guardrails - Interactive Security Guardrails Configuration

Helps users configure comprehensive security guardrails for their OpenClaw workspace through an interactive interview process.

Commands

guardrails setup

Interactive setup mode - Guides user through creating their GUARDRAILS.md file.

Workflow:

1. Run environment discovery: bash scripts/discover.sh
2. Classify risks: bash scripts/discover.sh | python3 scripts/classify-risks.py
3. Generate tailored questions: bash scripts/discover.sh | python3 scripts/classify-risks.py | python3 scripts/generate_questions.py
4. Conduct interactive interview with the user:
   • Ask questions from the generated question bank (tailored to discovered environment)
   • Present suggestions for each question
   • Allow custom answers
   • Follow up when appropriate
5. Generate GUARDRAILS.md: echo '<json>' | python3 scripts/generate_guardrails_md.py /path/to/guardrails-config.json
   • Stdin JSON format: {"discovery": {...}, "classification": {...}, "answers": {...}}
6. Present the generated GUARDRAILS.md for review
7. Ask for confirmation before writing to workspace
8. Write GUARDRAILS.md to workspace root
9. Save guardrails-config.json to workspace root

Important:

• Be conversational and friendly during the interview
• Explain why each question matters
• Provide context about discovered risks
• Highlight high-risk skills/integrations
• Allow users to skip or customize any answer
• Review the final output with the user before writing

guardrails review

Review mode - Check existing configuration against current environment.

Workflow:

1. Run discovery and classification
2. Load existing guardrails-config.json
3. Compare discovered skills/integrations against config
4. Identify gaps (new skills not covered, removed skills still in config)
5. Ask user about gaps only - don't re-interview everything
6. Update config and GUARDRAILS.md if changes needed

guardrails monitor

Monitor mode - Detect changes and potential violations.

Workflow:

1. Run: bash scripts/monitor.sh
2. Parse the JSON report
3. If status is "ok": silent or brief acknowledgment
4. If status is "needs-attention": notify user with details
5. If status is "review-recommended": suggest running guardrails review

Can be run manually or via cron/heartbeat.

Files Generated

• GUARDRAILS.md - The main guardrails document (workspace root)
• guardrails-config.json - Machine-readable config for monitoring (workspace root)

Notes

• This skill only helps create guardrails - enforcement is up to the agent
• Discovery (discover.sh) uses bash + jq; classification (classify-risks.py) uses Python standard library only
• Question generation and GUARDRAILS.md generation require an LLM — set OPENAI_API_KEY or ANTHROPIC_API_KEY
• Python scripts require the requests library (pip install requests)
• Discovery and classification are read-only operations
• Only setup and review modes write files, and only with user confirmation