nconst log = network.getActivityLog();\n\n// Get a network report with anomaly detection\nconst report = network.getMonitor().getNetworkReport();" }, { "title": "Standalone functions", "body": "import { validatePortBind, validateEgress, validateDNS } from '@torknetwork/guardian';\n\nconst config = { apiKey: 'tork_...', networkPolicy: 'strict' as const };\n\nvalidatePortBind(config, 'my-skill', 3000, 'tcp');\nvalidateEgress(config, 'my-skill', 'api.openai.com', 443);\nvalidateDNS(config, 'my-skill', 'api.openai.com');" }, { "title": "Switching policies", "body": "// Default — balanced for dev & production\nconst guardian = new TorkGuardian({\n apiKey: 'tork_...',\n networkPolicy: 'default',\n});\n\n// Strict — enterprise lockdown (443 only, explicit domain allowlist)\nconst guardian = new TorkGuardian({\n apiKey: 'tork_...',\n networkPolicy: 'strict',\n});\n\n// Custom — override any setting\nconst guardian = new TorkGuardian({\n apiKey: 'tork_...',\n networkPolicy: 'custom',\n allowedOutboundPorts: [443, 8443],\n allowedDomains: ['api.myservice.com'],\n maxConnectionsPerMinute: 30,\n});\n\nSee docs/NETWORK-SECURITY.md for full details on threat coverage, policy comparison, and compliance receipts." }, { "title": "Example Configs", "body": "Pre-built configurations for common environments:\n\nimport {\n MINIMAL_CONFIG,\n DEVELOPMENT_CONFIG,\n PRODUCTION_CONFIG,\n ENTERPRISE_CONFIG,\n} from '@torknetwork/guardian';\n\nConfigPolicyNetworkDescriptionMINIMAL_CONFIGstandarddefaultJust an API key, all defaultsDEVELOPMENT_CONFIGminimaldefaultPermissive policies, full loggingPRODUCTION_CONFIGstandarddefaultBlocked exfil domains (pastebin, ngrok, burp)ENTERPRISE_CONFIGstrictstrictExplicit domain allowlist, 20 conn/min, TLS only\n\nimport { TorkGuardian, PRODUCTION_CONFIG } from '@torknetwork/guardian';\n\nconst guardian = new TorkGuardian({\n ...PRODUCTION_CONFIG,\n apiKey: process.env.TORK_API_KEY!,\n});" }, { "title": "Configuration", "body": "const guardian = new TorkGuardian({\n // Required\n apiKey: 'tork_...',\n\n // Optional\n baseUrl: 'https://www.tork.network', // API endpoint\n policy: 'standard', // 'strict' | 'standard' | 'minimal'\n redactPII: true, // Enable PII redaction\n\n // Shell command governance\n blockShellCommands: [\n 'rm -rf', 'mkfs', 'dd if=', 'chmod 777',\n 'shutdown', 'reboot',\n ],\n\n // File access control\n allowedPaths: [], // Empty = allow all (except blocked)\n blockedPaths: [\n '.env', '.env.local', '~/.ssh',\n '~/.aws', 'credentials.json',\n ],\n\n // Network governance\n networkPolicy: 'default', // 'default' | 'strict' | 'custom'\n allowedInboundPorts: [3000, 8080], // Ports skills may bind to\n allowedOutboundPorts: [443], // Ports for outbound connections\n allowedDomains: ['api.openai.com'], // If non-empty, only these domains are allowed\n blockedDomains: ['evil.com'], // Domains always blocked\n maxConnectionsPerMinute: 60, // Per-skill egress rate limit\n});" }, { "title": "Policies", "body": "PolicyPIIShellFilesNetworkstrictDeny on detectionBlock allWhitelist onlyBlock allstandardRedactBlock dangerousBlock sensitiveAllowminimalRedactAllow allAllow allAllow all" }, { "title": "Standalone Functions", "body": "import { redactPII, generateReceipt, governToolCall } from '@torknetwork/guardian';\n\n// Redact PII from text\nconst result = await redactPII('tork_...', 'Call 555-123-4567');\n\n// Generate a compliance receipt\nconst receipt = await generateReceipt('tork_...', 'Processed user data');\n\n// Check a tool call against policy\nconst decision = governToolCall(\n { name: 'file_write', args: { path: '.env' } },\n { policy: 'standard', blockedPaths: ['.env'] }\n);" }, { "title": "Security Scanner", "body": "Scan any OpenClaw skill for vulnerabilities before installing it. The scanner checks for 14 security patterns across code and network categories." }, { "title": "CLI", "body": "# Scan a skill directory\nnpx tork-scan ./my-skill\n\n# Full details for every finding\nnpx tork-scan ./my-skill --verbose\n\n# JSON output for CI/CD\nnpx tork-scan ./my-skill --json\n\n# Fail on any high or critical finding\nnpx tork-scan ./my-skill --strict" }, { "title": "Programmatic", "body": "import { SkillScanner, generateBadge } from '@torknetwork/guardian';\n\nconst