SSH Guard
Help the user install and enable the ssh-guard plugin from this repository.
Channel Compatibility
| Channel | Status |
|---|---|
| Telegram | ✅ Supported |
| Feishu | ✅ Supported |
| Mattermost | ✅ Supported |
| Weixin | ❌ Not Supported |
| Others | 🔍 Unverified |
Workflow
- Confirm the target OpenClaw environment and config file location.
- Ask which approval language the user wants:
- Chinese:
index.zh-CN.ts - English:
index.en.ts
- Chinese:
- Default to English if the user does not specify a language.
- Ensure the plugin directory is reachable from
plugins.load.paths. - Ensure
plugins.entries["ssh-guard"].enabledistrue. - Check the current top-level
session.dmScopevalue first. - If it is already
per-channel-peerorper-account-channel-peer, keep it and skip the selection step. - Otherwise, tell the user
session.dmScope: "main"is not supported for this plugin in DM flows. - Ask the user to choose one of these top-level
session.dmScopevalues:per-channel-peerper-account-channel-peer
- Explain the two choices as OpenClaw session-routing behavior first:
per-channel-peer: DM session key isagent:<agentId>:<channel>:direct:<peerId>, so the same person gets a different DM session in each channelper-account-channel-peer: DM session key isagent:<agentId>:<channel>:<accountId>:direct:<peerId>, so DM sessions are separated by channel, receiving account, and person
- Then explain the plugin recommendation separately:
- default to
per-channel-peer - use
per-account-channel-peerwhen one channel has multiple accounts and they should not share DM session state
- If the user has no preference, default to
per-channel-peer. - Explain whether the user should:
- point OpenClaw directly at this repository directory, or
- copy/symlink the files into an existing extensions directory
- Remind the user to restart or reload OpenClaw after changing plugin config.
Language Selection
Use these entry files:
index.zh-CN.ts: Chinese approval prompts and approval keywordsindex.en.ts: English approval prompts and approval keywordsindex.ts: default entry and currently points toindex.en.ts
If the user wants Chinese prompts, either:
- change the plugin entry to load
index.zh-CN.ts, or - change
index.tsto exportindex.zh-CN.ts
If the user wants English prompts, keep the current default or point the entry to index.en.ts.
Installation Rules
- Prefer using this repository as the single source of truth for the plugin.
- Do not describe the plugin as a generic policy skill first; it is primarily a publishable OpenClaw plugin repository.
- When updating
openclaw.json, make minimal changes:- add top-level
session.dmScopeif missing - add the plugin directory to
plugins.load.pathsif missing - add
ssh-guardtoplugins.entriesif missing - set
enabledtotrueunless the user explicitly wants it disabled
- add top-level
- Use absolute paths in config examples.
- Preserve existing plugin entries and load paths.
- Do not offer
mainas a valid choice for this plugin's DM setup flow. - Present
per-channel-peerandper-account-channel-peeras the recommended DM setup choices for this plugin. - If
session.dmScopeis alreadyper-channel-peerorper-account-channel-peer, do not ask the user to change it. - Explain that group sessions are unaffected because OpenClaw already routes groups as
agent:<agentId>:<channel>:group:<groupId>.
Default Config Shape
Show config updates in this form:
"session": {
"dmScope": "per-channel-peer"
},
"plugins": {
"load": {
"paths": [
"/absolute/path/to/ssh-guard"
]
},
"entries": {
"ssh-guard": {
"enabled": true
}
}
}
Repo Positioning
When the user asks what this repository is for, explain:
- this repository is mainly for publishing and reusing the
ssh-guardplugin - the plugin blocks commands whose command text contains
sshuntil the user explicitly approves them - the repository also includes language-specific entry files so deployments can choose Chinese or English approval prompts
- the plugin requires isolated top-level
session.dmScopefor DM use, and should not be installed withsession.dmScope: "main"
Notes
- Prefer direct, actionable installation guidance over re-explaining the internal approval state machine.
- If the user asks to install the plugin into another repo, update that repo’s config to reference this repository cleanly.
- If language preference is unknown and no surrounding context suggests otherwise, choose English by default and mention that Chinese is available.
📦 Repository: https://github.com/yanbo92/ssh-guard