Governed Agents
v0.1.11
Deterministic verification + reputation scoring for AI sub-agents. Prevents hallucinated success via 4 code gates (files, tests, lint, AST) and a 3-layer pip...
by @nefas11
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (deterministic verification + reputation for sub-agents) matches the actual code and SKILL.md: the package runs deterministic gates (files/tests/lint/AST), a grounding gate (HTTP HEAD reachability), and an LLM council. Requested binaries (codex, git, pytest) and optional linters are proportionate to these features.
Instruction Scope
SKILL.md and code direct the agent to spawn external CLIs (codex/openclaw), run git/pytest, probe URLs with HTTP HEAD, and write a local SQLite DB under the skill's workspace. These actions are within the stated verification and reputation-scoring scope. The skill also includes prompt-sanitization and prompt-injection detection logic (e.g., replacing IGNORE/OVERRIDE), which explains the presence of such strings.
Install Mechanism
Install is a bundled install.sh script (present in the repo) that copies code into the OpenClaw workspace. No external downloads from untrusted URLs or remote extract operations are used. This is an expected and proportionate install method for an instruction+code skill, but you should still inspect the script before running.
Credentials
Only optional env vars are declared (workspace paths, DB path, optional GOVERNED_AUTH_TOKEN). The code documents a narrow allowlist for env variables forwarded to subprocesses and provides a GOVERNED_NO_NETWORK toggle. No unrelated secret-scoped variables are requested. Requiring access to a workspace and a local DB file is consistent with a reputation/persistence feature.
Persistence & Privilege
The skill writes to its own state directory (~/.openclaw/workspace/.state/governed_agents/) and persists a local SQLite DB for reputations. always is false and it does not request system-wide privileged persistence or modify other skills' configs. This level of persistence matches the declared purpose.
Scan Findings in Context
[prompt-injection-pattern:ignore-previous-instructions] expected: The SKILL.md and prompt_validator.py intentionally include prompt-injection detection patterns and strings (e.g., IGNORE/OVERRIDE/IGNORE-PREVIOUS-INSTRUCTIONS) so they will be flagged by a scanner; presence is expected because the skill implements detection/escaping for reviewer prompts.
Assessment
This skill appears coherent and implements exactly what it claims: it spawns external agent CLIs, runs git/pytest, probes URLs, and stores a local reputation DB. Before installing, review install.sh and confirm you are comfortable with copying the repository into your OpenClaw workspace. Consider these precautions: (1) run the install in a sandbox or inspect the script to confirm no unexpected actions, (2) ensure the external CLIs (codex, openclaw, git, pytest) you allow are trusted, (3) do not set sensitive API keys in env vars that would be forwarded (GOVERNED_AUTH_TOKEN is optional and listed), (4) if you want to prevent any network checks, set GOVERNED_NO_NETWORK=1 to skip URL probing, and (5) review the allowlist in the code if you have special secret-management needs. The repository includes prompt-injection detection and some sanitization, but always treat outputs used to build prompts with caution.
Like a lobster shell, security has layers — review code before you run it.
latestvk979p8k3x8mr10qfnnwabp63jd839222
Runtime requirements
🛡️ Clawdis
Bins: codex, git, pytest