scanner = new SkillScanner();\nconst report = await scanner.scanSkill('./my-skill');\n\nconsole.log(`Risk: ${report.riskScore}/100`);\nconsole.log(`Verdict: ${report.verdict}`); // 'verified' | 'reviewed' | 'flagged'\n\nSee docs/SCANNER.md for the full rule reference, severity weights, and example output." }, { "title": "Tork Verified Badges", "body": "Skills that pass the security scanner receive a Tork Verified badge:\n\nBadgeScoreMeaningTork Verified (green)0 - 29Safe to installTork Reviewed (yellow)30 - 49Manual review recommendedTork Flagged (red)50 - 100Security risks detected\n\nimport { SkillScanner, generateBadge, generateBadgeMarkdown } from '@torknetwork/guardian';\n\nconst scanner = new SkillScanner();\nconst report = await scanner.scanSkill('./my-skill');\nconst badge = generateBadge(report);\n\n// Add to your README\nconsole.log(generateBadgeMarkdown(badge));" }, { "title": "Get Your API Key", "body": "Sign up at tork.network to get your API key." } ], "body": "Tork Guardian for OpenClaw\n\nOpenClaw is powerful. Tork makes it safe.\n\nEnterprise-grade security and governance layer for OpenClaw agents. Detect PII, enforce policies, generate compliance receipts, control tool access, and scan skills for vulnerabilities before installation.\n\nInstallation\nnpm install @torknetwork/guardian\n\nQuick Start\nimport { TorkGuardian } from '@torknetwork/guardian';\n\nconst guardian = new TorkGuardian({\n apiKey: process.env.TORK_API_KEY!,\n});\n\n// Govern an LLM request before sending\nconst result = await guardian.governLLM({\n messages: [\n { role: 'user', content: 'Email john@example.com about the project' },\n ],\n});\n// PII is redacted: \"Email [EMAIL_REDACTED] about the project\"\n\n// Check if a tool call is allowed\nconst decision = guardian.governTool({\n name: 'shell_execute',\n args: { command: 'rm -rf /' },\n});\n// { allowed: false, reason: 'Blocked shell command pattern: \"rm -rf\"' }\n\nNetwork Security\n\nTork Guardian governs all network activity — port binds, outbound connections, and DNS lookups — with SSRF prevention, reverse shell detection, and per-skill rate limiting.\n\nUsing the network handler\nconst guardian = new TorkGuardian({\n apiKey: process.env.TORK_API_KEY!,\n networkPolicy: 'default',\n});\n\nconst network = guardian.getNetworkHandler();\n\n// Validate a port bind\nconst bind = network.validatePortBind('my-skill', 3000, 'tcp');\n// { allowed: true, reason: 'Port 3000/tcp bound' }\n\n// Validate an outbound connection\nconst egress = network.validateEgress('my-skill', 'api.openai.com', 443);\n// { allowed: true, reason: 'Egress to api.openai.com:443 allowed' }\n\n// Validate a DNS lookup (flags raw IPs)\nconst dns = network.validateDNS('my-skill', 'api.openai.com');\n// { allowed: true, reason: 'DNS lookup for api.openai.com allowed' }\n\n// Get the full activity log for compliance\nconst log = network.getActivityLog();\n\n// Get a network report with anomaly detection\nconst report = network.getMonitor().getNetworkReport();\n\nStandalone functions\nimport { validatePortBind, validateEgress, validateDNS } from '@torknetwork/guardian';\n\nconst config = { apiKey: 'tork_...', networkPolicy: 'strict' as const };\n\nvalidatePortBind(config, 'my-skill', 3000, 'tcp');\nvalidateEgress(config, 'my-skill', 'api.openai.com', 443);\nvalidateDNS(config, 'my-skill', 'api.openai.com');\n\nSwitching policies\n// Default — balanced for dev & production\nconst guardian = new TorkGuardian({\n apiKey: 'tork_...',\n networkPolicy: 'default',\n});\n\n// Strict — enterprise lockdown (443 only, explicit domain allowlist)\nconst guardian = new TorkGuardian({\n apiKey: 'tork_...',\n networkPolicy: 'strict',\n});\n\n// Custom — override any setting\nconst guardian = new TorkGuardian({\n apiKey: 'tork_...',\n networkPolicy: 'custom',\n allowedOutboundPorts: [443, 8443],\n allowedDomains: ['api.myservice.com'],\n maxConnectionsPerMinute: 30,\n});\n\n\nSee docs/NETWORK-SECURITY.md for full details on threat coverage, policy comparison, and compliance receipts.