v1.0.2

Openclaw Bastion

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:23 AM.

Analysis

This looks like a local prompt-injection scanner, but its code advertises under-documented file-changing and hook/enforcement commands that users should review before installing.

GuidanceUse this skill cautiously: scan specific paths when possible, avoid running sanitize/quarantine/canary/enforce/protect modes until you have reviewed the script and backed up files, and verify whether the active features are intended despite the alert-only description.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityMediumConfidenceHighStatusConcern

scripts/bastion.py

actively neutralizes threats — block injections, sanitize hidden Unicode, quarantine compromised files, deploy canary tokens, and enforce content policies via hooks

The runnable script advertises active file-changing and enforcement capabilities that are not presented in the main SKILL.md command list and conflict with the alert-layer framing.

User impactA user or agent could run commands that modify, quarantine, or enforce policy over workspace files beyond what the main skill instructions suggest.

RecommendationTreat this as a review item: inspect the script before use, back up important files, and run only scan/check commands unless active modification is explicitly intended.

Rogue Agents

SeverityMediumConfidenceMediumStatusConcern

scripts/bastion.py

bastion.py canary [file|dir] ... bastion.py enforce ... bastion.py protect

The script usage advertises canary and hook-style enforcement/protection commands, implying persistent workspace changes or future runtime behavior without clear scoping or removal instructions in SKILL.md.

User impactPersistent canary, protection, or enforcement state could affect later agent activity or workspace files after the initial scan task.

RecommendationDo not run canary, enforce, or protect modes unless you have reviewed exactly what they write, how they are removed, and whether they require explicit approval.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceMediumStatusNote

scripts/bastion.py

".env", ".conf", ".rst", ".tex",

The scanner treats .env and configuration-style files as scannable text; combined with SKILL.md's default whole-workspace scan, this may read files that commonly contain secrets.

User impactBroad scans may inspect local configuration or secret-bearing files even though no external transmission is shown in the artifacts.

RecommendationPrefer targeted scans for untrusted documents, and exclude or review secret-bearing paths before scanning an entire workspace.