openclaw-marshal-pro

Full compliance and policy enforcement suite: define security policies, audit compliance, auto-enforce violations, quarantine non-compliant skills, generate runtime hooks, and apply compliance templates. Everything in openclaw-marshal (free) plus automated enforcement.

7 stars

byDemerzels-lab

View on GitHub Installation ↓

Best use case

openclaw-marshal-pro is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

Teams using openclaw-marshal-pro should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

You only need a quick one-off answer and do not need a reusable workflow.
You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/openclaw-marshal-pro/SKILL.md --create-dirs "https://raw.githubusercontent.com/Demerzels-lab/elsamultiskillagent/main/public/skills/atlaspa/openclaw-marshal-pro/SKILL.md"

Manual Installation

Download SKILL.md from GitHub
Place it in .claude/skills/openclaw-marshal-pro/SKILL.md inside your project
Restart your AI agent — it will auto-discover the skill

How openclaw-marshal-pro Compares

Feature / Agent	openclaw-marshal-pro	Standard Approach
Platform Support	Not specified	Limited / Varies
Context Awareness	High	Baseline
Installation Complexity	Unknown	N/A

Frequently Asked Questions

What does this skill do?

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# OpenClaw Marshal Pro

Full compliance and policy enforcement suite. Everything in openclaw-marshal (free) plus active enforcement: auto-quarantine non-compliant skills, generate runtime hooks, apply compliance templates, and run full automated protection sweeps.

Free = alert. Pro = subvert + quarantine + defend.

## Commands

### Initialize Policy

Create a default security policy file (`.marshal-policy.json`) with sensible defaults.

```bash
python3 {baseDir}/scripts/marshal.py policy --init --workspace /path/to/workspace
```

### Show Policy

Display the current active policy.

```bash
python3 {baseDir}/scripts/marshal.py policy --show --workspace /path/to/workspace
```

### Policy Summary

Quick overview of loaded policy rules.

```bash
python3 {baseDir}/scripts/marshal.py policy --workspace /path/to/workspace
```

### Full Compliance Audit

Audit all installed skills and workspace configuration against the active policy. Reports compliance score, violations, and recommendations.

```bash
python3 {baseDir}/scripts/marshal.py audit --workspace /path/to/workspace
```

### Check Specific Skill

Check a single skill against the policy. Reports pass/fail per rule with fix recommendations.

```bash
python3 {baseDir}/scripts/marshal.py check openclaw-warden --workspace /path/to/workspace
```

### Generate Compliance Report

Produce a formatted, copy-pastable compliance report suitable for audit documentation.

```bash
python3 {baseDir}/scripts/marshal.py report --workspace /path/to/workspace
```

### Quick Status

One-line summary: policy loaded, compliance score, critical violations count, quarantined skills.

```bash
python3 {baseDir}/scripts/marshal.py status --workspace /path/to/workspace
```

### Enforce (Pro)

Active policy enforcement: scan all skills, auto-quarantine those with CRITICAL violations, generate fix recommendations for MEDIUM violations.

```bash
python3 {baseDir}/scripts/marshal.py enforce --workspace /path/to/workspace
```

### Quarantine a Skill (Pro)

Quarantine a non-compliant skill by prefixing its directory with `.quarantined-`, making it invisible to all agent tools.

```bash
python3 {baseDir}/scripts/marshal.py quarantine bad-skill --workspace /path/to/workspace
```

### Unquarantine a Skill (Pro)

Restore a quarantined skill after investigation.

```bash
python3 {baseDir}/scripts/marshal.py unquarantine bad-skill --workspace /path/to/workspace
```

### Generate Runtime Hooks (Pro)

Generate Claude Code hook configurations that enforce policies at runtime. Creates PreToolUse hooks for Bash (command allowlist/blocklist) and Write (PII pattern scanning).

```bash
python3 {baseDir}/scripts/marshal.py hooks --workspace /path/to/workspace
```

### Compliance Templates (Pro)

List or apply pre-built compliance templates: general (balanced), enterprise (strict), minimal (basic).

```bash
# List available templates
python3 {baseDir}/scripts/marshal.py templates --list --workspace /path/to/workspace

# Apply a template
python3 {baseDir}/scripts/marshal.py templates --apply enterprise --workspace /path/to/workspace
```

### Full Protection Sweep (Pro)

Automated sweep recommended for session startup: load policy, audit all skills, enforce violations, quarantine critical violators, generate summary report.

```bash
python3 {baseDir}/scripts/marshal.py protect --workspace /path/to/workspace
```

