ClawDefender - OpenClaw Security - Prompt injection, rogue skills etc
v1.0.1

Security scanner and input sanitizer for AI agents. Detects prompt injection, command injection, SSRF, credential exfiltration, and path traversal attacks. Use when (1) installing new skills from ClawHub, (2) processing external input like emails, calendar events, Trello cards, or API responses, (3) validating URLs before fetching, (4) running security audits on your workspace. Protects agents from malicious content in untrusted data sources.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Benign, medium confidence

Purpose & Capability
Name/description (scanner + sanitizer) aligns with the provided scripts: sanitize.sh performs prompt checks and wraps clawdefender.sh, and clawdefender.sh contains pattern lists and validation modules. No unrelated credentials, binaries, or opaque network dependencies are demanded by the metadata.
Instruction Scope
SKILL.md instructs copying the two scripts into the workspace and piping external content into sanitize.sh, which in turn calls clawdefender.sh for detection. That is within the stated purpose. Two points to note: (1) the README and scripts instruct running 'npx clawhub install' as part of the --install flow (this executes code from the network), and (2) the tool scans the agent workspace and references many sensitive paths and config names — scanning those files is expected for a security tool but can expose sensitive data to the scanner process. Review the scan/audit behavior and test in an isolated environment first.
Install Mechanism
There is no packaged install spec; the skill is instruction-only plus two included shell scripts. No remote download or extract instructions are embedded in the skill files themselves. The only network-execution call is the optional 'npx clawhub install' used by the script's --install flow, which is conventional but runs code from npm at runtime.
Credentials
The skill requests no environment variables or credentials in metadata. However, the scripts are hardcoded to use WORKSPACE="/home/clawdbot/clawd" and will read/write under that path (logs, whitelist, security directory). For a security scanner, access to workspace files is proportional to purpose, but the hardcoded path may cause the tool to access unexpected locations on your host if not adjusted. No extraneous credential requests are present in the manifest.
Persistence & Privilege
always is false and model invocation is allowed (normal). The script writes persistent artifacts: $WORKSPACE/memory/security-scans.md and $WORKSPACE/security/whitelist.json, and may modify a whitelist. That persistence is reasonable for a scanner but you should confirm you are comfortable with files being created/updated in the workspace and with the tool running autonomously if you allow it.
Scan Findings in Context
[ignore-previous-instructions] expected: The pre-scan detected the prompt-injection phrase inside SKILL.md. This skill intentionally lists injection patterns (including phrases like 'ignore previous instructions') as examples to detect them, so the finding is expected and not an attempt to manipulate the evaluator.
Assessment
What to check before installing:
1) Review the two scripts (sanitize.sh and clawdefender.sh) yourself — they are plain shell and readable.
2) Update the WORKSPACE variable to point to your intended agent/workspace (it's hardcoded to /home/clawdbot/clawd) so the tool doesn't scan unintended locations.
3) Run the scripts in a non-production/test environment first to see what files they read/write (they create logs and a whitelist under the workspace).
4) Be cautious with the '--install' flow: it runs 'npx clawhub install', which fetches/executes code from the network; only use that if you trust the upstream package.
5) Don't run with elevated privileges (root).
6) If you plan to allow autonomous invocation, restrict filesystem permissions and consider sandboxing the workspace to limit blast radius.
7) If you need higher assurance, run the audit step on a copy of your skills directory rather than live data.

Like a lobster shell, security has layers — review code before you run it.
