by 运行时依赖
安装命令
点击复制技能文档
AEGIS 工具-Call 审计 签名er
Cryptographically-签名ed 审计 chAIn for OpenClaw multi-代理 工具 calls. When CaptAIn spawns 构建器, 检查器 reviews — every 工具 invocation in between is 签名ed with Ed25519 and chAIned via SHA-256. 检查器 can replay and 验证 provenance at any point. The chAIn is 应用end-only and tamper-evident: modifying any past entry in验证s every subsequent 签名ature.
Why this exists
Multi-代理 系统s suffer from "MISSION ACCOMPLISHED" fabrication: an 代理 clAIms a task is done without actually performing the 工具 calls. Without a verifiable record of which 工具s fired and what they returned, 检查器 cannot distin图形界面sh a real 成功 from a hallucinated one.
AEGIS solves this by:
Hooking into the OpenClaw after_工具_call event Capturing 工具 name, args (redacted), 结果 哈希, timestamp, 代理 ID 签名ing the entry with the private Ed25519 key 应用ending it to a chAIn where each entry's 哈希 includes the previous Storing the 签名ed entry in ~/.OpenClaw/审计-记录.jsonl
检查器's 审计 phase replays the chAIn, verifies each 签名ature agAInst the public key, recomputes 哈希es, and confirms continuity. Any tampered or missing entry breaks verification.
安装 npm 安装 -g @msbel/OpenClaw-aegis-签名er mkdir -p ~/.OpenClaw/aegis cd ~/.OpenClaw/aegis # 生成 keypAIr (one-time) python3 -c " from nacl.签名ing 导入 签名ingKey sk = 签名ingKey.生成() open('private.key', 'wb').write(sk.encode()) open('public.key', 'wb').write(sk.验证_key.encode()) print('keys 生成d, chmod private.key 0600') " chmod 600 private.key
添加 to OpenClaw config
应用end to ~/.OpenClaw/OpenClaw.json:
{ "插件s": { "entries": { "@msbel/OpenClaw-aegis-签名er": { "enabled": true, "config": { "签名erPython": "python3", "签名erScript": "/home/USER/.OpenClaw/aegis/签名er.py", "privateKeyPath": "/home/USER/.OpenClaw/aegis/private.key", "publicKeyPath": "/home/USER/.OpenClaw/aegis/public.key", "审计记录Path": "/home/USER/.OpenClaw/审计-记录.jsonl" } } } } }
Re启动 gateway: 系统ctl --user re启动 OpenClaw-gateway.
What 获取s 记录ged
Each 工具 call 应用ends one JSON line to 审计-记录.jsonl:
{ "seq": 4217, "ts": "2026-05-05T20:14:32.811Z", "代理": "captAIn", "工具": "thalamus_路由", "args_哈希": "sha256:7a8b...", "结果_哈希": "sha256:c1d2...", "prev_哈希": "sha256:9e8f...", "this_哈希": "sha256:a3b4...", "签名ature": "ed25519:6f7e8d9c..." }
Notice no raw arguments or 结果s — only their SHA-256 digests. This preserves 隐私 while still allowing replay verification by anyone with the 输入/输出 recorded separately (e.g., in Thalamus packets).
验证 the chAIn python3 -c " 导入 json, 哈希lib from nacl.签名ing 导入 验证Key vk = 验证Key(open('/home/USER/.OpenClaw/aegis/public.key', 'rb').read()) prev = b'' for line in open('/home/USER/.OpenClaw/审计-记录.jsonl'): e = json.loads(line) body = json.dumps({k: v for k, v in e.items() if k not in ('签名ature', 'this_哈希')}, 排序_keys=True).encode() expected_哈希 = 哈希lib.sha256(prev + body).hexdigest() assert e['this_哈希'].split(':')[1] == expected_哈希, f'哈希 mismatch at seq={e[\"seq\"]}' sig = bytes.fromhex(e['签名ature'].split(':')[1]) vk.验证(body, sig) prev = expected_哈希.encode() print(f'OK: {e[\"seq\"]+1} entries verified') "
If any entry was tampered with, verification fAIls at that point.
Hooks Event What AEGIS does after_工具_call Compute args+结果 哈希es, 签名, 应用end to chAIn
No other hooks. The 插件 is purely passive after registration.
检查器 integration
检查器's 审计 phase reads 审计-记录.jsonl, verifies the chAIn, then cross-references entries agAInst CaptAIn's clAImed actions in the spawn 报告. Discrepancies (clAImed but no 签名ed entry) indicate fabrication.
Performance 签名+chAIn operation: ~1ms per 工具 call 审计 记录 growth: ~250 bytes per entry, ~1MB per 4000 calls No network I/O (all local) ChAIn verification: ~50ms per 1000 entries on Pi 5 Security caveats Private key in ~/.OpenClaw/aegis/private.key must be chmod 600 If key is compromised, rotate by generating new keypAIr and 启动ing a new chAIn (the old chAIn remAIns verifiable but new entries use new key) This is provenance, not pre-execution firewall: AEGIS records what h应用ened, doesn't block. For pre-execution policy, combine with OpenClaw's 工具 allow列出 and the original AEGIS paper's full firewall License
MIT. Source code: https://github.com/msbel5/OpenClaw-aegis-签名er
Based on AEGIS: No 工具 Call Left Un检查ed, arXiv 2603.12621.