DashClaw Governance Protocol

Pass. Audited by ClawScan on May 13, 2026.

Overview

This is an instruction-only governance skill that tells agents to use DashClaw MCP tools for policy checks, approvals, and audit logging; the visible behavior is coherent with that purpose.

Before installing, confirm you intend the agent to be governed by DashClaw, that your DashClaw MCP server is trusted, and that audit records will not capture unnecessary sensitive information. No executable code or install-time behavior is shown in the provided artifacts.

Publisher note

Read-only behavior skill. Two markdown files only: SKILL.md (the governance protocol — guard/decision handling/recording rules/session lifecycle) and references/governance-patterns.md (implementation patterns). No scripts, no executables, no autorun. The skill instructs the consuming agent to call DashClaw MCP tools (dashclaw_guard, dashclaw_record, dashclaw_invoke, dashclaw_session_start/end, dashclaw_wait_for_approval) and read MCP resources (dashclaw://policies, dashclaw://capabilities) — those calls originate from the agent's own MCP client against a user-configured DashClaw instance, not from the skill itself. Designed to be paired with @dashclaw/mcp-server.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may call DashClaw-managed capabilities such as messaging, deployment, or API integrations when the governance process allows it.

Why it was flagged

The skill routes external API operations through a DashClaw tool that can execute registered capabilities. This is tool-use authority, but it is disclosed and central to the governance purpose.

Skill content

Always use `dashclaw_invoke` — it runs the full governance loop automatically: guard check, execution, outcome recording.

Recommendation

Review the DashClaw capabilities registered in your MCP server and confirm their permissions, risk levels, and approval rules are appropriate.

What this means

DashClaw audit logs may store summaries of what the agent did, why it did it, and what was produced or failed.

Why it was flagged

The skill intentionally creates persistent governance records containing action details, reasoning, output summaries, and token/model metadata. This is appropriate for auditing but can retain sensitive context.

Skill content

Record all significant actions with `dashclaw_record`. This powers the audit trail visible in Mission Control and the Decisions ledger.

Recommendation

Avoid placing secrets or unnecessary sensitive content in action summaries, reasoning, and output summaries; configure retention and access controls in DashClaw.

What this means

A misconfigured or untrusted DashClaw MCP server could influence which actions the agent believes are allowed or require approval.

Why it was flagged

The skill relies on MCP resources and tools for policy, capability discovery, and session tracking. This is expected for DashClaw governance, but the trust boundary depends on the configured MCP server.

Skill content

Read the `dashclaw://policies` MCP resource ... Read the `dashclaw://capabilities` MCP resource ... Call `dashclaw_session_start`

Recommendation

Use this skill only with a trusted DashClaw MCP server and verify the policies and capabilities it exposes.