## Workspace Auto-Detection

If `--workspace` is omitted, the script tries:
1. `OPENCLAW_WORKSPACE` environment variable
2. Current directory (if AGENTS.md exists)
3. `~/.openclaw/workspace` (default)

## What Gets Checked

| Category | Checks | Severity |
|----------|--------|----------|
| **Command Safety** | Dangerous patterns (eval, exec, pipe-to-shell, rm -rf /) | CRITICAL |
| **Command Policy** | Blocked and review-required commands from policy | HIGH/MEDIUM |
| **Network Policy** | Domain allow/blocklists, suspicious TLD patterns | CRITICAL/HIGH |
| **Data Handling** | Secret scanner installed, PII scanner configured | HIGH/MEDIUM |
| **Workspace Hygiene** | .gitignore, audit trail (ledger), skill signing (signet) | HIGH/MEDIUM |
| **Configuration** | Debug modes, verbose logging left enabled | LOW |

## Policy Format

The `.marshal-policy.json` file defines all rules:

- **commands.allow** — Permitted binaries
- **commands.block** — Blocked command patterns
- **commands.review** — Commands requiring human review
- **network.allow_domains** — Permitted network domains
- **network.block_domains** — Blocked domains
- **network.block_patterns** — Wildcard domain blocks (e.g., `*.tk`)
- **data_handling.pii_scan** — Require PII scanning
- **data_handling.secret_scan** — Require secret scanning
- **workspace.require_gitignore** — Require .gitignore
- **workspace.require_audit_trail** — Require ledger
- **workspace.require_skill_signing** — Require signet

## Exit Codes

- `0` — Compliant, no issues
- `1` — Review needed (medium/high findings)
- `2` — Critical violations detected

## No External Dependencies

Python standard library only. No pip install. No network calls. Everything runs locally.

## Cross-Platform

Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.

Related Skills

OpenClaw-Finnhub

from Demerzels-lab/elsamultiskillagent

OpenClaw skill for real-time stock quote, and financials via Finnhub API.

openclaw-nextcloud

from Demerzels-lab/elsamultiskillagent

Manage Notes, Tasks, Calendar, Files, and Contacts in your Nextcloud instance via CalDAV, WebDAV, and Notes API. Use for creating notes, managing todos and calendar events, uploading/downloading files, and managing contacts.

openclaw-safety-coach

from Demerzels-lab/elsamultiskillagent

Safety coach for OpenClaw users. Refuses harmful, illegal, or unsafe requests and provides practical guidance to reduce ecosystem risk (malicious skills, tool abuse, secret exfiltration, prompt injection).

openclaw

from Demerzels-lab/elsamultiskillagent

openclaw

openclaw-spacesuit

from Demerzels-lab/elsamultiskillagent

**A framework scaffold for OpenClaw workspaces.**

nutrient-openclaw

from Demerzels-lab/elsamultiskillagent

Document processing for OpenClaw — convert, extract, OCR, redact, sign, and watermark PDFs and Office documents using the Nutrient DWS API. Use when asked to convert documents (DOCX/XLSX/PPTX to PDF, PDF to images or Office formats), extract text or tables from PDFs, apply OCR to scanned documents, redact sensitive information or PII, add watermarks, or digitally sign documents. Triggers on "convert to PDF", "extract text", "OCR this", "redact PII", "watermark", "sign document", or any document processing request.

openclaw-setup

from Demerzels-lab/elsamultiskillagent

Set up a complete OpenClaw personal AI assistant from scratch using Claude Code. Walks through AWS provisioning, OpenClaw installation, Telegram bot creation, API configuration, Google Workspace integration, security hardening, and all power features. Give this to Claude Code and it handles the rest.

OpenClaw Optimizer Skill

from Demerzels-lab/elsamultiskillagent

## Overview

openclaw-backup

from Demerzels-lab/elsamultiskillagent

Enhanced backup and restore for openclaw configuration, skills, commands, and settings. Sync across devices, version control with git, automate backups, and migrate to new machines with advanced compression.

openclaw-trakt

from Demerzels-lab/elsamultiskillagent

Track and recommend TV shows and movies using Trakt.tv. Use when the user asks for show/movie recommendations, wants to track what they're watching, check their watchlist, or get personalized suggestions based on their viewing history. Requires Trakt.tv account with Pro subscription for full functionality.

OpenClaw Claude Code Skill

from Demerzels-lab/elsamultiskillagent

## Description

OpenClaw Async Task

from Demerzels-lab/elsamultiskillagent

## Description