Authensor Gateway
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a purpose-aligned Authensor policy gate, but it works by changing tool-call behavior and sending redacted action metadata to a configured control plane.
This skill looks coherent with its stated security-gateway purpose. Before installing, confirm it will be enabled in the sessions where you expect protection, verify the control-plane URL, use a dedicated API key, review policy and log-retention settings, and avoid embedding secrets in command lines, URLs, or tool arguments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Tool calls may be delayed, require approval, or be blocked according to Authensor policy.
This is broad agent-behavior control. It is expected for a policy-gate skill, but it changes the normal sequence for all tool calls when the skill is active.
**You MUST follow this protocol before executing any tool call.** No exceptions.
Use it only when you intentionally want Authensor to mediate tool execution, and test the policy defaults before relying on it.
Authensor or the configured control plane may see details about what tools are being used and what resources they target.
The skill sends redacted action-resource metadata to a configured control plane. That is core to the gateway purpose, but the metadata can still include operationally sensitive paths, commands, URLs, and tool arguments.
Before sending the resource to the control plane, **strip any sensitive data** ... `Bash` ... `The full command string` ... `MCP tool calls` ... `The tool name and arguments`
Verify the CONTROL_PLANE_URL, review the service's privacy and retention terms, and avoid putting secrets directly in commands, URLs, or tool arguments.
A leaked or overly broad API key could expose or alter Authensor policy or audit data depending on the service's account controls.
The skill requires an Authensor API key and control-plane URL. This is expected for the integration, but it is still delegated account access.
requires:
  env:
    - CONTROL_PLANE_URL
    - AUTHENSOR_API_KEY
Use a dedicated least-privilege API key, store it securely, and rotate or revoke it if it may have been exposed.
A history of tool actions may be stored outside the immediate chat session.
The skill discloses persistent audit logging of action records. This is purpose-aligned for compliance, but users should understand what is retained.
Every action (allowed, denied, or pending) is logged with a receipt ID and timestamp.
Review audit-log retention, access controls, and deletion options before using it in sensitive environments.
