OpenClaw Skill Governance (Balanced Dynamic Core Pool)
v1.0.1
Manages skill lifecycle and routing using a balanced governance model with status transitions, core pool tuning, and failure-based quarantine.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (manage skill lifecycle, routing, core pool tuning) match the instructions which operate on a skill-registry.json and describe status transitions. However, the SKILL.md repeatedly references concrete scripts (PowerShell .ps1 files) that are not included in the package and there's no install spec — that is an inconsistency between claimed capabilities and the actual artifact delivered.
Instruction Scope
The runtime instructions call for running scripts that read and write local workspace files (skill-registry.json and 'evidence'), and for performing status transitions and weekly cleanup. Because no scripts are provided, an operator or the agent would need to create, fetch, or run ad-hoc commands to implement these steps. The instructions permit broad read/write access to the workspace (which may contain secrets or unrelated data) and give operational authority over the central skill registry, which is reasonable for a governance tool but risky without concrete, auditable scripts.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk by an installer. This reduces supply-chain risk, but it also means the declared scripts are missing and must be provided externally, which is the core concern.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate to the stated local governance purpose.
Persistence & Privilege
The skill is not marked always:true and allows normal autonomous invocation (default). It explicitly intends to modify skill-registry.json (the agent's source-of-truth for skills), which is expected for governance but is a powerful capability: whoever supplies or runs the missing scripts would be able to change which skills are eligible for automatic routing. That capability should be treated as high-impact and controlled.
What to consider before installing
Before installing or enabling this skill, ensure the governance scripts it references are available and have been audited. The package contains only documentation — it does not include the .ps1 scripts it tells you to run. If you plan to use it, either (a) obtain and review the scripts from a trusted source and store them in the workspace with restricted permissions, or (b) implement your own vetted scripts that follow the described policy. Limit the skill's workspace access (or run it in a sandbox) so the registry and any sensitive files cannot be altered without review. Back up skill-registry.json before running any reconciliation/cleanup actions, and prefer an operator-driven audit step for promotions/demotions rather than fully autonomous execution until you have vetted the implementation. If you cannot verify where the scripts come from, do not enable automatic routing or give the agent permission to fetch or execute remote code to satisfy the missing scripts.
Like a lobster shell, security has layers — review code before you run it.
Tags: autonomy, governance, latest, stability
