War/Den Governance
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is broadly aligned with governance, but its audit-log integrity and optional cloud-memory scoping have implementation gaps users should review before installing.
Use this only if you want a skill that can mediate and log every bot action. Prefer local/community mode unless you intend to send governance or memory data to the enterprise providers, keep WARDEN_FAIL_OPEN set to false, and do not rely on the audit log as fully tamper-evident until all audit fields are included in the hash chain.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can block or allow bot actions and record their outcomes.
The skill registers hooks around bot actions so it can allow, deny, review, and log activity. This is purpose-aligned for a governance skill, but it gives the skill broad influence over normal agent execution.
hooks:\n - before_action\n - after_action\n - on_error
Review the default policies, keep fail-open disabled unless you explicitly accept that risk, and test high-impact actions before relying on the skill.
If you add these keys, action and memory workflows may use the corresponding external accounts.
The skill can use optional provider API keys for enterprise governance and cloud memory. This is disclosed and purpose-aligned, but it extends authority to third-party services when configured.
SENTINEL_API_KEY:\n required: false\n description: Sentinel_OS API key for enterprise governance\n ENGRAMPORT_API_KEY:\n required: false\n description: EngramPort API key for enterprise memory
Only configure these keys if you want enterprise cloud mode, use least-privilege keys where available, and rotate/revoke keys if no longer needed.
In enterprise memory mode, recalled memories could be mixed across namespaces or sessions, exposing or reusing context more broadly than expected.
The cloud memory read method accepts bot_id and namespace, but the request payload sent to EngramPort does not include either value. That makes the namespace boundary unclear and may allow memories to be recalled outside the requested namespace if the server does not independently enforce it.
def read(\n self,\n bot_id: str,\n query: str,\n namespace: str,\n limit: int = 10,\n ) -> list[dict]:\n...\n payload = {"query": query, "limit": limit}Pass namespace/session and bot identity in cloud recall requests, document the isolation boundary, and add tests proving cross-namespace recall is blocked.
Audit exports could appear valid even if important details of an action record were altered.
The audit hash covers only previous hash, agent ID, action type, decision, and timestamp. Stored fields such as action_data, context, reason, and policy_id are inserted into the audit log but are not included in the hash, so changes to those fields may not be detected despite the tamper-evident audit positioning.
hash_input = (\n f"{prev_hash}{action.agent_id}{action.type.value}"\n f"{decision.value}{timestamp}"\n )Hash a canonical serialization of the complete audit event, including action data, context, reason, and policy ID, and update verification tests accordingly.