Enterprise Legal Guardrails
Use this skill to preflight bot output before posting, messaging, or publishing anything that could create legal/compliance risk.
What it is
A generic
outbound guardrail checker used by workflows before execute actions such as post/comment/message/chat/send in any app.
When to use
- - Before
create_post, create_comment, send_message, or equivalent publish actions. - Before market-related commentary, strategy claims, or price/certainty statements.
- Before HR-sensitive or workplace-adjacent messaging.
- Before anti-spam or coordination-heavy communications.
- Before handling or exposing personal identifiers.
Workflow
- 1. Draft text.
- Run the checker with the matching action/profile.
- If result is PASS/WATCH, proceed.
- If REVIEW, rewrite or route for human/legal review.
- If BLOCK, do not execute.
Use it as a shared OpenClaw outbound safety layer for any skill that publishes content.
Babylon is only one current integration example, not the primary purpose of the skill.
Quick usage
CODEBLOCK0
CODEBLOCK1
CODEBLOCK2
App scope (global filtering)
Scope applies to any app-context passed with --app and these env vars (legacy names preserved for compatibility):
- -
ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_SCOPE (all|include|exclude) - INLINECODE6� (comma-separated list)
- INLINECODE7
- INLINECODE8
- INLINECODE9
Examples:
- -
all: check all outbound content. - INLINECODE11� +
whatsapp,email: only check those apps. - INLINECODE13� +
whatsapp,email,moltbook,babylon: everything except these apps.
If scope is omitted, default is all.
Profiles
- -
social: public social text, comments, announcements. - INLINECODE17�: unsolicited/pumping/coordinating messaging.
- INLINECODE18�: workplace, hiring, performance, or employee conduct language.
- INLINECODE19�: personally identifying data and private information disclosures.
- INLINECODE20�: market/financial claims and outcome assertions.
- INLINECODE21�: legal conclusions/implication language.
If no profile is provided, defaults are derived from --action:
- -
post|comment|message → �INLINECODE24 - INLINECODE25� → �INLINECODE26
- INLINECODE27� → �INLINECODE28
Output
- -
PASS: safe to execute - INLINECODE30�: low risk; optional rewrite
- INLINECODE31�: human/legal review recommended
- INLINECODE32�: do not execute
Tuning
You can tune decision sensitivity via environment variables (or CLI flags in direct runs):
- -
ENTERPRISE_LEGAL_GUARDRAILS_REVIEW_THRESHOLD (default: 5) - INLINECODE35� (
default: 9)
CLI overrides:
- - �INLINECODE37
- INLINECODE38
Legacy aliases are supported in legacy env names: ELG_* and BABYLON_GUARDRAILS_*.
Universal outbound adapter (no-native integration path)
For skills/tools without native guardrail hooks (for example: Gmail, custom website
publishing, custom message bots), run outbound operations through the wrapper:
CODEBLOCK3
Examples:
CODEBLOCK4
Use this wrapper to apply the same policy checks in non-Babylon outbound flows.
Compatibility
Legacy name legal-risk-checker is preserved in OpenClaw workspaces that still reference it.
References
See references/guardrail-policy-map.md for the full policy rule set and suggested rewrites.
Packaging
A distributable bundle is available at:
Hardening controls for guard_and_run.py
For non-native outbound integrations, treat guard_and_run as an execution
boundary. Recommended flags/env:
Execution safety is allowlist-first by default. Wrapper requires explicit
--allowed-command (or env alias) unless --allow-any-command is explicitly enabled.
- -
--allow-any-command / �INLINECODE49
- Explicitly bypass allowlist enforcement (unsafe; audit-first use only).
- -
--suppress-allow-any-warning / �INLINECODE51
- Suppresses the runtime safety warning when
--allow-any-command is intentionally enabled.
- -
--allow-any-command-reason / �INLINECODE54
- Mandatory rationale for any
allow-any bypass invocation. Suggested format:
SEC-1234: emergency fix.
- -
--allow-any-command-approval-token / �INLINECODE58
- Mandatory approval token for any
allow-any bypass invocation; stored as a short token fingerprint in audit logs.
- -
--allowed-command <exe...> / �INLINECODE61
- Allow-list executables (supports comma/space lists and wildcards).
- -
--strict / �INLINECODE63
- Escalate
REVIEW to hard block.
- - �INLINECODE65
- INLINECODE66� / �INLINECODE67
- INLINECODE68�,
--checker-timeout, �INLINECODE70 - INLINECODE71� / �INLINECODE72
These flags provide execution safety, command scoping, and immutable trail for
post-incident review without changing checker logic.
