Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
consensus-permission-escalation-guard
v0.1.13
Pre-execution governance for IAM and permission escalation changes. Use when an agent or workflow proposes granting, expanding, or assuming higher privileges...
by Kai Cianflone (@kaicianflone)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the code and files: the package validates escalation inputs, computes hard-block/rewrite flags, aggregates persona/external votes, and emits ALLOW/BLOCK/REQUIRE_REWRITE. Required binaries (node, tsx) and state-path env vars (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) are appropriate for a local Node-based guard that writes board/state artifacts.
Instruction Scope
SKILL.md and run.js limit behavior to local schema validation, deterministic policy evaluation, and filesystem artifact writes under the configured state path. The runtime explicitly documents no outbound network calls in guard logic and the code enforces input-file constraints (only .json inside CWD). Instructions do reference external_votes mode but require the caller to supply that data.
Install Mechanism
Installation is via npm (reasonable for a Node package). However the registry install metadata claims the package 'creates binaries: node, tsx' — creating the 'node' binary is not realistic for an npm package and appears to be a metadata mismatch. The package depends on consensus-guard-core and common JS deps; review and pin those dependencies. Overall install risk is moderate (typical for npm packages), not a direct red flag, but verify the npm package and lockfile before installing in production.
Credentials
Only two env vars are required (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) which are appropriate for configuring where decision artifacts are written. No API keys or unrelated credentials are requested. Caveat: because the package writes artifacts, misconfiguring CONSENSUS_STATE_ROOT to point at sensitive directories would be risky — the skill's docs explicitly advise using a dedicated non-privileged directory.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It persists decision artifacts under the configured state path only. Ensure the state path is constrained and the process runs as a non-root user to limit blast radius.
Assessment
This package appears to do what it says: a local, deterministic policy gate that validates escalation requests and writes audit artifacts. Before installing or enabling it in a production agent, do the following: (1) inspect and pin the consensus-guard-core dependency (review its code for any network or credential usage), (2) verify the npm package and lockfile integrity (and prefer installing from your own vetted artifact repository), (3) set CONSENSUS_STATE_ROOT/CONSENSUS_STATE_FILE to a dedicated, non-privileged directory (do not point them at system or secrets directories), (4) run the included tests in an isolated environment, and (5) note the minor metadata mismatch claiming creation of a 'node' binary — confirm your install process does not attempt to alter runtime binaries. If you need higher assurance, ask for the full contents of consensus-guard-core and a dependency supply-chain audit.
Like a lobster shell, security has layers — review code before you run it.
latest vk973dzxbsppndxfn71artx9qph824vkq
Runtime requirements
Bins: node, tsx
Env: CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT
Install
Node
Bins: node, tsx
npm i -g consensus-permission-escalation-guard