kaicianflone

consensus-agent-action-guard

by Kai Cianflone · GitHub ↗ · v1.1.14
cross-platform ✓ Security Clean
501 Downloads · 0 Stars · 1 Active Installs · 16 Versions
Install in OpenClaw
/install consensus-agent-action-guard
Description
Pre-execution governance for high-risk agent actions. Uses persona-weighted consensus to decide ALLOW/BLOCK/REQUIRE_REWRITE before external or irreversible s...
README (SKILL.md)

consensus-agent-action-guard

consensus-agent-action-guard is the final safety gate before autonomous action execution.

What this skill does

  • evaluates proposed agent actions (risk, irreversibility, side effects)
  • applies hard-block and weighted consensus logic
  • returns one of: ALLOW | BLOCK | REQUIRE_REWRITE
  • emits required follow-up actions (e.g., human confirmation)
  • writes decision and persona updates to board artifacts

Why this matters

Most catastrophic automation failures happen at execution time. This skill inserts explicit governance before side effects.

Ecosystem role

Built on the same consensus stack as communication and merge guards, giving one policy language across agent operations.

Typical usage

  • gating destructive operations
  • controlling external messaging/posting actions
  • requiring human confirmation for irreversible high-risk tasks

Runtime, credentials, and network behavior

  • runtime binaries: node, tsx
  • network calls: none in the guard decision path itself
  • filesystem writes: board/state artifacts under the configured consensus state path

Dependency trust model

  • consensus-guard-core is the first-party consensus package used in guard execution
  • versions are semver-pinned in package.json for reproducible installs
  • this skill does not request host-wide privileges and does not mutate other skills

Quick start

node --import tsx run.js --input ./examples/input.json

Tool-call integration

This skill is wired to the consensus-interact contract boundary (via shared consensus-guard-core wrappers where applicable):

  • readBoardPolicy
  • getLatestPersonaSet / getPersonaSet
  • writeArtifact / writeDecision
  • idempotent decision lookup

This keeps board orchestration standardized across skills.

Invoke Contract

This skill exposes a canonical entrypoint:

  • invoke(input, opts?) -> Promise<OutputJson | ErrorJson>

invoke() starts the guard flow and executes deterministic policy evaluation with board operations via shared guard-core wrappers.

external_agent mode

Guards support two modes:

  • mode="external_agent": caller supplies external_votes[] from agents/humans/models for deterministic aggregation.
  • mode="persona": requires an existing persona_set_id; guard will not generate persona sets internally.
Usage Guidance
This package appears to implement what it says: a local Node-based pre-execution guard that writes audit artifacts to a configured state path. Before installing or enabling it in a production agent, do these checks:
  1. Inspect the consensus-guard-core dependency (source or package) to confirm it performs only local state operations and does not make unexpected network calls or read unrelated host secrets.
  2. Verify the CONSENSUS_STATE_FILE / CONSENSUS_STATE_ROOT values will point to a location you control and that writing there is acceptable.
  3. Double-check the install metadata (the claim that the package creates a 'node' binary is likely incorrect); inspect package postinstall scripts in package.json/package-lock for unexpected side effects.
  4. Run the included tests and demo in a sandboxed environment first to confirm behavior.
If you need higher assurance, review the upstream dependencies' source code and consider pinning dependency versions.
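Checks 2 and 3 above, and the pinning advice, can be scripted before install. This is an added example, not code from the skill or from consensus-guard-core; the manifest and lockfile contents are constructed samples, the function names are hypothetical, and treating CONSENSUS_STATE_FILE as a path that must resolve under CONSENSUS_STATE_ROOT is an assumption.

```javascript
// Added example; not code from consensus-agent-action-guard or consensus-guard-core.
const path = require("node:path");

const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Check 3: lifecycle scripts declared in package.json, plus lockfile entries that
// npm marks with hasInstallScript (the "packages" map of lockfileVersion 2/3).
function findInstallScripts(pkg, lock) {
  const hits = LIFECYCLE.filter((n) => pkg.scripts && pkg.scripts[n])
    .map((n) => `package.json:${n}`);
  for (const [name, meta] of Object.entries((lock && lock.packages) || {})) {
    if (meta.hasInstallScript) hits.push(`lock:${name}`);
  }
  return hits;
}

// Pinning: a caret range such as ^1.1.15 is not an exact pin, so the resolved
// version is fixed only by the lockfile. List every non-exact specifier.
function rangeDeps(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  return Object.entries(pkg.dependencies || {})
    .filter(([, spec]) => !exact.test(spec))
    .map(([name, spec]) => `${name}@${spec}`);
}

// Check 2 (assumed relation): the state file must resolve inside the state root.
// Lexical check only; resolve symlinks with fs.realpathSync before trusting it.
function isConfined(root, file) {
  const rel = path.relative(path.resolve(root), path.resolve(root, file));
  return rel !== "" && rel.split(path.sep)[0] !== ".." && !path.isAbsolute(rel);
}

// Constructed sample inputs (not the skill's real manifest or lockfile).
const samplePkg = {
  scripts: { test: "node --test", postinstall: "node setup.js" },
  dependencies: { "consensus-guard-core": "^1.1.15", tsx: "4.0.0" },
};
const sampleLock = { packages: {
  "node_modules/consensus-guard-core": {},
  "node_modules/example-native-dep": { hasInstallScript: true },
} };

function audit(pkg, lock, root, file) {
  return { installScripts: findInstallScripts(pkg, lock), rangeDeps: rangeDeps(pkg),
           stateConfined: isConfined(root, file) };
}

console.log(audit(samplePkg, sampleLock, "/srv/consensus", "boards/state.json"));
```

Any entry in installScripts is code that runs at install time and should be read before the package is installed outside a sandbox.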
Capability Analysis
Type: OpenClaw Skill
Name: consensus-agent-action-guard
Version: 1.1.14

The OpenClaw AgentSkills skill bundle 'consensus-agent-action-guard' is designed to provide pre-execution governance for high-risk agent actions, acting as a security guardrail. The code and documentation consistently align with this stated purpose, focusing on evaluating proposed actions, applying consensus logic, and recording decisions as audit artifacts. Crucially, the skill explicitly states in `SKILL.md` and `metadata.json` that there are 'No outbound network calls in shipped guard decision logic', which strongly mitigates data exfiltration risks. Filesystem writes are limited to 'board/state artifacts under the configured consensus state path', controlled by environment variables, which is expected for its audit functionality. There is no evidence of intentional malicious behavior, prompt injection against the agent, or unauthorized resource access. The `detectHardBlockFlags` mechanism is a defensive feature, not an attack vector.
Capability Assessment
Purpose & Capability
The skill is a Node-based guard and legitimately needs node/tsx and a configured consensus state path (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) to read/write board artifacts; these align with the declared purpose. One incongruity: the install metadata lists the package as creating the 'node' and 'tsx' binaries, which is unexpected (an npm package should not produce the system 'node' binary). This appears to be metadata noise or a packaging mistake rather than functional maliciousness, but it should be clarified.
Instruction Scope
SKILL.md and run.js limit behavior to local, deterministic decision logic and filesystem writes under a configured state path. The runtime code uses consensus-guard-core wrappers (getLatest, writeArtifact, aggregateVotes). That keeps core logic out of the skill, but it also means the exact runtime side effects depend on consensus-guard-core's implementation — SKILL.md states 'no network calls in the guard decision path itself', which is plausible but conditional on the core library. Review consensus-guard-core to confirm there are no unexpected network calls or reads of unrelated host state.
Install Mechanism
Installation uses an npm package and includes a package-lock.json — a standard registry install with reproducible deps (consensus-guard-core, tsx). No downloads from arbitrary URLs or extract-from-remote steps were observed. The only oddity is the registry/install metadata claiming the package 'creates binaries: node, tsx' — tsx as a bin is reasonable; claiming to create 'node' is incorrect and should be corrected before trusting install metadata.
Credentials
The skill only requires CONSENSUS_STATE_FILE and CONSENSUS_STATE_ROOT for its state/artifact writes. There are no unrelated credentials, no broad host credentials, and the code does not read arbitrary environment variables. This is proportionate to a local guard that persists state/artifacts.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configurations. It writes artifacts to its configured consensus state path (expected for a governance/audit tool). Autonomous invocation is allowed by default (platform normal) but not escalated here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install consensus-agent-action-guard
  3. After installation, invoke the skill by name or use /consensus-agent-action-guard
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.14
Bumped consensus-guard-core dependency to ^1.1.15 and rolled forward release.
v1.1.13
Added explicit requires/env/install SKILL frontmatter for registry scanner parity.
v1.1.12
Updated to consensus-guard-core ^1.1.13 with package-root import contract and compatibility fixes.
v1.1.11
Bumped consensus-guard-core dependency to ^1.1.11 and rolled forward release.
v1.1.10
Bumped consensus-guard-core dependency to ^1.1.10 and released patch version.
v1.1.9
Bumped semver deps (consensus-guard-core 1.1.5 / consensus-tools 0.1.8) and version.
v1.1.8
Decoupled guard/provider path; deterministic contract updates.
v1.1.7
Bump consensus-guard-core dependency to ^1.1.4 for corrected invoke contract and shared core alignment.
v1.1.6
Scanner hardening: remove required OPENAI_API_KEY metadata; clarify optional/conditional LLM credentials
v1.1.5
confirm release sync
v1.1.4
Security hardening: explicit runtime/credential model and semver-pinned npm dependencies
v1.1.3
Packaging hardening: standalone install metadata, dependency cleanup, and safer runtime requirements
v1.1.2
Security hardening: statePath confined to safe root with traversal protection
v1.1.1
1.1.1: tested examples/input.json in e2e to keep docs and behavior synced
v1.1.0
Release 1.1.0: invoke contract + external-agent support + ecosystem alignment
v1.0.0
Initial public release
Metadata
Slug consensus-agent-action-guard
Version 1.1.14
License
All-time Installs 1
Active Installs 1
Total Versions 16
Frequently Asked Questions

What is consensus-agent-action-guard?

Pre-execution governance for high-risk agent actions. Uses persona-weighted consensus to decide ALLOW/BLOCK/REQUIRE_REWRITE before external or irreversible s... It is an AI Agent Skill for Claude Code / OpenClaw, with 501 downloads so far.

How do I install consensus-agent-action-guard?

Run "/install consensus-agent-action-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is consensus-agent-action-guard free?

Yes, consensus-agent-action-guard is completely free (open-source). You can download, install and use it at no cost.

Which platforms does consensus-agent-action-guard support?

consensus-agent-action-guard is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created consensus-agent-action-guard?

It is built and maintained by Kai Cianflone (@kaicianflone); the current version is v1.1.14.
