Skill v1.4.0
ClawScan security
Security Hardening Safey · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 6:36 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files, scripts, and runtime instructions are coherent with its stated purpose (injecting and managing security rules in Agent AGENTS.md files), but review and caution are warranted because it will persistently modify all agents and the package has no published homepage or known author reputation.
- Guidance: This skill appears to do what it claims (inject and manage security rules across OpenClaw agents) and contains the scripts and rule documents to do so. Before installing or running init.sh: 1) Inspect references/SECURITY-RULES-CORE.md to ensure you agree with the injected text and markers; 2) Backup your ~/.openclaw/agents/*/agent/AGENTS.md and SOUL.md so you can revert if needed; 3) Run init.sh interactively (do not use --yes) the first time to review the preview and confirmations; 4) Prefer testing on a non-production agent directory first to observe behavior; 5) Note the package has no homepage and an unknown source—if you require stronger provenance, request a published source or vendor contact or only install from a vetted registry. If you need automated deployment, plan how you will authorize it securely (audit logs, CI safeguards) because the script can operate unattended with --yes.
- Findings: [ignore-previous-instructions] expected: The SKILL.md and rules intentionally list 'ignore previous' / 'ignore previous instructions' as a red-flag string to detect prompt-injection; the static scanner flagged that pattern but its presence is expected and appropriate for a security-hardening skill.
Review Dimensions
- Purpose & Capability: ok. Name/description match the actual behavior: the skill contains rule files and scripts to scan, inject, update, and remove a SECURITY-RULES block in ~/.openclaw/agents/*/agent/AGENTS.md and to append a safety paragraph to SOUL.md. No unrelated credentials, binaries, or network endpoints are requested. The provided scripts and rule documents are proportional to the declared goal.
- Instruction Scope: note. SKILL.md and scripts confine actions to the OpenClaw agent area (~/.openclaw/agents/*) and to the skill's own directory. The init script previews changes and requires interactive confirmation by default, but supports --yes to skip confirmation for automation; that allows unattended, wide-scoped modifications if used. Otherwise instructions do not ask the agent to read unrelated system files or secrets.
- Install Mechanism: ok. No install spec or external downloads; the skill is instruction-plus-local-scripts only. All code is included in the bundle and nothing is fetched from remote URLs or package registries. The scripts write to disk under the OpenClaw directory as expected for this utility.
- Credentials: ok. The skill requests no environment variables, credentials, or external config paths. Scripts operate relative to HOME/.openclaw and do not read or exfiltrate secrets. The rules explicitly forbid reading sensitive config (e.g., ~/.openclaw/openclaw.json), and that is consistent with the lack of credential requirements.
- Persistence & Privilege: note. The skill intentionally creates persistent changes: it injects rule blocks into every AGENTS.md under ~/.openclaw/agents and appends to SOUL.md, and writes a .initialized flag in the skill directory. This persistent modification aligns with its purpose but has high blast radius (affects all agents). There is no always:true flag, but the --yes automation option and the ability to create AGENTS.md where missing mean user confirmation matters.
