ClawHub

Governed Delegation

v1.0.0

Policy-guided governed delegation for subagent use. Use when deciding whether to delegate, which model tier is allowed, whether execution must fail closed, o...

0· 82·0 current·0 all-time
byJoao Driessen@joaodriessen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description and the implementation align: this is a narrow policy helper that builds a governed-delegation decision and spawn envelope. Two minor inconsistencies: the SKILL.md shows running the helper via `node .../request.js` but the registry metadata lists no required binaries; and the script imports '../../../lib/intent-router/policy.mjs' (an internal repo/library) which is not included in the skill bundle. Both are plausible design choices (relying on the runtime repo), but they should be explicit.
Instruction Scope
SKILL.md is narrowly scoped and instructs only to classify a task then call the helper. The script only reads JSON from argv/stdin, calls internal policy functions, builds a plan, and prints a JSON decision. It does not perform network I/O, read arbitrary files, or exfiltrate data in the included code.
Install Mechanism
No install spec — lowest-risk model. The skill includes a small Node script but does not attempt to download or install external code. The only risk is runtime dependency on internal libraries (see purpose_capability).
Credentials
The skill requires no environment variables or credentials and does not reference any secret-containing paths. Its input is JSON provided via argument/stdin; outputs are printed to stdout.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and allows autonomous invocation (default). That autonomous capability is normal for skills and is not by itself a problem here.
Assessment
This skill appears to do what it says (build policy-guided delegation decisions) and does not try to exfiltrate secrets, but check these before installing: - Ensure a Node runtime will be available where the skill runs (SKILL.md invokes `node` but the metadata does not list it). If Node isn't present, the helper will fail. - Confirm that the internal module `lib/intent-router/policy.mjs` (and the canonical policy file docs/MODEL_ROUTING_POLICY.md) exist in your agent/runtime and are trusted — the script imports and depends on those internal libraries which are not bundled with the skill. - If you prefer a skill that is self-contained and does not rely on repo internals, request or provide an implementation that does not import '../../../lib/...'. - Test the helper with non-sensitive inputs to verify it behaves as expected, and review the referenced internal policy code for correctness and security because changes to that internal code will change this skill's decisions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97284dqex040f7520fnej2xwn83v29y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments