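🛡️ Gatewaystack Governance — Deny-by-Default Governance
v0.2.0
Provides deny-by-default governance for every tool call: identity verification, scope control, rate limiting, injection detection, and audit logging, plus optional output DLP and escalation policies, to keep AI tool calls secure and compliant.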
Security scan
OpenClaw
Safe
high confidence
Assessment recommendations
This plugin appears to do what it claims, but take these precautions before installing:
- Verify the package source and publisher on npm/GitHub (the SKILL.md and package.json point to a GitHub repo and an npm package). Confirm the maintainer identity and package integrity (checksums, npm publisher account).
- Audit and protect the audit log and state files. The plugin records tool names and arguments (and optionally DLP matches) in audit.jsonl and other state files; these can contain secrets. E...
✓ Purpose and capabilities
Name/description (governance for tool calls) align with the included code and package.json: it implements identity, scope, rate limiting, injection detection, audit logging, optional DLP/behavioral features, and registers as an OpenClaw plugin. Required binary is only 'node', which is appropriate for a Node.js plugin.
ℹ Instruction scope
SKILL.md and code are explicit about what they read/write: policy.json, audit.jsonl, baseline and state files (.agent-tool-usage.json, .pending-reviews.json, .behavioral-baseline.json). The plugin logs full context of tool calls (including arguments) to an append-only JSONL file — this is expected for audit but may capture sensitive data. Instructions do not appear to read unrelated system credentials or network endpoints; they focus on plugin policy, audit, and optional GatewayStack packages.
✓ Installation mechanism
No remote-download install spec inside the skill bundle; SKILL.md instructs installation via 'openclaw plugins install @gatewaystack/gatewaystack-governance' / npm. package.json is present and lists peer dependencies (optional) from the same namespace. There are no obscure URLs, shorteners, or arbitrary archive extracts in the provided files.
✓ Credential requirements
The skill requests no environment variables or external credentials. Peer dependencies for optional features are reasonable. The main proportionality concern is that audit logs and state files store tool arguments and summaries (which can contain secrets) — the plugin design requires this for audit/behavioral features, so it is proportionate but worth protecting.
✓ Persistence and permissions
The skill is not marked 'always:true' and uses the normal plugin extension points (openclaw.extensions → src/plugin.js). It registers hooks to intercept tool calls which is documented and expected for a governance plugin. It does create local state and log files in the plugin/session area, which is normal for this functionality.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.2.0 2026/2/16
● Harmless
Installation command
Official: npx clawhub@latest install gatewaystack-governance
Mirror (accelerated): npx clawhub@latest install gatewaystack-governance --registry https://cn.longxiaskill.com