Openclaw Marshal
Compliance and policy enforcement for agent workspaces. Define security policies, audit compliance, check command restrictions, and generate audit-ready reports. Free alert layer — upgrade to opencl
Description
name: openclaw-marshal user-invocable: true metadata: {"openclaw":{"emoji":"📋","requires":{"bins":["python3"]},"os":["darwin","linux","win32"]}}
OpenClaw Marshal
Define security policies for your workspace and audit compliance. Check installed skills against command, network, and data handling rules. Generate audit-ready compliance reports.
Why This Matters
Agent workspaces accumulate skills that execute commands, access the network, and handle data. Without a defined security policy, there is no way to know whether installed skills comply with your organization's requirements — or whether your workspace itself meets basic security hygiene standards.
This skill lets you define a policy once and audit everything against it.
Commands
Initialize Policy
Create a default security policy file (.marshal-policy.json) with sensible defaults.
python3 {baseDir}/scripts/marshal.py policy --init --workspace /path/to/workspace
Show Policy
Display the current active policy.
python3 {baseDir}/scripts/marshal.py policy --show --workspace /path/to/workspace
Policy Summary
Quick overview of loaded policy rules.
python3 {baseDir}/scripts/marshal.py policy --workspace /path/to/workspace
Full Compliance Audit
Audit all installed skills and workspace configuration against the active policy. Reports compliance score, violations, and recommendations.
python3 {baseDir}/scripts/marshal.py audit --workspace /path/to/workspace
Check Specific Skill
Check a single skill against the policy. Reports pass/fail per rule.
python3 {baseDir}/scripts/marshal.py check openclaw-warden --workspace /path/to/workspace
Generate Compliance Report
Produce a formatted, copy-pastable compliance report suitable for audit documentation.
python3 {baseDir}/scripts/marshal.py report --workspace /path/to/workspace
Quick Status
One-line summary: policy loaded, compliance score, critical violations count.
python3 {baseDir}/scripts/marshal.py status --workspace /path/to/workspace
Workspace Auto-Detection
If --workspace is omitted, the script tries:
OPENCLAW_WORKSPACEenvironment variable- Current directory (if AGENTS.md exists)
~/.openclaw/workspace(default)
What Gets Checked
| Category | Checks | Severity |
|---|---|---|
| Command Safety | Dangerous patterns (eval, exec, pipe-to-shell, rm -rf /) | CRITICAL |
| Command Policy | Blocked and review-required commands from policy | HIGH/MEDIUM |
| Network Policy | Domain allow/blocklists, suspicious TLD patterns | CRITICAL/HIGH |
| Data Handling | Secret scanner installed, PII scanner configured | HIGH/MEDIUM |
| Workspace Hygiene | .gitignore, audit trail (ledger), skill signing (signet) | HIGH/MEDIUM |
| Configuration | Debug modes, verbose logging left enabled | LOW |
Policy Format
The .marshal-policy.json file defines all rules:
- commands.allow — Permitted binaries
- commands.block — Blocked command patterns
- commands.review — Commands requiring human review
- network.allow_domains — Permitted network domains
- network.block_domains — Blocked domains
- network.block_patterns — Wildcard domain blocks (e.g.,
*.tk) - data_handling.pii_scan — Require PII scanning
- data_handling.secret_scan — Require secret scanning
- workspace.require_gitignore — Require .gitignore
- workspace.require_audit_trail — Require ledger
- workspace.require_skill_signing — Require signet
Exit Codes
0— Compliant, no issues1— Review needed (medium/high findings)2— Critical violations detected
No External Dependencies
Python standard library only. No pip install. No network calls. Everything runs locally.
Cross-Platform
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
Reviews (0)
No reviews yet. Be the first to review!
Comments (0)
No comments yet. Be the first to share your thoughts!