DashClaw Governance Protocol
Advisory. Audited by static analysis on May 13, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may call DashClaw-managed capabilities such as messaging, deployment, or API integrations when the governance process allows it.
The skill routes external API operations through a DashClaw tool that can execute registered capabilities. This is tool-use authority, but it is disclosed and central to the governance purpose.
Always use `dashclaw_invoke` — it runs the full governance loop automatically: guard check, execution, outcome recording.
Review the DashClaw capabilities registered in your MCP server and confirm their permissions, risk levels, and approval rules are appropriate.
DashClaw audit logs may store summaries of what the agent did, why it did it, and what was produced or failed.
The skill intentionally creates persistent governance records containing action details, reasoning, output summaries, and token/model metadata. This is appropriate for auditing but can retain sensitive context.
Record all significant actions with `dashclaw_record`. This powers the audit trail visible in Mission Control and the Decisions ledger.
Avoid placing secrets or unnecessary sensitive content in action summaries, reasoning, and output summaries; configure retention and access controls in DashClaw.
A misconfigured or untrusted DashClaw MCP server could influence which actions the agent believes are allowed or require approval.
The skill relies on MCP resources and tools for policy, capability discovery, and session tracking. This is expected for DashClaw governance, but the trust boundary depends on the configured MCP server.
Read the `dashclaw://policies` MCP resource ... Read the `dashclaw://capabilities` MCP resource ... Call `dashclaw_session_start`
Use this skill only with a trusted DashClaw MCP server and verify the policies and capabilities it exposes.
