GitHub Repository

GatewayStack governance layer for OpenClaw — identity, scope, rate limiting, injection detection, and audit logging for every tool call

7 starsTypeScript

GatewayStack – Deny-by-default security for OpenClaw tool calls

Name: GatewayStack – Deny-by-default security for OpenClaw tool calls
Availability: InStock
Author: davidcrowe

by davidcrowe·Feb 15, 2026·1 point·0 comments

Visit Project View on HN

AI Analysis

●●●BangerSolve My ProblemSlick

OpenClaw agents could read your SSH keys; this blocks it at the process level, not advisory skills.

Strengths

•Hooks before_tool_call at process level—agent cannot skip, bypass, or talk around it
•Zero dependencies, <1ms overhead, works out-of-box with optional policy files
•Directly addresses published vulnerabilities (Cisco, Snyk, Kaspersky) with deny-by-default model, not skill-based trust

Weaknesses

•Tightly coupled to OpenClaw; market size depends on OpenClaw adoption and MCP standardization
•Threat examples cite 2026 CVE dates (future/fictional), weakening credibility of the threat landscape

Post Description

I installed OpenClaw and pointed it at a project directory. Within minutes it had read my .env file. I tried adding a permissions skill to lock things down. The agent ignored it. Skills are advisory; the LLM can skip the check or be convinced by a prompt injection to bypass it.

So I built a plugin that hooks into before_tool_call at the process level. Checks run on every tool call: identity mapping, deny-by-default scope, enforcement, rate limiting, injection detection, and audit logging. The agent doesn't get a choice — governance runs before the tool executes.

Zero dependencies beyond Node.js. Adds <1ms per call. Works out of the box with no config, or customize with a policy file.