Agent Passport (OpenClaw)
30-Second Setup
CODEBLOCK0
Templates available: dev-tools · email-team <domain> · file-ops <path> · web-research · safe-browsing · coding · email-assistant · read-only · full-auto
Run ./mandate-ledger.sh templates to see all options.
⚡ Agent Behavioral Contract
If you are an agent reading this skill, these are your rules. Follow them.
When to Check
Before performing ANY of these actions, you MUST call check-action first:
| Action | Category | Example target |
|---|---|---|
| Running a shell command | INLINECODE11 | INLINECODE12, INLINECODE13 |
| Sending a message/email | communication | "bob@company.com" |
| Writing/deleting a file | data | "/path/to/file.txt" |
| Making an API call with side effects | external_api | "api.github.com" |
| Spending money | financial | "merchant_amazon" with amount |
| Acting publicly as the user | identity | "twitter_post" |
You do NOT need to check: reading files, web searches, internal reasoning, or anything with no side effects.
How to Check
CODEBLOCK1
Parse the result:
- authorized: true → proceed, then log the action afterward
- INLINECODE25 → STOP. Ask the user.
- If the response includes kill_switch: true or the reason "Kill switch engaged" → STOP immediately and ask the user to run INLINECODE28
The Flow
CODEBLOCK2
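The result-handling rules above can be enforced in a wrapper that fails closed. This is an added example, not code from Agent Passport: it assumes check-action prints a JSON object, and the function names and sample outputs are hypothetical (only the field names `authorized`, `kill_switch`, `reason` and `hint` come from this page).

```python
import json

PROCEED, ASK_USER, HALT, SETUP = "proceed", "ask_user", "halt", "setup"

def decide(raw):
    """Map raw check-action output to the next step, failing closed."""
    try:
        result = json.loads(raw)
    except (TypeError, ValueError):
        return ASK_USER  # unparseable output is never treated as consent
    if not isinstance(result, dict):
        return ASK_USER
    # The kill switch overrides every other field, including authorized: true.
    reason = str(result.get("reason", "")).lower()
    if result.get("kill_switch") is True or "kill switch engaged" in reason:
        return HALT
    if result.get("hint") == "templates":
        return SETUP  # empty ledger: guide the user through first-time setup
    # Only the JSON boolean true authorizes; "true", 1 or a missing key do not.
    return PROCEED if result.get("authorized") is True else ASK_USER

def run_gated(check, action, log):
    """check() returns raw output, action() does the side effect, log(x) records it."""
    step = decide(check())
    if step != PROCEED:
        return step, None  # no side effect and no retry loop on denial
    outcome = action()
    log(outcome)  # log only after the action has completed
    return step, outcome

# Constructed sample outputs (field names taken from the page, values invented).
SAMPLES = {
    "ok": '{"authorized": true}',
    "denied": '{"authorized": false, "reason": "No matching mandate"}',
    "frozen": '{"authorized": true, "kill_switch": true}',
    "frozen_reason": '{"authorized": false, "reason": "Kill switch engaged"}',
    "empty_ledger": '{"authorized": false, "hint": "templates"}',
    "string_true": '{"authorized": "true"}',
    "garbage": "mandate-ledger.sh: command not found",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:14} -> {decide(raw)}")
```

In a real wrapper, `check` would run `mandate-ledger.sh check-action` and `log` would run `mandate-ledger.sh log-action` with the arguments documented on this page.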
How to Ask for Permission
When denied, present it clearly and concisely:
CODEBLOCK3
DO NOT:
- Bypass the check and do it anyway
- Ask repeatedly for the same thing if denied
- Create mandates yourself without user approval
- Pretend you checked when you didn't
DO:
- Suggest templates when appropriate ("Want me to set up dev-tools?")
- Batch similar requests ("I'll need to run several git commands — want a dev-tools mandate?")
- Log every action after completion
- Mention remaining limits when relevant ("3/20 daily emails used")
First-Time Setup
If check-action returns "hint": "templates", the ledger is empty. Guide the user:
CODEBLOCK4
Logging Actions
After every authorized action, log it:
CODEBLOCK5
- For financial: amount = dollars spent
- For everything else: amount = 1
- Description should be human-readable: "Sent email to bob@company.com re: Q1 report"
Kill Switch Behavior
If the user engages the kill switch, all operations are frozen until unlocked.
CODEBLOCK6
Agent behavior when kill switch is active:
- Do not attempt sensitive actions
- Do not retry check-action in a loop
- Tell user operations are blocked and request explicit INLINECODE33
Overview
Agent Passport provides a consent layer for agent autonomy. Instead of all-or-nothing permissions, users grant mandates with specific constraints:
CODEBLOCK7
This isn't just about purchases — it's consent-gating for all sensitive actions.
Action Categories
| Category | Examples | Typical Constraints |
|---|---|---|
| INLINECODE34 | Purchases, transfers, subscriptions | Spending cap, merchant allowlist |
| INLINECODE35 | Emails, messages, tweets, posts | Recipient allowlist, rate limit |
| data | Delete files, edit docs, DB writes | Path allowlist, require backup |
| system | Shell commands, installs, configs | Command allowlist, no sudo |
| external_api | Third-party API calls | Service allowlist, rate limit |
| identity | Public actions "as" the user | Human review required |
Wildcard Patterns
Allowlists and deny lists support three wildcard styles:
| Pattern | Matches | Example |
|---|---|---|
| INLINECODE40 | Anything starting with prefix | INLINECODE41 → git pull, INLINECODE43 |
| INLINECODE44 | Anything ending with suffix | `*.env` → config.env, .env |
| `*middle*` | Anything containing middle | `*/.git/*` → repo/.git/config |
| `*@domain` | Email domain match | `*@company.com` → bob@company.com |
| exact | Exact match only | api.github.com |
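A matcher for the wildcard styles in the table, as an added example that is not Agent Passport's own code. The `prefix*` spelling, the deny-before-allow precedence, the default-deny fallback and the sample lists are assumptions of this example.

```python
def matches(pattern, target):
    """Match one target against the page's wildcard styles.

    Only a leading and/or trailing '*' is a wildcard; '?', '[' and an
    interior '*' are literal, which fnmatch-style globbing would not give you.
    """
    if pattern == "*":
        return True  # assumption: bare '*' matches everything
    lead, trail = pattern.startswith("*"), pattern.endswith("*")
    core = pattern[1 if lead else 0 : len(pattern) - 1 if trail else len(pattern)]
    if lead and trail:
        return core in target            # *middle*
    if lead:
        return target.endswith(core)     # *suffix, *@domain
    if trail:
        return target.startswith(core)   # prefix*
    return target == pattern             # exact

def evaluate(target, allow, deny):
    """Assumed precedence for this example: deny wins, then default-deny."""
    for p in deny:
        if matches(p, target):
            return ("deny", p)
    for p in allow:
        if matches(p, target):
            return ("allow", p)
    return ("deny", None)

# Constructed lists built from the patterns shown in the table above.
FILE_ALLOW = ["/home/me/project/*"]
FILE_DENY = ["*.env", "*/.git/*"]
MAIL_ALLOW = ["*@company.com"]

if __name__ == "__main__":
    for t in ["/home/me/project/src/app.py", "/home/me/project/.env",
              "/home/me/project/.git/config", "/etc/hosts"]:
        print(t, evaluate(t, FILE_ALLOW, FILE_DENY))
    for t in ["bob@company.com", "bob@company.com.example.net",
              "bob@notcompany.com"]:
        print(t, evaluate(t, MAIL_ALLOW, []))
```

Matching in this example is purely textual, so a file path should be canonicalised (for instance with `os.path.realpath`) before it is evaluated against a prefix pattern.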
Modes
- Local mode (default): Mandates stored in ~/.openclaw/agent-passport/. Free tier is fully offline. Pro tier makes periodic API calls to api.agentpassportai.com for license validation and threat definition updates.
- Preview mode: No storage, no network. Generates validated payloads and curl templates.
- Live mode (roadmap): Future connection to Agent Bridge backend for multi-agent sync and compliance. Not yet implemented.
Quick Start Commands
CODEBLOCK8
Commands Reference
Quick Start
CODEBLOCK9
Mandate Lifecycle
CODEBLOCK10
Authorization
CODEBLOCK11
Audit & Reporting
CODEBLOCK12
Threat Definitions
CODEBLOCK13
KYA (Know Your Agent)
CODEBLOCK14
Mandate Structure
CODEBLOCK15
Agent Bridge (Future Roadmap)
Note: Free tier is fully local with no network calls. Pro tier (AGENT_PASSPORT_LICENSE_KEY set) makes periodic HTTPS calls to api.agentpassportai.com for license validation and threat definition updates. No usage data or scan results are transmitted. Agent Bridge is a planned future service.
Local mode handles single-user, single-agent scenarios. A future Agent Bridge service would add:
- Multi-agent coordination — prevent overlapping mandates
- Cross-device sync — same mandates everywhere
- Organization policies — IT guardrails, user customization within
- Compliance reporting — audit exports for regulatory needs
- Merchant/service registry — verified vendors, trust scores
Export local ledger anytime: INLINECODE60
Configuration (OpenClaw)
CODEBLOCK16
Storage
All data stored locally in ~/.openclaw/agent-passport/:
- mandates.json — mandate ledger
- INLINECODE63 — KYA registry
- INLINECODE64 — action audit trail
- INLINECODE65 — active threat pattern definitions
- INLINECODE66 — previous definitions backup
- INLINECODE67 — last update/version/source metadata
Safety
- Never leak secrets into prompts, logs, or outputs
- Mandates constrain actions, but don't prevent all misuse
- Audit trail provides accountability, not prevention
- Use KYA to verify agent identity before granting broad mandates
Agent Passport (OpenClaw)
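30-Second Setup
```bash
# Initialize and register your agent
./mandate-ledger.sh init agent:my-assistant "Your Name" "personal assistant" openclaw
# Grant dev-tools access (git, npm, docker, etc.)
./mandate-ledger.sh create-from-template dev-tools
```
That's it! The agent will now check permissions before performing sensitive actions.
Templates available: dev-tools · email-team <domain> · file-ops <path> · web-research · safe-browsing · coding · email-assistant · read-only · full-auto
Run ./mandate-ledger.sh templates to see all options.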
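⚡ Agent Behavioral Contract
If you are an agent reading this skill, these are the rules you must follow.
When to Check
Before performing any of the following actions, you must first call check-action:
| Action | Category | Example target |
|---|---|---|
| Running a shell command | system | git pull, npm install |
| Sending a message/email | communication | bob@company.com |
| Writing/deleting a file | data | /path/to/file.txt |
| Calling an API with side effects | external_api | api.github.com |
| Spending money | financial | merchant_amazon with amount |
| Acting publicly as the user | identity | twitter_post |
You do not need to check: reading files, web searches, internal reasoning, or anything with no side effects.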
How to Check
```bash
SCRIPT_DIR="$HOME/.openclaw/skills/agent-passport/scripts"
result=$("$SCRIPT_DIR/mandate-ledger.sh" check-action <your-agent-id> <category> <target> [amount])
```
Parse the result:
- authorized: true → proceed, then log the action
- authorized: false → stop. Ask the user.
- If the response includes kill_switch: true or the reason "Kill switch engaged" → stop immediately and ask the user to run mandate-ledger.sh unlock
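The Flow
1. You want to do something sensitive
2. Call check-action
3. If authorized:
   a. Perform the action
   b. Log the action: mandate-ledger.sh log-action <mandate-id> <amount> <description>
4. If denied:
   a. Tell the user what you want to do and why
   b. Suggest a mandate (stating scope, duration, and constraints)
   c. Wait for approval
   d. If approved, create the mandate, then proceed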
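How to Ask for Permission
When denied, present it clearly and concisely:
```
I need to [action], but I don't have a mandate for it.
📋 [category]: [what you want to do]
🎯 Target: [specific target]
⏰ Suggested duration: [a reasonable validity period]
Want me to set this up? If you like, I can also create a broader mandate
(e.g., all email sent to @company.com for 30 days).
```
DO NOT:
- Bypass the check and do it anyway
- Ask repeatedly for the same thing after being denied
- Create mandates yourself without user approval
- Pretend you checked when you didn't
DO:
- Suggest templates when appropriate ("Want me to set up dev-tools?")
- Batch similar requests ("I need to run several git commands; want me to create a dev-tools mandate?")
- Log every action after completion
- Mention remaining limits when relevant ("3/20 daily emails used")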
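First-Time Setup
If check-action returns hint: templates, the ledger is empty. Guide the user:
```
Agent Passport isn't set up yet. It only takes 30 seconds:
mandate-ledger.sh init agent:me "Your Name" "assistant" openclaw
mandate-ledger.sh create-from-template dev-tools
Want me to run this for you?
```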
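Logging Actions
After every authorized action, log it:
```bash
$SCRIPT_DIR/mandate-ledger.sh log-action <mandate-id> <amount> <description>
```
- For financial: amount = dollars spent
- For everything else: amount = 1
- The description should be human-readable: "Sent email to bob@company.com re: Q1 report"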
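Kill Switch Behavior
If the user engages the kill switch, all operations are frozen until unlocked.
```bash
./mandate-ledger.sh kill "User requested freeze"
./mandate-ledger.sh unlock
```
Agent behavior when the kill switch is active:
- Do not attempt sensitive actions
- Do not retry check-action in a loop
- Tell the user that operations are blocked and request an explicit unlock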
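Overview
Agent Passport provides a consent layer for agent autonomy. Instead of all-or-nothing permissions, users grant mandates with specific constraints:
```
I authorize this agent to [action] under [constraints] until [expiry]
```
This isn't just about purchases: it's consent-gating for all sensitive actions.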
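Action Categories
| Category | Examples | Typical Constraints |
|---|---|---|
| financial | Purchases, transfers, subscriptions | Spending cap, merchant allowlist |
| communication | Emails, messages, tweets, posts | Recipient allowlist, rate limit |
| data | Delete files, edit docs, DB writes | Path allowlist, require backup |
| system | Shell commands, installs, configs | Command allowlist, no sudo |
| external_api | Third-party API calls | Service allowlist, rate limit |
| identity | Public actions as the user | Human review required |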
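Wildcard Patterns
Allowlists and deny lists support three wildcard styles:
| Pattern | Matches | Example |
|---|---|---|
| prefix | Anything starting with the given prefix | git → git pull, git status |
| .suffix | Anything ending with the given suffix | `*.env` → config.env, .env |
| `*middle*` | Anything containing the given middle | `*/.git/*` → repo/.git/config |
| `*@domain` | Email domain match | `*@company.com` → bob@company.com |
| exact | Exact match only | api.github.com |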
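Modes
- Local mode (default): Mandates are stored in ~/.openclaw/agent-passport/. The free tier is fully offline. The Pro tier makes periodic API calls to api.agentpassportai.com for license validation and threat definition updates.
- Preview mode: No storage, no network. Generates validated payloads and curl templates.
- Live mode (roadmap): Future connection to the Agent Bridge backend for multi-agent sync and compliance. Not yet implemented.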
Quick Start Commands
```bash
# Initialize identity
./mandate-ledger.sh init <agent-id> <principal> [scope] [provider]
# Templates (agent is auto-detected if registered)
./mandate-ledger.sh templates
./mandate-ledger.sh create-from-template dev-tools
./mandate-ledger.sh create-from-template email-team <domain>
./mandate-ledger.sh create-from-template file-ops <path>
./mandate-ledger.sh create-from-template web-research
./mandate-ledger.sh create-from-template safe-browsing
./mandate-ledger.sh create-from-template coding
./mandate-ledger.sh create-from-template email-assistant
./mandate-ledger.sh create-from-template read-only
./mandate-ledger.sh create-from-template full-auto
# Quick create (human-friendly durations: 7d, 24h, 30m)
./mandate-ledger.sh create-quick <type> <agent-id> <allowlist-csv> <duration> [amount-cap]
# Check and log
./mandate-ledger.sh check-action <agent> <type> <target> [amount]
./mandate-ledger.sh log-action <mandate-id> <amount> <description>
# Audit
./mandate-ledger.sh audit [limit]
./mandate-ledger.sh summary
# Threat definitions
./mandate-ledger.sh init-definitions
./mandate-ledger.sh update-definitions
./mandate-ledger.sh definitions-status
```
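Commands Reference
Quick Start
bash
init [agent-id] [principal] [scope] [provider]
# Initialize the ledger, optionally registering an agent
templates # List available templates
create-from-template <template> # Create a mandate from a template
[agent-id] [args...]
create-quick <type> # Create using positional arguments
<agent-id> <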