Compliance and policy enforcement for agent workspaces. Define security policies, audit compliance, check command restrictions, and generate audit-ready reports. Free alert layer — upgrade to openclaw-marshal-pro for active enforcement, blocking, and automated remediation.
Define security policies for your workspace and audit compliance. Check installed skills against command, network, and data handling rules. Generate audit-ready compliance reports.
Agent workspaces accumulate skills that execute commands, access the network, and handle data. Without a defined security policy, there is no way to know whether installed skills comply with your organization's requirements — or whether your workspace itself meets basic security hygiene standards.
This skill lets you define a policy once and audit everything against it.
Need active enforcement? Upgrade to openclaw-marshal-pro for hook-based blocking, auto-remediation, heartbeat integration, and compliance templates (GDPR, HIPAA, SOC2).
Create a default security policy file (.marshal-policy.json) with sensible defaults.
python3 {baseDir}/scripts/marshal.py policy --init --workspace /path/to/workspace
Display the current active policy.
python3 {baseDir}/scripts/marshal.py policy --show --workspace /path/to/workspace
Quick overview of loaded policy rules.
python3 {baseDir}/scripts/marshal.py policy --workspace /path/to/workspace
Audit all installed skills and workspace configuration against the active policy. Reports compliance score, violations, and recommendations.
python3 {baseDir}/scripts/marshal.py audit --workspace /path/to/workspace
Check a single skill against the policy. Reports pass/fail per rule.
python3 {baseDir}/scripts/marshal.py check openclaw-warden --workspace /path/to/workspace
Produce a formatted, copy-pastable compliance report suitable for audit documentation.
python3 {baseDir}/scripts/marshal.py report --workspace /path/to/workspace
One-line summary: policy loaded, compliance score, critical violations count.
python3 {baseDir}/scripts/marshal.py status --workspace /path/to/workspace
If --workspace is omitted, the script tries:
OPENCLAW_WORKSPACE environment variable~/.openclaw/workspace (default)| Category | Checks | Severity |
|---|---|---|
| Command Safety | Dangerous patterns (eval, exec, pipe-to-shell, rm -rf /) | CRITICAL |
| Command Policy | Blocked and review-required commands from policy | HIGH/MEDIUM |
| Network Policy | Domain allow/blocklists, suspicious TLD patterns | CRITICAL/HIGH |
| Data Handling | Secret scanner installed, PII scanner configured | HIGH/MEDIUM |
| Workspace Hygiene | .gitignore, audit trail (ledger), skill signing (signet) | HIGH/MEDIUM |
| Configuration | Debug modes, verbose logging left enabled | LOW |
The .marshal-policy.json file defines all rules:
*.tk)0 — Compliant, no issues1 — Review needed (medium/high findings)2 — Critical violations detectedPython standard library only. No pip install. No network calls. Everything runs locally.
Works with OpenClaw, Claude Code, Cursor, and any tool using the Agent Skills specification.