GoPlus AgentGuard Security Policy

June 17, 2026 · View on GitHub

Unified security policy reference for all platforms (Claude Code, OpenClaw, and future integrations).


1. Overview

Design Principles

  1. Defense in Depth: Multiple layers of protection (static scan, runtime evaluation, trust registry)
  2. Fail-Secure: Unknown or ambiguous actions default to denial/confirmation
  3. Least Privilege: Skills receive minimal capabilities by default
  4. User Sovereignty: Users always retain final approval authority

Three-Module Architecture

ModulePurposeWhen Invoked
Static ScannerDetect malicious patterns in code/promptsBefore execution (/agentguard scan)
Action EvaluatorRuntime policy decisions on agent actionsOn tool calls (hooks)
Trust RegistrySkill identity and capability attestationSkill invocation & lookup

2. Protection Levels

Configure via /agentguard config <level>:

LevelDescriptionDENY BehaviorCONFIRM Behavior
strictMaximum security. All risk operations blocked.BlockBlock (treated as deny)
balanced (default)Critical threats blocked, high-risk prompts user.BlockPrompt user
permissiveOnly critical threats blocked, others prompt.Block if critical; else promptPrompt if high/critical

Decision Matrix

Risk Levelstrictbalancedpermissive
critical + DENYBlockBlockBlock
critical + CONFIRMBlockPromptPrompt
high + DENYBlockBlockPrompt
high + CONFIRMBlockPromptPrompt
medium + DENYBlockBlockPrompt
medium + CONFIRMBlockPromptAllow
lowAllowAllowAllow

3. Decision Framework

Decision Types

DecisionMeaningTypical Outcome
ALLOWSafe to proceedAction executes
DENYMust not proceedAction blocked (error to agent)
CONFIRMRequires user approvalPrompt user for confirmation

Risk Levels

LevelPriority RangeDescription
critical90-100Immediate block — private keys, destructive commands
high70-89Strong risk — API secrets, untrusted network exfil
medium50-69Moderate risk — system commands, network activity
low0-49Minimal risk — safe/read-only operations

4. Runtime Action Rules (ActionScanner)

4.1 Command Execution (exec_command)

Safe Commands (Always ALLOW)

Commands matching the safe list are allowed without restriction, unless they contain shell metacharacters or access sensitive paths.

CategoryCommands
Read-onlyls, echo, pwd, whoami, date, hostname, uname, tree, du, df, sort, uniq, diff, cd
File inspectioncat, head, tail, wc, grep, find, which, type
File operationsmkdir, cp, mv, touch
Gitgit status, git log, git diff, git branch, git show, git remote, git clone, git checkout, git pull, git fetch, git merge, git add, git commit, git push
Package managersnpm install, npm run, npm test, npm ci, npm start, npx, yarn, pnpm, pip install, pip3 install
Version checksnode -v, npm -v, python --version, tsc --version, go version, rustc --version, java -version
Build & runtsc, go build, go run, cargo build, cargo run, cargo test, make

Shell metacharacters that disqualify safe commands: ;, |, &, `, $, (, ), {, }

Dangerous Commands (Always DENY — Critical)

PatternDescription
rm -rf / rm -frRecursive delete
mkfsFormat filesystem
dd if=Raw disk write
:(){:|:&};:Fork bomb (with space variants)
chmod 777 / chmod -R 777World-writable permissions
> /dev/sdaDisk overwrite
mv /* Move root contents
High-risk curl/wget|sh/bashDownload and execute with hard indicators such as HTTP, IP hosts, variable URLs, short links, punycode, eval, or multiple soft-risk signals

Sensitive Data Access (High Risk — CONFIRM)

PatternTarget
cat /etc/passwdUser database
cat /etc/shadowPassword hashes
cat ~/.sshSSH keys
cat ~/.awsAWS credentials
cat ~/.kubeKubernetes config
cat ~/.npmrcnpm auth tokens
cat ~/.netrcNetwork credentials
printenv / env / setAll environment variables

System Commands (Medium Risk — Audit)

sudo, su, chown, chmod, chgrp, useradd, userdel, groupadd, passwd, visudo, systemctl, service, init, shutdown, reboot, halt

Network Commands (Medium Risk — Audit)

curl, wget, nc/netcat/ncat, ssh, scp, rsync, ftp, sftp

Shell Injection Patterns (Medium Risk)

