summary: "CLI reference for `openclaw policy` conformance checks"

enterprise conformance layer over existing OpenClaw settings. It does not add a

second configuration system. `policy.jsonc` defines authored requirements,

OpenClaw observes the active workspace as evidence, and policy health checks

report drift through `doctor --lint`. The final conformance signal is a clean

`doctor --lint` run; policy contributes findings to that shared lint surface

instead of creating a separate health gate.

Policy currently manages configured channels and governed tool declarations.

For example, IT or a workspace operator can record that Telegram is not an

approved channel provider, require governed tools to carry risk and sensitivity

metadata, then use `doctor --lint` as the shared conformance gate.

Use policy when a workspace needs a durable statement such as "these channels

must not be enabled" or "governed tools must declare approval metadata" and a

repeatable way to prove that OpenClaw still conforms to that statement. Use

regular config and workspace docs alone when you only need local behavior and

do not need policy findings or attestation output.

policy for channels and tool metadata looks like this:

"tools": {

"requireMetadata": ["risk", "sensitivity", "owner"],

},

and `TOOLS.md` declarations as evidence, then reports observed state that does

not conform.

Tool metadata requirements are authored in `policy.jsonc` with

`tools.requireMetadata`, for example `["risk", "sensitivity", "owner"]`.

Example JSON output:

{

"ok": true,

"attestation": {

"checkedAt": "2026-05-10T20:00:00.000Z",

"policy": {

"path": "policy.jsonc",

"hash": "sha256:..."

},

"workspace": {

"scope": "policy",

"hash": "sha256:..."

},

"findingsHash": "sha256:...",

"attestationHash": "sha256:..."

},

"evidence": {

"channels": [

{

"id": "telegram",

"provider": "telegram",

"source": "oc://openclaw.config/channels/telegram",

"enabled": false

}

],

"tools": [

{

"id": "deploy",

"source": "oc://TOOLS.md/tools/deploy",

"line": 12,

"risk": "critical",

"sensitivity": "restricted",

"capabilities": ["IRREVERSIBLE_EXTERNAL"]

}

]

},

"checksRun": 6,

"checksSkipped": 0,

"findings": []

}

The policy hash identifies the authored rule artifact. The evidence block

records the observed OpenClaw state used by the policy checks. The

`workspace.hash` value identifies that evidence payload for the checked scope.

The findings hash identifies the exact finding set returned by the check.

`checkedAt` records when the evaluation ran. The attestation hash identifies

the stable claim: policy hash, evidence hash, findings hash, and whether the

result was clean. It intentionally does not include `checkedAt`, so the same

policy state produces the same attestation across repeated checks. Together,

these form the audit tuple for this policy check.

`openclaw policy watch` runs the same check repeatedly and reports when the

current evidence no longer matches `expectedAttestationHash`:

openclaw policy watch --json

Use `--once` in CI or scripts that only need one drift evaluation. Without

`--once`, the command polls every two seconds by default; use `--interval-ms` to

choose a different interval.

| Check id | Finding |

| ---------------------------------------- | ------------------------------------------------------------------- |

| `policy/policy-jsonc-missing` | Policy is enabled but `policy.jsonc` is missing. |

| `policy/policy-jsonc-invalid` | Policy cannot be parsed or has malformed rules. |

| `policy/policy-hash-mismatch` | Policy does not match configured `expectedHash`. |

| `policy/attestation-hash-mismatch` | Current policy evidence no longer matches the accepted attestation. |

| `policy/channels-denied-provider` | An enabled channel matches a channel deny rule. |

| `policy/tools-missing-owner` | A governed tool declaration is missing owner metadata. |

| `policy/tools-missing-risk-level` | A governed tool declaration is missing risk metadata. |

| `policy/tools-missing-sensitivity-token` | A governed tool declaration is missing sensitivity metadata. |

| `policy/tools-unknown-risk-level` | A governed tool declaration uses an unknown risk value. |

| `policy/tools-unknown-sensitivity-token` | A governed tool declaration uses an unknown sensitivity value. |

Policy findings can include both `target` and `requirement`. `target` is the

observed workspace thing that does not conform. `requirement` is the authored

policy rule that made it a finding. Both values are addresses today, usually

`oc://` paths, but the field names describe their policy role rather than the

address format.

Example JSON finding:

{

"checkId": "policy/channels-denied-provider",

"severity": "error",

"message": "Channel 'telegram' uses denied provider 'telegram'.",

"source": "policy",

"path": "openclaw config",

"ocPath": "oc://openclaw.config/channels/telegram",

"target": "oc://openclaw.config/channels/telegram",

"requirement": "oc://policy.jsonc/channels/denyRules/#0",

"fixHint": "Telegram is not approved for this workspace."

