Governed Agents
Review
Audited by ClawScan on May 18, 2026.
Overview
The skill’s purpose is clear, but it should be reviewed because it launches autonomous CLI agents and has an unsafe temporary-directory cleanup pattern that could delete outside its intended area if task IDs are not sanitized.
Only install this if you want an agent to spawn and score other agents. Before use, review the installer, use a low-privilege workspace/account, and avoid custom task IDs or private URLs unless the path handling and network behavior have been tightened.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or attacker-influenced task ID could make cleanup target an unexpected path, risking unintended deletion outside the skill’s temporary working directory.
contract.task_id is a writable contract field, but the cleanup path is formed by string interpolation and later recursively deleted without an evident resolve-and-assert containment check under the intended temp directory.

    task_id = contract.task_id or str(uuid.uuid4())[:8]
    task_dir = Path(f"/tmp/governed-{task_id}")
    ...
    shutil.rmtree(str(task_dir), ignore_errors=True)

Use tempfile.mkdtemp or sanitize task IDs to a strict safe pattern, then resolve the cleanup path and assert it remains under a dedicated governed-agents temp root before deleting.
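The recommendation above, written out as an added example (editor's code, not code from the skill or from ClawScan): task IDs are restricted to a strict character set, task directories are created under a dedicated root, and the cleanup path is resolved and checked for containment before anything is deleted. The root name `governed-agents` under the system temp directory and the helper names are assumptions.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Dedicated root for all task directories (assumed location, not the skill's).
GOVERNED_ROOT = Path(tempfile.gettempdir()) / "governed-agents"

# Strict allowlist for caller-supplied task IDs: no path separators, no dots.
SAFE_TASK_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def task_dir_for(task_id: str) -> Path:
    """Return the task directory for task_id, refusing anything that could
    escape GOVERNED_ROOT. Raises ValueError on unsafe input."""
    if not SAFE_TASK_ID.fullmatch(task_id):
        raise ValueError(f"unsafe task id: {task_id!r}")
    GOVERNED_ROOT.mkdir(parents=True, exist_ok=True)
    root = GOVERNED_ROOT.resolve()
    # resolve() follows symlinks, so a pre-planted link named governed-<id>
    # pointing elsewhere would fail the parent check below.
    candidate = (root / f"governed-{task_id}").resolve()
    if candidate.parent != root:
        raise ValueError("task directory escapes the governed root")
    return candidate


def cleanup_task_dir(task_dir: Path) -> bool:
    """Recursively delete task_dir only if it resolves to a strict
    descendant of GOVERNED_ROOT. Returns True if deletion was attempted."""
    root = GOVERNED_ROOT.resolve()
    resolved = task_dir.resolve()
    if resolved == root or root not in resolved.parents:
        # Never delete the root itself, or anything outside it.
        return False
    if resolved.exists():
        shutil.rmtree(resolved, ignore_errors=True)
    return True


if __name__ == "__main__":
    d = task_dir_for("demo-task")
    d.mkdir(parents=True, exist_ok=True)
    (d / "scratch.txt").write_text("constructed sample file\n")
    print("deleted:", cleanup_task_dir(d), "exists:", d.exists())
```

The two checks are deliberately separate: the regex stops hostile IDs before a path is ever built, and the containment check on the resolved path guards against anything the regex cannot see, such as symlinks created inside the root by a previous run.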
Installing and using the skill can cause autonomous sub-agents to run commands and modify files within their configured working directories.
The skill spawns external agent CLIs and lets Codex run in full-auto mode. This is central to the skill’s purpose, but it is a powerful execution path.
    cmd = [CODEX53_CLI, "-m", "gpt-5.3-codex", "exec", "--full-auto", prompt]
    ...
    run_result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 30, cwd=cwd, env=env)
Use only with clearly scoped contracts, review the working directory, and avoid invoking full-auto sub-agents on sensitive repositories unless you trust the model and task prompt.
A checked URL can reveal your IP address and the requested URL path/query to that remote server.
The grounding gate automatically sends HTTP HEAD requests to URLs found in agent output. The code includes private-IP and scheme checks, but these requests still leave the local machine.
    urls = _extract_urls(output)
    ...
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status < 400

Avoid feeding private or tokenized URLs into outputs that will be grounded, and consider adding redirect validation or an allowlist for high-sensitivity environments.
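The allowlist and redirect validation suggested above, as an added example (editor's code, not the skill's grounding gate): a URL validator that accepts only http/https, rejects embedded credentials, rejects non-global IP literals, and requires named hosts to be on an allowlist, plus a urllib redirect handler that re-applies the same validator to every Location target so a permitted URL cannot bounce the HEAD request to an internal address. The allowlist contents and class names are constructed for the example.

```python
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed allowlist; a deployment would load its own.
ALLOWED_HOSTS = frozenset({"example.com", "docs.python.org"})


def is_allowed_url(url: str, allowlist=ALLOWED_HOSTS) -> bool:
    """Return True only for http(s) URLs whose host is a global IP literal
    or an allowlisted hostname, with no embedded credentials."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        # user:pass@host forms can smuggle credentials into logs and requests.
        return False
    host = parts.hostname
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: hostnames must be explicitly allowlisted.
        return host.lower() in allowlist
    # is_global is False for loopback, private, link-local and reserved ranges.
    return ip.is_global


class ValidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-validate every redirect target before urllib follows it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not is_allowed_url(newurl):
            raise urllib.error.HTTPError(
                newurl, code, "redirect target not allowed", headers, fp
            )
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def build_opener() -> urllib.request.OpenerDirector:
    """Opener that applies the redirect check to all requests made through it."""
    return urllib.request.build_opener(ValidatingRedirectHandler())


def head_is_reachable(url: str, timeout: float = 5.0) -> bool:
    """Grounding check: HEAD the URL only if it passes validation.
    Network errors and disallowed URLs both count as not reachable."""
    if not is_allowed_url(url):
        return False
    req = urllib.request.Request(url, method="HEAD")
    try:
        with build_opener().open(req, timeout=timeout) as resp:
            return resp.status < 400
    except (urllib.error.URLError, OSError):
        return False
```

Checking the redirect target matters as much as checking the original URL: the initial scheme and private-IP checks in the skill run once, before the request, while a 3xx response can send the same request anywhere the responding server chooses.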
Sub-agent runs may consume or act through your locally authenticated Codex/OpenClaw accounts.
The skill does not forward API-key environment variables, but it does allow Codex/OpenClaw CLIs to use their own local account configuration via HOME.
Only the following variables are forwarded: ... `HOME` ... External CLIs must source their own credentials via their own configuration.
Run with dedicated low-privilege CLI profiles where possible and confirm which local accounts the external CLIs will use.
Incorrect or manipulated reputation records could affect future agent selection, supervision level, or task blocking.
The skill stores persistent reputation state and uses it to affect future supervision decisions, including blocking low-reputation agents.
Scores persist in SQLite (`.state/governed_agents/reputation.db`). ... R ≤ 0.2 → suspended (task blocked)
Keep the reputation database in the documented workspace state directory, back it up if important, and reset or inspect it when results look wrong.
The registry summary may understate what the skill’s own metadata says it can do.
SKILL.md declares an installer script and sensitive capabilities, while the registry-provided install/capability summary says there is no install spec and no derived capability tags.
    install: {"kind": "script", "script": "install.sh"}
    capabilities: ["persistent_db_writes", "external_cli_execution", "network_requests"]

Review SKILL.md and install.sh from the source repository before running installation commands, and treat the skill as network-, subprocess-, and persistence-capable.
