consensus-agent-action-guard
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: consensus-agent-action-guard
Version: 1.1.14

The OpenClaw AgentSkills skill bundle 'consensus-agent-action-guard' is designed to provide pre-execution governance for high-risk agent actions, acting as a security guardrail. The code and documentation consistently align with this stated purpose, focusing on evaluating proposed actions, applying consensus logic, and recording decisions as audit artifacts. Crucially, the skill explicitly states in `SKILL.md` and `metadata.json` that there are 'No outbound network calls in shipped guard decision logic', which strongly mitigates data exfiltration risks. Filesystem writes are limited to 'board/state artifacts under the configured consensus state path', controlled by environment variables, which is expected for its audit functionality. There is no evidence of intentional malicious behavior, prompt injection against the agent, or unauthorized resource access. The `detectHardBlockFlags` mechanism is a defensive feature, not an attack vector.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If this is used as a final safety gate, an untrusted or poorly controlled caller could supply favorable external votes and get ALLOW for a risky action that should require confirmation or blocking.
In external_agent mode, the code only checks that external_votes is an array and then lets those caller-supplied votes determine the guard decision; the local constraint and hard-block vote generation path is skipped.
```js
if(input.external_votes!==undefined && !Array.isArray(input.external_votes)) return 'external_votes must be array';
...
const votes = externalMode ? input.external_votes : makeVotes(personaSet, input.proposed_action, input.constraints || {});
const ag = aggregateVotes(votes, { method:'WEIGHTED_APPROVAL_VOTE', approve_threshold:0.7 });
const final_decision = mapDecision(ag.final_decision);
```
Apply hard-block and human-confirmation constraints in every mode, validate the vote schema and allowed voters, and only accept external_agent votes from authenticated, trusted sources.
A stale or previously primed ALLOW/BLOCK decision could carry forward into later runs, affecting high-risk action gating across retries or sessions.
The persisted decision lookup key excludes mode and external_votes even though those values can affect the decision, so an older decision can be reused when the vote source or vote contents have changed.
```js
const idem = makeIdempotencyKey({ board_id, proposed_action: input.proposed_action, constraints: input.constraints||{}, persona_set_id: input.persona_set_id||null });
const prior = await getDecisionByKey(board_id, idem, statePath);
if (prior?.response) return prior.response;
...
const votes = externalMode ? input.external_votes : makeVotes(personaSet, input.proposed_action, input.constraints || {});
```
Include all decision-changing inputs in the idempotency key, add expiration or explicit revalidation for high-risk actions, and avoid replaying external-vote decisions unless the same authenticated votes are present.
Local audit files may reveal planned actions, voting rationale, or other workflow details, and prior stored decisions may be reused later.
The skill writes decision artifacts, votes, and aggregation details into persistent state. This is expected for auditability, but those artifacts can influence future idempotent lookups and may contain sensitive operational context.
```js
const d = await writeArtifact(board_id, 'decision', { idempotency_key: idem, decision_id, final_decision, votes, aggregation: ag, response }, statePath);
```
Store the consensus state in a protected, project-scoped location; limit who can edit it; and treat decision artifacts as sensitive audit records.
Future installs could resolve to newer dependency versions unless the lockfile is enforced, which matters for a safety-gating component.
The install depends on npm packages with caret version ranges, allowing semver-compatible updates. This is common npm behavior, but it is not an exact pin by itself.
```json
"dependencies": { "consensus-guard-core": "^1.1.15", "tsx": "^4.20.3" }
```
Install with a trusted lockfile or exact pinned versions, and review dependency updates before deploying this guard in production automation.
