consensus-deployment-guard
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: consensus-deployment-guard Version: 0.1.10 The OpenClaw AgentSkills skill bundle 'consensus-deployment-guard' is classified as benign. Its purpose is pre-deployment governance, involving input validation, policy evaluation, and local audit artifact generation. The skill explicitly states in `SKILL.md`, `metadata.json`, and `SECURITY-ASSURANCE.md` that it performs no outbound network calls. File system interactions are limited to reading input and schema, and writing decision artifacts to a configured state path (`CONSENSUS_STATE_FILE`, `CONSENSUS_STATE_ROOT`), with strong recommendations in `SECURITY-ASSURANCE.md` for secure configuration. There is no evidence of intentional harmful behavior, data exfiltration, persistence mechanisms, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A future dependency update could affect how decisions are aggregated or stored.
The skill depends on external npm packages, including a core package used for aggregation and state handling, with semver ranges. This is normal for a Node package but important for a deployment gate.
"dependencies": { ... "consensus-guard-core": "^1.1.15", "tsx": "^4.20.3" }Use a lockfile or pinned dependency policy in CI, and review consensus-guard-core before relying on the skill for production release gates.
If the state file or directory is stale or tampered with, future deployment checks may replay an old decision.
The skill stores decision artifacts and reuses prior decisions for idempotency. This is expected audit behavior, but persistent state becomes part of future decision context.
const prior = await getDecisionByKey(board_id, idem, statePath); if (prior?.response) return prior.response; ... writeArtifact(board_id, 'decision', ... statePath);
Store state in a dedicated non-privileged directory with restricted write access, and use a fresh request or state reset when a deployment needs full re-evaluation.
If untrusted systems can provide external_votes, they could influence an ALLOW, BLOCK, or REQUIRE_REWRITE result.
In external_agent mode, supplied external votes directly feed the deployment decision aggregation. The artifacts show schema validation, but not identity or provenance checks for those votes.
const votes = externalMode ? input.external_votes : makeVotes(personaSet, flags); const ag = aggregateVotes(votes, { method: 'WEIGHTED_APPROVAL_VOTE', approve_threshold: 0.7 });Only enable external_agent mode when votes are collected through an authenticated, trusted workflow, and do not accept vote payloads directly from untrusted agents or users.