npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

openclaw-lease-broker

v0.1.0

Published

OpenClaw-native privileged execution broker plugin with a root-owned broker daemon.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

moltpodmoltpod

Keywords

openclawpluginsudoleaseapprovalsecuritybroker

Readme

OpenClaw Lease Broker

Want to let a normally non-sudoer OpenClaw occasionally run a sudo command with explicit human approval? This repo attempts to solve that problem.

OpenClaw stays unprivileged by default. When it genuinely needs to do something privileged, like restart a service or add a vhost, it asks for approval. A human reviews what is being requested in plain English, approves or denies it, and if approved the system runs exactly that command once.

The agent cannot approve itself. The agent cannot widen the command. One approval, one execution, then it is gone.

How It Works

flowchart TD
    A[Agent asks to run a sudo command] --> B[Plugin intercepts and blocks it]
    B --> C[Broker records an exact pending request]
    C --> D[Human receives a review message]
    D --> E{Approve or deny}
    E -- Deny --> F[Request stays blocked]
    E -- Approve --> G[Broker stores one exact single-use approval]
    G --> H[Agent retries the same command]
    H --> I[Broker validates, consumes approval, and executes as root]
    I --> J[stdout, stderr, and exit code flow back normally]

What You Get

  • Exact-command privileged execution with explicit human approval
  • One-time approvals with expiry and audit trail
  • Plain-English operator review instead of raw shell alone
  • A root-owned broker as the only privileged execution authority
  • A standard review service for human-facing approval UX

Review UX

The current MVP uses a separate reviewd service to ask the human for approval. reviewd sends:

  • the exact command
  • a plain-English summary of what it does
  • expected effect
  • likely risk
  • a short “safe or surprising” note

Humans can reply conversationally, for example do it or no. reviewd interprets that reply and sends a structured decision to the broker.

The current shipped review transport is Mattermost DM. Twilio WhatsApp / SMS is the next planned transport and is not part of the MVP yet.

Install

This is a two-step install:

  1. Install the normal OpenClaw plugin package.
  2. Run the one-time host bootstrap as root:
sudo bin/openclaw-lease-broker-install-host

The host bootstrap installs the root broker, the review service, the CLI, sockets, and root-owned state. If only the plugin is installed, privileged requests fail closed with a clear “broker unavailable; host bootstrap required” message.

Trust Model

  • OpenClaw may request privileged work.
  • OpenClaw may not approve privileged work.
  • Only the broker executes as root.
  • Review transport secrets stay out of the OpenClaw runtime.

MVP

  • OpenClaw plugin client
  • Root broker daemon
  • reviewd review service
  • Mattermost DM approval flow
  • Manual CLI approve / deny / revoke fallback
  • Exact single-use approvals with finite TTL

Next

  • Twilio WhatsApp review transport
  • Twilio SMS review transport
  • Richer explanation and routing

Spec

Full architecture, threat model, protocol, state model, and rollout plan live in SPEC.md.