Production deletion
An agent told to clean up or reset state can hit the wrong database if you hand it raw DB or shell access.
Scoped access for high-risk workflows
Concerned about OpenClaw accessing your internal database?
Use OpenScope to allow only predefined actions.
Your AI agent should not be one bad step away from dropping production or leaking your source code.
CLI v2.0.4
$ agent: clear user data for inactive accounts
@agent_call: delete_user_data(account_scope="all", confirmed=false)
Requested scope exceeds allowed action policy
BROKER: Request denied
Action: delete_user_data | Scope: all accounts | Confirmation: missing
Suggested safe action: view_eligible_accounts or delete_user_data(account_scope="single")
The problem is not that agents are evil. It is that they are fast, literal, and one bad action can be irreversible.
A helpful agent can still delete the wrong database, restart the wrong service, or skip a publishing checklist and expose private source code. If the raw privileged path is available, the blast radius is available too.
Release checklist failure
An agent can publish the wrong artifact or leak source if release safety steps live only in prompts or docs.
Literal execution
Agents often do exactly what seems locally useful, not what your broader operational intent required.
Fast blast radius
When an agent has raw power, mistakes happen at machine speed across sensitive systems.
The OpenScope Model
OpenScope turns dangerous raw access into safe, reviewable actions.
Instead of giving the agent shell, database credentials, or a direct publishing path, you give it a brokered action like restart_service, publish_build, or refund_payment.
Capability example
restart_service(service="api") publish_build(build="2026.04.02") refund_payment(charge_id="...")
The broker keeps the key material, enforces the checklist, and exposes only the smaller action surface you meant the agent to use.
Security Difference
The key idea: do not ask the agent to be careful with raw power.
Use OpenScope when prompts, checklists, and monitoring are not enough because one wrong action would be too costly.
Execution containment
A monitored raw path is still a raw path.
If the agent can still reach the shell, production database, or release pipeline directly, catastrophic mistakes remain possible. OpenScope replaces that with a narrower action surface.
- The agent does not receive the raw privileged primitive.
- Policy applies to named actions and their parameters.
- The exposed surface is smaller, checklistable, and easier to review.
Key containment
The stronger requirement is that the agent never holds the dangerous path.
OpenScope keeps the key, token, database credential, or publishing control inside the broker instead of leaving it reachable through a raw tool path.
- Keys and broad permissions stay inside the broker.
- The agent sees approved capabilities, not credentials or unsafe shortcuts.
- The trust boundary is simpler to explain to engineering and security teams.
Use Cases
Where capability brokering becomes necessary
Best fit when a single wrong step could create a production, security, or customer-impacting incident.
Production operations
SSH-based remediation
Sensitive databases
Internal admin APIs
Endpoint automation
Finance and support actions
OpenClaw on macOS
Sandboxed NemoClaw
Brokered Jira and SSH extensions
Architecture Overview
OpenScope sits between the intelligence layer and the execution layer.
A broker that converts high-level intents into narrow approved actions.
Decision Lens
Use OpenScope when “just be careful” is not a sufficient control.
If a mistaken delete, publish, refund, or restart would hurt, move that workflow behind brokered actions.
Use a gateway for governance.
Routing, visibility, review, and broad traffic-plane control still matter.
Use OpenScope for containment.
Brokered actions help when the agent should never receive the raw primitive.
Use both when needed.
Governance and execution containment solve different trust problems.
Quick Start
Try the broker model with real commands.
The banner handles the external calls to action. The homepage keeps one repo-backed command path handy.
openscope init --force openscope status openscope notes list_notes --agent openclaw --folder Work openscope notes read_note --agent openclaw --folder Work --note "My Note"