ClawHub
Code Pluginsource linked

AxonFlow Governancev1.2.1

Policy enforcement, approval gates, and audit trails for OpenClaw — govern tool inputs before execution, scan outbound messages for PII/secrets, and record agent activity for review and compliance

@axonflow/openclaw·runtime axonflow-governance·by @saurabhjain1592
Community code plugin. Review compatibility and verification before install.
openclaw plugins install clawhub:@axonflow/openclaw
Latest release: v1.2.1Download zip

Capabilities

Tags
executes-code
configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
axonflow-governance

Compatibility

Built With Open Claw Version
2026.3.22
Min Gateway Version
2026.3.22
Plugin Api Range
>=2026.3.22
Plugin Sdk Version
2026.3.22
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name, description, and shipped code (axonflow-client, governance, telemetry, message-guard, audit) align with a governance/audit plugin that calls a self-hosted AxonFlow endpoint. Required credentials are optional (clientId/clientSecret) and used only for AxonFlow; no unrelated cloud credentials or binaries are requested.
Instruction Scope
SKILL.md instructions stay within governance scope (health check, policy checks, telemetry opt-out). It does perform network calls to the configured AxonFlow endpoint (policy checks, audit writes, health check) and sends an anonymous startup telemetry ping by default (plugin version, OS/arch/Node version, AxonFlow platform version, hook configuration). The telemetry and health-check network activity are expected for this plugin but are notable because they transmit metadata off the host (opt-out controls are provided).
Install Mechanism
There is no arbitrary download URL or extract/install step in the skill bundle. The repo includes compiled dist/, package.json, and CI/publish workflows indicating normal npm/ClawHub packaging. The earlier claim of being "instruction-only" is inconsistent with the presence of code, but installation is via npm/ClawHub (standard), not via a remote one-off URL.
Credentials
The plugin does not require unrelated credentials; it uses an AxonFlow endpoint and optional clientId/clientSecret (sensible for a governance client). Telemetry can be disabled via DO_NOT_TRACK=1 or AXONFLOW_TELEMETRY=off — telemetry is opt-out and by default sends platform and configuration metadata (no PII promised). If you run in highly sensitive environments, consider explicitly disabling telemetry and review whether sending AxonFlow platform version / hook config is acceptable.
Persistence & Privilege
The plugin is not marked always:true and does not request privileged persistent platform presence. It performs normal plugin behavior (hooks, outbound HTTP to configured endpoint). Autonomous invocation remains enabled by default (platform default) but is appropriate for a governance hook plugin.
Assessment
This plugin appears to do what it claims: block/approve tool calls, scan outbound messages, and write audit events to a configured AxonFlow instance. Before installing: 1) Confirm the AxonFlow endpoint you configure is trusted and on your infrastructure (endpoint is where all policy/audit data goes). 2) If you require no external telemetry, set DO_NOT_TRACK=1 or AXONFLOW_TELEMETRY=off (telemetry is enabled by default and sends non-PII platform/config metadata). 3) If using licensed features, provide clientId/clientSecret securely and verify how credentials are stored on the host. 4) Test in a staging agent to verify the plugin’s fail-open/fail-closed behavior (onError) matches your risk posture. 5) Note the bundle includes runnable code (dist/ & package.json) even though metadata said “instruction-only” — review package.json and network-call points (axonflow-client / telemetry) if you need to audit outgoing endpoints further.
dist/telemetry.js:29
Environment variable access combined with network send.
src/telemetry.ts:33
Environment variable access combined with network send.
tests/telemetry.test.ts:7
Environment variable access combined with network send.
!
tests/telemetry.test.ts:1
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/getaxonflow/axonflow-openclaw-plugin
Commit
1f09c462d06f
Tag
v1.2.1
Provenance
No
Scan status
pending

Tags

latest
1.2.1

@axonflow/openclaw

Policy enforcement, approval gates, and audit trails for OpenClaw.

Why

OpenClaw is widely deployed with 13+ CVEs disclosed in 2026 (multiple CVSS 9.8+), 135,000+ publicly exposed instances, and 1,184 malicious skills poisoned in ClawHub via the ClawHavoc supply chain attack. OpenClaw provides agent runtime and tool execution but no centralized policy enforcement, no PII scanning, and no compliance-grade audit trails.

This plugin adds the governance layer. AxonFlow governs, OpenClaw orchestrates. No LLM provider keys needed — OpenClaw handles all LLM calls, AxonFlow only enforces policies and records audit trails. Your data stays on your infrastructure.

This plugin is useful when you want to:

  • block dangerous tool calls (reverse shells, SSRF, destructive commands) before they run
  • detect and redact PII and secrets in outbound messages before delivery
  • require human approval for high-risk tools (exec, web_fetch, message)
  • keep a compliance-grade audit trail of every tool call and LLM interaction
  • gain visibility into token usage and LLM activity across agents via audit trails

What It Does

HookPurpose
before_tool_callEvaluate tool inputs against AxonFlow policies before execution
after_tool_callRecord tool execution in AxonFlow audit trail
message_sendingScan outbound messages for PII/secrets before delivery
llm_inputRecord prompt, model, and provider for audit
llm_outputRecord response summary, token usage, and latency for audit

The plugin also:

  • Verifies AxonFlow connectivity on startup and logs a warning if unreachable
  • Tracks governance metrics in-process (tool calls blocked/allowed, messages redacted, etc.) accessible via getMetrics()

Current Limitation

Tool results written into the OpenClaw session transcript are not yet scanned by this plugin. OpenClaw's tool_result_persist hook is synchronous today, so it cannot call AxonFlow's HTTP policy APIs.

