EctoClaw

Audited by ClawScan on May 1, 2026.

Overview

EctoClaw is a coherent audit and policy skill, but users should understand that it can persist sensitive agent activity and relies on an external npm package.

Before installing, confirm you trust the npm package and run EctoClaw on localhost or a private authenticated server. Treat its audit ledger as sensitive because it is designed to retain detailed agent activity, including prompts, tool results, and memory.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Sensitive conversations, tool outputs, and memory entries may be retained in the audit system and could be exposed if ECTOCLAW_URL points to an untrusted or poorly protected server.

Why it was flagged

The skill explicitly stores broad agent context, including memory and prompts, in a persistent, immutable ledger. This is central to the audit purpose and is disclosed, but the retained data is sensitive.

Skill content

Records every agent action (messages, skills, tools, plugins, memory, models) in an immutable hash-chained ledger... audit logs can contain sensitive prompts, tool outputs, and memory contents.
Recommendation

Use a localhost or private authenticated EctoClaw server, avoid logging secrets when possible, and understand the retention and immutability behavior before auditing sensitive work.

What this means

An incorrect policy could block legitimate agent actions, fail to redact sensitive data, or change approval behavior in ways the user did not intend.

Why it was flagged

The skill can update audit/firewall policy rules, which can affect blocking, redaction, flagging, and approval behavior. The action is user-directed and aligned with the skill purpose, but policy changes are impactful.

Skill content

Create or Update a Policy... Call PUT {ECTOCLAW_URL}/api/policies/{name} with {"content": "<TOML policy>"}
Recommendation

Review policy TOML before saving it, keep backups of known-good policies, and test new rules on low-risk sessions first.

What this means

Installing the skill means trusting the published npm package and its dependencies, not just the reviewed SKILL.md instructions.

Why it was flagged

The install path relies on an external npm package and its binary, while the provided artifact set contains only SKILL.md. This is a normal setup pattern for this kind of tool, but the installed package lies outside the reviewed text artifacts.

Skill content

node | package: ectoclaw | creates binaries: ectoclaw
Recommendation

Install only from the expected package source, review the package/version if possible, and use normal npm supply-chain precautions.