Kevros Governance
v0.3.8Implements cryptographic governance for AI agents by verifying actions against policies and recording signed, tamper-evident audit trails.
⭐ 0· 227·0 current·0 all-time
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and description claim cryptographic governance and the SKILL.md consistently describes verify/attest/bind primitives, API endpoints, SDK install commands and pricing. The requested capabilities align with the stated purpose.
Instruction Scope
The SKILL.md contains concrete runtime instructions (SDK usage examples, curl calls to governance.taskhawktech.com, and package install commands). It does not instruct the agent to read local secrets or system files, but it does direct network calls and use of API keys. Because this is instruction-only, those network calls would occur outside any packaged code — verify before sending sensitive data.
Install Mechanism
There is no install spec in the registry entry (lowest platform risk), but the instructions recommend installing third‑party packages (pip install kevros, npm install @kevros/agentkit). Those packages would come from public registries (PyPI/NPM) and are not provided or audited here — this is a supply‑chain risk and the skill gives no repo links or checksums.
Credentials
The skill declares no required env vars or credentials, but the examples expect an X-API-Key and direct signup to governance.taskhawktech.com. There is no guidance on key storage or scope. No unrelated credentials are requested, but sensitive data would be transmitted to an external service.
Persistence & Privilege
Skill is instruction-only, has always:false, and does not request persistent system-wide privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other high privileges here.
What to consider before installing
This skill reads like a legitimate governance service, but important questions remain: the registry entry provides no source repository or homepage provenance and the SKILL.md tells you to install third-party SDKs and call an external API (governance.taskhawktech.com). Before installing or using it: 1) Ask the publisher for links to the SDK source code (GitHub repo), package pages on PyPI/NPM, and API documentation; verify package names, maintainers, and checksums. 2) Review the SDK source code (or have it audited) before pip/npm install. 3) Do not send secrets, private keys, or high‑value data to the service until you confirm its trustworthiness and privacy policy. 4) Test interactions in a network‑restricted sandbox and monitor network calls. 5) Consider limiting the agent so it requires explicit user confirmation before invoking external governance endpoints. If the publisher cannot provide verifiable repository URLs and documentation, treat this skill as risky and avoid installing or using its SDKs or API keys.Like a lobster shell, security has layers — review code before you run it.
latest
Kevros — Governance-as-a-Service for AI Agents
Every agent action verified. Every decision recorded. Every record signed.
What This Does
Kevros adds cryptographic governance to any AI agent. Before your agent takes an action (deploy code, move money, access data), Kevros evaluates it against your policies and returns a signed decision: ALLOW, CLAMP (adjusted to safe bounds), or DENY.
Every decision is appended to a hash-chained, tamper-evident evidence ledger. Auditors can verify the entire chain without your source code.
Quick Start
from kevros_governance import GovernanceClient
client = GovernanceClient(agent_id="my-agent")
result = client.verify(
action_type="trade",
action_payload={"symbol": "AAPL", "qty": 100},
agent_id="my-agent",
)
print(result.decision) # ALLOW, CLAMP, or DENY
Or use the API directly:
# Get a free API key (instant, no credit card)
curl -X POST https://governance.taskhawktech.com/signup \
-H "Content-Type: application/json" \
-d '{"agent_id": "my-agent"}'
# Verify an action
curl -X POST https://governance.taskhawktech.com/governance/verify \
-H "X-API-Key: kvrs_..." \
-H "Content-Type: application/json" \
-d '{"action_type": "deploy", "action_payload": {"service": "api"}, "agent_id": "my-agent"}'
Governance Primitives
| Primitive | What It Proves | Cost |
|---|---|---|
| Verify | Agent is authorized — signed ALLOW/CLAMP/DENY | $0.01 |
| Attest | Action happened — hash-chained evidence | $0.02 |
| Bind | Intent matched command — cryptographic binding | $0.02 |
| Bundle | Compliance evidence package — independently verifiable | $0.25 |
| Media Attest | Media file integrity — SHA-256 in provenance chain | $0.05 |
Free endpoints: verify-outcome, verify-token, verify-certificate, reputation lookup, passport, media verify.
Payment
- Free tier: 1,000 calls/month, instant signup, no credit card
- x402 (USDC on Base): Pay per call, no API key needed
- Subscription: Scout $29/mo, Sentinel $149/mo, Sovereign $499/mo
Why Agents Need This
- Audit trails: When regulators ask "who authorized this agent action?", you have cryptographic proof
- Fail-closed safety: If governance fails, the agent stops. Not the other way around
- Trust between agents: Agent B can verify Agent A's release token without trusting Agent A
- Evidence chain: Hash-chained, append-only, independently verifiable
Integration
- Python SDK:
pip install kevros - TypeScript SDK:
npm install @kevros/agentkit - MCP:
https://governance.taskhawktech.com/mcp/ - A2A:
https://governance.taskhawktech.com/.well-known/agent.json - x402:
https://governance.taskhawktech.com/.well-known/x402 - REST API:
https://governance.taskhawktech.com/api
Works with LangChain, CrewAI, OpenAI Agents SDK, Microsoft Agent Framework, and any HTTP client.
Links
- Website: https://www.taskhawktech.com
- API Docs: https://governance.taskhawktech.com/api
- Quickstart: https://www.taskhawktech.com/quickstart
- Playground: https://www.taskhawktech.com/playground
Comments
Loading comments...