Назад към всички

claw-permission-firewall

// Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:

$ git log --oneline --stat
stars:1,933
forks:367
updated:March 4, 2026
SKILL.mdreadonly

Claw Permission Firewall

Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:

  • ALLOW (safe to execute)
  • DENY (blocked by policy)
  • NEED_CONFIRMATION (risky; require explicit confirmation)

It also returns a sanitizedAction with secrets redacted, plus a structured audit record.

This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.

What it protects against

  • Exfiltration to unknown domains
  • Prompt-injection “send secrets” attempts (secret detection + redaction)
  • Reading sensitive local files (~/.ssh, ~/.aws, .env, etc.)
  • Unsafe execution patterns (rm -rf, curl | sh, etc.)

Inputs

Provide an action object to evaluate:

{
  "traceId": "optional-uuid",
  "caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
  "action": {
    "type": "http_request | file_read | file_write | exec",
    "method": "GET|POST|PUT|DELETE",
    "url": "https://api.github.com/...",
    "headers": { "authorization": "Bearer ..." },
    "body": "...",
    "path": "./reports/out.json",
    "command": "rm -rf /"
  },
  "context": {
    "workspaceRoot": "/workspace",
    "mode": "strict | balanced | permissive",
    "confirmed": false
  }
}

Outputs

{
  "decision": "ALLOW | DENY | NEED_CONFIRMATION",
  "riskScore": 0.42,
  "reasons": [{"ruleId":"...","message":"..."}],
  "sanitizedAction": { "...": "..." },
  "confirmation": { "required": true, "prompt": "..." },
  "audit": { "traceId":"...", "policyVersion":"...", "actionFingerprint":"..." }
}

Default policy behavior (v1)

  • Exec disabled by default
  • HTTP requires TLS
  • Denylist blocks common exfil hosts (pastebins, raw script hosts)
  • File access is jailed to workspaceRoot
  • Always redacts Authorization, Cookie, X-API-Key, and common token patterns

Recommended usage pattern

  1. Your skill creates an action object.
  2. Call this skill to evaluate it.
  3. If ALLOW → execute sanitizedAction.
  4. If NEED_CONFIRMATION → ask user and re-run with context.confirmed=true.
  5. If DENY → stop and show the reasons.

Files

  • policy.yaml contains the policy (edit for your environment).