Arc Shield
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
Arc Shield is a coherent local sanitizer, but its strict mode writes the unredacted message to stdout before it fails, so the secrets it is meant to block can still leak.
Review or patch the strict-mode behavior before installing this as a pre-send safety control. Until then, treat it as a local audit/redaction helper only, never pipe its strict-mode stdout to an external channel, and verify that every sample secret it ships with is fake.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the command is placed in a pipeline, terminal log, or send wrapper, the secret is already on stdout by the time the command exits with its blocking status.
Strict mode echoes the full input before it checks the critical-secret count, so a secret-containing message is emitted to stdout and only then does the command fail.
    elif [[ "$MODE" == "strict" ]]; then
      echo "$INPUT"
      if [[ $FOUND_CRITICAL -gt 0 ]]; then
Do not pipe --strict output directly into any external send or log path until this is fixed. Change strict mode to check the count before printing, so that it suppresses output on failure or emits only redacted text, and add a test that asserts strict-mode stdout is empty for a secret-containing input.
Users may trust the documented command as a safe pre-send filter and unknowingly expose unredacted secrets.
The documentation presents --strict as a blocking safeguard for external messages, but the implementation quoted in the previous finding can print the original message before it blocks.
    # Block if critical secrets found (use before external messaging)
    echo "Message text" | arc-shield.sh --strict || echo "BLOCKED"
Update the documentation to clearly state stdout/stderr behavior, show safe wrappers that discard stdout on block, and avoid claiming blocking protection until strict mode is corrected.
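The following is an added example written for this review, not Arc Shield's own script. It reproduces the strict-mode defect from the first finding in a minimal sanitizer, places the corrected ordering next to it, and shows the kind of send wrapper the second finding's recommendation asks for: one that captures stdout and discards it whenever the sanitizer returns a blocking status. The secret patterns, the function names and the sample messages are assumptions made for this example, and the "secrets" are fake.

```sh
#!/usr/bin/env sh
# Added example for this review, not Arc Shield's own code. The patterns,
# function names and sample messages below are constructed for illustration.

# Count critical matches on stdin. The three patterns are assumptions for this
# example (an AWS access key id, a GitHub token, a PEM private-key header).
count_critical() {
  grep -E -c 'AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|-----BEGIN [A-Z ]*PRIVATE KEY-----' || true
}

# Replace critical matches with labelled placeholders.
redact() {
  sed -E \
    -e 's/AKIA[0-9A-Z]{16}/[REDACTED:aws_key]/g' \
    -e 's/ghp_[A-Za-z0-9]{36}/[REDACTED:github_token]/g' \
    -e 's/-----BEGIN [A-Z ]*PRIVATE KEY-----/[REDACTED:private_key]/g'
}

# Strict mode with the defect the finding quotes: the input is echoed before
# the count is checked, so the secret is already on stdout when the blocking
# status is returned.
strict_leaky() {
  input=$1
  found=$(printf '%s\n' "$input" | count_critical)
  echo "$input"
  if [ "$found" -gt 0 ]; then
    echo "BLOCKED: $found critical secret(s)" >&2
    return 1
  fi
}

# Corrected strict mode: check first, emit only when clean, and keep the block
# notice on stderr so stdout carries nothing on failure.
strict_safe() {
  input=$1
  found=$(printf '%s\n' "$input" | count_critical)
  if [ "$found" -gt 0 ]; then
    echo "BLOCKED: $found critical secret(s)" >&2
    return 1
  fi
  printf '%s\n' "$input"
}

# Audit/redaction helper mode: always succeeds and never emits the raw match.
redact_only() {
  printf '%s\n' "$1" | redact
}

# Safe send wrapper for a sanitizer whose stdout cannot be trusted: capture
# stdout into a variable and hand it to the send command only on success.
# "$2" is whatever delivers the message (a hypothetical send command).
send_if_clean() {
  if out=$(strict_leaky "$1"); then
    printf '%s\n' "$out" | "$2"
  else
    return 1
  fi
}

# Constructed sample messages; the key id is a fake in the AKIA+16 format.
CLEAN_MSG="deploy finished, see the runbook"
SECRET_MSG="rotate this: AKIAEXAMPLEKEY000001 before merging"

# Stand-alone demonstration.
echo "leaky strict mode (secret reaches stdout, then non-zero exit):"
strict_leaky "$SECRET_MSG" || echo "exit status $?"
echo "fixed strict mode (nothing on stdout, non-zero exit):"
strict_safe "$SECRET_MSG" || echo "exit status $?"
echo "redact-only mode:"
redact_only "$SECRET_MSG"
echo "send wrapper around the leaky sanitizer (cat stands in for the send command):"
send_if_clean "$SECRET_MSG" cat || echo "blocked, nothing sent"
send_if_clean "$CLEAN_MSG" cat
```

The wrapper is the part worth copying even before the script is fixed: because the message is captured into a variable rather than piped straight to the send command, a non-zero status from the sanitizer means nothing has left the host, whichever order the sanitizer prints and checks in.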
Users have little provenance information with which to verify that they installed the intended package and its supporting files.
The reviewed files are local scripts, but the registry metadata gives no source or install specification, while the docs describe a git and chmod based setup.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Install only from a verified repository or signed bundle, and confirm required files such as scripts and documented configuration are present before use.
