ClawPolicy

Pass. Audited by ClawScan on May 1, 2026.

Overview

ClawPolicy is a coherent wrapper for a policy-engine package. The main things to notice are that it installs its runtime from PyPI and that it writes persistent local policy files.

Before installing, make sure you trust the `clawpolicy` PyPI package and upstream project. Use it in a project where persistent `.clawpolicy` policy files are desired, inspect those files after initialization, and consider pinning the package version for repeatable installs.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill means trusting the PyPI `clawpolicy` package that will run locally.

Why it was flagged

The wrapper obtains the runtime package from PyPI rather than shipping reviewed source code in the skill artifacts, and the install command shown is not version-pinned. Because this is central to the skill's purpose, it is recorded as a supply-chain notice rather than raised as a concern.

Skill content: `python3 -m pip install clawpolicy`
Recommendation

Install only if you trust the upstream package; consider pinning a known-good version in controlled environments.

What this means

Generated `.clawpolicy` files may persist across sessions and shape later policy decisions.

Why it was flagged

The tool creates persistent local policy and agent-related markdown files. That matches the stated policy-engine purpose, but persistent policy/context files can influence future agent behavior if edited or over-trusted.

Skill content: `init` provisions `.clawpolicy/policy/rules.json`, `.clawpolicy/policy/playbooks.json`, `.clawpolicy/policy/policy_events.jsonl`, `.clawpolicy/USER.md`, `.clawpolicy/SOUL.md`, and `.clawpolicy/AGENTS.md`.
Recommendation

Review generated `.clawpolicy` files before relying on them, keep them project-scoped, and remove or reset them if you no longer want the policy state.