Openclaw Sentinel
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: ai-sentinel
Version: 0.1.8

The skill is designed for security scanning and prompt injection detection, aligning with its stated purpose. All potentially high-risk actions, such as modifying `openclaw.config.ts`, creating/updating `.env` and `.gitignore`, and transmitting data to `https://api.zetro.ai` (for Pro tier), are explicitly declared and require multiple layers of user confirmation via `AskUserQuestion`. The `SKILL.md` explicitly instructs the agent to 'Never write files autonomously' and `disable-model-invocation: true` is set, enhancing security. The `CHANGELOG.md` further indicates a deliberate effort to add these transparency and consent mechanisms as security improvements. Minor discrepancies between `SKILL.md` and `README.md` regarding declared file writes and package names are noted but do not indicate malicious intent or unmitigated vulnerabilities in the agent's execution path.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Security scanners may flag the phrase, but within this artifact it is used to test blocking behavior.
This is a literal prompt-injection phrase, but it is presented as a test payload for the security tool.
`npx openclaw sentinel test "Ignore all previous instructions"` returns a `blocked` action
Keep these strings quoted as test inputs and do not treat them as operational instructions.

If enforce mode is enabled or thresholds are too strict, legitimate messages may be blocked.
The plugin can be configured to block OpenClaw traffic, which is expected for a prompt-injection firewall but materially affects agent behavior.
`enforce` - Block messages that exceed the threat confidence threshold
Start in monitor mode, review detections, and only enable enforce mode after testing.

The installed plugin will run in the OpenClaw environment, so users must trust the external package source.
The setup depends on installing external plugin code from the OpenClaw/npm ecosystem; the package implementation is not included in the reviewed artifacts.
`openclaw plugins install ai-sentinel`
Verify the package name, publisher, source, and version before installing; pin a trusted version where possible.

A Pro API key stored in project files could be exposed if committed or shared accidentally.
The skill may use a service API key for Pro features, but it is disclosed as optional and purpose-aligned.
AI_SENTINEL_API_KEY ... Only needed for Pro tier remote classification and dashboard.
Store the key only in local environment files, ensure .env is ignored by git, and rotate the key if exposed.

Sensitive prompts, tool results, or message content could leave the local machine if Pro cloud-scan or raw-content telemetry is enabled.
Pro mode can transmit scan data, and in some modes message content, to an external service; the artifact discloses this and requires consent.
Pro tier: Scan results (and optionally message content) are sent to `https://api.zetro.ai` for dashboard reporting and analytics.
Use Community/local mode or telemetry without raw content for sensitive projects, and review the provider privacy policy before enabling Pro.
