What Tools Is Your OpenClaw Agent Using?
I installed OpenClaw and pointed it at my project directory. Within minutes it had read my .env file.
Fair enough — I gave it file access. So I installed a permissions skill to lock things down.
The agent ignored it.
Not maliciously. The skill was just a suggestion to the LLM, not an enforcement layer. There’s nothing in OpenClaw’s architecture that forces the agent to check every skill and permission before calling a tool. It’s all voluntary compliance.
So I built GatewayStack Governance — a plugin that hooks into every tool call at the process level. The agent doesn’t get to decide whether governance applies. It always does.
Five checks run on every invocation:
- Identity mapping
- Deny-by-default tool scoping
- Rate limiting
- Injection detection (40+ patterns from published research)
- Full audit logging
This isn’t theoretical. Snyk audited ClawHub and found 12% of published skills were compromised — including one campaign that delivered macOS malware through markdown instructions.
“Trust the LLM to do the right thing” is not a security model.
GatewayStack Governance is. It’s one implementation of the Agentic Control Plane pattern — enforcing identity, permissions, and audit at the infrastructure level rather than relying on the agent to police itself.
Open source. MIT licensed. One command install.
Peace of mind.
See it in action
In the demo: a read succeeds (agent has permission), but write and exec are blocked — the agent’s role doesn’t have access. The governance layer explains why, and every decision hits the audit log.
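The demo above, and the five checks listed earlier, follow one simple shape: every tool call passes through a single gate, and the gate decides before the tool runs. The JavaScript below is an added illustration of that shape, not the GatewayStack Governance plugin's own code; the policy format, the `createGovernor`/`checkToolCall` names and the three sample injection patterns are assumptions for this example (the real plugin's API and its 40+ patterns are not reproduced). The constructed policy gives the `reader` role only the `read` tool, so `write` and `exec` are denied by scope and each decision lands in the audit log with its reason.

```javascript
// Hypothetical process-level governance gate for an OpenClaw-style agent.
// Added example; not the GatewayStack Governance plugin's actual implementation.

// Constructed sample patterns for the injection check. The real plugin's
// pattern list is not shown here.
const INJECTION_PATTERNS = [
  /ignore (all )?(previous|prior|above) instructions/i,
  /you are now (an?|the) /i,
  /system prompt/i,
];

function createGovernor(policy) {
  const auditLog = [];            // every decision, allowed or not, goes here
  const windows = new Map();      // identity -> { start, count } for rate limiting

  // 1. Identity mapping: an unknown session maps to no role at all.
  function mapIdentity(session) {
    const entry = policy.identities[session.id];
    return entry ? { identity: session.id, role: entry.role } : null;
  }

  // 2. Deny-by-default scoping: only tools explicitly listed for the role pass.
  function allowedByScope(role, tool) {
    const scope = policy.roles[role];
    return Array.isArray(scope) && scope.includes(tool);
  }

  // 3. Fixed-window rate limit per identity.
  function withinRate(identity, now) {
    const { maxCalls, windowMs } = policy.rateLimit;
    let w = windows.get(identity);
    if (!w || now - w.start >= windowMs) {
      w = { start: now, count: 0 };
      windows.set(identity, w);
    }
    w.count += 1;
    return w.count <= maxCalls;
  }

  // 4. Injection detection over the serialized tool arguments.
  function findInjection(args) {
    const text = JSON.stringify(args);
    const hit = INJECTION_PATTERNS.find((re) => re.test(text));
    return hit ? hit.source : null;
  }

  // The gate itself: runs the checks in order and records the outcome (5. audit).
  function checkToolCall(session, tool, args, now = Date.now()) {
    const decide = (allowed, check, reason, identity) => {
      auditLog.push({ ts: now, identity, tool, allowed, check, reason });
      return { allowed, check, reason };
    };
    const mapped = mapIdentity(session);
    if (!mapped) return decide(false, 'identity', `unknown session ${session.id}`, null);
    const { identity, role } = mapped;
    if (!allowedByScope(role, tool)) {
      return decide(false, 'scope', `role ${role} is not granted tool ${tool}`, identity);
    }
    if (!withinRate(identity, now)) {
      const { maxCalls, windowMs } = policy.rateLimit;
      return decide(false, 'rate', `rate limit ${maxCalls} calls per ${windowMs}ms exceeded`, identity);
    }
    const pattern = findInjection(args);
    if (pattern) return decide(false, 'injection', `argument matched pattern ${pattern}`, identity);
    return decide(true, 'all', 'all checks passed', identity);
  }

  return { checkToolCall, auditLog };
}

// Constructed policy: session sess-1 is a "reader", and readers may only call "read".
const demoPolicy = {
  identities: { 'sess-1': { role: 'reader' } },
  roles: { reader: ['read'] },
  rateLimit: { maxCalls: 3, windowMs: 60000 },
};

// Replays the demo described in the post: read allowed, write and exec blocked.
function runDemo() {
  const gov = createGovernor(demoPolicy);
  const session = { id: 'sess-1' };
  const t0 = 1000; // fixed clock so the run is deterministic
  const results = [
    gov.checkToolCall(session, 'read', { path: 'README.md' }, t0),
    gov.checkToolCall(session, 'write', { path: '.env', data: 'x' }, t0 + 1),
    gov.checkToolCall(session, 'exec', { cmd: 'ls' }, t0 + 2),
  ];
  return { results, auditLog: gov.auditLog };
}

const demo = runDemo();
for (const r of demo.results) console.log(r);
console.log(`audit entries: ${demo.auditLog.length}`);
```

The ordering matters: identity is resolved first so that every later decision, and every audit entry, is tied to a known principal, and scope is checked before rate so that a denied tool never consumes the caller's budget. An agent that decides to skip a skill changes nothing here, because the gate sits in front of the tool rather than in the prompt.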
Get started
Open source, MIT licensed. Install in one command:
openclaw plugins install @gatewaystack/gatewaystack-governance
Zero config. Governance is active on every tool call immediately.
GitHub repo · npm package · ClawHub page