consensus-support-reply-guard
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or compromised upstream agent could steer the guard toward allowing, blocking, or rewriting a customer support response without the visible code independently checking the draft for legal or sensitive-data risks.
In external_agent mode, the included code validates external_votes only as an array before using them for aggregation, while the local hard-block detection is in the makeVotes path that external mode bypasses.
if(i.external_votes!==undefined && !Array.isArray(i.external_votes)) return 'external_votes must be array'; ... const votes=externalMode ? input.external_votes : makeVotes(ps,input.reply_draft,input.constraints||{});Use external_agent mode only with trusted, authenticated vote sources; validate vote schema and origin; and run the hard-block draft scan regardless of mode before trusting an ALLOW decision.
A stale or bad decision can be replayed across retries or later support workflows, potentially letting a risky reply remain approved or a safe reply remain blocked.
The idempotency key includes the draft and constraints but not mode or external_votes, even though those fields can change the final decision; a prior persisted response can therefore be returned for a later call with different decision evidence.
const idem=makeIdempotencyKey({board_id,reply_draft:input.reply_draft,constraints:input.constraints||{},persona_set_id:ps?.persona_set_id || input.persona_set_id || null}); const prior=await getDecisionByKey(board_id,idem,statePath); if(prior?.response) return prior.response;Include mode, a digest of external_votes, policy version, and relevant persona/aggregation inputs in the idempotency key, or require an explicit cache-bypass/review path for changed evidence.
Local state files may retain information about customer-support drafts and governance decisions after the immediate task is done.
The skill intentionally retains audit artifacts for support decisions. This is aligned with its governance purpose, but the stored artifacts may contain support-risk context, votes, or rewrite details.
preserves decision history in board artifacts ... filesystem writes: board/state artifacts under the configured consensus state path
Configure the consensus state path carefully, restrict file access, and define retention or cleanup practices for support-decision artifacts.
The installed behavior may depend on dependency resolution and package provenance.
The skill relies on npm dependencies for core guard and runtime behavior. This is normal for a Node skill, and a lockfile is present, but semver ranges can resolve different code if the lockfile is not honored.
"dependencies": { "consensus-guard-core": "^1.1.15", "tsx": "^4.20.3" }Install with the provided lockfile where possible and review or pin core dependencies for production support automation.