gatewaystack-governance
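Deny-by-default governance for every tool call: identity, scope, rate limiting, injection detection, audit logging, plus opt-in output DLP, escalation, and behavioral monitoring. It hooks into OpenClaw at the process level, so the agent cannot bypass it.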
Install / download options

TotalClaw CLI (recommended)

```bash
totalclaw install totalclaw:totalclaw~davidcrowe-gatewaystack-governance
```

cURL direct download, no login required
```bash
curl -fsSL https://skills.taituai.com/api/skills/totalclaw%3Atotalclaw~davidcrowe-gatewaystack-governance/file -o davidcrowe-gatewaystack-governance.md
```

# GatewayStack Governance

Deny-by-default governance for every tool call in OpenClaw.

Five core checks run automatically on every invocation:

1. **Identity** — maps the agent to a policy role. Unknown agents are denied.
2. **Scope** — deny-by-default tool allowlist. Unlisted tools are blocked.
3. **Rate limiting** — per-user and per-session sliding window limits.
4. **Injection detection** — 40+ patterns from Cisco, Snyk, and Kaspersky research.
5. **Audit logging** — every decision recorded to append-only JSONL.

Three opt-in features extend governance further:

6. **Output DLP** — scans tool output for PII using `@gatewaystack/transformabl-core`. Log or redact.
7. **Escalation** — human-in-the-loop review for medium-severity detections and first-time tool use.
8. **Behavioral monitoring** — detects anomalous tool usage patterns using `@gatewaystack/limitabl-core`.

## Install

```bash
openclaw plugins install @gatewaystack/gatewaystack-governance
```

One command. Zero config. The core 5 checks are active on every tool call immediately.

The plugin hooks into `before_tool_call` at the process level — the agent can't bypass it, skip it, or talk its way around it.

## Customize

To override the defaults, create a policy file:

```bash
cp ~/.openclaw/plugins/gatewaystack-governance/policy.example.json \
   ~/.openclaw/plugins/gatewaystack-governance/policy.json
```

Configure which tools are allowed, who can use them, rate limits, injection detection sensitivity, and the three optional features (DLP, escalation, behavioral monitoring — all disabled by default).

## Optional GatewayStack packages

The opt-in features use GatewayStack packages via lazy import. Install only what you need:

```bash
npm install @gatewaystack/transformabl-core  # for output DLP
npm install @gatewaystack/limitabl-core      # for behavioral monitoring
```

The core 5 checks have zero external dependencies and work without these packages.

## Links

- [GitHub](https://github.com/davidcrowe/openclaw-gatewaystack-governance) — source, docs, getting started guide
- [npm](https://www.npmjs.com/package/@gatewaystack/gatewaystack-governance) — package registry
- MIT licensed
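
The five core checks, run in the order the README lists them, as an added sketch that is not the plugin's own code. The policy shape, the function name `governToolCall`, the two sample patterns and the single per-agent window are assumptions made for illustration, and audit lines are kept in memory rather than written to a file.

```javascript
// Added illustration, not the plugin's code. Policy shape and names are hypothetical.
const policy = {
  roles: new Map([["agent-main", "analyst"]]),                         // agent id -> role
  allow: new Map([["analyst", new Set(["read_file", "web_search"])]]), // role -> tools
  rate: { windowMs: 60_000, max: 3 },                                  // per-agent window
  // Constructed sample patterns; the real plugin ships its own, larger set.
  injection: [/ignore (all )?previous instructions/i, /reveal .*system prompt/i],
};

const calls = new Map(); // agent id -> timestamps of allowed calls inside the window
const auditLines = [];   // JSONL records, append-only (a deployment would write a file)

function audit(entry) {
  auditLines.push(JSON.stringify(entry));
  return entry;
}

// Runs the five checks in order; the first failing check denies the call.
function governToolCall({ agent, tool, args }, now = Date.now()) {
  const base = { ts: now, agent, tool };
  const deny = (check, reason) => audit({ ...base, allowed: false, check, reason });

  // 1. Identity: Map lookup, so names like "constructor" cannot match by accident.
  const role = policy.roles.get(agent);
  if (!role) return deny("identity", "unknown agent");

  // 2. Scope: anything not explicitly allowlisted for the role is blocked.
  const allowed = policy.allow.get(role);
  if (!allowed || !allowed.has(tool)) return deny("scope", "tool not in allowlist");

  // 3. Rate limit: sliding window over this agent's recent allowed calls.
  const recent = (calls.get(agent) || []).filter((t) => now - t < policy.rate.windowMs);
  if (recent.length >= policy.rate.max) return deny("rate", "limit exceeded");

  // 4. Injection: scan the serialized arguments against each pattern.
  const text = JSON.stringify(args ?? {});
  const hit = policy.injection.find((re) => re.test(text));
  if (hit) return deny("injection", `matched ${hit.source}`);

  // 5. Audit: allowed calls are recorded too, then counted toward the window.
  calls.set(agent, [...recent, now]);
  return audit({ ...base, allowed: true, check: "all", reason: "ok" });
}
```

Every path through the function ends in `audit(...)`, so a denied call leaves the same kind of record as an allowed one.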