}

Example tool finding:

{

"checkId": "policy/tools-missing-risk-level",

"severity": "error",

"message": "TOOLS.md tool 'deploy' has no explicit risk classification.",

"source": "policy",

"path": "TOOLS.md",

"line": 12,

"ocPath": "oc://TOOLS.md/tools/deploy",

"target": "oc://TOOLS.md/tools/deploy",

"requirement": "oc://policy.jsonc/tools/requireMetadata"

}

| Command | `0` | `1` | `2` |

| -------------- | ----------------------------------------- | ------------------------------------------------ | ---------------------------- |

| `policy check` | No findings at the threshold. | One or more findings met the threshold. | Argument or runtime failure. |

| `policy watch` | No findings and accepted hash is current. | Findings exist or accepted attestation is stale. | Argument or runtime failure. |

- [Doctor lint mode](/cli/doctor#lint-mode)

- [Path CLI](/cli/path)

- You want to search ClawHub or install skills from ClawHub, Git, or local directories

Inspect local skills, search ClawHub, install skills from ClawHub/Git/local directories, and update

ClawHub-tracked installs.

openclaw skills install git:owner/repo

openclaw skills install git:owner/repo@main

openclaw skills install ./path/to/skill --as custom-name

`search` and `update` use ClawHub directly. `install <slug>` installs a ClawHub

skill, `install git:owner/repo[@ref]` clones a Git skill, and `install ./path`

copies a local skill directory. By default, `install` and `update` target the

active workspace `skills/` directory; with `--global`, they target the shared

managed skills directory. `list`/`info`/`check` still inspect the local skills

visible to the current workspace and config. Workspace-backed commands resolve

the target workspace from `--agent <id>`, then the current working directory

when it is inside a configured agent workspace, then the default agent.

Git and local directory installs expect `SKILL.md` at the source root. The

install slug comes from `SKILL.md` frontmatter `name` when it is valid, then the

source directory or repository name; use `--as <slug>` to override it. `--version`

is ClawHub-only. Skill installs do not support npm package specs or zip/archive

paths, and `openclaw skills update` updates ClawHub-tracked installs only.

Gateway-backed skill dependency installs triggered from onboarding or Skills

settings use the separate `skills.install` request path instead.

- `install git:owner/repo[@ref]` installs a Git skill. Branch refs may contain

slashes, such as `git:owner/repo@feature/foo`.

- `install ./path/to/skill` installs a local directory whose root contains

`SKILL.md`.

- `install --as <slug>` overrides the inferred slug for Git and local directory

installs.

- `install --version <version>` applies only to ClawHub skill slugs.

| `group:plugins` | Tools owned by loaded plugins, including configured MCP servers exposed through `bundle-mcp` |

Configured MCP servers are exposed as plugin-owned tools under the `bundle-mcp` plugin id. Normal tool profiles can allow them, but `tools.sandbox.tools` is an additional gate for sandboxed sessions. If sandbox mode is `"all"` or `"non-main"`, include one of these entries in the sandbox tool allowlist when MCP/plugin tools should be visible:

- `bundle-mcp` for OpenClaw-managed MCP servers from `mcp.servers`

- the plugin id for a specific native plugin

- `group:plugins` for all loaded plugin-owned tools

- exact MCP server tool names or server globs such as `outlook__send_mail` or `outlook__*` when you only want one server

Server globs use the provider-safe MCP server prefix, not necessarily the raw `mcp.servers` key. Non-`[A-Za-z0-9_-]` characters become `-`, names that do not start with a letter get an `mcp-` prefix, and long or duplicate prefixes may be truncated or suffixed; for example, `mcp.servers["Outlook Graph"]` uses a glob like `outlook-graph__*`.

{

agents: { defaults: { sandbox: { mode: "all" } } },

mcp: {

servers: {

outlook: { command: "node", args: ["./outlook-mcp.js"] },

},

},

tools: {

sandbox: {

tools: {

alsoAllow: ["web_search", "web_fetch", "memory_search", "memory_get", "bundle-mcp"],

},

},

},

}

Without that sandbox-layer entry, the MCP server can still load successfully while its tools are filtered before the provider request. Use `openclaw doctor` to catch this shape for OpenClaw-managed servers in `mcp.servers`. MCP servers loaded from bundled plugin manifests or Claude `.mcp.json` use the same sandbox gate, but this diagnostic does not enumerate those sources yet; use the same allowlist entries if their tools disappear in sandboxed turns.

- `group:plugins`: all loaded plugin-owned tools, including configured MCP servers exposed through `bundle-mcp`

For sandboxed MCP servers, the sandbox tool policy is a second allow gate. If `mcp.servers` is configured but sandboxed turns only show built-in tools, add `bundle-mcp`, `group:plugins`, or a server-prefixed MCP tool name/glob such as `outlook__send_mail` or `outlook__*` to `tools.sandbox.tools.alsoAllow`, then restart/reload the gateway and recapture the tool list. Server globs use the provider-safe MCP server prefix: non-`[A-Za-z0-9_-]` characters become `-`, names that do not start with a letter get an `mcp-` prefix, and long or duplicate prefixes may be truncated or suffixed.

`openclaw doctor` currently checks this shape for OpenClaw-managed servers in `mcp.servers`. MCP servers loaded from bundled plugin manifests or Claude `.mcp.json` use the same sandbox gate, but this diagnostic does not enumerate those sources yet; use the same allowlist entries if their tools disappear in sandboxed turns.