PatternDescription
; commandCommand separator
| commandPipe
`command`Backtick execution
$(command)Command substitution
&& commandConditional chain
|| commandOr chain

4.2 Network Requests (network_request)

Webhook / Exfiltration Domains (DENY unless allowlisted)

DomainService
discord.com / discordapp.comDiscord webhooks
api.telegram.orgTelegram bot API
hooks.slack.comSlack webhooks
webhook.siteWebhook testing
requestbin.comRequest inspection
pipedream.comWorkflow automation
ngrok.io / ngrok-free.appTunneling
beeceptor.comAPI mocking
mockbin.orgHTTP mocking

High-Risk TLDs (Medium → High with POST/PUT)

.xyz, .top, .tk, .ml, .ga, .cf, .gq, .work, .click, .link

Request Body Secret Scanning

Secret TypePriorityRisk LevelDecision
Private Key (0x + 64 hex)100criticalDENY
Mnemonic (12-24 BIP-39 words)100criticalDENY
SSH Private Key (-----BEGIN.*PRIVATE KEY)90criticalDENY
AWS Secret Key (40-char near AWS context)80highCONFIRM
AWS Access Key (AKIA[0-9A-Z]{16})70highCONFIRM
GitHub Token (gh[pousr]_...)70highCONFIRM
Bearer/JWT Token (ey...)60mediumCONFIRM
API Secret (generic patterns)50mediumCONFIRM
DB Connection String50mediumCONFIRM
Password in Config40lowCONFIRM

Network Decision Logic

  1. Invalid URL → DENY (high)
  2. Domain in webhook list & not allowlisted → DENY (high)
  3. Body contains private key / mnemonic / SSH key → DENY (critical)
  4. Body contains other secrets → risk based on priority
  5. High-risk TLD & not allowlisted → CONFIRM (medium)
  6. POST/PUT to untrusted domain → escalate medium → high
  7. Domain in allowlist → ALLOW (low)

Social Account Actions

Mutating requests to X/Twitter or TweetClaw social account endpoints receive the SOCIAL_ACCOUNT_ACTION risk tag and escalate to high risk. These actions can post tweets, post tweet replies, send direct messages, upload media, create monitors, register webhooks, or run giveaway draws, so balanced mode prompts the operator before execution instead of silently allowing the request.

ExampleRisk
POST https://api.twitter.com/2/tweetshigh
POST https://xquik.com/api/v1/x/tweetshigh
POST https://xquik.com/api/v1/x/dm/12345high
POST https://xquik.com/api/v1/x/mediahigh
POST https://xquik.com/api/v1/monitorshigh
POST https://xquik.com/api/v1/webhookshigh
POST https://xquik.com/api/v1/drawshigh

Read-only TweetClaw requests such as tweet search, user lookup, or follower export remain low risk unless they hit another rule such as secret scanning, high-risk TLD handling, or webhook exfiltration.


4.3 File Operations (read_file / write_file)

Sensitive Paths (DENY or CONFIRM based on level)

Path PatternDescription
.env, .env.local, .env.productionEnvironment secrets
.ssh/, id_rsa, id_ed25519SSH keys
.aws/credentials, .aws/configAWS credentials
.npmrc, .netrcPackage/network auth
credentials.json, serviceAccountKey.jsonService accounts
.kube/configKubernetes config

4.4 Secret Leak Detection Priority

Secret TypePriorityRisk Level
PRIVATE_KEY100critical
MNEMONIC100critical
SSH_KEY90critical
AWS_SECRET80high
AWS_KEY70high
GITHUB_TOKEN70high
BEARER_TOKEN60medium
API_SECRET50medium
DB_CONNECTION50medium
PASSWORD_CONFIG40low

4.5 Web3 Operations (web3_tx / web3_sign)

GoPlus Integration

CheckDescriptionTrigger → Action
Phishing SiteOrigin URL on phishing listPHISHING_ORIGIN → DENY (critical)
Malicious AddressTarget address blacklistedMALICIOUS_ADDRESS → DENY (critical)
Honeypot RelatedAddress associated with honeypotHONEYPOT_RELATED → flag (high)
Unlimited ApprovalToken approval for max uint256UNLIMITED_APPROVAL → CONFIRM (high)
Simulation FailedTransaction simulation errorSIMULATION_FAILED → flag (medium)

Environment Variables

GOPLUS_API_KEY=your_key         # Required for simulation
GOPLUS_API_SECRET=your_secret   # Required for simulation

Degradation Strategy

When GoPlus is unavailable:

