openclaw-marshalCompliance and policy enforcement for agent workspaces. Define security policies, audit compliance, check command restrictions, and generate audit-ready reports. Free alert layer β upgrade to openclaw-marshal-pro for active enforcement, blocking, and automated remediation.
Install via ClawdBot CLI:
clawdbot install AtlasPA/openclaw-marshalDefine security policies for your workspace and audit compliance. Check installed skills against command, network, and data handling rules. Generate audit-ready compliance reports.
Agent workspaces accumulate skills that execute commands, access the network, and handle data. Without a defined security policy, there is no way to know whether installed skills comply with your organization's requirements β or whether your workspace itself meets basic security hygiene standards.
This skill lets you define a policy once and audit everything against it.
Create a default security policy file (.marshal-policy.json) with sensible defaults.
python3 {baseDir}/scripts/marshal.py policy --init --workspace /path/to/workspaceDisplay the current active policy.
python3 {baseDir}/scripts/marshal.py policy --show --workspace /path/to/workspaceQuick overview of loaded policy rules.
python3 {baseDir}/scripts/marshal.py policy --workspace /path/to/workspaceAudit all installed skills and workspace configuration against the active policy. Reports compliance score, violations, and recommendations.
python3 {baseDir}/scripts/marshal.py audit --workspace /path/to/workspaceCheck a single skill against the policy. Reports pass/fail per rule.
python3 {baseDir}/scripts/marshal.py check openclaw-warden --workspace /path/to/workspaceProduce a formatted, copy-pastable compliance report suitable for audit documentation.
python3 {baseDir}/scripts/marshal.py report --workspace /path/to/workspaceOne-line summary: policy loaded, compliance score, critical violations count.
python3 {baseDir}/scripts/marshal.py status --workspace /path/to/workspaceIf --workspace is omitted, the script tries:
OPENCLAW_WORKSPACE environment variable~/.openclaw/workspace (default)| Category | Checks | Severity |
|----------|--------|----------|
| Command Safety | Dangerous patterns (eval, exec, pipe-to-shell, rm -rf /) | CRITICAL |
| Command Policy | Blocked and review-required commands from policy | HIGH/MEDIUM |
| Network Policy | Domain allow/blocklists, suspicious TLD patterns | CRITICAL/HIGH |
| Data Handling | Secret scanner installed, PII scanner configured | HIGH/MEDIUM |
| Workspace Hygiene | .gitignore, audit trail (ledger), skill signing (signet) | HIGH/MEDIUM |
| Configuration | Debug modes, verbose logging left enabled | LOW |
The .marshal-policy.json file defines all rules:
*.tk)0 β Compliant, no issues1 β Review needed (medium/high findings)2 β Critical violations detectedPython standard library only. No pip install. No network calls. Everything runs locally.
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.
Generated Mar 1, 2026
A bank uses OpenClaw Marshal to enforce strict command and network policies across AI agent skills, ensuring no unauthorized data access or risky commands. It generates audit-ready reports for regulatory compliance checks, such as PCI-DSS or GDPR, by scanning for PII and secret leaks.
A hospital deploys this skill to audit AI skills handling patient data, blocking dangerous commands and suspicious network domains. It ensures compliance with HIPAA by requiring PII scanning and workspace hygiene, preventing data breaches in clinical workflows.
A SaaS company integrates OpenClaw Marshal to define and audit security policies for customer-facing AI agents. It checks skills for command safety and network access, maintaining a high compliance score to build trust and reduce operational risks.
A university uses this skill to vet AI skills in research labs, ensuring they comply with institutional policies on data handling and network usage. It provides quick status checks and reports to prevent security incidents in academic projects.
A government agency employs OpenClaw Marshal to audit AI agent workspaces for compliance with security standards, blocking high-risk commands and enforcing audit trails. It generates detailed reports for internal reviews and public accountability.
Offer managed security policy audits for organizations using AI agents, charging subscription fees for regular compliance checks and report generation. This model leverages the skill's local execution to provide scalable, low-overhead services.
Sell custom integrations of OpenClaw Marshal into existing security frameworks, such as SIEM systems, with licensing fees per workspace. This targets large corporations needing tailored policies and automated compliance monitoring.
Provide consulting services to help organizations define and implement security policies using this skill, along with training workshops on AI agent security best practices. Revenue comes from project-based fees and training sessions.
π¬ Integration Tip
Set the OPENCLAW_WORKSPACE environment variable to automate workspace detection and integrate with CI/CD pipelines for continuous compliance checks.
Set up and use 1Password CLI (op). Use when installing the CLI, enabling desktop app integration, signing in (single or multi-account), or reading/injecting/running secrets via op.
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
Perform a comprehensive read-only security audit of Clawdbot's own configuration. This is a knowledge-based skill that teaches Clawdbot to identify hardening opportunities across the system. Use when user asks to "run security check", "audit clawdbot", "check security hardening", or "what vulnerabilities does my Clawdbot have". This skill uses Clawdbot's internal capabilities and file system access to inspect configuration, detect misconfigurations, and recommend remediations. It is designed to be extensible - new checks can be added by updating this skill's knowledge.
Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
Security check for ClawHub skills powered by Koi. Query the Clawdex API before installing any skill to verify it's safe.
Scan Clawdbot and MCP skills for malware, spyware, crypto-miners, and malicious code patterns before you install them. Security audit tool that detects data exfiltration, system modification attempts, backdoors, and obfuscation techniques.