@petercha90/oasis
v1.3.9
Published
OASIS — OpenClaw Antidote for Suspicious Injection Signals
Downloads
70
Maintainers
Readme
How It Works
OASIS hooks into OpenClaw's before_tool_call pipeline at the Gateway level. Every tool call passes through a three-stage decision:
Agent requests tool call
│
▼
┌─────────────────┐
│ before_tool_call│ ◄── OASIS hook
└────────┬────────┘
│
Read tool? ─── Yes ──→ Pass through ✅
│
No
│
Pattern scan ──→ score 0.0 ~ 1.0
│
┌─────┴──────┐
= 1.0 > threshold ≤ threshold
│ │ │
🚨 Block ⚠️ Approval ✅ Auto-allow
(no override) (Slack buttons)Requirements
| Requirement | Minimum Version |
| ---------------- | --------------- |
| OpenClaw Gateway | >= 2026.3.28 |
| Node.js | >= 22.14 |
| Slack workspace | Required |
Installation
1. Install Plugin
openclaw plugins install @petercha90/oasis
openclaw gateway restart2. Create OASIS Slack App
A dedicated Slack app is required for OASIS to work. It handles approval buttons and user interactions.
Step 1: Create the App from Manifest
- Go to api.slack.com/apps → Create New App → From an app manifest
- Pick your workspace
- Paste the manifest below (YAML tab) and click Next → Create
display_information:
name: OASIS
description: OpenClaw Antidote for Suspicious Injection Signals
background_color: "#4A154B"
features:
bot_user:
display_name: OASIS
always_online: true
app_home:
home_tab_enabled: false
messages_tab_enabled: true
messages_tab_read_only_enabled: false
oauth_config:
scopes:
bot:
- chat:write
- reactions:read
- reactions:write
- channels:history
- channels:read
settings:
event_subscriptions:
bot_events:
- message.channels
- reaction_added
interactivity:
is_enabled: true
org_deploy_enabled: false
socket_mode_enabled: true
token_rotation_enabled: falseThe manifest pre-configures everything: bot scopes, event subscriptions, Socket Mode, interactivity, and the Messages tab. No manual clicking required.
Step 2: Generate App-Level Token
- Left sidebar → Basic Information → App-Level Tokens → Generate Token and Scopes
- Token Name:
oasis, Scope:connections:write→ Generate - Copy the
xapp-...token — this is your App Token
Step 3: Install to Workspace
- Left sidebar → Install App → Install to Workspace → Allow
- Copy the
xoxb-...Bot User OAuth Token — this is your Bot Token
3. Configure OASIS
Add both tokens to your OpenClaw plugin config. You can use direct strings or SecretRef:
Option A: Direct tokens
// ~/.openclaw/openclaw.json
{
"plugins": {
"entries": {
"oasis": {
"enabled": true,
"config": {
"threshold": 0.5,
"oasisBotToken": "xoxb-your-bot-token-here",
"oasisAppToken": "xapp-your-app-token-here"
}
}
}
},
"approvals": {
"plugin": {
"enabled": true
}
}
}Option B: SecretRef (recommended — keeps tokens in .env)
// ~/.openclaw/openclaw.json
{
"plugins": {
"entries": {
"oasis": {
"enabled": true,
"config": {
"threshold": 0.5,
"oasisBotToken": {
"source": "env",
"provider": "default",
"id": "OASIS_BOT_TOKEN"
},
"oasisAppToken": {
"source": "env",
"provider": "default",
"id": "OASIS_APP_TOKEN"
}
}
}
}
},
"approvals": {
"plugin": {
"enabled": true
}
}
}# ~/.openclaw/.env
OASIS_BOT_TOKEN=xoxb-your-bot-token
OASIS_APP_TOKEN=xapp-your-app-token4. Invite OASIS bot to channels
/invite @OASISRestart the gateway and OASIS will automatically connect:
openclaw gateway restartWhen a tool call requires approval, OASIS posts Allow / Deny / Allow Always buttons in Slack.
Allow Always
For repetitive commands like CronJobs or Slack Webhooks, you can skip repeated approvals by clicking 🔁 Allow Always. This permanently allows the exact tool + command/URL combination.
