Kevros Governance Review
Audited by ClawScan on May 1, 2026.
Overview
Kevros Governance is a disclosed third-party governance and audit integration, but users should carefully scope the action data, credentials, payments, and persistent audit records they send to it.
Before installing, decide which agent actions should be checked by Kevros, avoid sending secrets or unnecessary private data in action_payloads, verify the Taskhawk/Kevros SDK packages and domains, pin dependency versions, protect API keys or x402 payment credentials, and document audit-ledger retention and fail-closed behavior.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. A remote governance decision can affect whether an agent completes an action.

The service is intended to influence whether agent actions proceed, are bounded, or stop. This is purpose-aligned governance behavior, but users should explicitly control the policies and failure behavior.

> Before your agent takes an action ... Kevros evaluates it against your policies and returns a signed decision: ALLOW, CLAMP ... or DENY.

Define clear policies, document what CLAMP and DENY mean, and decide how the agent should behave if the governance service is unavailable.

2. Anyone with the API key may be able to submit governance calls or consume the account’s quota.

The integration uses an API key for the external governance service. This is expected for a SaaS integration, but the key should be treated as a credential.

> Get a free API key ... -H "X-API-Key: kvrs_..."

Store the API key securely, restrict who can access it, rotate it if exposed, and monitor usage.

3. Installing the SDKs will execute or rely on third-party package code outside the reviewed artifact.

The skill points users to external SDK packages, but the provided artifacts do not include pinned versions, source code, or lockfiles. This is common for integration documentation but leaves package provenance to the user.

> Python SDK: `pip install kevros`; TypeScript SDK: `npm install @kevros/agentkit`

Verify the package source, pin versions, review package metadata, and use standard dependency security controls before installing.

4. Action details or decision history may be retained in an external audit trail.

The service persistently records governance decisions. Persistent audit records are central to the stated purpose, but they may contain sensitive operational context depending on what action payloads include.

> Every decision is appended to a hash-chained, tamper-evident evidence ledger.

Minimize payload contents, avoid secrets and regulated data unless intended, and confirm retention, deletion, and access policies.

5. Agent-to-agent or MCP integrations may transmit governance context to a third-party service.

The skill advertises MCP and agent-to-agent integration endpoints. These are disclosed and relevant to the governance purpose, but users should verify endpoint identity and data boundaries.

> MCP: `https://governance.taskhawktech.com/mcp/` ... A2A: `https://governance.taskhawktech.com/.well-known/agent.json`

Use trusted endpoints, confirm TLS/domain ownership, restrict what agents can send, and document which systems may rely on these responses.