  1. SIMULATION_UNAVAILABLE tag is set
  2. Decision falls back to policy-based rules only
  3. Capability model and secret scanning still apply

5. Static Scan Rules (24 Rules)

Critical Severity

RuleIDTarget Files
Auto-Update / Remote Code ExecutionAUTO_UPDATE.js, .ts, .py, .sh, .md
Remote Code LoaderREMOTE_LOADER.js, .ts, .mjs, .py, .md
Read SSH KeysREAD_SSH_KEYSAll
Read Keychain/Browser CredentialsREAD_KEYCHAINAll
Private Key PatternPRIVATE_KEY_PATTERNAll
Mnemonic PatternMNEMONIC_PATTERNAll
Wallet DrainingWALLET_DRAINING.js, .ts, .sol
Prompt InjectionPROMPT_INJECTIONAll
Webhook Exfiltration URLWEBHOOK_EXFILAll
Trojan DistributionTROJAN_DISTRIBUTION.md

High Severity

RuleIDTarget Files
Shell ExecutionSHELL_EXEC.js, .ts, .mjs, .cjs, .py, .md
Unlimited ApprovalUNLIMITED_APPROVAL.js, .ts, .sol
Dangerous SelfdestructDANGEROUS_SELFDESTRUCT.sol
Reentrancy PatternREENTRANCY_PATTERN.sol
Signature ReplaySIGNATURE_REPLAY.sol
ObfuscationOBFUSCATION.js, .ts, .mjs, .py, .md
Unrestricted Network ExfilNET_EXFIL_UNRESTRICTED.js, .ts, .mjs, .py, .md
Suspicious Paste URLSUSPICIOUS_PASTE_URLAll

Medium Severity

RuleIDTarget Files
Read Environment SecretsREAD_ENV_SECRETS.js, .ts, .mjs, .py
Hidden TransferHIDDEN_TRANSFER.sol
Proxy UpgradePROXY_UPGRADE.sol, .js, .ts
Flash Loan RiskFLASH_LOAN_RISK.sol, .js, .ts
Suspicious IP AddressSUSPICIOUS_IPAll
Social EngineeringSOCIAL_ENGINEERING.md

6. Trust Registry & Capability Model

Trust Levels

LevelPriorityDescription
untrusted0Unknown skill — read-only access only
restricted1Limited capabilities — per attestation
trusted2Full capabilities within attestation

Capability Model Structure

interface CapabilityModel {
  network_allowlist: string[];      // Allowed domains (glob patterns)
  filesystem_allowlist: string[];   // Allowed paths (glob patterns)
  exec: 'allow' | 'deny';           // Command execution
  secrets_allowlist: string[];      // Allowed secret patterns
  web3?: {
    chains_allowlist: number[];     // Chain IDs
    rpc_allowlist: string[];        // RPC endpoints
    tx_policy: 'allow' | 'confirm_high_risk' | 'deny';
  };
}

Capability Presets

none — Most Restrictive

{
  "network_allowlist": [],
  "filesystem_allowlist": [],
  "exec": "deny",
  "secrets_allowlist": []
}

read_only

{
  "network_allowlist": [],
  "filesystem_allowlist": ["./**"],
  "exec": "deny",
  "secrets_allowlist": []
}

trading_bot

{
  "network_allowlist": [
    "api.binance.com", "api.bybit.com", "api.okx.com",
    "api.coinbase.com", "*.dextools.io", "*.coingecko.com"
  ],
  "filesystem_allowlist": ["./config/**", "./logs/**"],
  "exec": "deny",
  "secrets_allowlist": ["*_API_KEY", "*_API_SECRET"],
  "web3": {
    "chains_allowlist": [1, 56, 137, 42161],
    "rpc_allowlist": ["*"],
    "tx_policy": "confirm_high_risk"
  }
}

defi

{
  "network_allowlist": ["*"],
  "filesystem_allowlist": [],
  "exec": "deny",
  "secrets_allowlist": [],
  "web3": {
    "chains_allowlist": [1, 56, 137, 42161, 10, 8453, 43114],
    "rpc_allowlist": ["*"],
    "tx_policy": "confirm_high_risk"
  }
}

Capability Enforcement

Action TypeCapability Check
exec_commandcan_exec !== false
network_requestcan_network !== false
write_filecan_write !== false
read_filecan_read !== false
web3_tx / web3_signcan_web3 !== false