- Click 🔁 Allow Always on an approval request → the specific command is added to the allowlist
- Future identical calls are auto-approved without prompts
- The allowlist is persisted to disk and survives Gateway restarts
Managing the Allowlist
DM the OASIS bot with list to view, remove individual entries, or clear the entire allowlist:
Tool Classification
| Classification | Tools | Behavior |
| ----------------------- | -------------------------------------------------------------------------- | ---------------- |
| Read (free pass) | read, glob, grep, web_search, list, cat | No analysis |
| Execute (risk scan) | exec, bash, write, edit, web_fetch, file_delete, apply_patch | Pattern matching |
Customize via config:
{
"config": {
"customReadTools": ["my_safe_tool"],
"customExecuteTools": ["my_dangerous_tool"]
}
}Risk Scoring
All scoring is deterministic pattern matching. No LLM involved.
| ID | Detection | Score | Action |
| ---------------------- | ------------------------------------------------ | ------- | ------------ |
| BLOCK_DESTRUCTIVE | rm -rf /, fork bomb, mkfs, dd if=/dev/zero | 1.0 | 🚨 Blocked |
| BLOCK_PIPE_SHELL | curl \| bash, wget \| sh | 1.0 | 🚨 Blocked |
| PROMPT_INJECTION | ignore previous instructions, you are now | 0.9 | Ask approval |
| SECRET_ACCESS | $AWS_SECRET, $SLACK_WEBHOOK, process.env.TOKEN | 0.8 | Ask approval |
| SUSPICIOUS_DOMAIN | .xyz, .tk, .ml, .pw, .top | 0.8 | Ask approval |
| DATA_EXFILTRATION | curl -X POST, nc -e, reverse shell | 0.7 | Ask approval |
| ENV_DUMP | printenv, env \| grep, export -p, /proc/*/environ | 0.6 | Ask approval |
| SENSITIVE_FILE | .env, .ssh/id_rsa, .aws/credentials, /proc/*/environ | 0.6 | Ask approval |
| PRIVILEGE_ESCALATION | sudo, chmod 777, chown root | 0.5 | Ask approval |
| EXTERNAL_URL | Non-safe-domain HTTP access | 0.3 | Ask approval |
- Score 1.0 = always blocked, no approval possible
- Score > threshold = user approval required (Slack buttons)
- Score ≤ threshold = auto-allowed
- Multiple matches use
max()strategy
Configuration
| Option | Type | Default | Description |
| -------------------- | ---------- | -------- | --------------------------------------------------- |
| threshold | number | 0.5 | Risk threshold (0.0 strictest ~ 0.9 most lenient) |
| approvalTimeoutMs | number | 120000 | Approval timeout in ms (auto-deny on timeout) |
| safeDomains | string[] | [] | Additional safe domains (skip EXTERNAL_URL scoring) |
| customPatterns | object[] | [] | Custom detection patterns ({id, regex, score}) |
| customReadTools | string[] | [] | Additional read-only tools |
| customExecuteTools | string[] | [] | Additional execute tools |
| logLevel | string | "info" | debug, info, warn, error |
Built-in Safe Domains
github.com, npmjs.com, pypi.org, crates.io, api.anthropic.com, api.openai.com, docs.openclaw.ai, stackoverflow.com and more.
Uninstall
openclaw plugins uninstall oasis
openclaw gateway restartProject Structure
oasis/
├── src/
│ ├── index.ts # Plugin entry (definePluginEntry)
│ ├── scanner.ts # Risk scoring engine
│ ├── classifier.ts # Tool classification
│ ├── patterns.ts # Detection patterns
│ ├── config.ts # Config loading
│ ├── logger.ts # Structured logging
│ ├── types.ts # TypeScript types
│ ├── cli/
│ │ └── setup-wizard.ts # Plugin CLI commands
│ └── slack/
│ ├── approval-handler.ts # Dedicated OASIS Slack app (Socket Mode)
│ ├── approval-parser.ts # Parse approval messages
│ └── gateway-client.ts # Gateway WebSocket client
├── tests/ # 61 tests across 5 suites
├── openclaw.plugin.json # Plugin manifest
├── package.json
└── tsconfig.jsonWhy "OASIS"?
OpenClaw Antidote for Suspicious Injection Signals
Like an oasis in the desert, a safe zone amidst security threats. 🏝️
License
MIT — Peter Cha