企业法律护栏
使用此技能在发布、发送消息或发布任何可能产生法律/合规风险的内容之前,对机器人输出进行预检。
功能说明
这是一个通用的
出站护栏检查器,由工作流在任何应用中执行发布/评论/消息/聊天/发送等操作前使用。
使用场景
- - 在 createpost、createcomment、send_message 或等效的发布操作之前
- 在涉及市场评论、策略声明或价格/确定性陈述之前
- 在涉及人力资源敏感或职场相关内容之前
- 在涉及反垃圾邮件或协调密集型通信之前
- 在处理或暴露个人标识符之前
工作流程
- 1. 起草文本
- 使用匹配的操作/配置文件运行检查器
- 如果结果为通过/关注,继续执行
- 如果为审核,重写或转交人工/法律审核
- 如果为阻止,不执行
将其作为任何发布内容的技能的共享 OpenClaw 出站安全层使用。
Babylon 仅是当前集成示例之一,并非该技能的主要用途。
快速使用
bash
python3 scripts/checkenterpriseguardrails.py \
--action post \
--app <应用名称> \
--policies social antispam hr \
--text 此处为草稿文本
bash
python3 scripts/checkenterpriseguardrails.py \
--action comment \
--scope include \
--apps whatsapp,telegram \
--text 此处为草稿文本
bash
python3 scripts/checkenterpriseguardrails.py \
--action market-analysis \
--text 市场评论... \
--json
应用范围(全局过滤)
范围适用于通过 --app 传递的任何应用上下文以及以下环境变量(为兼容性保留旧名称):
- - ENTERPRISELEGALGUARDRAILSOUTBOUNDSCOPE(all|include|exclude)
- ENTERPRISELEGALGUARDRAILSOUTBOUNDAPPS(逗号分隔列表)
- BABYLONGUARDRAILSSCOPE
- BABYLONGUARDRAILSOUTBOUNDSCOPE
- BABYLONGUARDRAILS_APPS
示例:
- - all:检查所有出站内容
- include + whatsapp,email:仅检查这些应用
- exclude + whatsapp,email,moltbook,babylon:除这些应用外的所有内容
如果省略范围,默认为 all。
配置文件
- - social:公共社交媒体文本、评论、公告
- antispam:未经请求/刷屏/协调性消息
- hr:职场、招聘、绩效或员工行为相关语言
- privacy:个人身份数据和隐私信息披露
- market:市场/金融声明和结果断言
- legal:法律结论/暗示性语言
如果未提供配置文件,默认值从 --action 派生:
- - post|comment|message → social,legal
- trade|market-analysis → market,financial
- generic → legal,social
输出结果
- - PASS:安全可执行
- WATCH:低风险;可选择重写
- REVIEW:建议人工/法律审核
- BLOCK:不执行
调优
您可以通过环境变量(或直接运行时的 CLI 标志)调整决策灵敏度:
- - ENTERPRISELEGALGUARDRAILSREVIEWTHRESHOLD(默认值:5)
- ENTERPRISELEGALGUARDRAILSBLOCKTHRESHOLD(默认值:9)
CLI 覆盖参数:
- - --review-threshold
- --block-threshold
旧环境名称支持遗留别名:ELG 和 BABYLONGUARDRAILS_。
通用出站适配器(无原生集成路径)
对于没有原生护栏钩子的技能/工具(例如:Gmail、自定义网站发布、自定义消息机器人),通过包装器运行出站操作:
bash
python3 /path/to/enterprise-legal-guardrails/scripts/guardandrun.py --app <应用名称> --action --text $草稿 -- <出站命令...>
示例:
bash
通过 gog 使用 Gmail
python3 /path/to/enterprise-legal-guardrails/scripts/guard
andrun.py --app gmail --action message --text 您好,... -- gog gmail send --to user@domain.com --subject 更新 --body 您好,...
网站/出版物发布流程
python3 /path/to/enterprise-legal-guardrails/scripts/guard
andrun.py --app website --action post --text $发布文案 -- npm run publish-post $发布文案
使用此包装器在非 Babylon 的出站流程中应用相同的策略检查。
兼容性
旧名称 legal-risk-checker 在仍引用它的 OpenClaw 工作空间中保留。
参考资料
完整策略规则集和建议重写内容请参见 references/guardrail-policy-map.md。
打包
可分发包位于:
- - dist/enterprise-legal-guardrails.skill
guardandrun.py 的加固控制
对于非原生出站集成,将 guardandrun 视为执行边界。推荐的标志/环境变量:
执行安全默认采用白名单优先。包装器需要显式指定 --allowed-command(或环境别名),除非显式启用 --allow-any-command。
- - --allow-any-command / ENTERPRISELEGALGUARDRAILSALLOWANY_COMMAND
- 显式绕过白名单强制执行(不安全;仅限审计优先使用)
- - --suppress-allow-any-warning / ENTERPRISELEGALGUARDRAILSSUPPRESSALLOWANYWARNING
- 当有意启用 --allow-any-command 时,抑制运行时安全警告
- - --allow-any-command-reason / ENTERPRISELEGALGUARDRAILSALLOWANYCOMMANDREASON
- 任何 allow-any 绕过调用的强制性理由。建议格式:SEC-1234: 紧急修复
- - --allow-any-command-approval-token / ENTERPRISELEGALGUARDRAILSALLOWANYCOMMANDAPPROVAL_TOKEN
- 任何 allow-any 绕过调用的强制性审批令牌;以短令牌指纹形式存储在审计日志中
- - --allowed-command <可执行文件...> / ENTERPRISELEGALGUARDRAILSALLOWEDCOMMANDS
- 白名单可执行文件(支持逗号/空格列表和通配符)
- - --strict / ENTERPRISELEGALGUARDRAILS_STRICT
- 将 REVIEW 升级为硬阻止
- - --sanitize-env
- --keep-env <变量...> / --keep-env-prefix <前缀...>
- --command-timeout、--checker-timeout、--max-text-bytes
- --audit-log <文件> / ENTERPRISELEGALGUARDRAILSAUDITLOG
这些标志提供执行安全性、命令范围限定和不可变的事后审查追踪,无需更改检查器逻辑。
