Openclaw Sec
v0.2.6 · AI Agent Security Suite - Real-time protection against prompt injection, command injection, SSRF, path traversal, secrets exposure, and content policy violations
⭐ 10 · 4.4k · 15 current · 17 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence
Purpose & Capability
The codebase (many TypeScript modules: prompt-injection, command-validator, url-validator, path-validator, secret-detector, content-scanner, plus tests and hooks) aligns with the described purpose of a real-time security validation suite. It does not request unrelated credentials or binaries in the registry metadata, which is appropriate. However, the registry lists 'No install spec — this is an instruction-only skill' while the package contains a full implementation and README instructs running npm install; that mismatch is an incoherence worth noting.
Instruction Scope
SKILL.md describes CLI commands and hooking into the host agent, stores logs and a local SQLite DB, and shows example inputs (including attack strings) and example notification/webhook configuration. The instructions ask the user to copy example config files, run npm install, and enable hooks for 'automatic protection' — these are reasonable for this tool, but the hooks and automatic protection mechanism mean the skill will receive and validate user inputs and may be wired into agent I/O. SKILL.md also contains many prompt-injection example strings (used for detection), which is expected for a security tool but was flagged by the pre-scan as potential injection attempts — they appear in tests and examples, not as commands to override the evaluator.
Install Mechanism
The registry shows no formal install spec, yet the README and SKILL.md instruct users to run 'npm install' and to install via 'npx clawdhub ...'. Installing will fetch npm dependencies (package.json and large lockfiles are present) which is a moderate-risk step compared to an instruction-only skill. There are also hook scripts (hooks/install-hooks.sh, handler.ts files) which may modify the OpenClaw agent hooks/config when run. No external download URLs or shorteners are present in the supplied files, which reduces high-risk download concerns, but you should inspect package.json, its dependencies, and the hook scripts before running npm install or executing install hooks.
Credentials
The registry requires no environment variables or credentials, which is consistent for an on-host validator. The example configuration (not mandatory) contains optional notification channels (webhook, Slack, Discord, SMTP) that would accept external credentials if enabled — those are optional but would expose scanned content externally if configured. The config also supports owner_ids that bypass checks; ensure you understand and control any bypass lists. There is no evidence the package demands unrelated cloud or system credentials by default.
Persistence & Privilege
always:false (no forced global inclusion) and model invocation is allowed (default) — appropriate. However, the skill includes 'auto-hooks' and an install script that can enable hooks in the OpenClaw workspace; installation will place files under ~/.openclaw/workspace/skills/openclaw-sec/ and write logs and a local DB by default. Hooks can change agent behavior (automatic protection) and could be configured to send notifications externally. Review hooks/install-hooks.sh and any hook registration steps — they can persist behavior across agent sessions and should be audited prior to enabling.
Scan Findings in Context
[prompt-injection-strings-in-SKILL.md] expected: The pre-scan detected phrases like 'ignore-previous-instructions', 'you-are-now', and 'system-prompt-override' inside SKILL.md. These are present as test/example inputs for the prompt-injection detector and are expected for a security-detection project, but they triggered the pattern detector because they resemble attack strings. They should be reviewed, but their presence alone is consistent with the skill's purpose.
What to consider before installing
Summary of what to check before installing and enabling this skill:
1) Source & provenance: The skill registry entry has no homepage and the 'Source' is unknown. Prefer an official repository or vendor; verify the repository (e.g., GitHub) and the publisher's identity before trusting the package.
2) Inspect package.json & dependencies: Before running npm install, open package.json and the lockfile. Run 'npm audit' and review any non-trivial dependencies (native modules, postinstall scripts). Avoid running install in your primary environment—use a sandbox/container/VM.
3) Review hook scripts: Read hooks/install-hooks.sh and the handler.ts hook implementations. These scripts will register hooks into your OpenClaw agent and can change agent behavior and persist across runs. Only enable hooks after you understand what they modify.
4) Don't enable external notifications without review: Example config supports webhooks, Slack, Discord, and SMTP and can send findings externally. Keep notifications disabled (default) until you verify that nothing sensitive will be sent and you trust the endpoint.
5) Check owner_ids and bypass lists: The example config supports 'owner_ids' that bypass checks. Make sure any bypass list is controlled and does not accidentally grant a third party unrestricted access.
6) Run in isolation & test: Install and run the skill in an isolated environment first (container or throwaway VM). Run the included tests locally and observe what files the skill reads/writes. Pay attention to where the DB and logs are stored (~/.openclaw or .openclaw-sec.db by default).
7) Audit behavior with instrumentation: Monitor network activity while running scans to ensure no unexpected outbound connections (especially if you enable notification channels). Also inspect filesystem accesses to ensure the skill isn't reading secrets by design.
8) When in doubt, ask for more info: If you need higher confidence, request the canonical source repository, release signatures, or a published package from a known publisher. If you can't verify provenance, treat the package as higher risk and avoid enabling persistent hooks or external integrations.
Like a lobster shell, security has layers — review code before you run it.
latest: vk973g54gy8ms7w099me2be692n80xvbs
