consensus-code-merge-guard
Pass. Audited by ClawScan on May 10, 2026.
Overview
This appears to be a local merge-decision helper with no credential or network behavior, but users should control the persisted board state and any external vote inputs.
This skill is reasonable to install for local, auditable merge-decision support. Before using it to gate real merges, pin or lock dependencies, restrict the consensus state path to the intended repository or board, and make sure any external votes come from trusted, authenticated sources.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future dependency update could change behavior even though the skill's own source appears coherent.
The skill is installed from npm and depends on external packages. The caret ranges are normal for npm, but they are not exact pins, so installs may pick up compatible future versions unless the lockfile is enforced.
"dependencies": { "consensus-guard-core": "^1.1.15", "tsx": "^4.20.3" }
Use the included lockfile or exact dependency pinning in CI/automation (for example, install with npm ci rather than npm install so the lockfile is honored), and verify the provenance of consensus-guard-core before relying on this in merge gates.
If the state path contains stale, corrupted, or untrusted artifacts, future merge decisions could be affected.
The code reads from and writes to persistent consensus board state. This is disclosed and purpose-aligned, but stored board/persona artifacts can influence later governance decisions.
getDecisionByKey(board_id,idem,statePath); ... getLatest(board_id,'persona_set',statePath); ... writeArtifact(board_id,'decision',...)
Keep the consensus state directory scoped to the intended project, protect it from untrusted writers, and avoid treating stored audit text as executable instructions.
Untrusted or spoofed external votes could influence the returned MERGE/BLOCK/REVISE decision if the caller does not authenticate and validate vote sources.
In external_agent mode, the included code accepts externally supplied votes and only confirms they are an array before aggregation.
if(i.external_votes!==undefined && !Array.isArray(i.external_votes)) return 'external_votes must be array'; ... const votes=externalMode ? input.external_votes : makeVotes(...)
Only feed external votes from trusted, authenticated agents or humans, and validate vote schemas and identities before invoking this skill in an automated merge workflow.
