consensus-agent-action-guard
ReviewAudited by ClawScan on May 10, 2026.
Overview
This looks like a local safety-check tool, but its external-vote and replay behavior could let untrusted or stale votes decide whether high-risk actions are allowed.
Review this carefully before using it as an enforcement gate for irreversible actions. Only enable external_agent mode when you control and authenticate the vote sources, protect the consensus state files from tampering, and consider adding an independent human-confirmation check for destructive or public actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this is used as a final safety gate, an untrusted or poorly controlled caller could supply favorable external votes and get ALLOW for a risky action that should require confirmation or blocking.
In external_agent mode, the code only checks that external_votes is an array and then lets those caller-supplied votes determine the guard decision; the local constraint and hard-block vote generation path is skipped.
if(input.external_votes!==undefined && !Array.isArray(input.external_votes)) return 'external_votes must be array'; ... const votes = externalMode ? input.external_votes : makeVotes(personaSet, input.proposed_action, input.constraints || {}); const ag = aggregateVotes(votes, { method:'WEIGHTED_APPROVAL_VOTE', approve_threshold:0.7 }); const final_decision = mapDecision(ag.final_decision);Apply hard-block and human-confirmation constraints in every mode, validate the vote schema and allowed voters, and only accept external_agent votes from authenticated, trusted sources.
A stale or previously primed ALLOW/BLOCK decision could carry forward into later runs, affecting high-risk action gating across retries or sessions.
The persisted decision lookup key excludes mode and external_votes even though those values can affect the decision, so an older decision can be reused when the vote source or vote contents have changed.
const idem = makeIdempotencyKey({ board_id, proposed_action: input.proposed_action, constraints: input.constraints||{}, persona_set_id: input.persona_set_id||null }); const prior = await getDecisionByKey(board_id, idem, statePath); if (prior?.response) return prior.response; ... const votes = externalMode ? input.external_votes : makeVotes(personaSet, input.proposed_action, input.constraints || {});Include all decision-changing inputs in the idempotency key, add expiration or explicit revalidation for high-risk actions, and avoid replaying external-vote decisions unless the same authenticated votes are present.
Local audit files may reveal planned actions, voting rationale, or other workflow details, and prior stored decisions may be reused later.
The skill writes decision artifacts, votes, and aggregation details into persistent state. This is expected for auditability, but those artifacts can influence future idempotent lookups and may contain sensitive operational context.
const d = await writeArtifact(board_id, 'decision', { idempotency_key: idem, decision_id, final_decision, votes, aggregation: ag, response }, statePath);Store the consensus state in a protected, project-scoped location; limit who can edit it; and treat decision artifacts as sensitive audit records.
Future installs could resolve to newer dependency versions unless the lockfile is enforced, which matters for a safety-gating component.
The install depends on npm packages with caret version ranges, allowing semver-compatible updates. This is common npm behavior, but it is not an exact pin by itself.
"dependencies": { "consensus-guard-core": "^1.1.15", "tsx": "^4.20.3" }Install with a trusted lockfile or exact pinned versions, and review dependency updates before deploying this guard in production automation.