ScopeBlind Passport — Signed Access Control for Your Agent
What This Skill Does
This skill wraps your OpenClaw agent's MCP tool calls through protect-mcp, adding:
- - Shadow mode — logs every tool call with a signed receipt (blocks nothing by default)
- Per-tool policies — block, rate-limit, or require approval for specific tools
- Signed receipts — Ed25519-signed, JCS-canonicalized proof of every decision
- Trust tiers — available for advanced configurations to gate tool access by verified track record
- Local daily digest — human-readable summary of what your agent did
Any platform can log what its agents do. Very few will let you verify those logs without trusting them.
When to Use This Skill
Use this skill when:
- - You want to know what your agent did while you weren't watching
- You need signed, tamper-proof proof of agent actions for compliance or auditing
- You want to block dangerous tools (deletedatabase, sendemailasceo, rm_rf)
- You want rate limits on expensive or risky operations
- You want a daily summary of your agent's activity
Do NOT Use This Skill When
- - You only want basic OpenClaw built-in allowlists (those work fine for simple cases)
- You don't need signed cryptographic proof (just want logs, not receipts)
Setup
Fast path (recommended)
If you already have an OpenClaw config, generate a passported wrapper pack first:
CODEBLOCK0
That writes:
- - �INLINECODE1
- INLINECODE2
- INLINECODE3
- INLINECODE4
- INLINECODE5
- INLINECODE6
Copy the mcpServers entries from wrapped-config.json into your OpenClaw config.
First Run (generates signing keys + default policy)
CODEBLOCK1
This creates:
- -
keys/gateway.json — Ed25519 signing keypair (in current directory) - INLINECODE10� — default shadow-mode policy (logs everything, blocks nothing)
Wrapping Your MCP Servers
For each MCP server your agent uses, wrap it through protect-mcp. In your OpenClaw MCP config:
Before:
�CODEBLOCK2
After:
�CODEBLOCK3
That's it. Every tool call now produces a signed receipt.
Applying a Policy Pack
To move from shadow mode to enforce mode, copy a policy template and add --enforce:
CODEBLOCK4
Then update your MCP config args to include --enforce:
�CODEBLOCK5
See the policies/ directory for pre-built templates.
Commands
When the user asks you to perform these actions, execute them:
"Show my passport" / "What's my agent identity?"
CODEBLOCK6
Display the output, which shows:
- - Total decisions (allow/deny/rate-limited)
- Time range of activity
- Top tools used
- Trust tiers seen
"What did you do today?" / "Show my daily report"
CODEBLOCK7
Display the local summary, which includes:
- - Actions taken (allowed, blocked, awaiting approval)
- Tools used and frequency
- Trust tier status
- Blocked tools with reasons
"Show my receipts" / "Prove what you did"
CODEBLOCK8
Shows the 20 most recent decisions with tool name, decision, and timestamp.
"Why was that blocked?"
When a tool call is blocked or rate-limited, explain:
- - Which policy rule triggered the block
- The agent's current trust tier
- What tier would be needed to use that tool
- How to request an approval or policy change
Approval Flow
When protect-mcp blocks a high-risk action that has require_approval: true in the policy, it returns:
CODEBLOCK9
When you receive this response:
- 1. Tell the user: "I need your approval to use [tool_name]. Should I proceed?"
- Wait for the user to respond with approval.
- When the user approves, grant the approval by running:
CODEBLOCK10
Replace REQUEST_ID, TOOL_NAME, and NONCE with the values from the REQUIRES_APPROVAL response.
- 4. After granting approval, retry the original tool call. It will now succeed.
When the user denies: Tell them the action was blocked and explain what was prevented.
Check current approvals:
CODEBLOCK11
Policy Packs
Pre-built policies are available in the policies/ directory:
| Pack | What it does |
|---|
| INLINECODE19 | Log everything, block nothing (default) |
| INLINECODE20 |
Rate-limit browsing, require approval for forms, block JS |
|
email-safe.json | Read freely, require approval to send, block delete |
|
strict.json | Block everything except reads (read-only mode) |
Verification
Every receipt is independently verifiable. The MIT-licensed verifier requires zero trust in ScopeBlind.
Quick test (no receipts needed)
CODEBLOCK12
Getting receipts to verify
Receipts are available from the local HTTP status server while protect-mcp is running:
CODEBLOCK13
If the local status server is unavailable, use the persisted receipt file:
CODEBLOCK14
Verifying a receipt
CODEBLOCK15
The verifier checks Ed25519 signatures against public keys. No API calls, no accounts, no ScopeBlind servers involved.
