Skills Plugins Jobs Pricing
← Back to Plugins
Voice

Capability Manifest Verifier

electricsheephq By electricsheephq 👁 5 views ▲ 0 votes

OpenClaw plugin that enforces evaOS Capability Manifest grants before tool calls

GitHub

Configuration Example

{
  "plugins": {
    "entries": {
      "evaos-capability-manifest-verifier": {
        "enabled": true,
        "manifestJwtEnv": "OPENCLAW_CAPABILITY_MANIFEST_JWT",
        "manifestSecretEnv": "OPENCLAW_CAPABILITY_MANIFEST_SECRET",
        "agentId": "openclaw",
        "defaultDecision": "deny"
      }
    }
  }
}

README

# evaOS OpenClaw Capability Manifest Verifier

OpenClaw plugin that enforces evaOS broker-issued Capability Manifest grants before tool calls.

This is the downstream, ClawHub-installable verifier path for evaOS issue `#143`. It intentionally uses OpenClaw's normal `before_tool_call` hook because ClawHub/external plugins cannot register host-trusted tool policies. The stronger bundled trusted-policy path remains in `openclaw/openclaw#88189`.

## Behavior

- Disabled by default.
- Reads the manifest JWT from `OPENCLAW_CAPABILITY_MANIFEST_JWT` or a configured file path.
- Reads the HS256 verification secret from `OPENCLAW_CAPABILITY_MANIFEST_SECRET`.
- Verifies issuer `evaos-broker`, audience `evaos-runtime`, expiry, HS256 signature, and optional agent id.
- Maps grants to OpenClaw decisions:
  - `allowed` / `allow`: permits the tool call
  - `requires_approval` / `approval`: requests OpenClaw approval
  - `denied` / `deny`: blocks the tool call
- Missing grants fail closed by default.

## Example Configuration

```json
{
  "plugins": {
    "entries": {
      "evaos-capability-manifest-verifier": {
        "enabled": true,
        "manifestJwtEnv": "OPENCLAW_CAPABILITY_MANIFEST_JWT",
        "manifestSecretEnv": "OPENCLAW_CAPABILITY_MANIFEST_SECRET",
        "agentId": "openclaw",
        "defaultDecision": "deny"
      }
    }
  }
}
```

Keep the signing secret in the runtime environment. Do not store it in plugin configuration.

## Boundary Note

This package is suitable for evaOS-owned OpenClaw deployments that can install and enable the plugin. It is not a replacement for a core/bundled host-trusted policy. If OpenClaw core accepts `openclaw/openclaw#88189`, prefer the bundled verifier for stronger policy ownership.
voice

Comments

Sign in to leave a comment

Loading comments...

Similar Plugins in Voice

Mem

Mem

Local-first memory sidecar for OpenClaw — tool-result capture → SQLite ledger → progressive recall; optional embeddings

4
Moltbot Memory Local

Moltbot Memory Local

Privacy-first local memory plugin for Moltbot: SQLite + local embeddings, zero cloud calls

4
Moltbot Extension Powermem

Moltbot Extension Powermem

Moltbot(clawdbot/openclaw) Plugin: give your bot long-term memory with PowerMem—smart extraction, Ebbinghaus recall, mul

3
Voice Call

Voice Call

Enable voice call functionality for OpenClaw agents. Supports Twilio integration for making and receiving phone calls th

2 375696
Recall

Recall

Persistent memory, context compression & profile visibility for 🦞OpenClaw🦞.

1 1
Blackwall Openclaw

Blackwall Openclaw

BLACK_WALL pre-action guardrail for OpenClaw agents. Hooks before_tool_call to call forecast() before any tool runs; blo

0