warn
suspicious.prompt_injection_instructions
- Location
- README.md:52
- Finding
- Prompt-injection style instruction pattern detected.
Openclaw Sentinel
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.prompt_injection_instructions
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
NoteHigh Confidence
ASI01: Agent Goal HijackWhat this means
Security scanners may flag the phrase, but within this artifact it is used to test blocking behavior.
Why it was flagged
This is a literal prompt-injection phrase, but it is presented as a test payload for the security tool.
Skill content
`npx openclaw sentinel test "Ignore all previous instructions"` returns a `blocked` action
Recommendation
Keep these strings quoted as test inputs and do not treat them as operational instructions.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
If enforce mode is enabled or thresholds are too strict, legitimate messages may be blocked.
Why it was flagged
The plugin can be configured to block OpenClaw traffic, which is expected for a prompt-injection firewall but materially affects agent behavior.
Skill content
`enforce` - Block messages that exceed the threat confidence threshold
Recommendation
Start in monitor mode, review detections, and only enable enforce mode after testing.
NoteMedium Confidence
ASI04: Agentic Supply Chain VulnerabilitiesWhat this means
The installed plugin will run in the OpenClaw environment, so users must trust the external package source.
Why it was flagged
The setup depends on installing external plugin code from the OpenClaw/npm ecosystem; the package implementation is not included in the reviewed artifacts.
Skill content
`openclaw plugins install ai-sentinel`
Recommendation
Verify the package name, publisher, source, and version before installing; pin a trusted version where possible.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
A Pro API key stored in project files could be exposed if committed or shared accidentally.
Why it was flagged
The skill may use a service API key for Pro features, but it is disclosed as optional and purpose-aligned.
Skill content
AI_SENTINEL_API_KEY ... Only needed for Pro tier remote classification and dashboard.
Recommendation
Store the key only in local environment files, ensure .env is ignored by git, and rotate the key if exposed.
NoteHigh Confidence
ASI07: Insecure Inter-Agent CommunicationWhat this means
Sensitive prompts, tool results, or message content could leave the local machine if Pro cloud-scan or raw-content telemetry is enabled.
Why it was flagged
Pro mode can transmit scan data, and in some modes message content, to an external service; the artifact discloses this and requires consent.
Skill content
Pro tier: Scan results (and optionally message content) are sent to `https://api.zetro.ai` for dashboard reporting and analytics.
Recommendation
Use Community/local mode or telemetry without raw content for sensitive projects, and review the provider privacy policy before enabling Pro.
Findings (2)
warn
suspicious.prompt_injection_instructions
- Location
- SKILL.md:263
- Finding
- Prompt-injection style instruction pattern detected.