
AEGIS Tool-Call Audit Signer v2.0.1

Ed25519-signed, SHA-256-chained tool-call audit log for OpenClaw multi-agent setups. Tamper-evident provenance chain.

openclaw-aegis-signer · runtime aegis-signer · by @msbel5
openclaw bundles install clawhub:openclaw-aegis-signer
Latest release: v2.0.1

Capabilities

Bundle format
clawpack
Runtime ID
aegis-signer

Compatibility

Built With Open Claw Version
2026.5.4
Plugin Api Range
>=2026.0.0
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match the implementation. The code registers an after_tool_call hook, hashes tool arguments and results with SHA-256, signs audit entries with an Ed25519 private key, and appends them to a JSONL audit log. Reading configured key files and an audit-log path is necessary for this purpose.
Instruction Scope
The instructions stay within the audit-signing purpose: generate a local keypair, configure local paths, restart the OpenClaw gateway, and run a local verifier. The code does not collect unrelated files, read unrelated environment variables, or send data to external endpoints. Minor functional note: redactArgs and redactResult are declared in the config schema, but the implementation always hashes args/results and does not appear to use those toggles.
Install Mechanism
There is no separate install spec, no dependency installation, and no download/extract behavior. However, this is not merely an instruction-only bundle in practice: it includes JavaScript plugin code that OpenClaw will run when enabled. That code footprint is coherent with the stated audit-log purpose and uses only built-in Node modules.
Credentials
No environment variables or external credentials are requested. The plugin uses configured private/public key paths and an audit-log path, which are proportionate for a signing/audit tool. The README's key-generation command uses HOME only to write local files under ~/.openclaw.
Persistence & Privilege
The manifest's always flag is false and the plugin is not enabled by default. It activates on startup when enabled and hooks every tool call, which is broad visibility but exactly matches its advertised purpose as an audit logger. It does not modify other skills' settings or system-wide agent policy.
Assessment
Install this only if you want a plugin that observes every OpenClaw tool call and writes a local tamper-evident log containing tool names, agent names, timestamps, and hashes of arguments/results. Protect the private key file carefully; if it is exposed, the audit chain can no longer be trusted. If supply-chain provenance matters to you, verify that the installed package matches the GitHub repository named in package.json/README.

Verification

Tier
structural
Scope
artifact only
Summary
Validated package structure and extracted metadata.
Scan status
clean

Tags

latest
2.0.1

AEGIS Tool-Call Audit Signer

Cryptographically-signed audit chain for OpenClaw multi-agent tool calls. Every tool invocation is signed with Ed25519 and chained via SHA-256. Inspector replays and verifies provenance during audit. The chain is append-only and tamper-evident: modifying any past entry invalidates every subsequent signature.

Pure Node: no Python, no native deps, no shell-out. Uses Node's built-in crypto module (Ed25519 signing native since Node 16).

Why this exists

Multi-agent systems suffer from "MISSION ACCOMPLISHED" fabrication: an agent claims a task is done without actually performing the tool calls. Without a verifiable record of which tools fired and what they returned, Inspector cannot distinguish a real success from a hallucinated one.

This plugin solves that:

  1. Hooks the after_tool_call event
  2. Computes SHA-256 digests of tool args and results (both redacted by default)
  3. Signs the entry body with the configured Ed25519 private key
  4. Appends a chain link where each entry's this_hash = sha256(prev_hash + body)
  5. Stores the signed entry as one JSON line in ~/.openclaw/audit-log.jsonl

Inspector's audit phase replays the chain, recomputes hashes, verifies each signature against the public key, and confirms continuity. Any tampered or missing entry breaks verification.

Install

Via OpenClaw plugins CLI:

openclaw plugins install clawhub:openclaw-aegis-signer

No --dangerously-force-unsafe-install flag required as of v2.0.0. The plugin contains zero shell-execution patterns.

One-time key generation

Generate a fresh Ed25519 keypair before enabling the plugin:

mkdir -p ~/.openclaw/aegis
node -e '
const c = require("crypto");
const fs = require("fs");
const { publicKey, privateKey } = c.generateKeyPairSync("ed25519");
fs.writeFileSync(
  process.env.HOME + "/.openclaw/aegis/private.key",
  privateKey.export({ format: "pem", type: "pkcs8" }),
);
fs.writeFileSync(
  process.env.HOME + "/.openclaw/aegis/public.key",
  publicKey.export({ format: "pem", type: "spki" }),
);
'
chmod 600 ~/.openclaw/aegis/private.key

The plugin also accepts the 32-byte raw seed format produced by PyNaCl, so existing keypairs from earlier (1.x) deployments still work.

Configure in OpenClaw

{
  "plugins": {
    "entries": {
      "aegis-signer": {
        "enabled": true,
        "config": {
          "privateKeyPath": "/home/USER/.openclaw/aegis/private.key",
          "publicKeyPath": "/home/USER/.openclaw/aegis/public.key",
          "auditLogPath": "/home/USER/.openclaw/audit-log.jsonl"
        }
      }
    }
  }
}

Restart the gateway: systemctl --user restart openclaw-gateway.

What gets logged

Each tool call appends one JSON line. Example shape:

{
  "agent": "captain",
  "args_hash": "sha256:7a8b...",
  "prev_hash": "sha256:9e8f...",
  "result_hash": "sha256:c1d2...",
  "seq": 4217,
  "tool": "thalamus_route",
  "ts": "2026-05-05T20:14:32.811Z",
  "this_hash": "sha256:a3b4...",
  "signature": "ed25519:6f7e8d9c..."
}

No raw arguments or results. Only their SHA-256 digests. This preserves privacy while still allowing replay verification by anyone with the input/output recorded separately (for example in Thalamus packets).

Verify the chain

Pure Node verifier ships with the plugin:

node node_modules/openclaw-aegis-signer/verify.js \
  ~/.openclaw/aegis/public.key \
  ~/.openclaw/audit-log.jsonl

Expected output: OK: <N> entries verified. If any entry was tampered with, verification fails at that index with a non-zero exit code.

Hooks

Event: after_tool_call
What this plugin does: compute args + result hashes, link to previous chain head, sign with Ed25519, append to chain

No other hooks. The plugin is purely passive after registration.

Performance

  • Sign + chain operation: ~0.4ms per tool call on a Pi 5 CPU
  • Audit log growth: ~250 bytes per entry, ~1MB per 4000 calls
  • No network I/O, no native deps, no Python
  • Chain verification: ~30ms per 1000 entries on a Pi 5

Security caveats

  • Private key in ~/.openclaw/aegis/private.key should be chmod 600. The plugin warns at startup if the mode is wider.
  • If the key is compromised, rotate by generating a new keypair and starting a new chain. The old chain remains verifiable; new entries use the new key.
  • This plugin is provenance, not a pre-execution firewall: it records what happened, it does not block. For pre-execution policy combine with OpenClaw's tool allowlist.

Changelog

2.0.0

  • Removed Python dependency. Signing and verification are now pure Node via node:crypto (Ed25519 native).
  • No more child_process. Plugin scans cleanly without --dangerously-force-unsafe-install.
  • Manifest no longer declares python3 runtime.
  • signer.py and verify.py removed. New verify.js ships in the package.
  • Backward compatible with existing chains and existing PyNaCl-format raw 32-byte keys.

License

MIT. Source code: https://github.com/msbel5/openclaw-aegis-signer