Safety Harness

By evalops

Safety harness plugin for OpenClaw: policy enforcement for exec/fs/net + audit logging

# OpenClaw Safety Harness (Plugin)

Drop-in **OpenClaw plugin** that enforces safety policy at the **tool-call boundary** (exec/fs/net) and logs every decision to an audit log.

This is meant to be adoptable without forking OpenClaw or merging changes upstream.

## Install

Once published:

```bash
openclaw plugins install @evalops/openclaw-safety-harness
openclaw gateway restart
```

Local dev install:

```bash
openclaw plugins install /absolute/path/to/openclaw-safety-harness
openclaw gateway restart
```

## Configure

Edit `~/.openclaw/openclaw.json`:

```json5
{
  "plugins": {
    "entries": {
      "openclaw-safety-harness": {
        "enabled": true,
        "config": {
          "mode": "audit",

          "exec": {
            "deShell": true,
            "requireArgv": false,
            "denyShell": true,
            "denyBins": [
              "bash",
              "sh",
              "zsh",
              "sudo",
              "ssh",
              "scp",
              "curl",
              "wget"
            ],
            "forceSecurity": "allowlist",
            "forceAsk": "on-miss"
          },

          "fs": {
            "workspaceOnly": true,
            "deny": ["~/.ssh/**", "~/.openclaw/credentials/**"]
          },

          "net": {
            "denyPrivateIps": true,
            "denyHosts": ["localhost", "127.0.0.1"]
          }
        }
      }
    }
  }
}
```

Then restart the Gateway.

## What It Does

1. **Tool allow/deny**
   - Optional `tools.allow` and `tools.deny` with glob-style patterns (example: `web_*`).

2. **Exec hardening**
   - **De-shelling**: converts safe `exec.command` strings into `exec.argv` automatically (shell-free execution).
   - Optional `exec.requireArgv` (block command strings in enforce mode).
   - Optional `exec.denyShell` (block command strings in enforce mode).
   - Bin allow/deny via `exec.allowBins` / `exec.denyBins`.
   - Can force OpenClaw’s built-in exec approval settings by mutating tool params: `exec.forceSecurity`, `exec.forceAsk`, `exec.forceHost`.

3. **FS policy**
   - Defaults to `fs.workspaceOnly=true`.
   - Optional allowlists (`fs.allowRead`, `fs.allowWrite`) and denylist (`fs.deny`) using glob-style patterns.
   - Applies to `read`, `write`, `edit`, and `apply_patch` (extracts paths from patch text).

4. **Net policy**
   - Applies to `web_fetch.url` and `browser.targetUrl`.
   - Optional host allow/deny and best-effort private IP literal blocking.

5. **Skill capability contracts (frontmatter)**
   - If a skill’s `SKILL.md` declares any of these keys, the harness enforces them for that session once the skill is activated (inferred by observing a successful `read` of `SKILL.md`):
     - `allowed-tools`
     - `allowed-exec-bins`
     - `allowed-fs-read`
     - `allowed-fs-write`
     - `allowed-net-hosts`
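
To make the exec hardening step concrete, here is an added sketch of de-shelling followed by a `denyBins` check. It is not the plugin's source: the names `deShell` and `checkExec` are hypothetical, and the rule for what counts as a "safe" command string is an assumption.

```javascript
// Added example, not the plugin's source. deShell/checkExec and the "safe" rule are assumptions.
// Characters a shell would interpret: pipes, redirects, substitution, globs, expansion, separators.
const SHELL_META = /[|&;<>()$`\\*?[\]{}~#!]/;

// Same list as denyBins in the config above.
const DENY_BINS = ["bash", "sh", "zsh", "sudo", "ssh", "scp", "curl", "wget"];

// Turn a command string into argv, or return null when it would need a shell.
function deShell(command) {
  const s = command.trim();
  if (s === "" || /[\r\n]/.test(s)) return null;    // empty or multi-line: refuse
  const token = /'([^']*)'|"([^"]*)"|([^\s'"]+)/y;   // one quoted or bare word
  const argv = [];
  let pos = 0;
  while (pos < s.length) {
    token.lastIndex = pos;
    const m = token.exec(s);
    if (!m) return null;                             // unbalanced quote
    const [, sq, dq, bare] = m;
    // Single-quoted text is literal; anything else must be free of metacharacters.
    // Rejecting them inside double quotes too is deliberately conservative.
    const unsafe = dq ?? bare;
    if (unsafe !== undefined && SHELL_META.test(unsafe)) return null;
    argv.push(sq ?? dq ?? bare);
    pos = token.lastIndex;
    // Words glued together (a"b") concatenate in a shell; refuse rather than guess.
    if (pos < s.length && !/\s/.test(s[pos])) return null;
    while (pos < s.length && /\s/.test(s[pos])) pos++;
  }
  // An empty program name or a leading VAR=value assignment is not a program to run.
  return argv[0] === "" || argv[0].includes("=") ? null : argv;
}

// Decide on an exec request: de-shell first, then match the basename of argv[0].
function checkExec(command, denyBins = DENY_BINS) {
  const argv = deShell(command);
  if (argv === null) return { allow: false, reason: "needs-shell" };
  const bin = argv[0].split("/").pop();              // "/usr/bin/curl" -> "curl"
  if (denyBins.includes(bin)) return { allow: false, reason: `denied-bin:${bin}` };
  return { allow: true, argv };
}

console.log(checkExec("git status --short"));
console.log(checkExec("cat notes.txt | sh"));
console.log(checkExec("/usr/bin/curl https://example.com"));
```

Because the deny check in this sketch only sees `argv[0]`, pairing it with `exec.allowBins` gives a tighter policy than a denylist alone.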

## Commands

The plugin registers `/harness`:

- `/harness status`
- `/harness violations`
- `/harness suggest` (prints a config snippet based on observed usage in this Gateway runtime)

## Notes

- Start with `mode=audit`, run real workflows, then use `/harness suggest` and tighten into `mode=enforce`.
- This is policy enforcement, not a perfect sandbox. For stronger isolation, prefer OpenClaw sandbox execution (container) and OS-level sandboxing.
