consensus-agent-action-guard

By Kai Cianflone · GitHub ↗ · v1.1.14
cross-platform ✓ Security check passed
501 total downloads · 0 favorites · 1 current install · 16 versions
Install in OpenClaw
/install consensus-agent-action-guard
Description
Pre-execution governance for high-risk agent actions. Uses persona-weighted consensus to decide ALLOW/BLOCK/REQUIRE_REWRITE before external or irreversible s...
Usage (SKILL.md)

consensus-agent-action-guard

consensus-agent-action-guard is the final safety gate before autonomous action execution.

What this skill does

  • evaluates proposed agent actions (risk, irreversibility, side effects)
  • applies hard-block and weighted consensus logic
  • returns one of: ALLOW | BLOCK | REQUIRE_REWRITE
  • emits required follow-up actions (e.g., human confirmation)
  • writes decision and persona updates to board artifacts

Why this matters

Most catastrophic automation failures happen at execution time. This skill inserts explicit governance before side effects.

Ecosystem role

Built on the same consensus stack as communication and merge guards, giving one policy language across agent operations.

Typical usage

  • gating destructive operations
  • controlling external messaging/posting actions
  • requiring human confirmation for irreversible high-risk tasks

Runtime, credentials, and network behavior

  • runtime binaries: node, tsx
  • network calls: none in the guard decision path itself
  • filesystem writes: board/state artifacts under the configured consensus state path

Dependency trust model

  • consensus-guard-core is the first-party consensus package used in guard execution
  • versions are semver-pinned in package.json for reproducible installs
  • this skill does not request host-wide privileges and does not mutate other skills

Quick start

node --import tsx run.js --input ./examples/input.json

Tool-call integration

This skill is wired to the consensus-interact contract boundary (via shared consensus-guard-core wrappers where applicable):

  • readBoardPolicy
  • getLatestPersonaSet / getPersonaSet
  • writeArtifact / writeDecision
  • idempotent decision lookup

This keeps board orchestration standardized across skills.

Invoke Contract

This skill exposes a canonical entrypoint:

  • invoke(input, opts?) -> Promise<OutputJson | ErrorJson>

invoke() starts the guard flow and executes deterministic policy evaluation with board operations via shared guard-core wrappers.

external_agent mode

Guards support two modes:

  • mode="external_agent": caller supplies external_votes[] from agents/humans/models for deterministic aggregation.
  • mode="persona": requires an existing persona_set_id; guard will not generate persona sets internally.
Security usage recommendations
This package appears to implement what it says: a local Node-based pre-execution guard that writes audit artifacts to a configured state path. Before installing or enabling it in a production agent, do these checks:
  1. Inspect the consensus-guard-core dependency (source or package) to confirm it performs only local state operations and does not make unexpected network calls or read unrelated host secrets.
  2. Verify the CONSENSUS_STATE_FILE / CONSENSUS_STATE_ROOT values will point to a location you control and that writing there is acceptable.
  3. Double-check the install metadata (the claim that the package creates a 'node' binary is likely incorrect); inspect package postinstall scripts in package.json/package-lock for unexpected side effects.
  4. Run the included tests and demo in a sandboxed environment first to confirm behavior.
If you need higher assurance, review the upstream dependencies' source code and consider pinning dependency versions.
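Checks 2 and 3 above, plus the closing advice on pinning, can be scripted before install. The following is an added example, not code from the skill or from consensus-guard-core: the sample manifest, lockfile entries, paths and the dependency name example-native-dep are constructed, and requiring CONSENSUS_STATE_FILE to resolve inside CONSENSUS_STATE_ROOT is an assumption about the intended layout.

```javascript
// Added example: pre-install audit for a Node-based skill bundle.
const path = require("node:path");
const LIFECYCLE = ["preinstall", "install", "postinstall", "prepare"];

// Lifecycle scripts in the bundle's own package.json (npm runs these on install).
function lifecycleScripts(pkg) {
  return LIFECYCLE.filter((name) => Boolean(pkg.scripts && pkg.scripts[name]));
}

// Dependencies declared as a range (^, ~, *, tags) instead of one exact version.
function rangedDeps(pkg) {
  const exact = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;
  return Object.entries(pkg.dependencies || {})
    .filter(([, spec]) => !exact.test(spec))
    .map(([name, spec]) => `${name}@${spec}`);
}

// package-lock v2/v3 entries that npm flagged with hasInstallScript.
function lockInstallScripts(lock) {
  return Object.entries(lock.packages || {})
    .filter(([, meta]) => meta.hasInstallScript === true)
    .map(([key]) => key.replace(/^.*node_modules\//, ""));
}

// Lexical check (symlinks are not resolved): stateFile must land strictly inside stateRoot.
function stateFileInsideRoot(stateRoot, stateFile) {
  const root = path.resolve(stateRoot);
  const rel = path.relative(root, path.resolve(root, stateFile));
  const escapes = rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel);
  return rel !== "" && !escapes;
}

function audit(pkg, lock, env) {
  return {
    lifecycle: lifecycleScripts(pkg),
    ranged: rangedDeps(pkg),
    lockScripts: lockInstallScripts(lock),
    stateConfined: stateFileInsideRoot(env.CONSENSUS_STATE_ROOT, env.CONSENSUS_STATE_FILE),
  };
}

// Constructed sample inputs, not the skill's real manifest, lockfile or environment.
const samplePkg = { scripts: { test: "node --test", postinstall: "node setup.js" },
  dependencies: { "consensus-guard-core": "^1.1.15", tsx: "4.19.2" } };
const sampleLock = { lockfileVersion: 3, packages: { "": {},
  "node_modules/consensus-guard-core": { version: "1.1.15" },
  "node_modules/example-native-dep": { version: "0.0.1", hasInstallScript: true } } };
const sampleEnv = { CONSENSUS_STATE_ROOT: "/srv/agent/state", CONSENSUS_STATE_FILE: "../../etc/board.json" };
console.log(JSON.stringify(audit(samplePkg, sampleLock, sampleEnv), null, 2));
```

Run it against the real package.json and package-lock.json in a sandbox checkout; any non-empty list or a false stateConfined is a reason to read further before enabling the skill.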
Functional analysis
Type: OpenClaw Skill
Name: consensus-agent-action-guard
Version: 1.1.14
The OpenClaw AgentSkills skill bundle 'consensus-agent-action-guard' is designed to provide pre-execution governance for high-risk agent actions, acting as a security guardrail. The code and documentation consistently align with this stated purpose, focusing on evaluating proposed actions, applying consensus logic, and recording decisions as audit artifacts. Crucially, the skill explicitly states in `SKILL.md` and `metadata.json` that there are 'No outbound network calls in shipped guard decision logic', which strongly mitigates data exfiltration risks. Filesystem writes are limited to 'board/state artifacts under the configured consensus state path', controlled by environment variables, which is expected for its audit functionality. There is no evidence of intentional malicious behavior, prompt injection against the agent, or unauthorized resource access. The `detectHardBlockFlags` mechanism is a defensive feature, not an attack vector.
Capability assessment
Purpose & Capability
The skill is a Node-based guard and legitimately needs node/tsx and a configured consensus state path (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) to read/write board artifacts; these align with the declared purpose. One incongruity: the install metadata lists the package as creating the 'node' and 'tsx' binaries, which is unexpected (an npm package should not produce the system 'node' binary). This appears to be metadata noise or a packaging mistake rather than functional maliciousness, but it should be clarified.
Instruction Scope
SKILL.md and run.js limit behavior to local, deterministic decision logic and filesystem writes under a configured state path. The runtime code uses consensus-guard-core wrappers (getLatest, writeArtifact, aggregateVotes). That keeps core logic out of the skill, but it also means the exact runtime side effects depend on consensus-guard-core's implementation — SKILL.md states 'no network calls in the guard decision path itself', which is plausible but conditional on the core library. Review consensus-guard-core to confirm there are no unexpected network calls or reads of unrelated host state.
Install Mechanism
Installation uses an npm package and includes a package-lock.json — a standard registry install with reproducible deps (consensus-guard-core, tsx). No downloads from arbitrary URLs or extract-from-remote steps were observed. The only oddity is the registry/install metadata claiming the package 'creates binaries: node, tsx' — tsx as a bin is reasonable; claiming to create 'node' is incorrect and should be corrected before trusting install metadata.
Credentials
The skill only requires CONSENSUS_STATE_FILE and CONSENSUS_STATE_ROOT for its state/artifact writes. There are no unrelated credentials, no broad host credentials, and the code does not read arbitrary environment variables. This is proportionate to a local guard that persists state/artifacts.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configurations. It writes artifacts to its configured consensus state path (expected for a governance/audit tool). Autonomous invocation is allowed by default (platform normal) but not escalated here.
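How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install consensus-agent-action-guard
  3. After installation, call the Skill by name or trigger it with /consensus-agent-action-guard
  4. Provide the necessary input according to the Skill's parameter description to get structured output
Version history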
v1.1.14
Bumped consensus-guard-core dependency to ^1.1.15 and rolled forward release.
v1.1.13
Added explicit requires/env/install SKILL frontmatter for registry scanner parity.
v1.1.12
Updated to consensus-guard-core ^1.1.13 with package-root import contract and compatibility fixes.
v1.1.11
Bumped consensus-guard-core dependency to ^1.1.11 and rolled forward release.
v1.1.10
Bumped consensus-guard-core dependency to ^1.1.10 and released patch version.
v1.1.9
Bumped semver deps (consensus-guard-core 1.1.5 / consensus-tools 0.1.8) and version.
v1.1.8
Decoupled guard/provider path; deterministic contract updates.
v1.1.7
Bump consensus-guard-core dependency to ^1.1.4 for corrected invoke contract and shared core alignment.
v1.1.6
Scanner hardening: remove required OPENAI_API_KEY metadata; clarify optional/conditional LLM credentials
v1.1.5
confirm release sync
v1.1.4
Security hardening: explicit runtime/credential model and semver-pinned npm dependencies
v1.1.3
Packaging hardening: standalone install metadata, dependency cleanup, and safer runtime requirements
v1.1.2
Security hardening: statePath confined to safe root with traversal protection
v1.1.1
1.1.1: tested examples/input.json in e2e to keep docs and behavior synced
v1.1.0
Release 1.1.0: invoke contract + external-agent support + ecosystem alignment
v1.0.0
Initial public release
Metadata
Slug consensus-agent-action-guard
Version 1.1.14
License
Total installs 1
Current installs 1
Historical versions 16
FAQ

What is consensus-agent-action-guard?

Pre-execution governance for high-risk agent actions. Uses persona-weighted consensus to decide ALLOW/BLOCK/REQUIRE_REWRITE before external or irreversible s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 501 total downloads to date.

How do I install consensus-agent-action-guard?

Run the command "/install consensus-agent-action-guard" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is consensus-agent-action-guard free?

Yes, consensus-agent-action-guard is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does consensus-agent-action-guard support?

consensus-agent-action-guard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed consensus-agent-action-guard?

It is developed and maintained by Kai Cianflone (@kaicianflone); the current version is v1.1.14.
