consensus-code-merge-guard

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A future dependency update could change behavior even though the skill's own source appears coherent.

Why it was flagged

The skill is installed from npm and depends on external packages. The caret ranges are normal for npm, but they are not exact pins, so installs may pick up compatible future versions unless the lockfile is enforced.

Skill content
"dependencies": { "consensus-guard-core": "^1.1.15", "tsx": "^4.20.3" }
Recommendation

Use the included lockfile or exact dependency pinning in CI/automation, and verify the provenance of consensus-guard-core before relying on this in merge gates.

What this means

If the state path contains stale, corrupted, or untrusted artifacts, future merge decisions could be affected.

Why it was flagged

The code reads from and writes to persistent consensus board state. This is disclosed and purpose-aligned, but stored board/persona artifacts can influence later governance decisions.

Skill content
getDecisionByKey(board_id,idem,statePath); ... getLatest(board_id,'persona_set',statePath); ... writeArtifact(board_id,'decision',...)
Recommendation

Keep the consensus state directory scoped to the intended project, protect it from untrusted writers, and avoid treating stored audit text as executable instructions.

What this means

Untrusted or spoofed external votes could influence the returned MERGE/BLOCK/REVISE decision if the caller does not authenticate and validate vote sources.

Why it was flagged

In external_agent mode, the included code accepts externally supplied votes and only confirms they are an array before aggregation.

Skill content
if(i.external_votes!==undefined && !Array.isArray(i.external_votes)) return 'external_votes must be array'; ... const votes=externalMode ? input.external_votes : makeVotes(...)
Recommendation

Only feed external votes from trusted, authenticated agents or humans, and validate vote schemas and identities before invoking this skill in an automated merge workflow.