consensus-code-merge-guard
v1.1.15
Persona-weighted merge governance for AI-assisted engineering. Evaluates PR risk (tests, security markers, reliability signals), returns MERGE/BLOCK/REVISE d...
by Kai Cianflone (@kaicianflone)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (persona-weighted merge governance) match the code and declared requirements. Requested binaries (node, tsx) and environment variables (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) are plausibly needed to read/write the consensus board state and run the packaged JS guard.
Instruction Scope
SKILL.md and run.js describe a local decision flow that reads input JSON, evaluates policy, and writes decision/artifact files to a configured consensus state path. The decision path itself contains no outbound network calls, but actual board read/write/aggregation calls are delegated to the 'consensus-guard-core' package (imported functions like writeArtifact, getLatest, resolveStatePath). You should audit that package because it is the component that performs state persistence and could perform network or filesystem actions beyond what this skill's code shows.
Install Mechanism
Install is a normal npm package (consensus-code-merge-guard) with a package-lock.json present. There are no download-from-personal-server or URL-extract install steps in the manifest. Dependencies are registry packages (consensus-guard-core, tsx) which is expected for a Node skill.
Credentials
Only two env vars (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) are required and are consistent with the skill's stated need to read/write board state. No cloud credentials, tokens, or other sensitive variables are requested. Note: both env names are required by the metadata even though the code uses a resolveStatePath helper — verify which of the two actually controls the path in your deployment.
Persistence & Privilege
always:false (no forced global presence). The skill writes artifacts only under the configured consensus state path and its own output directory (run.js writes ./out). It does not modify other skills or system-wide agent settings in the provided code.
Assessment
This package appears to do what it says: evaluate PR summaries and write an auditable decision to a configured state path. Before installing, review the consensus-guard-core dependency because all board reads/writes and state resolution are delegated to it — that component determines whether any network calls or broader filesystem access occur. Confirm the CONSENSUS_STATE_FILE / CONSENSUS_STATE_ROOT environment variables point to a safe directory (not containing secrets or system config). Run the included tests in an isolated environment (npm test/demo) and inspect the produced artifact files (./out and your state path). Note minor metadata/version inconsistencies across SKILL.md, metadata.json, and package.json — not a blocker, but worth verifying you install the intended version.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: node, tsx
Env: CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT
Install
Node
npm i -g consensus-code-merge-guard