Agentshield Audit
Risk level: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent as a security-audit tool, but its handshake helper appears able to print a completed session key before confirming the local agent is part of that handshake.
Install only if you are comfortable with a security-audit tool that stores a local signing key and contacts agentshield.live. Use --dry-run first, avoid --yes on sensitive agents, and do not use the trust-handshake session-key flow for sensitive communication until the session key is returned only after signed participant verification.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a completed handshake ID is exposed and the API behaves as this client expects, a non-participant could retrieve the shared session key.
The script requests handshake status using only the handshake ID and prints the returned session key before checking whether the local agent is the requester or target and before signing anything.
    status = requests.get(f"{API}/trust-handshake/status/{args.handshake_id}").json()
    if status["status"] == "completed":
        print(f"✅ Already done! Session Key: {status['session_key']}")
        return
Do not rely on the handshake session-key flow until the client and server require signed participant authentication before returning or printing any session key.

Using --yes on a sensitive agent could submit audit metadata without a final human review.
The skill explicitly supports an automation mode that skips consent prompts, including prompts around local file reads and API submission.
"automation_warning": "The --yes flag bypasses ALL consent prompts... NOT recommended for production agents with sensitive data. Use --dry-run first to inspect payload."
Use --dry-run first and avoid --yes unless the agent is sandboxed or you have already reviewed the exact payload and endpoint.

Anyone who can read this local key could impersonate the certified agent in AgentShield workflows.
The skill generates and stores a persistent cryptographic identity key used to obtain certificates and sign handshake challenges.
"~/.openclaw/workspace/.agentshield/agent.key (Ed25519 private key)"
Keep the workspace private, verify file permissions, and rotate/revoke the certificate if the key may have been exposed.

Future dependency versions could change behavior or introduce vulnerabilities, even though these packages are expected for this purpose.
The skill relies on pip-installed dependencies with lower-bound version specifiers rather than pinned hashes or exact versions.
"requires_pip": true, "packages": ["cryptography>=41.0.0", "requests>=2.31.0"]
Install in a virtual environment and consider pinning or reviewing dependency versions before use in production.

These strings are expected test inputs, but users should understand that the skill intentionally runs adversarial prompt-safety checks.
Prompt-injection strings are included as local test patterns for the audit suite.
injection_patterns = ["ignore previous instructions", "disregard all prior commands", "new instructions:", "system override"]
Treat these as audit payloads only; do not copy them into production prompts except for controlled testing.

Users may be unsure whether they are reviewing the fixed version or stale documentation for a version with known privacy issues.
The SKILL.md frontmatter shows 1.0.31 while registry/clawhub metadata identify 1.0.32, and the changelog says 1.0.31 had a privacy-impacting sanitization bug.
version: 1.0.31
Verify the installed package version and inspect the actual initiate_audit.py submission path before relying on the privacy guarantees.
