Live Security Medium OpenClaw

OpenClaw Action Gate

The installable OpenClaw plugin behind Action Gate.

The OpenClaw-side runtime plugin for the Action Gate project. Hooks before_incoming_action, before_outbound_message, and after_outbound_message, applies the per-scope action-gate.json policy, and writes a per-decision audit record. This is the package you actually install; the Action Gate page on SuperAda documents the contract and use cases, this page documents the package.

ClawHub download
This plugin is mirrored to the h-mascot ClawHub account for install-from-the-page convenience.
The ClawHub package is regenerated by scripts/sync-superada-to-clawhub.mjs on every push to main.
Source

h-mascot/agent-action-gate (plugins/openclaw-action-gate)

Canonical source: https://github.com/h-mascot/agent-action-gate/tree/main/plugins/openclaw-action-gate

Supported platforms
OpenClaw
OpenClaw plugin hooks (before_incoming_action, before_outbound_message, after_outbound_message).
Prerequisites
Runtime: OpenClaw 2026.4+
Required plugin hook surface (before_incoming_action, before_outbound_message, after_outbound_message).
Secret: Bot token for the protected scope
A live bot credential with send authority on the shared channel or thread you want to protect.
Access: Owner scope decision
A human-readable answer to "who is the owner of this scope right now?" The plugin will not pick an owner for you.
Dependency: pnpm
The plugin is a TypeScript pnpm workspace member; pnpm install and pnpm run build are required to produce dist/index.js.
Install

One-shot install into a host plugins/ directory, then the auto installer registers the plugin with the running runtime.

git clone --depth=1 https://github.com/h-mascot/agent-action-gate.git /tmp/agent-action-gate && mkdir -p plugins && cp -R /tmp/agent-action-gate/plugins/openclaw-action-gate plugins/openclaw-action-gate && (cd plugins/openclaw-action-gate && pnpm install --prod && pnpm run build) && openclaw plugins enable openclaw-action-gate
Step 1
Clone the canonical Action Gate source
Fetch the agent-action-gate repo into a scratch directory on the host that runs the protected agent.
git clone --depth=1 https://github.com/h-mascot/agent-action-gate.git /tmp/agent-action-gate
Step 2
Stage the OpenClaw plugin
Copy plugins/openclaw-action-gate into a stable plugins/ directory.
mkdir -p plugins && cp -R /tmp/agent-action-gate/plugins/openclaw-action-gate plugins/openclaw-action-gate
Step 3
Install and build the plugin
pnpm install + pnpm run build produces the dist/index.js the gateway loads.
cd plugins/openclaw-action-gate && pnpm install --prod && pnpm run build
Step 4
Enable the plugin and write a policy file
openclaw plugins enable registers the hooks, and action-gate.json declares the owner_agent and non_owner policy for the protected scope.
openclaw plugins enable openclaw-action-gate && cat > action-gate.json <<'JSON'
{
  "scopes": {
    "shared-room": {
      "owner_agent": "book",
      "mode": "enforce",
      "non_owner": "deny"
    }
  }
}
JSON
Verification

Configuration is what you wanted. Enforcement is what happened. The verify script is the receipt.

bash plugins/openclaw-action-gate/scripts/verify.sh --scope shared-room --non-owner ada
Check 1
Plugin loaded with required hooks
openclaw plugins list must include openclaw-action-gate, and openclaw plugins inspect must show all three required hooks.
openclaw plugins list | grep openclaw-action-gate && openclaw plugins inspect openclaw-action-gate --hooks
Expected: openclaw-action-gate enforce plugins/openclaw-action-gate | before_incoming_action, before_outbound_message, after_outbound_message
Check 2
Non-owner send is denied before the message leaves the runtime
A second agent identity attempting to publish into the protected scope must be denied with reason non_owner.
bash plugins/openclaw-action-gate/scripts/verify.sh --scope shared-room --non-owner ada
Expected: decision=deny reason=non_owner audit=recorded
Check 3
Owner send still passes
The declared owner must still be allowed to publish into the protected scope.
bash plugins/openclaw-action-gate/scripts/verify.sh --scope shared-room --owner book --send "ack"
Expected: decision=allow reason=owner audit=recorded
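A pre-flight check for the action-gate.json written in Step 4, plus the decision Checks 2 and 3 should report for a given agent. This is an added example, not the plugin's own code: lintPolicy and expectedDecision are hypothetical helpers, and treating any value other than the page's "enforce" and "deny" as a finding is an assumption.

```typescript
// Added example, not the plugin's code. Field names and the values "enforce"
// and "deny" come from the action-gate.json on this page; treating any other
// value as a finding is this example's assumption.
type Scope = { owner_agent?: unknown; mode?: unknown; non_owner?: unknown };
type Policy = { scopes?: Record<string, Scope | null> };

function lintPolicy(text: string): string[] {
  let policy: Policy | null;
  try {
    policy = JSON.parse(text);
  } catch (err) {
    return ["policy is not valid JSON: " + (err as Error).message];
  }
  const scopes = policy?.scopes;
  if (typeof scopes !== "object" || scopes === null || Array.isArray(scopes)) {
    return ['top-level "scopes" object is missing'];
  }
  const findings: string[] = [];
  const names = Object.keys(scopes);
  if (names.length === 0) findings.push("no scopes declared, nothing is protected");
  for (const name of names) {
    const s = scopes[name] ?? {};
    if (typeof s.owner_agent !== "string" || s.owner_agent.trim() === "") {
      findings.push(`${name}: owner_agent is missing or empty`);
    }
    if (s.mode !== "enforce") findings.push(`${name}: mode is not "enforce"`);
    if (s.non_owner !== "deny") findings.push(`${name}: non_owner is not "deny"`);
  }
  return findings;
}

// Decision the verify checks should report for `agent`, or null when the
// policy fails lint or does not declare `scope` (no receipt can be predicted).
function expectedDecision(text: string, scope: string, agent: string): string | null {
  if (lintPolicy(text).length > 0) return null;
  const scopes = (JSON.parse(text) as Policy).scopes!;
  if (!Object.prototype.hasOwnProperty.call(scopes, scope)) return null;
  return scopes[scope]!.owner_agent === agent
    ? "decision=allow reason=owner"
    : "decision=deny reason=non_owner";
}

// Constructed inputs: the page's policy, and a drifted copy with no owner.
const PAGE_POLICY = '{"scopes":{"shared-room":{"owner_agent":"book","mode":"enforce","non_owner":"deny"}}}';
const DRIFTED = '{"scopes":{"shared-room":{"owner_agent":"","mode":"enforce"}}}';
console.log(lintPolicy(PAGE_POLICY), lintPolicy(DRIFTED));
console.log(expectedDecision(PAGE_POLICY, "shared-room", "ada"));
```

Run it against the policy file before reloading the gateway, and compare the predicted decision with what scripts/verify.sh prints for the same scope and agent.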
Uninstall / rollback

Disable the plugin in the running runtime first, then remove the staged plugin directory. The audit store stays so you can prove the rollout happened.

openclaw plugins disable openclaw-action-gate && rm -rf plugins/openclaw-action-gate /home/henrymascot/.openclaw/plugins/openclaw-action-gate

What this package is

openclaw-action-gate is the installable OpenClaw runtime plugin for the Action Gate project. The SuperAda Action Gate page documents the contract and use cases; this page documents the package you actually install. The plugin is the OpenClaw half of a two-runtime enforcement story; the Hermes half (hermes-action-gate) is exposed on this site as a Draft entry while its hard-egress wrappers are still landing.

  • TypeScript pnpm workspace member that produces dist/index.js.
  • Hooks before_incoming_action, before_outbound_message, and after_outbound_message.
  • Reads action-gate.json from the working directory of the protected agent.
  • Writes a per-decision audit record so the operator can prove what the runtime actually did.

Why it is on ClawHub

The page is the contract, the install command is the contract, and the package itself is on ClawHub as superada-plugin-openclaw-action-gate so a visitor can grab the bundle straight from this page without leaving to clone the repo. The ClawHub package is regenerated by scripts/sync-superada-to-clawhub.mjs and includes a synthesized SKILL.md because the plugin source itself ships only the TypeScript implementation, not an agent-installable SKILL.md bundle.

Operational caveats

The plugin is part of a larger enforcement story that also expects protected public sends to fail closed on the second runtime (Hermes) until the second runtime is actually enforcing. A green receipt from OpenClaw and noise from Hermes means the gate is partial. Block the second writer or extend the plugin install before claiming the scope is protected.

  • Enforcement is two-runtime by design; partial installs are not enforcement.
  • Hard wrappers around direct CLI send paths are out of scope for this package; use scripts/verify.sh --probe-direct-paths to see which paths are not covered.
  • The action-gate.json policy is the source of truth; reload the gateway after editing it.