kaicianflone

consensus-permission-escalation-guard

Author: Kai Cianflone · GitHub · v0.1.13
cross-platform ⚠ suspicious
Total downloads: 539 · Favorites: 0 · Current installs: 0 · Versions: 13
Install in OpenClaw
/install consensus-permission-escalation-guard
Description
Pre-execution governance for IAM and permission escalation changes. Use when an agent or workflow proposes granting, expanding, or assuming higher privileges...
Usage (SKILL.md)

consensus-permission-escalation-guard

consensus-permission-escalation-guard is the final safety gate before privilege elevation is applied.

What this skill does

  • validates escalation requests against a strict input schema (reject unknown fields)
  • evaluates hard-block and rewrite policy flags for IAM risk patterns
  • runs persona-weighted voting (or aggregates external votes)
  • returns one of: ALLOW | BLOCK | REQUIRE_REWRITE
  • writes decision artifacts for replay/audit

Decision policy shape

Hard-block examples:

  • wildcard permissions (*, : *, broad owner/admin jumps)
  • missing ticket reference when required
  • break-glass escalation without incident reference
  • separation-of-duties conflicts (e.g., create + approve authority)

Rewrite examples:

  • weak or non-actionable justification
  • temporary duration exceeds policy limit
  • production escalation requires explicit human confirmation gate

Runtime and safety model

  • runtime binaries: node, tsx
  • network behavior: none in deterministic guard logic
  • environment config read by this package: CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT
  • filesystem writes: consensus board/state artifacts under configured state path

Invoke contract

  • invoke(input, opts?) -> Promise<OutputJson | ErrorJson>

Modes:

  • mode="persona" (default): uses local deterministic persona defaults for internal voting
  • mode="external_agent": consume external_votes[], then aggregate and enforce policy deterministically

Install

npm i consensus-permission-escalation-guard

Quick start

node --import tsx run.js --input ./examples/input.json

Tests

npm test

Test coverage includes schema rejection, hard-block paths, rewrite paths, allow paths, idempotent retries, and external-agent aggregation behavior.

Note: this skill depends on consensus-guard-core for aggregation/state helpers; review that package alongside this one for full runtime auditability.

See also: SECURITY-ASSURANCE.md for threat model, runtime boundaries, and deployment hardening guidance.

Security usage recommendations
This package appears to do what it says: a local, deterministic policy gate that validates escalation requests and writes audit artifacts. Before installing or enabling it in a production agent, do the following: (1) inspect and pin the consensus-guard-core dependency (review its code for any network or credential usage), (2) verify the npm package and lockfile integrity (and prefer installing from your own vetted artifact repository), (3) set CONSENSUS_STATE_ROOT/CONSENSUS_STATE_FILE to a dedicated, non-privileged directory (do not point them at system or secrets directories), (4) run the included tests in an isolated environment, and (5) note the minor metadata mismatch claiming creation of a 'node' binary — confirm your install process does not attempt to alter runtime binaries. If you need higher assurance, ask for the full contents of consensus-guard-core and a dependency supply-chain audit.
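A preflight for recommendation (3) above, as an added example that is not part of this package or its documentation. The function names and the deny-list of sensitive directories are assumptions; the two variable names come from the listing, and an unset variable is reported because the listing declares both as required.

```javascript
// Added example (not the package's code): preflight for the guard's state-path env vars.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Assumed deny-list of system and secrets locations; extend it for your hosts.
const SENSITIVE = ['/etc', '/usr', '/bin', '/sbin', '/boot', '/proc', '/sys',
  '/var/run/secrets', path.join(os.homedir(), '.ssh'), path.join(os.homedir(), '.aws')];

function isInside(child, parent) {
  const rel = path.relative(parent, child);
  return rel === '' ||
    (rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel));
}

function checkStatePath(name, value) {
  if (!value) return [`${name} is not set`];
  const problems = [];
  if (!path.isAbsolute(value)) problems.push(`${name} must be an absolute path`);
  const resolved = path.resolve(value);
  // Walk up to the nearest existing ancestor and resolve symlinks from there,
  // so a link inside the path cannot redirect artifact writes elsewhere.
  let existing = resolved;
  while (!fs.existsSync(existing)) existing = path.dirname(existing);
  const real = path.join(fs.realpathSync(existing), path.relative(existing, resolved));
  if (real === path.parse(real).root) problems.push(`${name} resolves to the filesystem root`);
  for (const dir of SENSITIVE) {
    if (isInside(resolved, dir) || isInside(real, dir)) {
      problems.push(`${name} resolves inside ${dir}`);
    }
  }
  // Any local user could plant or swap artifacts in a world-writable location.
  if (fs.statSync(existing).mode & 0o002) problems.push(`${existing} is world-writable`);
  return problems;
}

// Returns a list of findings; an empty list means the configuration passed.
function preflight(env = process.env) {
  const problems = ['CONSENSUS_STATE_ROOT', 'CONSENSUS_STATE_FILE']
    .flatMap((name) => checkStatePath(name, env[name]));
  if (typeof process.getuid === 'function' && process.getuid() === 0) {
    problems.push('process is running as root');
  }
  return problems;
}
```

Call `preflight()` in the wrapper that launches the guard and refuse to start when it returns any findings.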
Functional analysis
Type: OpenClaw Skill · Name: consensus-permission-escalation-guard · Version: 0.1.13
The skill is designed as a security governance gate, performing robust input validation and explicitly declaring no network calls. However, it requires and performs file writes to paths defined by environment variables (`CONSENSUS_STATE_FILE`, `CONSENSUS_STATE_ROOT`) via `src/index.mjs` and its `consensus-guard-core` dependency. While `SECURITY-ASSURANCE.md` and `README.md` strongly warn against pointing these to sensitive directories, this capability represents a significant configuration vulnerability if misconfigured by the agent or user, potentially leading to unauthorized file modification or data exposure. Additionally, the `package-lock.json` reveals a deprecated `prebuild-install` as an optional transitive dependency, which introduces a supply chain risk.
Capability assessment
Purpose & Capability
Name/description match the code and files: the package validates escalation inputs, computes hard-block/rewrite flags, aggregates persona/external votes, and emits ALLOW/BLOCK/REQUIRE_REWRITE. Required binaries (node, tsx) and state-path env vars (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) are appropriate for a local Node-based guard that writes board/state artifacts.
Instruction Scope
SKILL.md and run.js limit behavior to local schema validation, deterministic policy evaluation, and filesystem artifact writes under the configured state path. The runtime explicitly documents no outbound network calls in guard logic and the code enforces input-file constraints (only .json inside CWD). Instructions do reference external_votes mode but require the caller to supply that data.
Install Mechanism
Installation is via npm (reasonable for a Node package). However the registry install metadata claims the package 'creates binaries: node, tsx' — creating the 'node' binary is not realistic for an npm package and appears to be a metadata mismatch. The package depends on consensus-guard-core and common JS deps; review and pin those dependencies. Overall install risk is moderate (typical for npm packages), not a direct red flag, but verify the npm package and lockfile before installing in production.
Credentials
Only two env vars are required (CONSENSUS_STATE_FILE, CONSENSUS_STATE_ROOT) which are appropriate for configuring where decision artifacts are written. No API keys or unrelated credentials are requested. Caveat: because the package writes artifacts, misconfiguring CONSENSUS_STATE_ROOT to point at sensitive directories would be risky — the skill's docs explicitly advise using a dedicated non-privileged directory.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It persists decision artifacts under the configured state path only. Ensure the state path is constrained and the process runs as a non-root user to limit blast radius.
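How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install consensus-permission-escalation-guard
  3. Once installation completes, call the Skill by name or trigger it with /consensus-permission-escalation-guard
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history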
v0.1.13
Bumped consensus-guard-core dependency to ^1.1.15 and rolled forward release.
v0.1.12
Added explicit requires/env/install SKILL metadata for registry scanner parity.
v0.1.11
Declared required state env vars in package config and README for scanner clarity.
v0.1.10
Updated to consensus-guard-core ^1.1.13 with package-root import contract and compatibility fixes.
v0.1.9
Aligned metadata strategy, added SECURITY-ASSURANCE.md, and hardened demo input-path handling.
v0.1.8
Bumped consensus-guard-core dependency to ^1.1.11 and rolled forward release.
v0.1.7
Bumped consensus-guard-core dependency to ^1.1.10 and released patch version.
v0.1.6
Bumped semver deps (consensus-guard-core 1.1.5 / consensus-tools 0.1.8) and version.
v0.1.5
Switched consensus-guard-core dependency from local file path to npm version.
v0.1.4
Clarified install/runtime metadata and explicit local consensus-guard-core dependency source.
v0.1.3
Decoupled guard/provider path; deterministic contract updates.
v0.1.2
Docs portability fix: remove hardcoded repo cd from quick-start; keep guard behavior unchanged.
v0.1.1
Initial release: permission escalation guard with strict schema validation, policy flags, idempotency, board artifacts, and vector-driven tests.
Metadata
Slug consensus-permission-escalation-guard
Version 0.1.13
License
Total installs 0
Current installs 0
Number of versions 13
FAQ

What is consensus-permission-escalation-guard?

Pre-execution governance for IAM and permission escalation changes. Use when an agent or workflow proposes granting, expanding, or assuming higher privileges... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 539 total downloads so far.

How do I install consensus-permission-escalation-guard?

Run the command "/install consensus-permission-escalation-guard" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is consensus-permission-escalation-guard free?

Yes, consensus-permission-escalation-guard is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does consensus-permission-escalation-guard support?

consensus-permission-escalation-guard runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed consensus-permission-escalation-guard?

It is developed and maintained by Kai Cianflone (@kaicianflone); the current version is v0.1.13.
