Open Sentinel - Agent Reliability Layer

Warn. Audited by ClawScan on May 10, 2026.

Overview

This is a coherent LLM safety proxy, but its docs overpromise: they claim blocking before users see content, while the architecture says default checks can run after the response has already been returned and can fail open.

Review this before installing if you need hard real-time blocking. It appears useful as a policy proxy, but verify whether the mode you use actually blocks current responses rather than detecting issues after delivery, and install only after validating the external PyPI package and using scoped API keys.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may trust the proxy to stop unsafe content before it reaches users or downstream automation, when the default behavior may only detect and react after the fact.

Why it was flagged

The skill markets pre-output enforcement, but its architecture says the default judge can evaluate after the response has already been delivered. That mismatch is material for a tool advertised to prevent PII leaks, hallucinations, and workflow violations.

Skill content

SKILL.md: "evaluating every response ... before output reaches users"; architecture.md: "Response returns to your app immediately; judge evaluates in a background asyncio.Task" and "current response (which has already been returned to your app)"

Recommendation

Treat the default async judge as monitoring/deferred enforcement unless you verify synchronous blocking behavior for the policies you rely on.

What this means

Installing the skill means trusting the external `opensentinel` package and whatever version PyPI resolves at install time.

Why it was flagged

The runtime behavior depends on an external PyPI package that is not included in the provided artifacts for code review.

Skill content

`pip install opensentinel`

Recommendation

Verify the PyPI package, repository, maintainer, and version pin before installing in a sensitive environment.

What this means

The proxy can use the configured provider key to make LLM requests and potentially incur usage/costs under that account.

Why it was flagged

The skill requires provider credentials so it can proxy LLM calls. This is expected for the stated purpose, but it is still account-level delegated authority.

Skill content

At least one LLM provider API key: `ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, or `GEMINI_API_KEY`

Recommendation

Use a dedicated, least-privilege provider key with usage limits, and avoid sharing broad production credentials unless necessary.

What this means

Prompts, responses, and policy-evaluation metadata may be processed by external LLM or tracing services depending on configuration.

Why it was flagged

The design routes LLM traffic through a local proxy to upstream providers, may send responses to a sidecar judge model, and can emit telemetry. These flows are purpose-aligned but involve sensitive prompt/response boundaries.

Skill content

Your App  ──▶  Open Sentinel Proxy  ──▶  LLM Provider ... A sidecar LLM evaluates each response ... OpenTelemetry Tracing

Recommendation

Review provider, judge model, and tracing settings; keep tracing disabled or local unless you are comfortable with the destination.

What this means

Incorrect or poisoned policy state could affect later turns in the same workflow.

Why it was flagged

The proxy persists violation state across turns and injects reminders into future requests. This is disclosed and aligned with policy enforcement, but it means prior evaluations can influence later model behavior.

Skill content

queued as deferred interventions, applied on the next turn via pre-call hook ... System prompt amendment ... Context injection

Recommendation

Keep policies narrow, review generated configurations, and reset conversation/workflow state when switching tasks or users.