\n\nExample Configs\n\nPre-built configurations for common environments:\n\nimport {\n MINIMAL_CONFIG,\n DEVELOPMENT_CONFIG,\n PRODUCTION_CONFIG,\n ENTERPRISE_CONFIG,\n} from '@torknetwork/guardian';\n\nConfig\tPolicy\tNetwork\tDescription\nMINIMAL_CONFIG\tstandard\tdefault\tJust an API key, all defaults\nDEVELOPMENT_CONFIG\tminimal\tdefault\tPermissive policies, full logging\nPRODUCTION_CONFIG\tstandard\tdefault\tBlocked exfil domains (pastebin, ngrok, burp)\nENTERPRISE_CONFIG\tstrict\tstrict\tExplicit domain allowlist, 20 conn/min, TLS only\nimport { TorkGuardian, PRODUCTION_CONFIG } from '@torknetwork/guardian';\n\nconst guardian = new TorkGuardian({\n ...PRODUCTION_CONFIG,\n apiKey: process.env.TORK_API_KEY!,\n});\n\nConfiguration\nconst guardian = new TorkGuardian({\n // Required\n apiKey: 'tork_...',\n\n // Optional\n baseUrl: 'https://www.tork.network', // API endpoint\n policy: 'standard', // 'strict' | 'standard' | 'minimal'\n redactPII: true, // Enable PII redaction\n\n // Shell command governance\n blockShellCommands: [\n 'rm -rf', 'mkfs', 'dd if=', 'chmod 777',\n 'shutdown', 'reboot',\n ],\n\n // File access control\n allowedPaths: [], // Empty = allow all (except blocked)\n blockedPaths: [\n '.env', '.env.local', '~/.ssh',\n '~/.aws', 'credentials.json',\n ],\n\n // Network governance\n networkPolicy: 'default', // 'default' | 'strict' | 'custom'\n allowedInboundPorts: [3000, 8080], // Ports skills may bind to\n allowedOutboundPorts: [443], // Ports for outbound connections\n allowedDomains: ['api.openai.com'], // If non-empty, only these domains are allowed\n blockedDomains: ['evil.com'], // Domains always blocked\n maxConnectionsPerMinute: 60, // Per-skill egress rate limit\n});\n\nPolicies\nPolicy\tPII\tShell\tFiles\tNetwork\nstrict\tDeny on detection\tBlock all\tWhitelist only\tBlock all\nstandard\tRedact\tBlock dangerous\tBlock sensitive\tAllow\nminimal\tRedact\tAllow all\tAllow all\tAllow all\nStandalone Functions\nimport { redactPII, generateReceipt, governToolCall } from '@torknetwork/guardian';\n\n// Redact PII from text\nconst result = await redactPII('tork_...', 'Call 555-123-4567');\n\n// Generate a compliance receipt\nconst receipt = await generateReceipt('tork_...', 'Processed user data');\n\n// Check a tool call against policy\nconst decision = governToolCall(\n { name: 'file_write', args: { path: '.env' } },\n { policy: 'standard', blockedPaths: ['.env'] }\n);\n\nSecurity Scanner\n\nScan any OpenClaw skill for vulnerabilities before installing it. The scanner checks for 14 security patterns across code and network categories.\n\nCLI\n# Scan a skill directory\nnpx tork-scan ./my-skill\n\n# Full details for every finding\nnpx tork-scan ./my-skill --verbose\n\n# JSON output for CI/CD\nnpx tork-scan ./my-skill --json\n\n# Fail on any high or critical finding\nnpx tork-scan ./my-skill --strict\n\nProgrammatic\nimport { SkillScanner, generateBadge } from '@torknetwork/guardian';\n\nconst scanner = new SkillScanner();\nconst report = await scanner.scanSkill('./my-skill');\n\nconsole.log(`Risk: ${report.riskScore}/100`);\nconsole.log(`Verdict: ${report.verdict}`); // 'verified' | 'reviewed' | 'flagged'\n\n\nSee docs/SCANNER.md for the full rule reference, severity weights, and example output.\n\nTork Verified Badges\n\nSkills that pass the security scanner receive a Tork Verified badge:\n\nBadge\tScore\tMeaning\nTork Verified (green)\t0 - 29\tSafe to install\nTork Reviewed (yellow)\t30 - 49\tManual review recommended\nTork Flagged (red)\t50 - 100\tSecurity risks detected\nimport { SkillScanner, generateBadge, generateBadgeMarkdown } from '@torknetwork/guardian';\n\nconst scanner = new SkillScanner();\nconst report = await scanner.scanSkill('./my-skill');\nconst badge = generateBadge(report);\n\n// Add to your README\nconsole.log(generateBadgeMarkdown(badge));\n\nGet Your API Key\n\nSign up at tork.network to get your API key." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/torkjacobs/tork-guardian", "publisherUrl": "https://clawhub.ai/torkjacobs/tork-guardian", "owner": "torkjacobs", "version": "1.0.2", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/tork-guardian", "downloadUrl": "https://openagent3.xyz/downloads/tork-guardian", "agentUrl": "https://openagent3.xyz/skills/tork-guardian/agent", "manifestUrl": "https://openagent3.xyz/skills/tork-guardian/agent.json", "briefUrl": "https://openagent3.xyz/skills/tork-guardian/agent.md" } }