Skill v1.0.0

ClawScan security

Guardian Wall · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 1, 2026, 7:46 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (sanitizing and detecting prompt-injection), includes a local sanitizer script and defensive guidance, and does not request unrelated credentials or install external code.
Guidance
This skill appears coherent and implements a local sanitizer plus a reference of injection patterns. Before installing, consider: (1) Review scripts/sanitize.py yourself: it decodes and prints portions of any Base64 it finds, which will surface any sensitive data embedded in inputs; (2) Limit what the 'audit' sub-agent can access and audit its permissions before allowing autonomous spawning; (3) Test the sanitizer on representative malicious and benign samples to tune false positives (the homoglyph and Base64 checks are heuristic and may need adjustment); (4) Run the sanitizer in a restricted environment if you plan to process untrusted files, and ensure outputs are not automatically forwarded to external services. If you accept these trade-offs, the skill is consistent with its stated purpose.
Findings
[ignore-previous-instructions] expected: SKILL.md explicitly lists 'ignore previous instructions' as a forbidden/high-risk pattern to detect; the scanner flagged this phrase from the defensive content, which is expected.
[you-are-now] expected: The phrase 'you are now [New Persona]' appears in the file as an example of persona-modulation attacks; being flagged by the pre-scan is consistent with the skill's goal.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, patterns.md, and scripts/sanitize.py all align: the package's assets are exactly what you'd expect for a prompt-injection sanitizer and auditor. No unrelated env vars, binaries, or installs are requested.
Instruction Scope
note: SKILL.md stays on-purpose (sanitize, wrap in randomized delimiters, optionally spawn an audit sub-agent). The recommendation to spawn a sub-agent for high-stakes content is reasonable but can expand the blast radius depending on that sub-agent's privileges; the skill itself doesn't define that sub-agent's scope.
Install Mechanism
ok: No install spec (instruction-only) and the included Python script is shipped with the skill. Nothing is downloaded from external or untrusted URLs.
Credentials
note: The skill requests no credentials or config paths. Minor note: scripts/sanitize.py decodes Base64 matches and prints fragments of the decoded content, which could reveal any sensitive text embedded in the external input (this is by design for detection but could surface secrets if an input contains them).
Persistence & Privilege
ok: always:false and user-invocable:true (normal). The skill does not request permanent presence, nor does it modify other skills or system-wide settings.