ZugaShield Security Scanner
v0.1.1
7-layer AI security scanner for OpenClaw. Blocks prompt injection, SSRF, command injection, data leakage, and memory poisoning across ALL channels (Signal, T...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description (an OpenClaw gateway scanner) align with what the plugin implements: it registers gateway hooks, requires Python to run a zugashield_mcp server, and exposes commands to show status/report. Permission for subprocess is declared and is needed to spawn the MCP process.
Instruction Scope
SKILL.md instructs installation via pip/npm and the spawning of a resident Python MCP server that inspects inputs, outputs, tool calls, and memories — all consistent with the stated purpose. However, the SKILL.md was flagged by a prompt-injection detector (patterns like 'ignore-previous-instructions' and 'you-are-now'), which is unexpected for a scanner manifest and may indicate attempted LLM-targeted manipulation in the documentation/instructions. The runtime hooks do scan and forward content to the MCP server; in the JS surface code they do not read unrelated host secrets.
Install Mechanism
There is no packaged install spec inside the plugin bundle; the SKILL.md recommends 'pip install "zugashield[mcp]"' and 'npm install zugashield-openclaw-plugin'. Running pip to fetch zugashield at runtime means executing third-party Python code on the host. That is a standard distribution method, but it is a moderate risk because the Python package is an external artifact you must trust. The npm content provided in the bundle looks normal; no direct downloads from URL shorteners or personal IPs were found.
Credentials
The plugin declares no required env vars and restricts the child-process env to an allowlist, which reduces secret-leakage risk. However, the child env allowlist includes ZUGASHIELD_FEED_URL / FEED_ENABLED / FEED_STATE_DIR and other ZUGASHIELD_* variables — these imply the engine may be configurable to contact external feeds (update/signature feeds). Those are plausible for a scanner, but they mean a misconfigured or malicious feed URL could direct the Python process to fetch remote content. No unrelated cloud credentials are requested by the plugin.
Persistence & Privilege
always:false and user-invocable are appropriate. The plugin registers as a service and adds required hooks (high priority/critical) — appropriate for a security filter. It does not request permanent global privileges beyond hooking into the gateway as intended.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] unexpected: A prompt-injection pattern was detected inside SKILL.md. A documentation file for a scanner should not contain LLM-targeting injection phrases; this is unexpected and worth manual review of the SKILL.md / README text for embedded manipulative instructions.
[prompt-injection:you-are-now] unexpected: Another LLM-instruction-style pattern was found in the SKILL.md. This is not required by a security scanner and could be an attempt to manipulate an LLM that reads these docs; review the doc contents and the repository history.
What to consider before installing
This package is plausible as a gateway scanner, but take these precautions before installing/activating it:
1) Verify the upstream packages: confirm the npm package and PyPI package authors and the GitHub repository (the plugin contains multiple repository/homepage strings — reconcile them).
2) Inspect the Python package 'zugashield' (zugashield_mcp): examine its code on PyPI or in the repository before running pip install; a third-party Python package will run code on your host.
3) Check SKILL.md / README for the prompt-injection phrases flagged by the scanner and review any suspicious lines.
4) Don't expose sensitive env vars to the process; the plugin tries to allowlist env vars but passes through ZUGASHIELD_* feed URLs — ensure those point to trusted, signed feeds, and enable signature verification if available.
5) Test in an isolated/sandboxed OpenClaw instance first (non-production) to verify behavior and network interactions (outbound connections, feed pulls).
6) Prefer packages from an audited source or a repository you control; if you can't validate the Python package or the feed origin, treat this as untrusted code.
If you want, I can list the exact repo/homepage strings found and point out where they differ, or help you inspect the zugashield_mcp package source if you provide its PyPI link or code.
Like a lobster shell, security has layers — review code before you run it.
Tags: ai-safety, latest, mcp, prompt-injection, security
Runtime requirements
Bins: python
