Source Code
Claw Permission Firewall
Runtime least-privilege firewall for agent/skill actions. It evaluates a requested action and returns one of:
- ALLOW (safe to execute)
- DENY (blocked by policy)
- NEED_CONFIRMATION (risky; require explicit confirmation)
It also returns a sanitizedAction with secrets redacted, plus a structured audit record.
This is not a gateway hardening tool. It complements gateway security scanners by enforcing per-action policy at runtime.
Inputs
Provide an action object to evaluate:
{
"traceId": "optional-uuid",
"caller": { "skillName": "SomeSkill", "skillVersion": "1.2.0" },
"action": {
"type": "http_request | file_read | file_write | exec",
"method": "GET|POST|PUT|DELETE",
"url": "https://api.github.com/...",
"headers": { "authorization": "Bearer ..." },
"body": "...",
"path": "./reports/out.json",
"command": "rm -rf /"
},
"context": {
"workspaceRoot": "/workspace",
"mode": "strict | balanced | permissive",
"confirmed": false
}
}
Outputs
{
"decision": "ALLOW | DENY | NEED_CONFIRMATION",
"riskScore": 0.42,
"reasons": [{"ruleId":"...","message":"..."}],
"sanitizedAction": { "...": "..." },
"confirmation": { "required": true, "prompt": "..." },
"audit": { "traceId":"...", "policyVersion":"...", "actionFingerprint":"..." }
}
Default policy behavior (v1)
- Exec disabled by default
- HTTP requires TLS
- Denylist blocks common exfil hosts (pastebins, raw script hosts)
- File access is jailed to workspaceRoot
- Always redacts
Authorization,Cookie,X-API-Key, and common token patterns
Recommended usage pattern
- Your skill creates an action object.
- Call this skill to evaluate it.
- If ALLOW โ execute sanitizedAction.
- If NEED_CONFIRMATION โ ask user and re-run with
context.confirmed=true. - If DENY โ stop and show the reasons.
Files
policy.yamlcontains the policy (edit for your environment).