Agent Skills
› NeverSight/learn-skills.dev
› gov_openclaw_json
gov_openclaw_json
GitHub安全修改OpenClaw平台配置文件,含备份、验证与回滚。适用于策略调整或插件配置变更,需先输出PLAN并查阅文档,严格限制作用域,禁止触碰Brain Docs及工作区代码文件。
Trigger Scenarios
需要修改~/.openclaw/openclaw.json配置文件
涉及plugins.allow或runtimeGatePolicy的策略变更
需要安装、启用或禁用扩展插件
Install
npx skills add NeverSight/learn-skills.dev --skill gov_openclaw_json -g -y
SKILL.md
Frontmatter
{
"name": "gov_openclaw_json",
"metadata": {
"openclaw": {
"emoji": "🧱",
"requires": {
"bins": [
"openclaw"
]
}
}
},
"description": "Controlled OpenClaw platform config change with backup, validation, and rollback.",
"user-invocable": true
}
/gov_openclaw_json
Purpose
Handle OpenClaw platform control-plane changes safely.
Default target is ~/.openclaw/openclaw.json.
Common governance profile:
- Ensure
plugins.allowkeeps existing trusted ids and includesopenclaw-workspace-governance. - Manage governance runtime policy for unknown future commands:
plugins.entries[].config.runtimeGatePolicy.allowShellPrefixesplugins.entries[].config.runtimeGatePolicy.allowShellRegexplugins.entries[].config.runtimeGatePolicy.denyShellPrefixesplugins.entries[].config.runtimeGatePolicy.denyShellRegex
Allowed scope (hard)
~/.openclaw/openclaw.json~/.openclaw/extensions/only when plugin install/enable/disable/uninstall requires it
Not in scope (hard)
- Brain Docs (
USER.md,IDENTITY.md,TOOLS.md,SOUL.md,MEMORY.md,HEARTBEAT.md,memory/*.md) - Normal workspace coding/docs files under
<workspace-root> - If request is non-platform file change, re-route to normal Mode C lifecycle (
PLAN -> READ -> CHANGE -> QC -> PERSIST) - For conservative Brain Docs behavior hardening, route to
gov_brain_audit(single entry; preview by default, then approved apply if needed).
Required workflow (hard)
- Classify request as Mode C governance change.
- Output
PLAN GATEfirst (no writes before PLAN + READ). - Pre-modification config reference check (before any change):
a. Search local workspace for OpenClaw documentation:
- check
skills/directory for relevant OpenClaw skill docs or config references - check for any local
openclaw-docplugin docs, release notes, or official reference materials b. If local docs do not contain the needed config reference for the requested change: - read official docs:
https://docs.openclaw.ai/ - check official releases for version-sensitive info:
https://github.com/openclaw/openclaw/releases - check official repo for config structure reference:
https://github.com/openclaw/openclaw/c. If web fetch tool is not available (not configured or restricted in this OpenClaw instance), log the limitation and proceed with local-only verification + operator confirmation of intended config values. d. If verification cannot be completed (no local docs and no web fetch), report uncertainty and required next check; do not infer config structure or valid values. e. IncludeCONFIG_REF_SOURCEin output: which source was used (local docs / official web / operator-confirmed / unverified).
- check
- Read governance files + target platform file before changing.
- Create workspace-local backup first:
archive/_platform_backup_<ts>/...
- Confirm expected old value exists before patching.
- Apply minimal patch only to approved keys/sections.
- For
plugins.allowalignment:- if
plugins.allowis missing/non-array, create it as array - append
openclaw-workspace-governanceonly if missing - preserve existing ids and order; do not drop unrelated trusted ids
- if
- For
runtimeGatePolicyalignment:- keep existing rules unless operator explicitly removes them
- add only requested allow/deny prefixes/regex entries
- do not widen scope beyond operator intent
- For
- Validate result:
- preferred:
openclaw config check - fallback: read-back evidence of changed keys/sections
- preferred:
- If validation fails: rollback from backup and stop.
- Persist evidence:
- run report in
_runs/ - update
_control/WORKSPACE_INDEX.md - include before/after excerpts + backup path
Input contract
If request does not provide enough detail, ask for missing fields before any patch:
- target path/key path
- expected old value
- new value
- whether restart is allowed if required Exception:
- If operator intent is clearly "align plugin allowlist for governance setup/upgrade", use built-in profile above without forcing extra prompts.
- If operator intent is clearly "unblock a governance false block for official/new custom command", use built-in runtimeGatePolicy profile above without forcing extra prompts.
Output contract
Always report:
- workspace root
FILES_READ(exact paths)TARGET_FILES_TO_CHANGE(exact paths)CONFIG_REF_SOURCE(one of:local docs/official web/operator-confirmed/unverified)- target platform path
- backup path
- changed key paths
- validation result
- rollback result (if triggered)
NEXT STEP (Operator):- if PASS and change touched
plugins.allow:/gov_setup check(fallback:/skill gov_setup check) - if PASS and change touched
runtimeGatePolicy:openclaw gateway restart, then retry original command - if PASS and no allowlist change:
/gov_audit(fallback:/skill gov_audit) - if FAIL/BLOCKED: one unblock action + retry command
- if PASS and change touched
- Use branded output format (match
formatCommandOutputstyle):
- First line:
🐾 OpenClaw Governance · /gov_openclaw_json ─────────────────────────────────dividers between sections- Status line:
✅ STATUS/⚠️ STATUS/❌ STATUS(emoji prefix, then status value on next line) - Bullet items:
•prefix (not-) - Next step:
👉prefix on action text - Commands: indented with 2 spaces (no
COMMAND TO COPYlabel)
Fallback
- If slash command is unavailable or name-collided, use:
/skill gov_openclaw_json
Version History
- e0220ca Current 2026-07-05 23:04


