Official Verified

openclaw-guardian

A security layer plugin for OpenClaw that intercepts dangerous tool calls (exec, write, edit) through two-tier regex blacklist rules and LLM-based intent verification. Critical operations require 3/3 unanimous LLM votes, warning-level operations require 1 LLM confirmation. 99% of normal operations pass instantly with zero overhead. Includes bypass/pipe-attack detection, path canonicalization, SHA-256 hash-chain audit logging, and auto-discovers a cheap model from your existing provider config.

skill-install — Terminal

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/fatcatmaofei/openclaw-guardian

Download Source Code (.zip)

OpenClaw Guardian

The missing safety layer for AI agents.

Why?

OpenClaw gives agents direct access to shell, files, email, browser, and more. 99% of that is harmless. Guardian catches the 1% that isn't — without slowing down the rest.

How It Works

Tool Call → Blacklist Matcher (regex rules, 0ms)
              ↓
   No match     → Pass instantly (99% of calls)
   Warning hit  → 1 LLM vote ("did the user ask for this?")
   Critical hit → 3 LLM votes (all must confirm user intent)

Two Blacklist Levels

Level	LLM Votes	Latency	Examples
No match	0	~0ms	Reading files, git, normal ops
Warning	1	~1-2s	`rm -rf /tmp/cache`, `chmod 777`, `sudo apt`
Critical	3 (unanimous)	~2-4s	`rm -rf ~/`, `mkfs`, `dd of=/dev/`, `shutdown`

What Gets Checked

Only three tool types are inspected:

exec → command string matched against exec blacklist
write / edit → file path canonicalized and matched against path blacklist
Everything else passes through instantly

LLM Intent Verification

When a blacklist rule matches, Guardian asks a lightweight LLM: "Did the user explicitly request this?" It reads recent conversation context to prevent false positives.

Warning: 1 LLM call. Confirmed → proceed.
Critical: 3 parallel LLM calls. All 3 must confirm. Any "no" → block.

Auto-discovers a cheap/fast model from your existing OpenClaw provider config (prefers Haiku). No separate API key needed.

LLM Fallback

Critical + LLM down → blocked (fail-safe)
Warning + LLM down → asks user for manual confirmation

Blacklist Rules

Critical (exec)

rm -rf on system paths (excludes /tmp/ and workspace)
mkfs, dd to block devices, redirects to /dev/sd*
Writes to /etc/passwd, /etc/shadow, /etc/sudoers
shutdown, reboot, disable SSH
Bypass: eval, absolute-path rm, interpreter-based (python -c, node -e)
Pipe attacks: curl | sh, wget | bash, base64 -d | sh
Chain attacks: download + chmod +x + execute

Warning (exec)

rm -rf on safe paths, sudo, chmod 777, chown root
Package install/remove, service management
Crontab mods, SSH/SCP, Docker ops, kill/killall

Path Rules (write/edit)

Critical: system auth files, SSH keys, systemd units
Warning: dotfiles, /etc/ configs, .env files, authorized_keys

Audit Log

Every blacklist hit logged to ~/.openclaw/guardian-audit.jsonl with SHA-256 hash chain — tamper-evident, each entry covers full content + previous hash.

Installation

openclaw plugins install openclaw-guardian

Or manually:

cd ~/.openclaw/workspace
git clone https://github.com/fatcatMaoFei/openclaw-guardian.git

Token Cost

Scenario	% of Ops	Extra Cost
No match	~99%	0
Warning	~0.5-1%	~500 tokens
Critical	<0.5%	~1500 tokens

Read Full Documentation on GitHub

Metadata

Author@fatcatmaofei

Stars2387

Updated2026-03-09

View Author Profile

AI Skill Finder

Not sure this is the right skill?

Describe what you want to build — we'll match you to the best skill from 16,000+ options.

Find the right skill

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-fatcatmaofei-openclaw-guardian": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Safety NoteClawKit audits metadata but not runtime behavior. Use with caution.

Related Skills

enhanced-memory

An enhanced memory system for OpenClaw agents that replaces the default single-file MEMORY.md with a complete memory architecture: hierarchical directory organization by category, [category:value] tag indexing with multi-tag AND search, automatic lifecycle management (active → archive, never delete), and intelligent cross-category retrieval that auto-routes queries to the right memory module. Gives your agent structured, searchable, long-lived memory out of the box.

fatcatmaofei 2387

mindcore

Biomimetic emotional mind engine for AI Agents. Provides human-like emotional responses through a 5-layer neural conduction pipeline (L0 Stochastic Noise → L1 Sensor Perception → L2 Subconscious Impulses → L3 Personality Gate → L4 Decision Output) plus 5 psychodynamic patches. Fully decoupled from any LLM — runs locally on CPU with pure Python. Simulates 150 daily impulses across 9 categories with circadian rhythms, mood modulation, and short-term memory influence.

fatcatmaofei 2387