What is protected today:

  • tool inputs before execution
  • outbound messages before delivery
  • tool and LLM audit trails

What is not protected yet:

  • tool results entering the LLM context through the session transcript

If OpenClaw adds async support for tool_result_persist, AxonFlow can add transcript/result scanning immediately. Upstream issue: openclaw/openclaw#58558.

Prerequisites

This plugin connects to AxonFlow, a self-hosted governance platform, for policy evaluation and audit logging. AxonFlow must be running before you use the plugin. Your data stays on your infrastructure.

# Start AxonFlow (Docker — runs entirely on your machine)
git clone https://github.com/getaxonflow/axonflow.git
cd axonflow
docker compose up -d

See Getting Started for full setup options.

Install

Available on ClawHub and npm.

openclaw plugins install @axonflow/openclaw

Or via the ClawHub install path:

openclaw plugins install clawhub:@axonflow/openclaw

Either install path works; the ClawHub form is included for users browsing plugins there.

For the full integration walkthrough (architecture, hook coverage, policy examples, troubleshooting), see the OpenClaw Integration Guide.

Configure

In your OpenClaw config:

plugins:
  @axonflow/openclaw:
    endpoint: http://localhost:8080
    # In community mode, clientId defaults to "community"
    # and clientSecret can be left unset.
    # Set both only for evaluation/enterprise credentials.
    # clientId: your-client-id
    # clientSecret: your-client-secret
    # requestTimeoutMs: 8000
    highRiskTools:
      - web_fetch
      - message

Configuration Options

OptionRequiredDefaultDescription
endpointYesAxonFlow agent gateway URL
clientIdNo"community"Tenant identity for data isolation. Override for evaluation/enterprise.
clientSecretNo""License key for evaluation/enterprise features. Requires clientId to be set.
highRiskToolsNo[]Tools that require human approval even when policy allows
governedToolsNo[] (all)Tools to govern. Empty = all tools.
excludedToolsNo[]Tools to exclude from governance
defaultOperationNo"execute"Operation type for mcp_check_input ("execute" or "query")
onErrorNo"block"Behavior when AxonFlow is unreachable: "block" (fail-closed) or "allow" (fail-open)
requestTimeoutMsNo8000Timeout for policy checks, output scans, audit writes, and health checks. Increase for remote AxonFlow deployments.

Valid configurations:

  • Both omitted → community mode (clientId defaults to "community")
  • clientId only → community mode with custom tenant identity
  • Both set → licensed mode (evaluation/enterprise)
  • clientSecret only → error (licensed mode requires explicit tenant identity to prevent data going to the wrong tenant)

How It Works

User sends message → OpenClaw receives
    │
    ▼
┌─────────────────────────────────────────────┐
│ llm_input (audit)                           │
│ → Record prompt, model, provider            │
└─────────────────────────────────────────────┘
    │
    ▼
LLM generates response (may include tool calls)
    │
    ▼
┌─────────────────────────────────────────────┐
│ llm_output (audit)                          │
│ → Record response, tokens, latency          │
└─────────────────────────────────────────────┘
    │
    ▼  (if tool calls in response)
┌─────────────────────────────────────────────┐
│ before_tool_call (governance)               │
│ → mcp_check_input(openclaw.{tool}, args)    │
│ → BLOCK / REQUIRE APPROVAL / ALLOW          │
└─────────────────────────────────────────────┘
    │
    ▼
Tool executes (web_fetch, message, MCP, etc.)
    │
    ▼
Tool result persisted to session transcript
(not scanned — pending async hook support)
    │
    ▼
┌─────────────────────────────────────────────┐
│ after_tool_call (audit)                     │
│ → audit_tool_call(tool, params, result)     │
└─────────────────────────────────────────────┘
    │
    ▼
┌─────────────────────────────────────────────┐
│ message_sending (governance)                │
│ → mcp_check_output(openclaw.message_sending) │
│ → CANCEL / REDACT / ALLOW                   │
└─────────────────────────────────────────────┘
    │
    ▼
Message delivered to user channel

Telemetry

This plugin sends an anonymous telemetry ping on initialization to help us understand usage patterns, including local and self-hosted evaluations. The ping includes: plugin version, platform info (OS, architecture, Node.js version), AxonFlow platform version, and hook configuration (count, onError mode). No PII, no tool arguments, no policy data.

Opt out:

  • DO_NOT_TRACK=1 (standard)
  • AXONFLOW_TELEMETRY=off

The startup ping is enabled by default for local, self-hosted, and remote deployments. Opt-out controls always win.

Starter Policies

See policies/README.md for recommended policy setup for OpenClaw deployments, including protections against reverse shells, credential exfiltration, SSRF, path traversal, and agent config file poisoning.

Links

License

MIT