Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agentshield Audit
v1.0.32
Trust Infrastructure for AI Agents - Like SSL/TLS for agent-to-agent communication. 77 security tests, cryptographic certificates, and Trust Handshake Protoc...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Benign (medium confidence)
Purpose & Capability
The name and description (AgentShield, trust layer + audits + handshake) align with the included scripts: audit runner, sanitizing API client, handshake/completion, key/cert handling, secret & supply-chain scanners. Network calls to a central API (agentshield.live) and local file/key access (~/.openclaw/workspace/.agentshield/) are expected for certificate issuance and handshake.
Instruction Scope
SKILL.md and the scripts instruct running local tests and optionally contacting the API. The docs explicitly describe human-in-the-loop consent before reading IDENTITY.md/SOUL.md and provide a --dry-run mode to preview payloads. The SKILL.md (and included example files) contains prompt-injection test strings and zero-width/unicode examples — these triggered static detectors but are legitimate test vectors for an auditing tool. Still: follow the recommended dry-run and consent flow before any real submission.
Install Mechanism
There is no remote installer; the package is a bundled Python toolset and SKILL.md instructs pip install -r requirements.txt (cryptography, requests). This is proportional to the task and does not fetch arbitrary code at runtime. No suspicious external download URLs were found in the provided manifest.
Credentials
The skill declares no required credentials and only optional env vars (AGENTSHIELD_API, AGENT_NAME, OPENCLAW_AGENT_NAME). It reads local identity files and stores a private Ed25519 key locally (claimed mode 600). Those privileges are appropriate for generating/signing certificates, but they are sensitive: verify file paths/permissions and that you consent before the tool reads those files. The tool also performs network outbound to agentshield.live — expected, but verify the endpoint before sending data.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill stores keys and certificates in its own workspace directory and does not claim to modify other skills or system-wide agent settings. No 'always' or other elevated persistent privileges are requested.
Scan Findings in Context
[ignore-previous-instructions] expected: The SKILL and attack-pattern files intentionally include prompt-injection strings (e.g., 'ignore previous instructions', 'jailbreak') because they are used as test vectors for prompt-injection detection. The static detector flagged them, which is expected for an audit tool.
[unicode-control-chars] expected: The code and example prompts include checks for zero-width/RTL control characters (unicode attack vectors). The presence of these patterns in tests/prompt examples is expected and appropriate for an auditing suite.
[dangerous-command-patterns] expected: agentshield_attack_patterns.json lists dangerous strings (e.g., 'rm -rf /', 'curl | bash') as attack payloads. Static scanners flag these, but this is deliberate as part of live attack simulations — expected for this tool. Do not run attack payloads against production systems.
Assessment
High-level: this package appears coherent for its stated purpose (local security tests + certificate-based trust handshake), and the authors built a dry-run + whitelist sanitization to avoid leaking test payloads. Before installing or running in production:
1) Run the dry-run mode (python3 initiate_audit.py --auto --dry-run) and inspect the exact payload the tool would submit.
2) Verify you are using v1.0.32 or later (notes indicate v1.0.31 had a sanitization bug).
3) Confirm the API endpoint you will contact (AGENTSHIELD_API) — if you don't trust agentshield.live, override the env var or run only locally.
4) Review the code that reads local files and the private key path (~/.openclaw/workspace/.agentshield/) and ensure permissions are appropriate.
5) If you run automated (--yes/--auto) mode, only do so in sandboxed or pre-audited environments.
6) If you want stronger assurances, run the package in an isolated VM/container and inspect network traffic during a dry-run.
These steps minimize risk and verify the implementation matches the privacy claims.
Static finding at SKILL.md:366: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.