← 返回
未分类 中文

ScopeBlind Passport

Signed access control for your OpenClaw agent. Wraps MCP tool calls through protect-mcp to add per-tool policies, signed receipts, and trust tiers. Every act...
为您的 OpenClaw 代理提供签名访问控制。通过 protect-mcp 封装 MCP 工具调用,添加按工具策略、签名收据和信任层级。每项操作...
tomjwxf tomjwxf 来源
未分类 clawhub v0.4.1 1 版本 100000 Key: 无需
★ 0
Stars
📥 432
下载
💾 0
安装
1
版本
#latest

概述

ScopeBlind Passport — Signed Access Control for Your Agent

What This Skill Does

This skill wraps your OpenClaw agent's MCP tool calls through protect-mcp, adding:

  • Shadow mode — logs every tool call with a signed receipt (blocks nothing by default)
  • Per-tool policies — block, rate-limit, or require approval for specific tools
  • Signed receipts — Ed25519-signed, JCS-canonicalized proof of every decision
  • Trust tiers — available for advanced configurations to gate tool access by verified track record
  • Local daily digest — human-readable summary of what your agent did

> Any platform can log what its agents do. Very few will let you verify those logs without trusting them.

When to Use This Skill

Use this skill when:

  • You want to know what your agent did while you weren't watching
  • You need signed, tamper-proof proof of agent actions for compliance or auditing
  • You want to block dangerous tools (delete_database, send_email_as_ceo, rm_rf)
  • You want rate limits on expensive or risky operations
  • You want a daily summary of your agent's activity

Do NOT Use This Skill When

  • You only want basic OpenClaw built-in allowlists (those work fine for simple cases)
  • You don't need signed cryptographic proof (just want logs, not receipts)

Setup

Fast path (recommended)

If you already have an OpenClaw config, generate a passported wrapper pack first:

npx @scopeblind/passport wrap --runtime openclaw --config ./openclaw.json --policy email-safe

That writes:

  • wrapped-config.json
  • manifest.json
  • passport.bundle.json
  • protect-mcp.json
  • keys/gateway.json
  • VERIFY.md

Copy the mcpServers entries from wrapped-config.json into your OpenClaw config.

First Run (generates signing keys + default policy)

npx protect-mcp init

This creates:

  • keys/gateway.json — Ed25519 signing keypair (in current directory)
  • protect-mcp.json — default shadow-mode policy (logs everything, blocks nothing)

Wrapping Your MCP Servers

For each MCP server your agent uses, wrap it through protect-mcp. In your OpenClaw MCP config:

Before:

{
  "mcpServers": {
    "filesystem": {
      "command": "node",
      "args": ["filesystem-server.js"]
    }
  }
}

After:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["protect-mcp", "--policy", "protect-mcp.json", "--", "node", "filesystem-server.js"]
    }
  }
}

That's it. Every tool call now produces a signed receipt.

Applying a Policy Pack

To move from shadow mode to enforce mode, copy a policy template and add --enforce:

# Copy a policy template
cp policies/email-safe.json protect-mcp.json

Then update your MCP config args to include --enforce:

"args": ["protect-mcp", "--policy", "protect-mcp.json", "--enforce", "--", "node", "server.js"]

See the policies/ directory for pre-built templates.

Commands

When the user asks you to perform these actions, execute them:

"Show my passport" / "What's my agent identity?"

npx protect-mcp status

Display the output, which shows:

  • Total decisions (allow/deny/rate-limited)
  • Time range of activity
  • Top tools used
  • Trust tiers seen

"What did you do today?" / "Show my daily report"

npx protect-mcp digest --today

Display the local summary, which includes:

  • Actions taken (allowed, blocked, awaiting approval)
  • Tools used and frequency
  • Trust tier status
  • Blocked tools with reasons

"Show my receipts" / "Prove what you did"

npx protect-mcp receipts --last 20

Shows the 20 most recent decisions with tool name, decision, and timestamp.

"Why was that blocked?"

When a tool call is blocked or rate-limited, explain:

  • Which policy rule triggered the block
  • The agent's current trust tier
  • What tier would be needed to use that tool
  • How to request an approval or policy change

Approval Flow

When protect-mcp blocks a high-risk action that has require_approval: true in the policy, it returns:

REQUIRES_APPROVAL: The tool "send_email" requires human approval before execution.
Tell the user you need their approval to use "send_email" and will retry when granted.
Do NOT retry this tool call until the user explicitly approves it.

When you receive this response:

  1. Tell the user: "I need your approval to use [tool_name]. Should I proceed?"
  2. Wait for the user to respond with approval.
  3. When the user approves, grant the approval by running:
# For one-time approval (scoped to this specific request):
curl -s -X POST http://127.0.0.1:9876/approve -H 'Content-Type: application/json' -d '{"request_id":"REQUEST_ID","tool":"TOOL_NAME","mode":"once","nonce":"NONCE"}'

# For always-allow this tool (session-scoped, 24h TTL):
curl -s -X POST http://127.0.0.1:9876/approve -H 'Content-Type: application/json' -d '{"tool":"TOOL_NAME","mode":"always","nonce":"NONCE"}'

Replace REQUEST_ID, TOOL_NAME, and NONCE with the values from the REQUIRES_APPROVAL response.

  1. After granting approval, retry the original tool call. It will now succeed.

When the user denies: Tell them the action was blocked and explain what was prevented.

Check current approvals:

curl -s http://127.0.0.1:9876/approvals

Policy Packs

Pre-built policies are available in the policies/ directory:

PackWhat it does
-------------------
shadow.jsonLog everything, block nothing (default)
web-browsing-safe.jsonRate-limit browsing, require approval for forms, block JS
email-safe.jsonRead freely, require approval to send, block delete
strict.jsonBlock everything except reads (read-only mode)

Verification

Every receipt is independently verifiable. The MIT-licensed verifier requires zero trust in ScopeBlind.

Quick test (no receipts needed)

npx @veritasacta/verify --self-test

Getting receipts to verify

Receipts are available from the local HTTP status server while protect-mcp is running:

# Get the most recent receipt
curl -s http://127.0.0.1:9876/receipts/latest | jq -r '.receipt' > receipt.json

# Get all recent receipts
curl -s http://127.0.0.1:9876/receipts | jq -r '.receipts[0].receipt' > receipt.json

If the local status server is unavailable, use the persisted receipt file:

tail -n 1 .protect-mcp-receipts.jsonl > receipt.json

Verifying a receipt

# Get the public key from status (shown under "Passport Identity")
npx protect-mcp status

# Verify with the public key
npx @veritasacta/verify receipt.json --key <public-key-hex>

The verifier checks Ed25519 signatures against public keys. No API calls, no accounts, no ScopeBlind servers involved.

Links

版本历史

共 1 个版本

  • v0.4.1 当前
    2026-03-31 04:48 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

安全,无风险
查看报告

🔗 相关推荐

ai-agent

Agent Browser

rez0
用于 AI 代理的浏览器自动化 CLI。当用户需要与网站交互(包括浏览页面、填写表单、点击按钮、截图等)时使用。
★ 859 📥 339,730
ai-agent

self-improving agent

pskoett
记录自身发现以实现自我改进的技能
★ 4,153 📥 925,198
ai-agent

Find Skills

root
帮助用户发现和安装智能体技能,当用户询问如「如何做X」、「找X的技能」、「有能做...的吗」等问题时
★ 1,507 📥 566,832