Claw Permission Firewall
Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:
Best use case
Claw Permission Firewall is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Teams using Claw Permission Firewall should expect more consistent output, faster repeated execution, and less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in `.claude/skills/claw-permission-firewall/SKILL.md` inside your project
- Restart your AI agent — it will auto-discover the skill
How Claw Permission Firewall Compares
| Feature / Agent | Claw Permission Firewall | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Claw Permission Firewall
Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:
- **ALLOW** (safe to execute)
- **DENY** (blocked by policy)
- **NEED_CONFIRMATION** (risky; require explicit confirmation)
It also returns a **sanitizedAction** with secrets redacted, plus a structured **audit** record.
> This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.
---
## What it protects against
- Exfiltration to unknown domains
- Prompt-injection “send secrets” attempts (secret detection + redaction)
- Reading sensitive local files (`~/.ssh`, `~/.aws`, `.env`, etc.)
- Unsafe execution patterns (`rm -rf`, `curl | sh`, etc.)
---
## Inputs
Provide an action object to evaluate:
```json
{
  "traceId": "optional-uuid",
  "caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
  "action": {
    "type": "http_request | file_read | file_write | exec",
    "method": "GET|POST|PUT|DELETE",
    "url": "https://api.github.com/...",
    "headers": { "authorization": "Bearer ..." },
    "body": "...",
    "path": "./reports/out.json",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
    "mode": "strict | balanced | permissive",
    "confirmed": false
  }
}
```
---
## Outputs
```json
{
  "decision": "ALLOW | DENY | NEED_CONFIRMATION",
  "riskScore": 0.42,
  "reasons": [{ "ruleId": "...", "message": "..." }],
  "sanitizedAction": { "...": "..." },
  "confirmation": { "required": true, "prompt": "..." },
  "audit": { "traceId": "...", "policyVersion": "...", "actionFingerprint": "..." }
}
```
---
## Default policy behavior (v1)
- **Exec disabled** by default
- HTTP requires **TLS**
- Denylist blocks common exfil hosts (pastebins, raw script hosts)
- File access is jailed to **workspaceRoot**
- Always redacts `Authorization`, `Cookie`, `X-API-Key`, and common token patterns
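The defaults above, sketched as an added example (not the skill's own code) that covers only the hard-deny rules and header/token redaction, leaving out risk scoring and confirmation. The denylist hosts, the token patterns and the names `evaluate` and `sanitize` are assumptions; the real values live in `policy.yaml`.

```python
import os
import re
from urllib.parse import urlsplit

# Assumed values for illustration; the skill's real lists are in policy.yaml.
DENY_HOSTS = {"pastebin.com", "raw.githubusercontent.com"}
REDACT_HEADERS = {"authorization", "cookie", "x-api-key"}
TOKEN_RE = re.compile(r"\b(?:ghp_[A-Za-z0-9]{20,}|AKIA[0-9A-Z]{16})\b")


def evaluate(request):
    """Return (decision, reasons, sanitized_action) under the v1 defaults."""
    action, ctx = request["action"], request["context"]
    reasons = []
    kind = action["type"]
    if kind == "exec":
        reasons.append("exec is disabled by default")
    elif kind == "http_request":
        url = urlsplit(action["url"])
        host = (url.hostname or "").lower()
        if url.scheme != "https":
            reasons.append("HTTP requires TLS")
        # Match the denylisted domain itself and any subdomain of it.
        if host in DENY_HOSTS or any(host.endswith("." + d) for d in DENY_HOSTS):
            reasons.append(f"host {host} is denylisted")
    elif kind in ("file_read", "file_write"):
        root = os.path.realpath(ctx["workspaceRoot"])
        # realpath resolves ".." and symlinks before the containment check;
        # an absolute action path replaces root in join() and is caught too.
        target = os.path.realpath(os.path.join(root, action["path"]))
        if os.path.commonpath([root, target]) != root:
            reasons.append("path escapes workspaceRoot")
    else:
        reasons.append(f"unknown action type {kind!r}")
    return ("DENY" if reasons else "ALLOW"), reasons, sanitize(action)


def sanitize(action):
    """Copy the action with sensitive headers and token-like strings redacted."""
    clean = dict(action)
    if "headers" in clean:
        clean["headers"] = {
            k: "[REDACTED]" if k.lower() in REDACT_HEADERS else v
            for k, v in clean["headers"].items()
        }
    if isinstance(clean.get("body"), str):
        clean["body"] = TOKEN_RE.sub("[REDACTED]", clean["body"])
    return clean
```

Unknown action types are denied rather than allowed, so a new action kind has to be added to the policy before it can run.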
---
## Recommended usage pattern
1) Your skill creates an action object.
2) Call this skill to evaluate it.
3) If **ALLOW** → execute sanitizedAction.
4) If **NEED_CONFIRMATION** → ask user and re-run with `context.confirmed=true`.
5) If **DENY** → stop and show the reasons.
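The five steps above as caller-side code, an added example that is not part of the skill. `run_guarded` and its callable parameters are hypothetical names, and `stub_firewall` is a constructed stand-in (with a made-up `ruleId`) that returns the output shape shown under Outputs.

```python
def run_guarded(request, evaluate, execute, ask_user):
    """Evaluate, confirm if asked, and execute only on ALLOW.

    Returns (executed, result) on success or (False, reasons) otherwise.
    """
    verdict = evaluate(request)
    if verdict["decision"] == "NEED_CONFIRMATION":
        if not ask_user(verdict["confirmation"]["prompt"]):
            return False, verdict["reasons"]
        # Re-run the firewall with confirmed=true instead of executing directly:
        # the policy may still deny a confirmed action. The caller's request
        # object is copied, not mutated.
        confirmed = {**request, "context": {**request["context"], "confirmed": True}}
        verdict = evaluate(confirmed)
    # Fail closed: anything other than ALLOW (including a second
    # NEED_CONFIRMATION) stops here.
    if verdict["decision"] != "ALLOW":
        return False, verdict["reasons"]
    # Execute what the firewall returned, not the original action.
    return True, execute(verdict["sanitizedAction"])


def stub_firewall(request):
    """Constructed stand-in: exec is denied, DELETE needs confirmation."""
    action, ctx = request["action"], request["context"]
    base = {
        "reasons": [],
        "sanitizedAction": dict(action),
        "confirmation": {"required": False, "prompt": ""},
    }
    if action["type"] == "exec":
        reason = {"ruleId": "exec-disabled", "message": "exec is disabled"}
        return {**base, "decision": "DENY", "reasons": [reason]}
    if action.get("method") == "DELETE" and not ctx.get("confirmed"):
        prompt = {"required": True, "prompt": "Allow DELETE?"}
        return {**base, "decision": "NEED_CONFIRMATION", "confirmation": prompt}
    return {**base, "decision": "ALLOW"}
```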
---
## Files
- `policy.yaml` contains the policy (edit for your environment).