7. Platform Integration

7.1 Claude Code

Hook Events: PreToolUse, PostToolUse

Tool Mapping:

Claude Code ToolAction Type
Bashexec_command
Writewrite_file
Editwrite_file
WebFetchnetwork_request
WebSearchweb_search

Configuration (~/.claude/settings.json):

{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": { "tool_name": "*" },
        "hooks": ["agentguard-hook"]
      }
    ]
  }
}

7.2 OpenClaw

Hook Events: before_tool_call, after_tool_call

Tool Mapping:

OpenClaw ToolAction Type
exec / exec_*exec_command
writewrite_file
readread_file
web_fetchnetwork_request
browsernetwork_request

Auto-Scan & Registration:

When AgentGuard registers as an OpenClaw plugin, it automatically:

  1. Scans all loaded plugins - Static analysis of each plugin's source code
  2. Determines trust level - Based on scan results (critical findings → untrusted)
  3. Infers capabilities - Based on registered tools and scan risk level
  4. Registers to trust registry - Auto-attests each plugin
  5. Builds tool mapping - Maps toolName → pluginId for initiating skill inference

Trust Level Assignment:

Scan ResultTrust LevelCapabilities
critical / dangerous patternsuntrustedread-only
high riskrestrictedlimited per scan
medium riskrestrictedlimited per scan
low risktrustedfull per tool type

Configuration (Plugin registration):

import { registerOpenClawPlugin } from '@goplus/agentguard';

// Basic registration (auto-scan enabled)
registerOpenClawPlugin(api);

// With options
registerOpenClawPlugin(api, {
  level: 'balanced',        // Protection level
  skipAutoScan: false,      // Set true to disable auto-scanning
});

Exported Utilities:

import {
  getPluginIdFromTool,    // Get plugin ID from tool name
  getPluginScanResult,    // Get cached scan result for plugin
} from '@goplus/agentguard';

8. Quick Reference Tables

Always Block (Critical — DENY)

CategoryRules
Destructive commandsrm -rf, mkfs, dd if=, fork bomb, chmod 777, high-risk curl/wget|sh/bash
Key exfiltrationPrivate keys (0x+64 hex), mnemonics (12-24 BIP39), SSH keys
Webhook exfilDiscord/Telegram/Slack webhooks (unless allowlisted)
Prompt injectionignore previous instructions, jailbreak attempts
Malicious addressesGoPlus-flagged phishing/blacklisted addresses

Require Confirmation (High — CONFIRM in balanced)

CategoryRules
Sensitive data accesscat /etc/passwd, cat ~/.ssh, env, printenv
API key leakageAWS/GitHub/Bearer tokens in request body
Untrusted domainsPOST/PUT to non-allowlisted domains
Web3 high-riskUnlimited approval, unknown spender
Untrusted skillsSkills not in trust registry
Remote script executionOrdinary curl/wget|sh/bash, including known installer sources

Audit but Allow (Medium — ALLOW with logging)

CategoryRules
Install commandsnpm install, pip install, git clone
System commandssudo, systemctl, chmod
Network commandscurl, wget, ssh
Shell metacharactersCommands with pipes, semicolons, etc.

Safe Pass-through (Low — ALLOW)

CategoryCommands
Read-onlyls, cat, grep, find, pwd, whoami
Git operationsgit status, git log, git diff, git add, git commit, git push
Build commandsnpm run, npm test, tsc, go build, cargo build
Version checksnode -v, npm -v, python --version

9. Default Policy Summary

# Secret Exfiltration
secret_exfil:
  private_key: DENY (always)
  mnemonic: DENY (always)
  ssh_key: DENY (always)
  api_secret: CONFIRM

# Command Execution
exec_command:
  dangerous: DENY (always)
  safe_list: ALLOW
  default: evaluate by capability

# Network
network:
  webhook_domain: DENY (unless allowlisted)
  body_contains_secret: DENY/CONFIRM by priority
  untrusted_domain: CONFIRM

# Web3
web3:
  phishing_origin: DENY
  malicious_address: DENY
  unlimited_approval: CONFIRM
  unknown_spender: CONFIRM

# File Operations
file:
  sensitive_path_write: DENY/CONFIRM by level
  read: ALLOW (unless sensitive)

10. Changelog

DateVersionChanges
2025-021.0.0Initial unified policy document

This document consolidates security policies from skills/agentguard/action-policies.md, skills/agentguard/scan-rules.md, and implementation in src/action/detectors/.