Skip to content

kadubon/pic-openclaw-skill

Repository files navigation

PIC OpenClaw Skill

Review-first action checks for OpenClaw agents.

PIC OpenClaw Skill gives an OpenClaw agent a safety checklist before it sends email, runs shell, writes files, calls the network, stores memory, installs skills, or claims work is done. It helps the agent turn a proposed action into reviewable evidence, unresolved items, rollback notes, and a conservative allow/warn/defer/block decision.

What you can do with it:

  • install a manual OpenClaw skill that works without Python, uv, PIC, or network access
  • ask OpenClaw to treat proposed actions as candidate work before external effects happen
  • run an optional helper CLI that emits deterministic JSON decisions and Markdown feedback
  • optionally attach local PIC review data when you already have a trusted pic command

Generated agent output is a candidate, not verified work. PIC workflow_usable=true means useful for routing or review, not permission to execute.

This skill does not clone PIC automatically. This skill does not install PIC automatically. This skill does not execute OpenClaw actions. This skill does not run commands proposed by an agent. This skill does not prove correctness, real ASI, external-world truth, or action safety. This skill does not replace OpenClaw sandboxing, approvals, allowlists, or tool policy. PIC integration is optional and user-configured.

OpenClaw skills can affect local agent behavior. Review SKILL.md before use, and do not run install commands generated by an agent unless you have reviewed them.

What problem this solves

OpenClaw agents can draft shell commands, file writes, network requests, emails, memory writes, and skill installs faster than a human can verify them. This OpenClaw skill adds an autonomous agent guardrail: before an external-effect action is treated as work done, the agent records an agent action proposal, evidence, missing checks, rollback path, and risk level.

The goal is AI agent action checking, AI workflow verification, LLM output validation, and clear handling of unresolved work. It is not a generic multi-agent bridge and it is not an action executor.

Quick start: skill-only mode

Skill-only mode is the default path. It does not require PIC, Python, uv, a network call, or a clone of the PIC repository.

Recommended first path: use skill-only mode by copying skill/pic-residual-guard/ into your OpenClaw skills directory. Configure PIC-backed mode only after reviewing the skill and verifying your local PIC command.

Manual copy is the primary install path:

mkdir -p <workspace>/skills/pic-residual-guard
cp -R skill/pic-residual-guard/* <workspace>/skills/pic-residual-guard/

Use ~/.openclaw/skills/pic-residual-guard only when you want a shared managed skill visible across local agents. Then ask OpenClaw to use the PIC Residual Guard before external-effect actions. Skill-only mode needs only skill/pic-residual-guard/SKILL.md and the examples in that directory.

If your OpenClaw version supports Git-based skill installation, use the documented OpenClaw install flow for this repository. Git install syntax is version-dependent; this command is an example, not a guarantee:

openclaw skills install git:kadubon/pic-openclaw-skill@main

Optional: PIC-backed mode

The helper CLI is optional. Use it when you want deterministic JSON decisions and feedback markdown. The recommended helper environment uses uv, matching PIC's development workflow:

uv sync --all-extras --dev
uv run pic-openclaw-check \
  --input examples/bridge/openclaw_action_email.json \
  --output bridge-decision.json \
  --feedback pic-feedback.md

PIC-backed mode is optional and can use an existing pic command without cloning PIC:

uv run pic-openclaw-check \
  --input examples/bridge/openclaw_action_email.json \
  --pic-command "pic" \
  --profile development \
  --output bridge-decision.json \
  --feedback pic-feedback.md

--pic-command is trusted local operator configuration. Do not let OpenClaw or an LLM generate it, and do not pass shell pipelines. The implementation uses shlex.split with shell=False, but the command still selects a trusted local executable. Recommended values are pic and uv run pic.

For full practical PIC workflows, reproducibility, and repository fixtures, a local PIC source checkout is recommended but not required:

git clone https://github.com/kadubon/percolation-inversion-compiler.git
cd percolation-inversion-compiler
uv sync --all-extras --dev

Then run the helper from this repository:

uv run pic-openclaw-check \
  --input examples/bridge/openclaw_action_email.json \
  --mode advisory \
  --pic-repo ../percolation-inversion-compiler \
  --pic-command "uv run pic" \
  --profile development \
  --output bridge-decision.json \
  --feedback pic-feedback.md

The checker renders the OpenClaw proposal as candidate text and may run:

uv run pic agent check --compact --text-file <candidate-text> --profile development --no-allow-live-connectors --output <pic-report>

It does not execute the proposed OpenClaw action. Use --pic-entrypoint agent-intake only when you intentionally target a legacy PIC command contract.

What counts as an external-effect action

External-effect actions include shell command, file write, file delete, network request, email send, message send, calendar edit, package install, skill install, repository mutation, persistent memory write, credential or token handling, browser automation, payment, purchase, and irreversible transaction.

Action proposal format

Use OpenClawActionProposal for pre-action checks. It records the proposed tool, arguments as data, evidence refs, missing evidence, rollback plan, risk level, and whether human confirmation is required. See schemas/openclaw-action-proposal.schema.json.

