v0.1.1

OpenClaw Consensus

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 11:31 PM.

Analysis

This skill appears bounded and purpose-aligned, but it will run a local OpenClaw CLI, call selected API-backed models, and save the brief and outputs on disk.

GuidanceBefore installing or invoking, make sure you are comfortable sending the brief to the selected OpenClaw-configured models, possibly incurring provider usage, and saving the brief plus model outputs in local run artifacts.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityLowConfidenceHighStatusNote

src/cli.mjs

Per-run nonce used to fence untrusted content (brief + model outputs).

The workflow intentionally feeds user brief content and model-generated outputs into later prompt stages. The nonce fencing is a disclosed mitigation, and the behavior is purpose-aligned.

User impactContent from the brief or from earlier model answers can influence later model answers and the final synthesis.

RecommendationReview the final synthesis critically and keep the skill's instruction to preserve disagreement and uncertainty in mind.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

src/cli.mjs

const result = spawnSync('openclaw', args, {

The CLI shells out to the local OpenClaw binary. This is expected for a repo-local OpenClaw runtime and is not shown as hidden or unrelated tool use.

User impactUsing the skill can run local commands and consume configured provider/model resources.

RecommendationUse it only when you have intentionally selected the models and are comfortable with the associated local command and provider calls.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceHighStatusNote

metadata

Source: unknown
Homepage: none
Required binaries (all must exist): node, openclaw

The package has no linked upstream source or homepage in the provided metadata and depends on local `node` and `openclaw` binaries. No remote installer or dependency download is shown.

User impactUsers need to trust the published skill artifact and their local OpenClaw/Node installations.

RecommendationInstall only from a trusted ClawHub listing and ensure your local `openclaw` and `node` binaries are the expected ones.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

SKILL.md

node {baseDir}/src/cli.mjs run --brief "<brief>" --models "openai-codex/gpt-5.4,openai-codex/gpt-5.5"

The skill instructs the agent to execute the repo-local Node CLI. That code execution is disclosed and central to the consensus runtime.

User impactInvoking the skill runs local JavaScript code and then calls OpenClaw for model execution.

RecommendationTreat invocation as running a local tool, not as a passive text-only prompt.

Cascading Failures

SeverityLowConfidenceHighStatusNote

SKILL.md

runs the same brief through 2-4 explicitly selected API-backed models

One brief is propagated to several model calls and saved into multiple artifacts, but the workflow is capped to a fixed 2-round process with explicit model selection.

User impactA bad, sensitive, or mistaken brief can be duplicated across multiple provider calls and output files.

RecommendationCheck the final brief before running and keep the model shortlist small and intentional.

Human-Agent Trust Exploitation

SeverityInfoConfidenceHighStatusNote

SKILL.md

Consensus is not proof of correctness.

The skill's output could naturally invite overtrust, but the instructions explicitly warn against treating model consensus as certainty.

User impactUsers may be tempted to overvalue agreement across models.

RecommendationUse the synthesis as decision support, not as proof, and follow the stated escalation guidance for expert-sensitive issues.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

docs/RUNTIME_CONTRACT.md

OpenClaw already knows which providers/models are configured and usable

The skill relies on the active OpenClaw workspace's existing provider/model access rather than collecting separate credentials.

User impactRuns may use the user's existing OpenClaw provider access, quotas, and configured model permissions.

RecommendationConfirm that the selected models and providers are ones you are authorized and willing to use for the brief.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

preserves round-1 and round-2 artifacts on disk

The skill intentionally stores model outputs, and the artifact docs also include the original brief and final synthesis in the run directory.

User impactSensitive brief text and model outputs may remain in local run artifacts after the session ends.

RecommendationAvoid putting secrets in briefs, and delete or protect run directories if the content is sensitive.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusNote

SKILL.md

runs the same brief through 2-4 explicitly selected API-backed models from the active OpenClaw-configured pool

The workflow sends the brief to multiple selected API-backed models and shares earlier model outputs into later rounds. This is the core feature and is explicitly disclosed.

User impactBriefs and intermediate model outputs may be transmitted to the selected model providers through OpenClaw.

RecommendationSelect providers deliberately and do not submit confidential material unless those provider data-handling terms are acceptable.