Openclaw Warden

Review: Audited by ClawScan on May 10, 2026.

Overview

This local integrity scanner is mostly purpose-aligned, but its shipped script includes under-disclosed countermeasure commands that change files and installed skills, plus persistent snapshots, despite the skill being presented as detection-only.

Use caution before installing. The scan/verify functions fit the stated purpose, and no network exfiltration is evident, but review the Python script and decide whether you are comfortable with local snapshots and the extra restore/quarantine/rollback/protect capabilities. If you use it, run only the commands you intend and inspect the .integrity directory it creates.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Static scanners may flag this text, but in context it supports the security-scanning purpose.

Why it was flagged

These are prompt-injection phrases, but they are presented as examples of patterns the scanner detects rather than as instructions for the agent to follow.

Skill content
- **Instruction override:** "ignore previous instructions", "disregard above", "you are now", "new system prompt"
Recommendation

Treat these strings as detector documentation; do not treat them as active instructions.

What this means

If invoked, these commands could modify files, disable or re-enable skills, or alter workspace state beyond simple scanning.

Why it was flagged

The script documents commands that can change workspace files or installed skills, but SKILL.md only presents detection/status/baseline/accept workflows. These high-impact commands are not clearly bounded in the user-facing instructions.

Skill content
integrity.py restore FILE ... integrity.py quarantine SKILL ... integrity.py unquarantine SKILL ... integrity.py rollback FILE ... integrity.py protect
Recommendation

Review the full script before use, and only run documented detection commands unless you intentionally want the countermeasure behavior.

What this means

Sensitive workspace context may be duplicated into persistent local snapshot files, increasing what must be protected or cleaned up.

Why it was flagged

The script contains functionality to persist local snapshot copies of monitored workspace files. Those files include agent identity, memory, config, and skill files, while SKILL.md primarily describes a checksum baseline.

Skill content
INTEGRITY_DIR = ".integrity" ... SNAPSHOTS_DIR = "snapshots" ... shutil.copy2(abspath, dest)
Recommendation

Inspect the .integrity directory after use, protect it like sensitive workspace data, and avoid running baseline/restore workflows on workspaces containing secrets unless this storage is acceptable.

What this means

Users may underestimate the authority included in the installed files and allow broader workspace changes than expected.

Why it was flagged

This line frames the installed skill as detection-only, but the included script visibly documents countermeasure capabilities such as snapshot restore, skill quarantine, git rollback, and protect.

Skill content
Free detection layer — upgrade to openclaw-warden-pro for automated countermeasures.
Recommendation

The skill should clearly disclose all included mutation/countermeasure commands in SKILL.md and separate or remove pro-only functionality if it is not intended for the free skill.

What this means

It may be harder to verify where this version came from or compare it to an upstream repository.

Why it was flagged

The registry metadata does not provide a clear source or homepage, which limits provenance review, though there is no automatic install script in the supplied artifacts.

Skill content
Source: unknown; Homepage: none
Recommendation

Prefer installing only after verifying the publisher and reviewing the included script contents.