Openclaw Sentinel

v0.1.8

Prompt injection detection and security scanning for OpenClaw agents. Installs the ai-sentinel plugin via OpenClaw CLI, configures plugin settings, and offer...

0 · 1.4k · 3 current · 3 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to install/configure an AI Sentinel plugin for OpenClaw and only requests items consistent with that purpose: it declares an optional AI_SENTINEL_API_KEY for Pro telemetry, requires openclaw.config.*, and references installing the 'ai-sentinel' package. Nothing requested is unrelated to integrating a security plugin into an OpenClaw project.
Instruction Scope
Instructions stay within the plugin setup scope: verifying openclaw.config.*, running the OpenClaw install command, choosing tier/mode, and optionally configuring telemetry. The SKILL.md explicitly requires AskUserQuestion before any file writes and has a Pro consent gate for external data transmission. Note: Pro mode can send scan results or raw message content to api.zetro.ai — this is called out and gated, but it is a real data-exfiltration surface the user must approve.
Install Mechanism
This is an instruction-only skill (no install spec); the installer is the OpenClaw CLI command which will pull the plugin from npm. That is coherent, but the actual plugin code comes from the npm package (ai-sentinel). Users should vet the npm package (source, package contents) before installing because installing the plugin will add third-party code to their environment.
Credentials
No required env vars are demanded. One optional environment variable (AI_SENTINEL_API_KEY) is declared and justified for Pro tier only. Declared file writes (.env, .gitignore, openclaw.config.* updates) and the external endpoint (api.zetro.ai) match the described Pro functionality.
Persistence & Privilege
The skill is not always-included and sets disable-model-invocation: true (prevents autonomous invocation). It requests no system-wide privileges beyond modifying the project's OpenClaw config when explicitly approved by the user. There is no indication it modifies other skills' configs without consent.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL.md and README include test payloads and example commands such as 'Ignore all previous instructions' for verifying the sentinel's detection. The static scanner flagged this pattern; in this context it appears to be used as a benign test vector rather than an attempt to subvert the evaluator. Still, the presence of such strings is why the pre-scan flagged potential prompt-injection content.
Assessment
This skill appears to do what it claims, but take these precautions before installing:
1) Review the npm package (ai-sentinel / ai-sentinel-sdk) and its source code on npm/GitHub to ensure you trust the publisher before running openclaw plugins install;
2) If you enable Pro, read the privacy policy and explicitly confirm the telemetry/‘cloud-scan’ options — Pro can send scan results and optionally raw message text to https://api.zetro.ai;
3) Keep backups of your openclaw.config.* before applying changes and only approve file writes when you verify the exact modifications shown by the setup wizard;
4) The static scanner flagged an 'ignore-previous-instructions' pattern, likely due to included test payloads — that alone is not malicious, but be cautious of any skill that attempts to suppress prompts or bypass confirmation gates.
If you want higher assurance, ask the skill author for the plugin's source repository and audit it (or ask a developer to do so) before installation.

Like a lobster shell, security has layers — review code before you run it.

Tags: anti-malware, anti-virus, firewall, latest, middleware, prompt-injection, safety, security

Runtime requirements

🛡️ Clawdis
OS: macOS · Linux · Windows