Links
ScopeBlind Passport — 为你的智能体提供签名访问控制
该技能的功能
该技能通过 protect-mcp 包装你的 OpenClaw 智能体的 MCP 工具调用,增加了:
- - 影子模式 — 记录每次工具调用并生成签名收据(默认不拦截任何操作)
- 按工具策略 — 对特定工具进行拦截、限速或要求审批
- 签名收据 — 每次决策的 Ed25519 签名、JCS 规范化的证明
- 信任等级 — 可用于高级配置,根据已验证的记录对工具访问进行分级控制
- 本地每日摘要 — 智能体活动的人类可读摘要
任何平台都可以记录其智能体的行为。但很少有平台能让你在不信任它们的情况下验证这些日志。
何时使用该技能
在以下情况下使用该技能:
- - 你想知道智能体在你不在场时做了什么
- 你需要智能体行为的签名、防篡改证明以满足合规或审计要求
- 你想拦截危险工具(如 deletedatabase、sendemailasceo、rm_rf)
- 你想对昂贵或高风险操作设置速率限制
- 你想要智能体活动的每日摘要
不要使用该技能的情况
- - 你只需要 OpenClaw 内置的基本白名单(简单场景下已足够)
- 你不需要签名的加密证明(只需要日志,不需要收据)
设置
快速路径(推荐)
如果你已有 OpenClaw 配置,首先生成带护照的包装包:
bash
npx @scopeblind/passport wrap --runtime openclaw --config ./openclaw.json --policy email-safe
这将生成:
- - wrapped-config.json
- manifest.json
- passport.bundle.json
- protect-mcp.json
- keys/gateway.json
- VERIFY.md
将 wrapped-config.json 中的 mcpServers 条目复制到你的 OpenClaw 配置中。
首次运行(生成签名密钥 + 默认策略)
bash
npx protect-mcp init
这将创建:
- - keys/gateway.json — Ed25519 签名密钥对(在当前目录)
- protect-mcp.json — 默认影子模式策略(记录所有内容,不拦截任何操作)
包装你的 MCP 服务器
对于智能体使用的每个 MCP 服务器,通过 protect-mcp 进行包装。在你的 OpenClaw MCP 配置中:
之前:
json
{
mcpServers: {
filesystem: {
command: node,
args: [filesystem-server.js]
}
}
}
之后:
json
{
mcpServers: {
filesystem: {
command: npx,
args: [protect-mcp, --policy, protect-mcp.json, --, node, filesystem-server.js]
}
}
}
就这样。每次工具调用现在都会生成签名收据。
应用策略包
要从影子模式切换到强制模式,复制策略模板并添加 --enforce:
bash
复制策略模板
cp policies/email-safe.json protect-mcp.json
然后更新你的 MCP 配置参数,包含 --enforce:
json
args: [protect-mcp, --policy, protect-mcp.json, --enforce, --, node, server.js]
预构建的模板请参见 policies/ 目录。
命令
当用户要求你执行这些操作时,请执行:
显示我的护照 / 我的智能体身份是什么?
bash
npx protect-mcp status
显示输出,内容包括:
- - 总决策数(允许/拒绝/限速)
- 活动时间范围
- 最常使用的工具
- 已见的信任等级
你今天做了什么? / 显示我的每日报告
bash
npx protect-mcp digest --today
显示本地摘要,内容包括:
- - 已执行的操作(允许、拦截、等待审批)
- 使用的工具及频率
- 信任等级状态
- 被拦截的工具及原因
显示我的收据 / 证明你做了什么
bash
npx protect-mcp receipts --last 20
显示最近 20 条决策,包括工具名称、决策和时间戳。
为什么被拦截了?
当工具调用被拦截或限速时,解释:
- - 触发了哪条策略规则
- 智能体当前的信任等级
- 使用该工具需要什么等级
- 如何请求审批或策略变更
审批流程
当 protect-mcp 拦截了策略中设置了 require_approval: true 的高风险操作时,它会返回:
需要审批:工具 send_email 需要人工审批才能执行。
请告知用户你需要他们的审批才能使用 send_email,并在获得审批后重试。
在用户明确批准之前,不要重试此工具调用。
当你收到此响应时:
- 1. 告诉用户:我需要你的审批才能使用 [工具名称]。是否继续?
- 等待用户回复批准。
- 当用户批准后,通过运行以下命令授予审批:
bash
一次性审批(仅限于此特定请求):
curl -s -X POST http://127.0.0.1:9876/approve -H Content-Type: application/json -d {request_id:请求ID,tool:工具名称,mode:once,nonce:随机数}
始终允许此工具(会话范围,24小时有效期):
curl -s -X POST http://127.0.0.1:9876/approve -H Content-Type: application/json -d {tool:工具名称,mode:always,nonce:随机数}
将 请求ID、工具名称 和 随机数 替换为需要审批响应中的值。
- 4. 授予审批后,重试原始工具调用。现在它将成功执行。
当用户拒绝时: 告知用户该操作已被拦截,并解释阻止了什么。
查看当前审批:
bash
curl -s http://127.0.0.1:9876/approvals
策略包
预构建的策略位于 policies/ 目录中:
| 包 | 功能 |
|---|
| shadow.json | 记录所有内容,不拦截任何操作(默认) |
| web-browsing-safe.json |
限制浏览速度,表单需要审批,拦截 JS |
| email-safe.json | 自由读取,发送需要审批,拦截删除 |
| strict.json | 除读取外拦截所有操作(只读模式) |
验证
每张收据均可独立验证。MIT 许可的验证器无需信任 ScopeBlind。
快速测试(无需收据)
bash
npx @veritasacta/verify --self-test
获取要验证的收据
当 protect-mcp 运行时,可从本地 HTTP 状态服务器获取收据:
bash
获取最新收据
curl -s http://127.0.0.1:9876/receipts/latest | jq -r .receipt > receipt.json
获取所有最近收据
curl -s http://127.0.0.1:9876/receipts | jq -r .receipts[0].receipt > receipt.json
如果本地状态服务器不可用,请使用持久化的收据文件:
bash
tail -n 1 .protect-mcp-receipts.jsonl > receipt.json
验证收据
bash
从状态中获取公钥(显示在护照身份下)
npx protect-mcp status
使用公钥验证
npx @veritasacta/verify receipt.json --key <公钥十六进制>
验证器检查 Ed25519 签名与公钥的匹配。无需 API 调用、无需账户、无需 ScopeBlind 服务器。
链接