Result claim format

Use OpenClawResultClaim when an agent claims work completed. The checker asks for evidence refs, log refs, rollback availability, and unresolved items. A completion claim without logs or evidence remains candidate work.

Memory write check

Use OpenClawMemoryWrite before persistent memory writes. Unsupported factual claims without evidence defer by default. Preference or plan memories can still warn or defer depending on persistence and risk.

Skill install check

Use OpenClawSkillInstall before installing an OpenClaw skill. Skill install safety requires clear source, requested permissions, install steps, and explicit review when shell, network, file writes, or credential access are involved.

Decision meanings

  • allow: low-risk action with adequate evidence and reversible effects.
  • warn: low or medium risk action with unresolved items that can be safely carried forward.
  • defer: missing evidence, missing rollback plan, missing user confirmation, or external-effect action that needs review.
  • block: credential exposure, unsafe shell, destructive file operation, unauthorized network action, skill install with unclear permissions, or any critical risk action without explicit user approval.

allowed_to_execute is false unless the bridge policy says the action can proceed. PIC accepted=true is review input, not permission to execute.

The helper has three modes:

  • observe: review observation only; allowed_to_execute=false.
  • advisory: default behavior; decisions do not bypass OpenClaw approvals.
  • enforce: stronger local bridge policy for credential, shell, destructive, critical, and missing-evidence hazards.

policy_allows_next_step is true only for allow/warn decisions outside observe mode. requires_user_authorization highlights cases that still need explicit user approval.

Security boundary

This repository is an OpenClaw agent safety helper. It does not clone PIC automatically, install PIC automatically, execute OpenClaw actions, run commands proposed by an agent, create PRs, create issues, mutate repositories, access credentials, or call cloud LLMs.

This skill is not a replacement for OpenClaw sandboxing, approvals, allowlists, or tool policy. Run openclaw security audit, keep exec on deny or ask where appropriate, keep filesystem tools workspace-only, and use skill allowlists for agents that should not see this skill.

Feedback output is sanitized to avoid local absolute paths and secrets. Generated agent output is a candidate, not verified work.

ClawHub submission bundle

The repository includes a minimal ClawHub-ready bundle at:

clawhub/pic-residual-guard/

Submit that directory, not the repository root.

The repository root remains Apache-2.0. The ClawHub bundle is MIT-0. The ClawHub bundle contains only the skill text, a small README, and a bundle-local license. It does not include the Python helper CLI, tests, schemas, or optional PIC-backed tooling.

ClawHub note

This repository is Apache-2.0 at the root and includes a separate MIT-0 ClawHub submission bundle. ClawHub publication remains a manual operator step and has not happened merely because the bundle exists. See docs/licensing.md and docs/clawhub-readiness.md.

Relationship to Percolation Inversion Compiler

PIC integration is optional and user-configured. PIC is used as review data for candidate text, missing checks, and unresolved work. This repository reads PIC machine fields such as accepted, operationally_usable, settled, missing_obligations, residual_summary, residual_ledger, agent_tasks, route_execution_requests, and provenance when a PIC command is configured. PIC tasks and route requests are review data only; they are not commands.

For PIC v0.5.0 and newer, this repository also preserves workflow_usable, unresolved_obligations, next_safe_actions, schema_refs, safety_invariants, checked output summaries, and planning review notes. These fields help an operator route review work. They do not grant OpenClaw shell, network, file, browser, repository, or message-send authority.

Plain-language rule: agent output is candidate work. A possible action path is not permission to act. Missing evidence remains an unresolved item. Trace logs describe what was observed, not external-world truth. Suggested next steps are review notes, not a task list to run. A useful local result is not reusable work until evidence, scope, authority, risk, maintenance, and final review checks pass.

See docs/theory-alignment.md for the plain-language mapping from the background theory files to OpenClaw skill behavior.

This skill does not claim that PIC proves real ASI, external-world truth, or action safety.

Search terms: OpenClaw skill, OpenClaw agent safety, AI agent action checking, AI workflow verification, autonomous agent guardrail, LLM output validation, unresolved work, missing evidence, agent action proposal, skill install safety, memory write review, PIC integration, Percolation Inversion Compiler.

Release status

Current release: v0.2.0.

This release is intended for manual OpenClaw skill installation, local testing, and ClawHub skill distribution. Skill-only mode is the recommended first path. PIC-backed mode is optional and requires trusted local operator configuration.

Examples

Examples live in examples/bridge/ and skill/pic-residual-guard/examples/.

uv run pic-openclaw-check \
  --input examples/bridge/openclaw_action_shell.json \
  --output bridge-decision.json \
  --feedback pic-feedback.md

Tests

uv sync --all-extras --dev
uv run ruff check .
uv run ruff format --check .
uv run mypy src scripts
uv run pytest
uv build

Tests do not require PIC, do not clone PIC, do not run OpenClaw, do not require network, and do not run shell commands from example action proposals.

License

Apache-2.0. See LICENSE.