Enterprise Legal Guardrails

Use this skill to preflight bot output before posting, messaging, or publishing anything that could create legal/compliance risk.

What it is

A generic outbound guardrail checker used by workflows before execute actions such as post/comment/message/chat/send in any app.

When to use

• Before create_post, create_comment, send_message, or equivalent publish actions.
• Before market-related commentary, strategy claims, or price/certainty statements.
• Before HR-sensitive or workplace-adjacent messaging.
• Before anti-spam or coordination-heavy communications.
• Before handling or exposing personal identifiers.

Workflow

1. Draft text.
2. Run the checker with the matching action/profile.
3. If result is PASS/WATCH, proceed.
4. If REVIEW, rewrite or route for human/legal review.
5. If BLOCK, do not execute.

Use it as a shared OpenClaw outbound safety layer for any skill that publishes content. Babylon is only one current integration example, not the primary purpose of the skill.

Quick usage

python3 scripts/check_enterprise_guardrails.py \
  --action post \
  --app <app_name> \
  --policies social antispam hr \
  --text "Draft text here"

python3 scripts/check_enterprise_guardrails.py \
  --action comment \
  --scope include \
  --apps whatsapp,telegram \
  --text "Draft text here"

python3 scripts/check_enterprise_guardrails.py \
  --action market-analysis \
  --text "Market commentary..." \
  --json

App scope (global filtering)

Scope applies to any app-context passed with --app and these env vars (legacy names preserved for compatibility):

• ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_SCOPE (all|include|exclude)
• ENTERPRISE_LEGAL_GUARDRAILS_OUTBOUND_APPS (comma-separated list)
• BABYLON_GUARDRAILS_SCOPE
• BABYLON_GUARDRAILS_OUTBOUND_SCOPE
• BABYLON_GUARDRAILS_APPS

Examples:

• all: check all outbound content.
• include + whatsapp,email: only check those apps.
• exclude + whatsapp,email,moltbook,babylon: everything except these apps.

If scope is omitted, default is all.

Profiles

• social: public social text, comments, announcements.
• antispam: unsolicited/pumping/coordinating messaging.
• hr: workplace, hiring, performance, or employee conduct language.
• privacy: personally identifying data and private information disclosures.
• market: market/financial claims and outcome assertions.
• legal: legal conclusions/implication language.

If no profile is provided, defaults are derived from --action:

• post|comment|message → social,legal
• trade|market-analysis → market,financial
• generic → legal,social

Output

• PASS: safe to execute
• WATCH: low risk; optional rewrite
• REVIEW: human/legal review recommended
• BLOCK: do not execute

Tuning

You can tune decision sensitivity via environment variables (or CLI flags in direct runs):

• ENTERPRISE_LEGAL_GUARDRAILS_REVIEW_THRESHOLD (default: 5)
• ENTERPRISE_LEGAL_GUARDRAILS_BLOCK_THRESHOLD (default: 9)

CLI overrides:

• --review-threshold
• --block-threshold

Legacy aliases are supported in legacy env names: ELG_* and BABYLON_GUARDRAILS_*.

Universal outbound adapter (no-native integration path)

For skills/tools without native guardrail hooks (for example: Gmail, custom website publishing, custom message bots), run outbound operations through the wrapper:

python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py   --app <app_name>   --action <post|comment|message|trade|market-analysis|generic> --execute --text "$DRAFT"   -- <outbound command...>

Examples:

# Gmail via gog
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py   --app gmail --action message --execute --text "Hello, ..."   -- gog gmail send --to user@domain.com --subject "Update" --body "Hello, ..."

# Website/publication publish flow
python3 /path/to/enterprise-legal-guardrails/scripts/guard_and_run.py   --app website --action post --execute --text "$POST_COPY"   -- npm run publish-post "$POST_COPY"

Use this wrapper to apply the same policy checks in non-Babylon outbound flows.

Compatibility

Legacy name legal-risk-checker is preserved in OpenClaw workspaces that still reference it.

References

See references/guardrail-policy-map.md for the full policy rule set and suggested rewrites.

Packaging

A distributable bundle is available at:

• dist/enterprise-legal-guardrails.skill

Hardening controls for guard_and_run.py

For non-native outbound integrations, treat guard_and_run as an execution boundary. Recommended flags/env:

Execution safety is allowlist-first by default. Wrapper requires explicit --allowed-command (or env alias) unless --allow-any-command is explicitly enabled.

• --allow-any-command / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND
  • Explicitly bypass allowlist enforcement (unsafe; audit-first use only).
• --suppress-allow-any-warning / ENTERPRISE_LEGAL_GUARDRAILS_SUPPRESS_ALLOW_ANY_WARNING
  • Suppresses the runtime safety warning when --allow-any-command is intentionally enabled.
• --allow-any-command-reason / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_REASON
  • Mandatory rationale for any allow-any bypass invocation. Suggested format: SEC-1234: emergency fix.
• --allow-any-command-approval-token / ENTERPRISE_LEGAL_GUARDRAILS_ALLOW_ANY_COMMAND_APPROVAL_TOKEN
  • Mandatory approval token for any allow-any bypass invocation; stored as a short token fingerprint in audit logs.
• --allowed-command <exe...> / ENTERPRISE_LEGAL_GUARDRAILS_ALLOWED_COMMANDS
  • Allow-list executables (supports comma/space lists and wildcards).
• --execute / ENTERPRISE_LEGAL_GUARDRAILS_EXECUTE
  • Enables execution after guard checks. Without this flag, runs are validation-only.
• --strict / ENTERPRISE_LEGAL_GUARDRAILS_STRICT
  • Escalate REVIEW to hard block.
• --sanitize-env
• --keep-env <VAR...> / --keep-env-prefix <PREFIX...>
• --command-timeout, --checker-timeout, --max-text-bytes
• --audit-log <file> / ENTERPRISE_LEGAL_GUARDRAILS_AUDIT_LOG

These flags provide execution safety, command scoping, and immutable trail for post-incident review without changing checker logic.