consensus-send-email-guard
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a local email-governance checker, but its approve/block decisions can be weakened by optional constraints and externally supplied votes, so it should be reviewed before relying on it.
Before installing, decide whether you will use only trusted callers and trusted external_votes, and run it with a dedicated consensus state directory. Treat APPROVE as advisory unless you enforce default hard-block constraints and verify the dependency versions you deploy.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may over-trust the guard as applying unconditional safety blocks, while some risky drafts may be approved if constraints are omitted or weakened.
The skill advertises hard-block enforcement, but the shipped logic only triggers these checks when caller-controlled constraints such as no_sensitive_data or no_legal_claims are true, and constraints are not required by validation.
- enforces hard-block categories (sensitive data, legal/medical certainty, disallowed guarantees)
Make hard-block checks default and fail closed when required safety constraints are missing, or clearly document that protections are caller-configured rather than unconditional.
If an upstream agent or caller can supply external_votes, it may be able to steer the guard toward APPROVE, BLOCK, or REWRITE without a trusted vote boundary.
In external_agent mode, votes from outside agents are passed directly into the decision aggregation. The provided validation only checks vote values and that reputation_before is a number; it does not show origin authentication, trusted-agent membership, or reputation range limits.
const votes = externalMode
? input.external_votes
: await generatePersonaVotes(personaSet, input.email_draft, input.constraints || {});
const aggregation = aggregateVotes(votes, policy);Only accept external votes from authenticated trusted sources, clamp reputation values, require known persona IDs or signatures, and run deterministic hard-block scanning regardless of external votes.
Email subjects, rewrite text, votes, and rationale may remain in the local consensus state after the check completes.
The skill persists decision artifacts, including email summary, votes, policy snapshot, and rewrite_patch, into the configured board state. This is purpose-aligned and disclosed, but it creates retained context that may contain sensitive draft-derived information.
const decisionPayload = {
board_id,
decision_id,
timestamp,
idempotency_key,
email_summary,
...
votes,
aggregation: {
...
},
final_decision: aggregation.final_decision,
rewrite_patch,
policy_snapshot: policy
};
const decisionWrite = await writeDecision(board_id, { ...decisionPayload, response }, statePath);Use a dedicated non-privileged state directory, restrict file permissions, and define retention/deletion practices for decision artifacts.
Future installs may receive dependency updates that affect guard behavior or security posture.
The npm package depends on external packages, including the core consensus guard library used by the runtime. The caret ranges are normal for npm but are not exact pins, so dependency behavior can change within allowed semver ranges.
"dependencies": {
"consensus-guard-core": "^1.1.15",
"tsx": "^4.20.3"
}Audit the dependency packages, prefer lockfile-based or exact-version installs in production, and monitor consensus-guard-core updates.