Arc Shield
Analysis
Arc Shield is a coherent secret-scanning tool, but its strict-mode blocking behavior and some of the protections it advertises do not match the provided implementation closely enough for a security tool.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
elif [[ "$MODE" == "strict" ]]; then
echo "$INPUT"
if [[ $FOUND_CRITICAL -gt 0 ]]; then
Strict mode is the mode the documentation tells users to run before external messaging, yet this branch echoes the original, unsanitized input before the critical-findings check runs.
detect_mnemonics() {
# 12 or 24 word phrases (simplified detection)
...
# Main detection
main() {
# Run all detectors
local findings_1pass=$(detect_1password_tokens)
...
local findings_cc=$(detect_credit_cards)
A detect_mnemonics function is defined, but the visible main detection and report flow never invokes it or reports mnemonic findings, even though the documentation advertises wallet-mnemonic blocking.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
The registry metadata gives no provenance or automated install contract, while the documentation includes executable scripts and clone/chmod setup steps.
rm -rf ~/.openclaw/workspace/skills/arc-shield
This is a destructive shell command, but it is documented as an uninstall step scoped to this skill's own directory and is not shown as automatic execution.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
echo -e "${color}[${severity}]${NC} ${category}" >&2
...
echo " → ${match}" >&2
The scanner writes each matched secret snippet to stderr, which is useful for local review but means any captured report or log becomes sensitive itself.
