Commitment Guard
OpenClaw plugin that gates skill and plugin installs on behavioral commitment scores. Content is free to fake — commitment is not.
Install
openclaw plugins install clawhub:@amdal/openclaw-commitment-guard
README
# Commitment Guard
OpenClaw plugin that gates skill and plugin installs on behavioral commitment scores.
**Content is free to fake. Commitment is not.**
A maintainer who shipped 847 releases over 12 years is a fundamentally different trust signal than one who published once in 2023. This plugin checks that signal before you install anything.
## What it does
When you run `openclaw plugins install` or `openclaw skills install`, Commitment Guard intercepts the `before_install` hook and:
1. Extracts the npm/PyPI package name from the install event
2. Queries the [Commit](https://getcommit.dev) scoring API for behavioral commitment data
3. Returns findings (info/warn/critical) based on the score
4. **Blocks installs** when packages fall below a configurable threshold or are flagged CRITICAL
## Scoring dimensions
Each package is scored 0-100 on signals that are expensive to manufacture:
| Signal | Weight | What it measures |
|--------|--------|-----------------|
| **Longevity** | 25 pts | How long the package has existed |
| **Download momentum** | 25 pts | Weekly downloads + trend direction |
| **Release consistency** | 20 pts | Version count + recency |
| **Maintainer depth** | 15 pts | Number of active maintainers |
| **GitHub backing** | 15 pts | Linked repository health |
### Risk flags
- **CRITICAL** — sole maintainer + >10M weekly downloads (the exact attack profile from litellm, axios, chalk incidents)
- **HIGH** — new package (<1yr) + high adoption, or sole maintainer + >1M/wk
- **WARN** — no release in 12+ months (abandonment signal)
## Install
```bash
openclaw plugins install clawhub:@amdal/openclaw-commitment-guard
```
Or from npm:
```bash
openclaw plugins install npm:@amdal/openclaw-commitment-guard
```
## Configuration
In your OpenClaw plugin settings:
| Option | Default | Description |
|--------|---------|-------------|
| `apiUrl` | `https://poc-backend.amdal-dev.workers.dev` | Commit scoring API endpoint |
| `blockThreshold` | `30` | Score below this = blocked |
| `warnThreshold` | `50` | Score below this = warning |
| `blockOnCritical` | `true` | Block packages flagged CRITICAL |
| `enabled` | `true` | Toggle on/off |
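The risk-flag rules above and the threshold options in this table combine into one gating decision. The following is an added reference implementation of that decision, not the plugin's own code: the package record shape, the cutoff used for "high adoption", the precedence between a CRITICAL flag and the score thresholds, and the sample packages are all assumptions.

```javascript
// Added example (not the plugin's own code): reference decision logic that
// mirrors the README's configuration options and risk-flag rules. The package
// record shape, the "high adoption" cutoff and the sample data are assumptions.
const DEFAULTS = { blockThreshold: 30, warnThreshold: 50, blockOnCritical: true, enabled: true };
const HIGH_ADOPTION_WEEKLY = 100_000; // assumed; the README does not quantify "high adoption"
const DAY_MS = 24 * 60 * 60 * 1000;

// Derive the README's risk flags from behavioral signals (timestamps in epoch ms).
function riskFlags(pkg, now) {
  const flags = [];
  const ageYears = (now - pkg.createdAt) / (365 * DAY_MS);
  const monthsIdle = (now - pkg.lastReleaseAt) / (30 * DAY_MS);
  const sole = pkg.maintainers === 1;
  if (sole && pkg.weeklyDownloads > 10_000_000) {
    flags.push("CRITICAL"); // sole maintainer + >10M weekly downloads
  } else if ((ageYears < 1 && pkg.weeklyDownloads >= HIGH_ADOPTION_WEEKLY) ||
             (sole && pkg.weeklyDownloads > 1_000_000)) {
    flags.push("HIGH"); // new package + high adoption, or sole maintainer + >1M/wk
  }
  if (monthsIdle >= 12) flags.push("WARN"); // no release in 12+ months
  return flags;
}

// Map a 0-100 score plus flags to the finding the before_install hook returns.
// Assumed precedence: CRITICAL flag (if blockOnCritical) > blockThreshold >
// warnThreshold or any remaining flag > info.
function evaluate(score, flags, config = {}) {
  const cfg = { ...DEFAULTS, ...config };
  if (!cfg.enabled) return { level: "info", block: false, reason: "guard disabled" };
  if (cfg.blockOnCritical && flags.includes("CRITICAL")) return { level: "critical", block: true, reason: "flagged CRITICAL" };
  if (score < cfg.blockThreshold) return { level: "critical", block: true, reason: `score ${score} < blockThreshold ${cfg.blockThreshold}` };
  if (score < cfg.warnThreshold || flags.length > 0) return { level: "warn", block: false, reason: `score ${score}, flags [${flags.join(",")}]` };
  return { level: "info", block: false, reason: `score ${score}` };
}

// Constructed sample records (not real registry data), evaluated at a fixed "now".
const NOW = Date.UTC(2025, 0, 1);
const SAMPLE = {
  "sole-giant":    { score: 58, maintainers: 1, weeklyDownloads: 25_000_000, createdAt: Date.UTC(2014, 0, 1), lastReleaseAt: Date.UTC(2024, 10, 1) },
  "fresh-popular": { score: 41, maintainers: 3, weeklyDownloads: 400_000, createdAt: Date.UTC(2024, 8, 1), lastReleaseAt: Date.UTC(2024, 11, 1) },
  "stale-team":    { score: 22, maintainers: 4, weeklyDownloads: 5_000, createdAt: Date.UTC(2016, 0, 1), lastReleaseAt: Date.UTC(2022, 0, 1) },
  "healthy":       { score: 82, maintainers: 5, weeklyDownloads: 2_000_000, createdAt: Date.UTC(2012, 0, 1), lastReleaseAt: Date.UTC(2024, 11, 15) },
};

// Evaluate every sample package under a given config; returns { name: finding }.
function auditSample(config = {}) {
  return Object.fromEntries(Object.entries(SAMPLE).map(
    ([name, pkg]) => [name, evaluate(pkg.score, riskFlags(pkg, NOW), config)]));
}
```

With defaults, `sole-giant` is blocked on its CRITICAL flag despite a passing score, `stale-team` is blocked on score alone, `fresh-popular` warns, and `healthy` passes; setting `blockOnCritical: false` downgrades `sole-giant` to a warning.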
## Manual audit tool
The plugin also registers a `commitment_audit` tool you can use from any OpenClaw agent:
```
> Audit these packages for supply chain risk: chalk, axios, lodash, express
```
Returns a scored risk table with CRITICAL/HIGH/WARN flags.
## Background
Built after [RFC #55342](https://github.com/openclaw/openclaw/issues/55342) was closed with feedback from @steipete that behavioral reputation belongs as a ClawHub plugin using the `before_install` hook, not in OpenClaw core.
Uses the [Commit protocol](https://getcommit.dev) for behavioral scoring — the same system that flagged chalk, axios, and litellm as CRITICAL before their supply chain incidents.
## License
MIT